Any plans to support more TLS Crypt ciphers for OpenVPN?

[MRizkBV]

They started blocking VPNs where I live and it seems like tls-cypt seems to be still working when used with TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 (That's why my phone used automatically to get access to the VPN).

I tried looking for this TLS cipher on asus merlin (I am using the latest stable build for 56u) but I can't find it. I can only find ecdsa-with-SHA1 which doesn't work. RSA-SHA256 also doesn't work for me :/

 

[RMerlin]

GCM ciphers are not available as legacy ciphers, they can only be used through NCP. By default if you enable NCP, AES-128-GCM and AES-256-GCM are already supported, provided both ends use OpenVPN 2.4 and have NCP enabled.

 

[MRizkBV]

GCM ciphers are not available as legacy ciphers, they can only be used through NCP. By default if you enable NCP, AES-128-GCM and AES-256-GCM are already supported, provided both ends use OpenVPN 2.4 and have NCP enabled.

You are talking about the ciphers used for TLS-crypt, not the other cipher right? The one I meant is called "Auth digest" on your software. I am sorry if I caused you any confusion, I am not good myself with these terms :/

What I am trying to achieve is:
tls-crypt
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

 

[DonnyJohnny]

It should already support in 382 and 384.
U can use the command to see
openvpn --show-tls

tls-crypt and tls 1.2is also supported.
It is known as Encrypt channel in the option.

HMAC Authentication will be SHA 256

And u can simply use
tls-version-min 1.2 in the additional configuration.
It will use TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 With tls 1.2

 

[MRizkBV]

It should already support in 382 and 384.
U can use the command to see
openvpn --show-tls

tls-crypt and tls 1.2is also supported.
It is known as Encrypt channel in the option.

HMAC Authentication will be SHA 256

And u can simply use
tls-version-min 1.2 in the additional configuration.
It will use TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 With tls 1.2

I just updated to 382 Beta 3 and enabled Encrypt Channel, and used tls-version-min 1.2 in the additional conf but nothing is working. Which is weird as the same exact settings are working perfectly fine on my iPhone OpenVPN connect client, on the LEDE on a friend's router.

 

[DonnyJohnny]

@MRizkBV
When u say not working, have u tried other cipher or encryption if it is working?
Can it connect in the first place? Is your cert and key good?
Maybe u like to post the log to see what and where it stop you.

Also i am not sure about ac56 as I am using ac68.
Have u check openvpn --show-tls if the tls cipher is supported?

A common mistake I think is your config may still have tls-auth config. Check your client and server config to make sure they are not there like, direction 1/0.
And the wrapping of ta key in the client config, make sure is wrapped in <tls-crypt>...</tls-crypt>

You may want to see the actual server configuration generated. It is at
/tmp/etc/openvpn/server1 or server2. File name is config.opvn
See if the configuration is good.

In server customised configuration,
Add in
tls-crypt /jffs/openvpn/ta.key
(File name may be different, check yourself. All keys are store at /jffs/openvpn)

 

[MRizkBV]

@MRizkBV
When u say not working, have u tried other cipher or encryption if it is working?
Can it connect in the first place? Is your cert and key good?
Maybe u like to post the log to see what and where it stop you.

Also i am not sure about ac56 as I am using ac68.
Have u check openvpn --show-tls if the tls cipher is supported?

A common mistake I think is your config may still have tls-auth config. Check your client and server config to make sure they are not there like, direction 1/0.
And the wrapping of ta key in the client config, make sure is wrapped in <tls-crypt>...</tls-crypt>

You may want to see the actual server configuration generated. It is at
/tmp/etc/openvpn/server1 or server2. File name is config.opvn
See if the configuration is good.

In server customised configuration,
Add in
tls-crypt /jffs/openvpn/ta.key
(File name may be different, check yourself. All keys are store at /jffs/openvpn)

I tried the same config (.ovpn and cert files) on iOS and they are working fine. I am currently using Softether as the server (OpenVPN clone protocol). I tried OpenVPN itself and it didn't work on the router too with tls-crypt active.

