Anyone using TLS-Crypt in new 380.65 beta?

[el_Captain]

I've been able to use all of the new OpenVPN 2.4 features - except TLS-Crypt. I'm not sure if it's a configuration issue or if it's the client - RMerlin says he has it working. The .ovpn file has the <tls-crypt> inline tags and has the key from the certs page just like when I use TLS-Auth - although I did notice that using the inline format, I did have to manually add "key direction bidirectional" when using TLS-Auth. I read over the OpenVPN manual and I'm not seeing what other flags might be needed that aren't already in the "stock" ovpn file from the export.

I've been testing this with the Android OpenVPN Connect client, which says it supports LZ4 - so I assume it supports the other ver 2.4 features. The about page says core 3.0.12. I haven't tried it from a PC client though.

 

[Fitz Mutch]

Yes, I can connect with my Android phone using the tls-crypt feature. If yours doesn't then try this one here:
https://play.google.com/store/apps/details?id=de.blinkt.openvpn

 

[el_Captain]

Well that was easy - I used the "OpenVPN for Android" client without touching anything in the configuration and was able to get it to connect with the tls-crypt enabled in settings. Looking over the logs, it seems like it's working and no complaints. That's really odd that the "official" client supports some of the 2.4 features but not tls-crypt and doesn't throw some kind of error.

 

[Wutikorn]

Well that was easy - I used the "OpenVPN for Android" client without touching anything in the configuration and was able to get it to connect with the tls-crypt enabled in settings. Looking over the logs, it seems like it's working and no complaints. That's really odd that the "official" client supports some of the 2.4 features but not tls-crypt and doesn't throw some kind of error.

Last update to both Android and iOS OpenVPN clients was during May last year, so that's why it is not working properly, not sure why they don't update both apps. Luckily, LZ4 compression works properly. Btw, do any of you know a good app for TLS-CRYPT for iOS?

 

[Fitz Mutch]

Check your router's syslog to verify that tls-crypt is working. And apparently, my Android client connects with a better encrypted control channel than the Windows 10 client.

Android client using my phone's hardware-backed certificate store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Windows 10 client using the Windows Certificate System Store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 4096 bit RSA

 

[RMerlin]

Check your router's syslog to verify that tls-crypt is working. And apparently, my Android client connects with a better encrypted control channel than the Windows 10 client.

Android client using my phone's hardware-backed certificate store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Windows 10 client using the Windows Certificate Store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 4096 bit RSA

Your Windows client is only using TLS 1.1, you need 1.2 AFAIK to use the new GCM ciphers.

 

[Fitz Mutch]

Your Windows client is only using TLS 1.1, you need 1.2 AFAIK to use the new GCM ciphers.

Just a heads up, if you use the Windows OpenVPN client.

When I use --cryptoapicert on the Windows client, it reports a warning and the new GCM ciphers are not used for control channel encryption (tls-crypt).

--cryptoapicert select-string
Load the certificate and private key from the Windows Certificate System Store (Windows/OpenSSL Only).

Example usage in my OpenVPN config
cryptoapicert "SUBJ:xxxxx@xxxxxxxx.com"

Windows's OpenVPN client log shows this:
Tue Jan 24 xx:xx:xx 2017 us=228757 Warning: cryptapicert used, setting maximum TLS version to 1.1.

Router's OpenVPN server log shows this:
Jan 24 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 4096 bit RSA



Alternatively, when I use "pkcs12" on the Windows client, tls-crypt works as expected.

--pkcs12 file
Specify a PKCS #12 file containing local private key, local certificate, and root CA certificate.

Example usage in my OpenVPN config
pkcs12 xxxxx@xxxxxxxx.p12

Router's OpenVPN server log shows this:
Jan 24 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA



My Android client works as expected.

I don't own an Apple/iOS phone, so I didn't test that platform.

 

[unsynaps]

FYI tls-crypt is broken on iOS even on the update released on FEB 3rd. Server spews "tls-crypt unwrap error: packet too short" when trying to connect.

Works fine from a Win10 machine running 2.4.

v1.1.1 build 212

 

[Wutikorn]

FYI tls-crypt is broken on iOS even on the update released on FEB 3rd. Server spews "tls-crypt unwrap error: packet too short" when trying to connect.

Works fine from a Win10 machine running 2.4.

v1.1.1 build 212

I was expecting TLS-Crypt feature support in the changelog too, but didn't see anything related.

 

[bayern1975]

Check your router's syslog to verify that tls-crypt is working. And apparently, my Android client connects with a better encrypted control channel than the Windows 10 client.

Android client using my phone's hardware-backed certificate store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Windows 10 client using the Windows Certificate System Store

Jan 23 x:x:x openvpn[24911]: x.x.x.x Control Channel: TLSv1.1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 4096 bit RSA

how do you get 4096 bit RSA? i have just 1024?

Feb  4 12:26:24 openvpn[1238]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA

 

[Fitz Mutch]

how do you get 4096 bit RSA?

While I'm not the forum expert on this stuff, I did manage to figure out everything for my own purposes. There are probably better tutorials available somewhere? Please correct me if I wrong.

How to make a password-protected PKCS #12 file for each customer, that contains the Root CA, and his certificate and his private key. And, how to manage the CRL (certificate revocation list).

