Openvpn tls-crypt unwrap error

@AZNBCDDW Please post your full client config.

Please disregard prior text, as I missed the "Security Considerations" section under --tls-crypt on the man page

What should I specifically enter where?
I already tried
tls-crypt [path]\my-client.key (in the client config)
and got this error:
Key file ('[path]\my-client.key') can be a maximum of 2048 bytes

Use the how-to to generate the correct client configs:

First, I get a connection now! Insofar, the problem is solved. Many thanks!

But there are still some questions left:

  1. At the client I get the following message:
    WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this

  2. I need several TUN and several TAP connections. How can I do that best?

  3. I would like to be asked on the mobile device (client) for an additional password when connecting. Can one configure that? The target is that not all the data you need to build the VPN is stored on the mobile device.

For info to the developers:

The script does not work with "sh -e -v -x /tmp/create-ovpn.sh". No ovpn file was generated and a large amount of garbage appeared on the screen.

That's how it went:
cd /tmp
chmod +x create-ovpn.sh
./create-ovpn.sh

The current IP, not a DDNS name, was entered in the ovpn file (note: I have multiple DDNS names).

Now I tried to add a second VPN in LuCI.

No matter if I click add or save, no new VPN will be created.

Is that a mistake in LuCI or am I doing something wrong?

That's not garbage, but information for debugging/troubleshooting.
I've updated the script in the guide; it should be more fault tolerant now.

I've added auth-nocache to the script to fix the warning message.

It depends on differences in firewall zone policies and whether you need to run those VPN connections simultaneously or not.
In the general case you need to change at least every vpnserver to vpnserverN, and run the scripts again.

Package luci-app-openvpn is temporarily bugged:

Since I have little experience with OpenWrt: how can I get this update without breaking my OpenWrt?

How long do I have to wait until the update comes via "opkg update"?

You'd better ask @dibdot.

Generally speaking, it's better to manage and configure OpenVPN via SSH, and not through LuCI, as the OpenVPN LuCI app is ridiculously convoluted and extremely inefficient to utilize. I always recommend installing it, but only utilizing it for a status check from LuCI.

  • luci-app-openvpn has been in need of a rewrite for years, as it really should either just have the most common options as check boxes, with a code box for any additional options, or just a code box with a link to the OpenVPN man page.

You'll encrypt the client key. If using an Android device, the client key must always be encrypted, as Android has a non-customizable 771 permission structure for its internal storage due to exFAT.


Thanks a lot for all the answers. Unfortunately, I have now lost a bit of the overview and will come back later to the other questions.

There is still a very fundamental problem. Although it is possible to set up the VPN and I can ping the router of the destination network, it is not possible to ping a client in the destination network.

Before the connection is established, ipconfig shows the following on the Windows client: IP 192.168.8.189/24, GW 192.168.8.1, after the connection is established the IP 192.168.200.2/24 but no further gateway is added.

My idea was that the password is stored on the server. This would mean that you cannot build the VPN with the files on the client alone. Is that possible?

The not so good alternative I'm using so far is to encrypt the files on the client.

Okay, I see that luci-app-openvpn is not a way to set it up. Too bad, it had looked very simple.

  1. Please make the following changes:
    • Server
      • proto tcp
      • verb 5
    • Client
      • proto tcp
      • verb 7

  2. Restart the OpenVPN server: service openvpn restart
  3. Disconnect, then connect, client
    • Disconnect must be utilized in lieu of the Reconnect button, as Reconnect will not load any changes made to the config since the initial connection.

  4. Attempt to ping device in the destination network, and once the ping fails, please post:
    • Server Log: logread -l 50 -e openvpn
    • Client Log: Right click on OpenVPN tray icon → View Log

    • Ensure you remove your WAN IP, DDNS, and port number

OpenVPN can be configured to accept a user name and password for login, however I'm not entirely sure of how to configure OpenVPN to do so, and even with a username/password login, the client key should still be encrypted.

The only private portion of the client files is the client key, however the Basic wiki is using -nodes for the client key, which prevents the key from being encrypted. To encrypt a key that was created without encryption:

  • openssl rsa -aes256 -in my-client.key -out my-client.key
    • Once the new key is encrypted, open the key in a text editor (Notepad, Atom, etc.), copy the contents, then paste them into the client ovpn between <key> and </key>
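Added example (not from the thread or the wiki): a POSIX shell lint a defender can run over a generated client .ovpn before copying it to a device. It checks the three points raised in this thread: that tls-crypt carries an OpenVPN static key rather than the client's TLS key (pointing it at my-client.key is what produced the "maximum of 2048 bytes" error above), that the inline key is passphrase-encrypted, and that auth-nocache is set. File names and the checks are assumptions; no real config is read.

```shell
#!/bin/sh
# Added example (not from the thread): lint a client .ovpn before it goes onto a device.
# Returns 0 when all three checks pass, 1 otherwise, printing one line per finding.
#   1. tls-crypt must carry the OpenVPN static key (tc.psk), not the client's TLS key
#      (pointing it at my-client.key is what produced the "maximum of 2048 bytes" error)
#   2. the inline <key> block should be passphrase-encrypted (openssl rsa -aes256 ...)
#   3. auth-nocache should be present so the password is not cached in memory

# Print the body of an inline <tag> ... </tag> section of the config.
inline_block() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1"
}

check_ovpn() {
    f="$1"; rc=0
    # Check 1: an inline <tls-crypt> block must be an OpenVPN static key.
    # A file path (tls-crypt /path/tc.psk) is accepted as-is; we cannot inspect the device file here.
    if grep -q '^<tls-crypt>' "$f"; then
        inline_block "$f" tls-crypt | grep -q 'BEGIN OpenVPN Static key V1' \
            || { echo "$f: <tls-crypt> block is not an OpenVPN static key"; rc=1; }
    elif ! grep -q '^tls-crypt ' "$f"; then
        echo "$f: no tls-crypt directive"; rc=1
    fi
    # Check 2: the inline private key must be encrypted.
    # PKCS#8 encrypted keys read "BEGIN ENCRYPTED PRIVATE KEY"; legacy PEM uses a Proc-Type header.
    if inline_block "$f" key | grep -q 'BEGIN .*PRIVATE KEY'; then
        inline_block "$f" key | grep -Eq 'BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED' \
            || { echo "$f: client key is stored unencrypted"; rc=1; }
    else
        echo "$f: no inline <key> block"; rc=1
    fi
    # Check 3: auth-nocache silences the "may cache passwords in memory" warning.
    grep -q '^auth-nocache' "$f" \
        || { echo "$f: auth-nocache missing (password may be cached in memory)"; rc=1; }
    return $rc
}

# Usage: sh check-ovpn.sh my-client.ovpn
if [ $# -gt 0 ]; then check_ovpn "$1"; fi
```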

That looks like a routing/firewall problem.

Earlier in this topic, I posted the configuration. Can someone recognize a problem?

It requires additional client side diagnostics at least.

@windows-client:

ipconfig /all & route print

OpenVPN is very hard work for me. Now I have found a mistake: on the clients in the target network, the OpenWrt router was not registered as the gateway. Sorry for my stupid question and thanks for the persistent support!

I now have a routed VPN. Excellent!

But there are two more steps to take. (I will discuss a third later)

Point 1) I need several routed VPNs. My idea is to copy all entries in /etc/config/openvpn and make the following changes:

  1. the name
  2. option tls_crypt '/etc/openvpn/tc.psk'
  3. option dh '/etc/openvpn/dh.pem'
  4. option ca '/etc/openvpn/ca.crt'
  5. option cert '/etc/openvpn/my-server.crt'
  6. option key '/etc/openvpn/my-server.key'

Presumably I must not / may not change everything. Doesn't option ca have to stay? And how can I generate the new certificates and keys?

Point 2) If I'm on a network with a notebook that has the same address as my destination network, a routed VPN will not work. So I still need (several) bridged VPNs; how can I adjust it?

What are you planning to achieve?
Do you understand that a single VPN server instance with topology subnet can handle multiple clients?

Either resolve the conflict changing your IPv4-network, or use IPv6.

I would like to have several clients (three notebooks, two mobile phones) with different secrets (certificates or keys). If a secret is compromised, I can selectively block access without having to touch the other clients. In addition, you can see which device has built a VPN.

Unfortunately, I still do not understand openvpn in its depth.

If I'm a guest in a foreign network (hotel), I cannot influence the network address. IPv6 is another foreign world for me (in addition to OpenVPN). What speaks against a bridged VPN? In addition, a bridged VPN may also become necessary for other reasons, e.g. for broadcasting.