TLS-Crypt-V2 on open vpn

[libea18]

Hi, I'm an amateur and want to install TLS-Crypt-V2 on my config First I installed the script https://github.com/angristan/openvpn-install and found that the openvpn version is 2.4.4. Then download version 2.5 from https://github-wiki-see.page/m/SRingler98/how2guides/wiki/How-to-install-and-compile-openvpn-version-2.5.2-on-Ubuntu-20.04 . I installed 02 and then ran the angristan script and ran the configuration I wanted based on --tls-crypt. But I have no other idea to implement TLS-Crypt-V2 I am in Iran and there is severe filtering. I need this Information I have:

root @ ubuntu-8gb-fsn1-2: / etc / openvpn / easy-rsa # openvpn --version OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH / PKTINFO] [AEAD] Built on 6 April 2022 Library Versions: OpenSSL 1.1.1 September 11, 2018, LZO 2.08 Originally developed by James Greece Copyright (C) 2002-2018 OpenVPN Inc sales@openvpn.net Compile definition of time: enable_async_push = no Enable_Comp_Stub = no Enable_Crypto_Ofb_Cfb = Yes Enable_Debug = Yes Enable_Def_Auth = Yes enable_dlopen = enable_dlopen_self unknown = Enable_Dlopen_Self_Static unknown = Unknown enable2 enable yes enable_ yes_2 = Yes Enable_Pam_Dlopen = no Enable_Pedantic = no Enable_Pf = Yes Enable_Pkcs11 = no Enable_Plugin_Auth_Pam = yes enable_plugin_down_root = yes enable_plugins = yes enable_port_share = yes enable_selinux = no enable_shared = no enable_shared = yes enable_shared_wm_st active yes good enable enable_s enable_werror = no enable_win32dll = no enable_x509_altIXname with_n

If you can tell me the right script so I can go step by step, thank you for helping me go step by step. If necessary, I will give you money to give me enough training to do the job. You can also send me an email if you want eroxs1818@gmail.com

[TinCanTech]

The script is written for amateurs .. have a go.

[libea18]

well i have ubuntu 18.04 and use angristan script at first i should start which one ? https://github.com/TinCanTech/easy-tls/wiki#getting-started . Iran is severely censored and I want to make a config and send it to my family and friends.

[TinCanTech]

well,

if you want me to beat the Iranian censorship then this is going to cost you more than you expect.

[libea18]

I just want to be able to implement the TLS-Crypt-V2 configuration on my own open vpn config I do not want anything more

[TinCanTech]

Go ahead .. try easytls.

[libea18]

results :

root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa# ./easytls

Easy-TLS usage and overview

USAGE: easytls [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, use:
  ./easytls help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easytls help options

For a list of abbreviated command names, use:
  ./easytls help abb

For a list of configurable options, use:
  ./easytls help config

Here is the list of commands available with a short syntax reminder.
Use the 'help' command above to get full usage details.

  build     :Inter-active menu to build TLS keys
  inline    :Inter-active menu to build Inline files
  remove    :Inter-active menu to remove TLS keys and Inline files
  script    :Inter-active menu to configure Server scripts
  selfsign  :Inter-active menu to build and inline self-signed certificates

  init   | init-tls <hash_algorithm> no-ca
  cf     | config
         |
  sss    | self-sign-server <server_filename_base> (No-CA mode only)
  ssc    | self-sign-client <client_filename_base> (No-CA mode only)
         |
  bta    | build-tls-auth
  btc    | build-tls-crypt
  bc2s   | build-tls-crypt-v2-server <server_common_name>
  bc2c   | build-tls-crypt-v2-client
         |     <server_common_name> <client_common_name> <HW-ADDR> <IP-ADDR>
         |
  ita    | inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
  itc    | inline-tls-crypt <filename_base> [ cmd-opts ]
  ic2    | inline-tls-crypt-v2 <filename_base> [ cmd-opts ]
         |
  bc2gc  | build-tls-crypt-v2-group-client
         |     <server_common_name> <client_group_name> <HW-ADDR> <IP-ADDR>
  ic2gc  | inline-tls-crypt-v2-group-client
         |     <client_common_name> <client_group_name> [ cmd-opts ]
         |
  s      | status [ cmd-opts ]
  rk     | remove-tlskey <client_filename_base>
  rgk    | remove-group-tlskey <client_filename_base> <Group-Name>
  ri     | remove-inline <filename_base>
  rgi    | remove-group-inline <Client-Name> <Group-Name>
  is     | inline-show <filename_base>
         | inline-index-rebuild
  ix     | inline-expire <filename_base>
  cx     | cert-expire <filename_base> | <ca>
  d      | disable <filename_base> (Or display the current disabled list)
  e      | enable <filename_base> (Or display the current disabled list)
         | disabled-list-rehash
  sid    | save-id
  ver    | version
         | upgrade