The log shows that the router receives initial TLS packet but it keeps waiting there and then gives a TLS handshake error (this is what happens with TLS-Auth too because the DPI (Deep Packet Inspection) software drops packets instantly when it identifies the TLS handshake as OpenVPN).

As I said, Softether OpenVPN protocol seems to be having more success specially with the OpenVPN Connect client on iOS. Here is the client .ovpn for Softether:

dev tun
proto udp
remote REMOVED 1194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
REMOVED
-----END PRIVATE KEY-----
</key>

Using the previous config works perfectly fine on iOS, here is the log from OpenVPN Connect on iOS after the connection is established.

2018-02-02 01:18:31 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 23 2018 15:56:53
2018-02-02 01:18:31 Frame=512/2048/512 mssfix-ctrl=1250
2018-02-02 01:18:31 UNUSED OPTIONS
5 [resolv-retry] [infinite] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
10 [verb] [3] 

2018-02-02 01:18:31 EVENT: RESOLVE
2018-02-02 01:18:32 Contacting [REMOVED]:1194/UDP via UDP
2018-02-02 01:18:32 EVENT: WAIT
2018-02-02 01:18:32 Connecting to [REMOVED]:1194 (REMOVED) via UDPv4
2018-02-02 01:18:32 EVENT: CONNECTING
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_cli.c:1454 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2018-02-02 01:18:32 Creds: Username/Password
2018-02-02 01:18:32 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.7-4
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2

2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_cli.c:1454 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:7160 1]: mbedtls_ssl_handshake() returned -32768 (-0x8000)
2018-02-02 01:18:32 VERIFY OK : depth=0
cert. version    : 3
serial number    : 00
issuer name      : CN=REMOVED, O=REMOVED, OU=REMOVED, C=US
subject name      : CN=REMOVED, O=REMOVED, OU=REMOVED, C=US
issued  on        : 2017-12-09 19:17:40
expires on        : 2037-12-31 19:17:40
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Cert Sign, CRL Sign
ext key usage    : TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, ???, ???, ???, Time Stamping, OCSP Signing

2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3917 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_cli.c:2300 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:6788 1]: mbedtls_ssl_handshake() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3917 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_cli.c:2300 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:7160 1]: mbedtls_ssl_handshake() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:4727 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:6788 1]: mbedtls_ssl_handshake() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:4727 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:7160 1]: mbedtls_ssl_handshake() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-02-02 01:18:32 mbed TLS[ssl_tls.c:6842 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-02-02 01:18:32 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-02-02 01:18:32 Session is ACTIVE
2018-02-02 01:18:32 EVENT: GET_CONFIG
2018-02-02 01:18:32 Sending PUSH_REQUEST to server...
2018-02-02 01:18:33 Sending PUSH_REQUEST to server...
2018-02-02 01:18:34 OPTIONS:
0 [ping] [3] 
1 [ping-restart] [10] 
2 [ifconfig] [192.168.30.17] [192.168.30.18] 
3 [dhcp-option] [DNS] [4.2.2.3] 
4 [dhcp-option] [DNS] [4.2.2.4] 
5 [route-gateway] [192.168.30.18] 
6 [redirect-gateway] [def1] 

2018-02-02 01:18:34 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA1
compress: NONE
peer ID: -1
2018-02-02 01:18:34 EVENT: ASSIGN_IP
2018-02-02 01:18:34 NIP: preparing TUN network settings
2018-02-02 01:18:34 NIP: init TUN network settings with endpoint: REMOVED
2018-02-02 01:18:34 NIP: adding IPv4 address to network settings 192.168.30.17/255.255.255.252
2018-02-02 01:18:34 NIP: adding (included) IPv4 route 192.168.30.16/30
2018-02-02 01:18:34 NIP: redirecting all IPv4 traffic to TUN interface
2018-02-02 01:18:34 NIP: adding DNS 4.2.2.3
2018-02-02 01:18:34 NIP: adding DNS 4.2.2.4
2018-02-02 01:18:34 Connected via NetworkExtensionTUN
2018-02-02 01:18:34 EVENT: CONNECTED CLIENT@REMOVED:1194 (REMOVED) via /UDPv4 on NetworkExtensionTUN/192.168.30.17/ gw=[/]

 

[DonnyJohnny]

From the way u say, it seem like it is not the firmware/openvpn issue. You can’t even connect. That’s mean your setting is wrong.
Could you check if you could connect with tls-auth in the first place?

