
tls-crypt-v2

Open joksik opened this issue 2 years ago • 5 comments

Hello, I use your script and I love that by default it uses the more secure tls-crypt instead of tls-auth, but what about using tls-crypt-v2? Can you also add this feature to the script? For example, add a new choice, number 3) tls-crypt-v2. I read that tls-crypt-v2 is more secure than the old tls-crypt, so I think it would be a good step to add this feature. I don't know how to correct your script to add new options, but from the command line this works:

generate the tls-crypt-v2 server key:

```
openvpn --genkey tls-crypt-v2-server tls-crypt-v2.key
```

generate a tls-crypt-v2 client key:

```
openvpn --tls-crypt-v2 tls-crypt-v2.key --genkey tls-crypt-v2-client client-v2.key
```

joksik avatar Mar 15 '22 17:03 joksik

Hello @joksik,

I'm also looking for it. If your script works, please share the script with us.

Angu0083 avatar Jun 08 '22 23:06 Angu0083

Ok, sorry for the late response, but I finally figured it out. So after installing with this script with the tls-crypt function (it's the default choice) you must:

  1. Generate the server key for tls-crypt-v2. In my example I will use the file name tls-crypt-v2.key and create a new directory where I will keep all generated client v2 keys:

```
cd /etc/openvpn
openvpn --genkey tls-crypt-v2-server tls-crypt-v2.key
mkdir keys-v2
```

  2. Change a few lines in the script. First you must find this function:

```
case $TLS_SIG in
	1)
		echo "<tls-crypt>"
		cat /etc/openvpn/tls-crypt.key
		echo "</tls-crypt>"
		;;
```

and change this function to:

```
case $TLS_SIG in
	1)
		# generate a per-client key wrapped with the server tls-crypt-v2 key
		openvpn --tls-crypt-v2 /etc/openvpn/tls-crypt-v2.key --genkey tls-crypt-v2-client "/etc/openvpn/keys-v2/$CLIENT.key"
		# inline it into the client .ovpn in place of the old <tls-crypt> block
		echo "<tls-crypt-v2>"
		cat "/etc/openvpn/keys-v2/$CLIENT.key"
		echo "</tls-crypt-v2>"
		;;
```

After that, when you run the script and choose to add a new user, a private tls-crypt-v2 key with the user's name will be created in the directory /etc/openvpn/keys-v2, and this key will be added to the .ovpn certificate in the /home directory.

Remember to change /etc/openvpn/server.conf to use the new server tls-crypt-v2.key, so find these lines in server.conf:

```
<tls-crypt>
</tls-crypt>
```

and change them to:

```
<tls-crypt-v2>
paste your /etc/openvpn/tls-crypt-v2.key
</tls-crypt-v2>
```

and restart the OpenVPN service.

Maybe in the future, when I have time, I will send a request with the change to add tls-crypt-v2 support selectable during the script installation as the third option.

joksik avatar Sep 22 '22 18:09 joksik
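As an added example that is not part of the openvpn-install script or of joksik's patch, the procedure above as shell functions: the server key, a per-client key, the inline block for the .ovpn, a converter that swaps an existing `<tls-crypt>` block for the v2 one, and a check that both configs actually moved to tls-crypt-v2 (the step the comment says to remember). Paths follow the thread; the function names and the name validation are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the openvpn-install script: the steps from the
# comment above as shell functions, plus a consistency check for the configs.
# Paths follow the thread; function names and the name check are assumptions.
set -eu

SERVER_KEY="${SERVER_KEY:-/etc/openvpn/tls-crypt-v2.key}"
CLIENT_KEY_DIR="${CLIENT_KEY_DIR:-/etc/openvpn/keys-v2}"

# One-time: create the server key (tls-crypt-v2 needs OpenVPN 2.5 or newer).
gen_server_key() {
    [ -s "$SERVER_KEY" ] && return 0
    mkdir -p "$(dirname "$SERVER_KEY")" "$CLIENT_KEY_DIR"
    openvpn --genkey tls-crypt-v2-server "$SERVER_KEY"
    chmod 600 "$SERVER_KEY"
}

# Per client: derive a client key wrapped with the server key. The name is
# used as a file name, so only allow the characters the installer allows.
gen_client_key() {
    client="$1"
    case "$client" in ""|*[!A-Za-z0-9_-]*) echo "bad client name: $client" >&2; return 1;; esac
    openvpn --tls-crypt-v2 "$SERVER_KEY" --genkey tls-crypt-v2-client "$CLIENT_KEY_DIR/$client.key"
}

# The inline block that replaces <tls-crypt> in the client .ovpn.
inline_block() {
    printf '<tls-crypt-v2>\n'
    cat "$1"
    printf '</tls-crypt-v2>\n'
}

# Swap the old inline <tls-crypt> block in an existing .ovpn for the v2 one.
convert_ovpn() {
    ovpn="$1"; keyfile="$2"
    { awk '/^<tls-crypt>$/{skip=1} !skip{print} /^<\/tls-crypt>$/{skip=0}' "$ovpn"
      inline_block "$keyfile"; } >"$ovpn.tmp" && mv "$ovpn.tmp" "$ovpn"
}

# A config is consistent when it has tls-crypt-v2 and no leftover tls-crypt or
# tls-auth; a v2 client against a server still on v1 never completes the handshake.
check_config() {
    conf="$1"
    grep -Eq '^(<tls-crypt-v2>|tls-crypt-v2[[:space:]])' "$conf" \
        || { echo "$conf: no tls-crypt-v2 directive" >&2; return 1; }
    if grep -Eq '^(<tls-crypt>|<tls-auth>|tls-crypt[[:space:]]|tls-auth[[:space:]])' "$conf"; then
        echo "$conf: still carries tls-crypt/tls-auth, remove it" >&2; return 1
    fi
}
```

Run `check_config` against both /etc/openvpn/server.conf and each generated .ovpn after the change; `gen_server_key` and `gen_client_key` need the openvpn binary, the other functions do not.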

Hello @joksik,

Thanks for fixing the major bug/vulnerability.

Angu0083 avatar Sep 22 '22 20:09 Angu0083

I have added tls-crypt-v2 as option 3 to the implementation in my fork of the repository here.

alinhayati avatar Jan 18 '23 01:01 alinhayati

> I have added tls-crypt-v2 as option 3 to the implementation in my fork of the repository here.

@alinhayati thank you so much, I've been searching for this for nearly 1 month. Before that I was using the official OpenVPN Access Server to get tls-crypt-v2, but it's limited to 2 connections only, but now it's not. Good job

johnay0 avatar Sep 18 '23 01:09 johnay0