Easy-TLS also has a useful Howto and wiki with expanded help and examples:
* https://github.com/TinCanTech/easy-tls/blob/master/easytls-howto-ii.md
* https://github.com/TinCanTech/easy-tls/wiki

DIRECTORY STATUS (commands would take effect on these locations)
  EASYTLS: /etc/openvpn/easy-rsa
      PKI: /etc/openvpn/easy-rsa/pki
      TLS: /etc/openvpn/easy-rsa/pki/easytls

root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa#

[TinCanTech]

LGTM

[libea18]

next step is ?

[libea18]

To cancel this inter-active menu at any time, press Control-C

• First, you MUST enter your Server commonName.

• This field only requires the certificate commonName, it does not require the complete file name.

  Enter the commonName of your Server certificate: server_DTm1qBrtMuSG7P3T

here must enter "server name".key "server name".cert that openvpn created in /etc/openvpn/ ?

---

To cancel this inter-active menu at any time, press Control-C

• Now, enter your Client commonName.

• This field only requires the certificate commonName, it does not require the complete file name.

  Enter the commonName of your Client certificate:

and here must enter which name ? is "name.ovpn" name ?

• Configure a custom group.

  You can configure a single Custom-Group like so:

  $ ./easytls config custom.group NAME

  If you want to configure a Custom-Group now then quit this menu.

  If you have configured your Custom-Group or do not require a Custom-Group then leave this field blank.

  • Your current Custom-Group is:

  Enter your Custom-Group or leave this blank to continue:

====================

To cancel this inter-active menu at any time, press Control-C

• Each X509 Client certificate can have multiple TLS-Crypt-V2 keys, these keys are referred to as Sub-keys. Each Sub-key is used in a separate inline file with the same X509 Client certificate.

  Enter the Sub-key Name for your key or leave blank to continue:

====================

To cancel this inter-active menu at any time, press Control-C

• You can lock this key to specific filter-addresses.

  Hardware-addresses can be in the form of:

  • 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  IP-addresses can be in the form of:

  • IPv4 CIDR - eg: 1.2.0.0/16, 1.2.3.0/24 or 1.2.3.4/32
  • IPv6 CIDR - eg: 2000:1:2:3::/64 or 2000:1:2:3:4:5:6:7/128 Ranges are in the first forms above. If you want to lock to a specific IP address (Not recommended) then you must use a host mask:
  • 1.2.3.4/32(v4) or 2000:1:2:3:4:5:6:7/128(v6)

  This field can contain any mixture of valid filter-addresses, however, each filter-address MUST be entered individually.

  Enter a single filter-address or leave blank to continue:

====================

• Easy-TLS command:

  • ./easytls build-tls-crypt-v2-client server_DTm1qBrtMuSG7P3T 1

====================

TLS crypt v2 client key created: /etc/openvpn/easy-rsa/pki/easytls/1-tls-crypt-v2.key

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to build a corresponding inline-file ?

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you have the private key for this X509 certificate ?

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to include the client metadata in the inline file ?

  The metadata does not contain any security sensitive data but you may prefer to omit it.

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to include the hardware addresses in the client metadata ?

  • Default: N

  Enter (y)es or (n)o: n

====================

• Easy-TLS command:

  • ./easytls inline-tls-crypt-v2 1

====================

Inline TLS crypt v2 client file created: /etc/openvpn/easy-rsa/pki/easytls/1.inline

missing error_log Error: Master save hash must only run once

Easy-TLS 2.8.0 (0) root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa#

and see Error in the end

[TinCanTech]

Nice error. I will have figure out what is going wrong.