If you can’t, something wrong with the cert/key used.

You can read up
https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw

By the way, softether is only using aes-128cbc without tls-crypt.
And they using SHA1.

 

[MRizkBV]

From the way u say, it seem like it is not the firmware/openvpn issue. You can’t even connect. That’s mean your setting is wrong.
Could you check if you could connect with tls-auth in the first place?

If you can’t, something wrong with the cert/key used.

You can read up
https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw

By the way, softether is only using aes-128cbc without tls-crypt.
And they using SHA1.

I can’t connect not because of the server, or the router itself. I can’t connect because the country recently started using DPI software to block access to VPN protocols (including OpenVPN).

Regarding Softether. The latest beta release (last update was mid January) includes TLS 1.2 and all new ciphers now. That is why my iPhone is able to connect to it using the encryption ciphers showing in the log file I attached in the previous post.

As I said. OpenVPN is blocked at the TLS handshaking step. TLS-Crypt is supposed to kind of mask this step which will make the DPI ignore the packets and let the connection go through. That is why it is working perfectly fine on OpenVPN Connect on iOS.

 

[DonnyJohnny]

I can’t connect not because of the server, or the router itself. I can’t connect because the country recently started using DPI software to block access to VPN protocols (including OpenVPN).

Regarding Softether. The latest beta release (last update was mid January) includes TLS 1.2 and all new ciphers now. That is why my iPhone is able to connect to it using the encryption ciphers showing in the log file I attached in the previous post.

As I said. OpenVPN is blocked at the TLS handshaking step. TLS-Crypt is supposed to kind of mask this step which will make the DPI ignore the packets and let the connection go through. That is why it is working perfectly fine on OpenVPN Connect on iOS.

oh I see. Not aware of the new beta.

Have you do the
openvpn --show-tls

Can u see the tls cipher u want?

If yes, then it is the configuration problem.

Can u show the configuration found in
/tmp/etc/openvpn/server1 or server2. File name is config.ovpn


Did you mean you used the configuration from softether for asuswrt Openvpn configuration????

Please show the error log of openvpn server.

 

[MRizkBV]

oh I see. Not aware of the new beta.

Have you do the
openvpn --show-tls

Can u see the tls cipher u want?

If yes, then it is the configuration problem.

Can u show the configuration found in
/tmp/etc/openvpn/server1 or server2. File name is config.ovpn


Did you mean you used the configuration from softether for asuswrt Openvpn configuration????

Please show the error log of openvpn server.

I did the command you gave me and here is the result:

Available TLS Ciphers,

listed in order of preference:


TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

So it should support it but I am not really sure how to use them from the UI. I don't think they are available there and I have no idea how to use ssh to control OpenVPN :/

Regarding server conf, Softether doesn't store .conf files like OpenVPN does because it is technically not OpenVPN, it just acts like it so I am not really sure what I can provide here. Anyways, if you select an old encryption cipher in Softether it means it will allow this cipher and all new ones. That is why my phone can connect just fine using the new ciphers.

 

[DonnyJohnny]

So much questioning just to realised that you didn’t even went thru the basic openvpn setup like cert creation etc.

I Guess openvpn server setup seems too technical for you. I suggest you just stick to softether since it fits your needs, since it is a out of box application.

By the way, softether don’t use tls-crypt, they do have their way to bypass firewall.

If really still want to set up openvpn server, try use our Friend Google. They will have better answer. There is a lot of article on how to use ssh and setting up of openvpn.

 

[sfx2000]

GCM ciphers are not available as legacy ciphers, they can only be used through NCP. By default if you enable NCP, AES-128-GCM and AES-256-GCM are already supported, provided both ends use OpenVPN 2.4 and have NCP enabled.

GCM's are the future, but on many ARM processors, GCM is going to have a performance impact compared to CBC/SHA...

The HND platform is trying to get ahead of it, the B53's perform ok, but compared to AMD64, they're still behind things.