OpenVPN tls-crypt not working

Hello,

In the last version of OpenVPN, 2.4.0, the tls-crypt functionality was added, which adds encryption to the control channel and adds more security for the user.

I'm using a LEDE build from the built script in this post (Build for TP-Link TL-WR841N(D) [all versions]) and I can confirm that the tls-crypt functionality is not working.

When I enable it on both the server (Ubuntu Linux) and the client (LEDE Reboot SNAPSHOT r2815), the client doesn't apply the 'option tls_crypt' option in the OpenVPN client configuration.

I've tried it with the Android app and a windows client and it works perfectly, so I guess it must be a LEDE code problem.

If you need any help testing I'll gladly help.

Thank you very much and keep up with the good work!

Apparently the updates to the OpenVPN init script got lost between the initial 2.4_rc1 patch [1] and the final 2.4.0 version, so LEDE doesn't apply any of the new options introduced, like tls-crypt. I've prepared a patch to fix this, you can wait for that to be considered and the OpenVPN packages to be rebuilt, or try editing /etc/init.d/openvpn and adding the options as was done in the 2.4_rc1 patch (look at changes to openvpn.init).

  1. https://patchwork.ozlabs.org/patch/704655/
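The reply above describes the mechanism behind the symptom: the LEDE init script only translates UCI options it knows about into OpenVPN directives, so an option that never made it into its list (tls_crypt, in the 2.4.0 package) is dropped without any error. The following POSIX sh script is an added example written for this thread, not LEDE's actual /etc/init.d/openvpn. It models that filtering step with a constructed UCI client section and two option lists, one standing in for the 2.4.0 package and one for the state after the 2.4_rc1 changes are reapplied; the option names, the key path and the remote are assumed for illustration.

```shell
#!/bin/sh
# Added example (not LEDE's init script): a minimal model of how a UCI-driven
# init script turns "option name 'value'" lines into OpenVPN directives, and
# why an option missing from its list vanishes silently.

# Option names the modelled init script knows. OPTS_OLD stands in for the 2.4.0
# package (tls_crypt missing); OPTS_FIXED for the script with the 2.4_rc1
# additions reapplied. Both lists are assumptions, not LEDE's real list.
OPTS_OLD="ca cert key dev proto client cipher auth tls_auth remote port"
OPTS_FIXED="$OPTS_OLD tls_crypt ncp_ciphers"

# Constructed client section in UCI form (paths and remote are made up).
SAMPLE_SECTION="option client '1'
option dev 'tun'
option proto 'udp'
option remote 'vpn.example.net 1194'
option cipher 'AES-256-GCM'
option tls_crypt '/etc/openvpn/tc.key'"

# is_known NAME LIST -> exit 0 if NAME appears in the space-separated LIST
is_known() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_config LIST: read UCI-style lines from stdin and emit one OpenVPN
# directive per known option (underscore -> dash, quotes stripped). Unknown
# options are only reported on stderr, which is the behaviour that made
# tls-crypt disappear from the generated config.
render_config() {
    known=$1
    while read -r kw name value; do
        [ "$kw" = "option" ] || continue
        value=${value#\'}
        value=${value%\'}
        if is_known "$name" "$known"; then
            printf '%s %s\n' "$(printf '%s' "$name" | tr '_' '-')" "$value"
        else
            printf 'ignored unknown option: %s\n' "$name" >&2
        fi
    done
}

# rendered_line_count LIST -> number of directives produced for SAMPLE_SECTION
rendered_line_count() {
    printf '%s\n' "$SAMPLE_SECTION" | render_config "$1" 2>/dev/null | grep -c .
}

# has_tls_crypt LIST -> exit 0 if the rendered config carries a tls-crypt line.
# This is the check to run against a router's generated config: if the line
# is absent, the control channel is not wrapped at all.
has_tls_crypt() {
    printf '%s\n' "$SAMPLE_SECTION" | render_config "$1" 2>/dev/null \
        | grep -q '^tls-crypt '
}

# Stand-alone demonstration.
if has_tls_crypt "$OPTS_OLD"; then
    echo "old init script: tls-crypt applied"
else
    echo "old init script: tls-crypt silently dropped"
fi
if has_tls_crypt "$OPTS_FIXED"; then
    echo "patched init script: tls-crypt applied"
fi
```

On a real router the equivalent check is to look at the config the init script actually hands to OpenVPN (or at `ps` output for the running instance) and confirm a `tls-crypt` directive is present; a client that only logs a normal TLS handshake without the wrapping is the same silent failure this model shows.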

Thank you very much!
My knowledge is pretty limited so I'll wait till the OpenVPN packages are rebuilt.
How can I know when it's applied?
Thanks

You can follow the Git changelog [1], and look for my patch [2] (or something similar, if it needs reworking). Once it has been applied to master, buildbot will include the fix the next time the OpenVPN packages are built. Note that it probably won't be included in the first 17.01 test build, so you may have to stick to snapshots for now (which I suppose you are already using).

  1. https://git.lede-project.org/?p=source.git;a=summary
  2. https://patchwork.ozlabs.org/patch/715955/

Hi makro,

I'm also desperately waiting for the fix.

I already upgraded all my clients (Windows/Android/Linux) to use AES-256-GCM and tls-crypt,
but on LEDE it just doesn't work. The tls-crypt is ignored.

Since I would love to deploy all routers on their physical locations with a fully working openvpn 2.4.0
I really hope someone who knows how to fix it will do it any time soon.

I checked the gitlog but thus far no one committed a fix.

Since I didn't know how to apply the patch from Makro manually, he explained to me how to do it. Here's a copy:

  1. cd /path/to/your/lede/git/tree
  2. wget -O openvpn.init.patch http://patchwork.ozlabs.org/patch/715955/mbox/
  3. git am openvpn.init.patch
  4. make clean && make

tls-crypt works now on my end.

A big thank you to Makro, especially for explaining how easily we can apply patches to packages in our local git!

I can see now that the patch has been included in git, so there is no need to apply it to the sources anymore. Thanks a lot Magnus!


Did this get broken on IPv6? It works on IPv4 but not on IPv6. Strange, huh?

Or maybe some MTU values must be changed for IPv6?

I get a connection error with ExpressVpn, help me.

```
config openvpn 'Express'
option client '1'
option proto 'udp'
option dev 'tun0'
option tun_mtu '1500'
option tun_mtu_extra '32'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
# closing quote was missing here, which makes UCI reject the line
option tls_auth '/etc/openvpn/ta.key 1'
option ca '/etc/openvpn/ca2.crt'
option auth_user_pass '/etc/openvpn/pass.txt'
option remote_cert_tls 'server'
option verify_x509_name 'Server name-prefix'
option tls_version_min '1.2'
option persist_key '1'
option persist_tun '1'
option nobind '1'
option float '1'
option resolv_retry 'infinite'
# option status '/etc/openvpn/status 5'
option log '/etc/openvpn/log'
option comp_lzo 'yes'
option auth 'SHA512'
option sndbuf '524288'
option rcvbuf '524288'
option tls_client '1'
option ns_cert_type 'server'
option keysize '256'
option tls_exit '1'
option route_delay '2'
option fast_io '1'
option key_direction '1'
option enabled '1'
option ifconfig_nowarn '1'
list remote 'hongkong4-ca-version-2.expressnetw.com'
# option rport '1194'
option port '1195'
option cipher 'AES-256-CBC'
# note: tls_cipher takes TLS cipher-suite names (e.g. the TLS-ECDHE-... form),
# not a data-channel cipher name like the one used for 'cipher' above
option tls_cipher 'AES-256-CBC'
option tls_timeout '2'
option verb '3'
# option lport '1195'
```

Hi,
Is there a solution for that issue if one doesn't want to rebuild LEDE/OpenWrt from sources? I have the latest stable version with OpenVPN 2.4.5 and am getting this error:
```
Thu Feb 7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: tls-crypt unwrap error: packet too short
Thu Feb 7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: TLS Error: tls-crypt unwrapping failed from [AF_
```