[libea18]

I have hetzner server I can give you access for test your project if you want🙏🏼

[libea18]

also when i enter ./easytls-cryptv2-verify.sh :

Easy-TLS version: 2.8.0 ERROR: Path to CA directory is required, see help root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa#

[libea18]

./easytls build:

i start with * Available TLS-key types:

[1] TLS-Auth key - Legacy HMAC pre-shared key [2] TLS-Crypt-V1 key - Basic TLS-crypt-v1 pre-shared key [3] TLS-Crypt-V2 key for Server - Advanced TLS-Crypt-v2 Server key [4] TLS-Crypt-V2 key for Client - Advanced TLS-Crypt-v2 Client key [5] TLS-Crypt-V2 GROUP Client key - Advanced TLS-Crypt-v2 GROUP Client key

Select the type of TLS-key to build: 3

• Build TLS-Crypt-V2 key for Server

====================

To cancel this inter-active menu at any time, press Control-C

• This field only requires the certificate commonName, it does not require the complete file name.

  Enter the commonName of your Server certificate: server_NZBaXbaOaOFOyJNV

====================

• Easy-TLS command:

  • ./easytls build-tls-crypt-v2-server server_NZBaXbaOaOFOyJNV

====================

TLS crypt v2 server key created: ./pki/easytls/server_NZBaXbaOaOFOyJNV-tls-crypt-v2.key

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to build a corresponding inline-file ?

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you have the private key for this X509 certificate ?

  • Default: Y

  Enter (y)es or (n)o: n

====================

To cancel this inter-active menu at any time, press Control-C

• No Diffie-Hellman parameters file was found!

  If you need to use a custom Diffie-Hellman parameters file then enter the file location and name.

  Otherwise, quit this menu and use Easy-RSA to create your Diffie-Hellman parameters file.

  If you leave this blank then the Diffie-Hellman parameters file will NOT be add to the inline-file.

  • Default: none

  Enter the DH file name:

====================

• Easy-TLS command:

  • ./easytls inline-tls-crypt-v2 server_NZBaXbaOaOFOyJNV no-key

====================

Inline TLS crypt v2 server file created: ./pki/easytls/server_NZBaXbaOaOFOyJNV.inline

missing error_log Error: Master save hash must only run once

Easy-TLS 2.8.0 (0)

root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls build EASYTLS_PKI: ./pki/easytls EASYTLS_FASTER_HASH: ./pki/easytls/data/easytls-faster.hash gen'd:c0b24040445d19c16becab643681833b37ba7f0d917bf56194691a7e7f6e8640 <==> saved:951f65ff7446a190f66f2b7 56c224ebed44879ce7c352385084677de5cec98a9 TIP: Use './easytls rehash' to correct this hash.

ERROR: verify_master_hash - match_two_hashes

Error: verify_master_hash

Easy-TLS 2.8.0 (0) root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls rehash

Rehash completed successfully.

i leaved those field blank because i didnt had any idea about that . ( Enter the DH file name )

root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder Menu.

====================

To cancel this inter-active menu at any time, press Control-C

• Available TLS-key types:

  [1] TLS-Auth key - Legacy HMAC pre-shared key [2] TLS-Crypt-V1 key - Basic TLS-crypt-v1 pre-shared key [3] TLS-Crypt-V2 key for Server - Advanced TLS-Crypt-v2 Server key [4] TLS-Crypt-V2 key for Client - Advanced TLS-Crypt-v2 Client key [5] TLS-Crypt-V2 GROUP Client key - Advanced TLS-Crypt-v2 GROUP Client key

  Select the type of TLS-key to build: 4

• Build TLS-Crypt-V2 key for Client

====================

To cancel this inter-active menu at any time, press Control-C

• First, you MUST enter your Server commonName.

• This field only requires the certificate commonName, it does not require the complete file name.

  Enter the commonName of your Server certificate: server_NZBaXbaOaOFOyJNV

====================

To cancel this inter-active menu at any time, press Control-C

• Now, enter your Client commonName.

• This field only requires the certificate commonName, it does not require the complete file name.

  Enter the commonName of your Client certificate: 1

====================

To cancel this inter-active menu at any time, press Control-C

• Configure a custom group.

  You can configure a single Custom-Group like so:

  $ ./easytls config custom.group NAME

  If you want to configure a Custom-Group now then quit this menu.

  If you have configured your Custom-Group or do not require a Custom-Group then leave this field blank.

  • Your current Custom-Group is:

  Enter your Custom-Group or leave this blank to continue:

====================

To cancel this inter-active menu at any time, press Control-C

• Each X509 Client certificate can have multiple TLS-Crypt-V2 keys, these keys are referred to as Sub-keys. Each Sub-key is used in a separate inline file with the same X509 Client certificate.