Getting started
Fire up the latest Debian Linux in a VM, start a terminal window and type:
sudo apt-get update
sudo apt-get install easy-rsa


Configure the variables
cd /usr/share/easy-rsa
su
vi ./vars

# change these values in ./vars
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export CRL_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="FL"
export KEY_CITY="Miami"
export KEY_ORG="Fernanda"
export KEY_EMAIL="TodoElMundoLoHace@mail2tor.com"
export KEY_OU="Fernanda"
export KEY_NAME="EasyRSA"

Create the Root CA, the server certificate and the password-protected PKCS #12 files for your customers.

su
source ./vars
./clean-all
./build-ca
./build-key revokekey
./revoke-full revokekey
cat keys/ca.crt keys/crl.pem > keys/ca+crl.pem
./build-key-server myrouter1
./build-key-pkcs12 eduardo1975@mail2tor.com
./build-key-pkcs12 leticia231@mail2tor.com
./build-key-pkcs12 lupekkk@mail2tor.com
./build-dh

Rebuild the CRL (certificate revocation list) with expiration in 10 years

su
cd /usr/share/easy-rsa
source ./vars
cd keys
export KEY_CN=""
export KEY_OU=""
export KEY_NAME=""
export KEY_ALTNAMES=""
openssl ca -gencrl -crldays 3650 -out crl.pem -config "$KEY_CONFIG"
cat ca.crt crl.pem > ca+crl.pem

View the CRL

openssl crl -in crl.pem -text

Copy files to router JFFS. Your /jffs/openvpn folder should look something like this.
cd /jffs/openvpn

lrwxrwxrwx    1 admin    root            18 Feb  2 09:59 vpn_crt_server1_ca -> /jffs/certs/ca.crt
lrwxrwxrwx    1 admin    root            19 Feb  2 09:59 vpn_crt_server1_crl -> /jffs/certs/crl.pem
lrwxrwxrwx    1 admin    root            26 Feb  2 09:59 vpn_crt_server1_crt -> /jffs/certs/myrouter1.crt
lrwxrwxrwx    1 admin    root            22 Feb  2 09:59 vpn_crt_server1_dh -> /jffs/certs/dh4096.pem
lrwxrwxrwx    1 admin    root            26 Feb  2 09:59 vpn_crt_server1_key -> /jffs/certs/myrouter1.key
-rw-------    1 admin    root           636 Jan 14 11:43 vpn_crt_server1_static

 

[kvic]

My Android client works as expected.

I don't own an Apple/iOS phone, so I didn't test that platform.

I upgraded my OpenVPN server to 2.4 and found out official clients for both iOS and Android had not be updated yet...

tls-crypt seems an alternative to people (@Cake ) who had been requesting the XOR scramble patch! I also wondered if one of the GCM ciphers worth switching to. I'm less paranoid about big brothers. Turns out GCM has nothing to lose for me. More paranoid people might disagree.

Some bits of other consideration that I went through to reach a decision. It's documented here: http://kazoo.ga/random-bits-on-openvpn-2-4/. Welcome to leave me your thought here or there.

 

[sfx2000]

I also wondered if one of the GCM ciphers worth switching to. I'm less paranoid about big brothers. Turns out GCM has nothing to lose for me. More paranoid people might disagree.

GCM doesn't buy much - right now - on ARM - it can be better on x86-64 with AES-NI on both client and server - and in the future, it will be much better with changes in OpenSSL 1.1.x (which is non-trivial to port over to older platforms)

 

[kvic]

GCM doesn't buy much - right now - on ARM - it can be better on x86-64 with AES-NI on both client and server - and in the future, it will be much better with changes in OpenSSL 1.1.x (which is non-trivial to port over to older platforms)

A good reminder!

In current OpenSSL 1.0.x, GCM is much slower than CBC on both ARM and x86 *without* hardware acceleration (e.g. AES-NI). GCM leaves CBC in dust with AES-NI.

What's the excitement in openssl 1.1.x?

 

[sfx2000]

What's the excitement in openssl 1.1.x?

QAT on Intel - pretty awesome

 

[RMerlin]

GCM doesn't buy much - right now - on ARM - it can be better on x86-64 with AES-NI on both client and server - and in the future, it will be much better with changes in OpenSSL 1.1.x (which is non-trivial to port over to older platforms)

GCM saves a few bytes per packet. That's pretty much it. Otherwise, I saw no measurable performance difference when I tested it on a lab setup.

 

[sfx2000]

GCM saves a few bytes per packet. That's pretty much it. Otherwise, I saw no measurable performance difference when I tested it on a lab setup.

Bits/bytes - it counts...

I can appreciate your insight here - but while the room is dark, look towards the doorway...

 

[kvic]

QAT on Intel - pretty awesome

Look forward to it. I'll be in the market for a fan-less box to house a dedicated VPN server..

Did some dirty benchmark the other day when you mentioned about openssl. GCM scales nicely with AES-NI..

People can find more detail here:
http://kazoo.ga/quick-benchmark-cbc-vs-gcm/

 

[sfx2000]

Look forward to it. I'll be in the market for a fan-less box to house a dedicated VPN server..

GCM is a big step - as is OpenSSL 1.1...

 

[sfx2000]

tls-crypt seems an alternative to people (@Cake ) who had been requesting the XOR scramble patch! I also wondered if one of the GCM ciphers worth switching to. I'm less paranoid about big brothers. Turns out GCM has nothing to lose for me. More paranoid people might disagree.

That XOR scramble patch has been pretty much disputed - folks that do this stuff every day, they're all pretty much in agreement - don't mess with crypto...

Nice thing with GCM, is that it's a single code path for the control and data planes, which is good, less context switches - bit painful for some, but better in the long run...

Not saying it's perfect...