  Enter the Sub-key Name for your key or leave blank to continue:

====================

To cancel this inter-active menu at any time, press Control-C

• You can lock this key to specific filter-addresses.

  Hardware-addresses can be in the form of:

  • 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  IP-addresses can be in the form of:

  • IPv4 CIDR - eg: 1.2.0.0/16, 1.2.3.0/24 or 1.2.3.4/32
  • IPv6 CIDR - eg: 2000:1:2:3::/64 or 2000:1:2:3:4:5:6:7/128 Ranges are in the first forms above. If you want to lock to a specific IP address (Not recommended) then you must use a host mask:
  • 1.2.3.4/32(v4) or 2000:1:2:3:4:5:6:7/128(v6)

  This field can contain any mixture of valid filter-addresses, however, each filter-address MUST be entered individually.

  Enter a single filter-address or leave blank to continue:

====================

• Easy-TLS command:

  • ./easytls build-tls-crypt-v2-client server_NZBaXbaOaOFOyJNV 1

====================

TLS crypt v2 client key created: ./pki/easytls/1-tls-crypt-v2.key

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to build a corresponding inline-file ?

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you have the private key for this X509 certificate ?

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to include the client metadata in the inline file ?

  The metadata does not contain any security sensitive data but you may prefer to omit it.

  • Default: Y

  Enter (y)es or (n)o: y

====================

To cancel this inter-active menu at any time, press Control-C

• Do you want to include the hardware addresses in the client metadata ?

  • Default: N

  Enter (y)es or (n)o: n

====================

• Easy-TLS command:

  • ./easytls inline-tls-crypt-v2 1

====================

Inline TLS crypt v2 client file created: ./pki/easytls/1.inline

missing error_log Error: Master save hash must only run once

Easy-TLS 2.8.0 (0)

root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls rehash

Rehash completed successfully.

root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ls ChangeLog dh.pem easytls easytls-conntrac.lib gpl-2.0.txt openssl-easyrsa.cnf README.quickstart.md vars COPYING.md doc easytls-client-connect.sh easytls-cryptv2-verify.sh LICENSE pki SERVER_CN_GENERATED vars.example dev easyrsa easytls-client-disconnect.sh examples mktemp.txt README.md SERVER_NAME_GENERATED x509-types

root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ls /etc/openvpn/easy-rsa/pki/issued/ 1.crt server_NZBaXbaOaOFOyJNV.crt

i leaved those field blank because i didnt had any idea about that ( single filter-address , Custom-Group , Sub-key Name ) and about client name, i must enter that name i have client .ovpn next step ?

[TinCanTech]

@libea18 I have just patched easytls

This should get rid of some of the errors you are seeing. Please try again.

And thanks for your help testing :-)

[libea18]

i will test but i have question i run https://github.com/angristan/openvpn-install script with tls-cryptv1 No problem implementing? ovpnvpn is enable with that script i paste all easy-tls-master files in /etc/openvpn/easy-rsa/ . is right ?

[TinCanTech]

@libea18 spend some time reading the help, it is quite useful.

The very first line of README.md shows you exactly what you need.

[libea18]

i see : Error log: ERROR: verify_tls_init fail Easy-TLS has not been initialised.

Error: main - verify_tls_init

Easy-TLS 2.8.0 (0)

[tkmw1985]

i see : Error log: ERROR: verify_tls_init fail Easy-TLS has not been initialised.

Error: main - verify_tls_init

Easy-TLS 2.8.0 (0)

I can help you if u want

[libea18]

i see : Error log: ERROR: verify_tls_init fail Easy-TLS has not been initialised. Error: main - verify_tls_init Easy-TLS 2.8.0 (0)

I can help you if u want

well ?

[tkmw1985]

what exactly do you need ?

[tkmw1985]

openvp +xor patch+obfsproxy+tls-crypt-v2 is it enough to beat iranian censor ?

[libea18]

i need use tls-cryptv2 on my ovpn config

[tkmw1985]

i can make it for if give me access to ur server

[libea18]

please send me message: eroxs1818@gmail.com

[tkmw1985]

ok a little bit later ! ok ?

[libea18]

ok

[TinCanTech]

Closed via https://github.com/TinCanTech/easy-tls/commit/705b5e57cf71cca129136e3949543d49d6c7f010