Closed libea18 closed 2 years ago
The script is written for amateurs .. have a go.
Well, I have Ubuntu 18.04 and use the angristan script. Which one should I start with first? https://github.com/TinCanTech/easy-tls/wiki#getting-started . Iran is severely censored and I want to make a config and send it to my family and friends.
Well,
if you want me to beat the Iranian censorship then this is going to cost you more than you expect.
I just want to be able to implement the TLS-Crypt-V2 configuration on my own OpenVPN config. I do not want anything more.
Go ahead .. try easytls
Results:
root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa# ./easytls
Easy-TLS usage and overview
USAGE: easytls [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, use:
./easytls help COMMAND
For a listing of options that can be supplied before the command, use:
./easytls help options
For a list of abbreviated command names, use:
./easytls help abb
For a list of configurable options, use:
./easytls help config
Here is the list of commands available with a short syntax reminder.
Use the 'help' command above to get full usage details.
build :Inter-active menu to build TLS keys
inline :Inter-active menu to build Inline files
remove :Inter-active menu to remove TLS keys and Inline files
script :Inter-active menu to configure Server scripts
selfsign :Inter-active menu to build and inline self-signed certificates
init | init-tls <hash_algorithm> no-ca
cf | config
|
sss | self-sign-server <server_filename_base> (No-CA mode only)
ssc | self-sign-client <client_filename_base> (No-CA mode only)
|
bta | build-tls-auth
btc | build-tls-crypt
bc2s | build-tls-crypt-v2-server <server_common_name>
bc2c | build-tls-crypt-v2-client
| <server_common_name> <client_common_name> <HW-ADDR> <IP-ADDR>
|
ita | inline-tls-auth <filename_base> <key_direction> [ cmd-opts ]
itc | inline-tls-crypt <filename_base> [ cmd-opts ]
ic2 | inline-tls-crypt-v2 <filename_base> [ cmd-opts ]
|
bc2gc | build-tls-crypt-v2-group-client
| <server_common_name> <client_group_name> <HW-ADDR> <IP-ADDR>
ic2gc | inline-tls-crypt-v2-group-client
| <client_common_name> <client_group_name> [ cmd-opts ]
|
s | status [ cmd-opts ]
rk | remove-tlskey <client_filename_base>
rgk | remove-group-tlskey <client_filename_base> <Group-Name>
ri | remove-inline <filename_base>
rgi | remove-group-inline <Client-Name> <Group-Name>
is | inline-show <filename_base>
| inline-index-rebuild
ix | inline-expire <filename_base>
cx | cert-expire <filename_base> | <ca>
d | disable <filename_base> (Or display the current disabled list)
e | enable <filename_base> (Or display the current disabled list)
| disabled-list-rehash
sid | save-id
ver | version
| upgrade
Easy-TLS also has a useful Howto and wiki with expanded help and examples:
* https://github.com/TinCanTech/easy-tls/blob/master/easytls-howto-ii.md
* https://github.com/TinCanTech/easy-tls/wiki
DIRECTORY STATUS (commands would take effect on these locations)
EASYTLS: /etc/openvpn/easy-rsa
PKI: /etc/openvpn/easy-rsa/pki
TLS: /etc/openvpn/easy-rsa/pki/easytls
root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa#
LGTM
Next step is?
To cancel this inter-active menu at any time, press Control-C
First, you MUST enter your Server commonName.
This field only requires the certificate commonName, it does not require the complete file name.
Enter the commonName of your Server certificate: server_DTm1qBrtMuSG7P3T
Here I must enter the "server name".key and "server name".cert that OpenVPN created in /etc/openvpn/?
To cancel this inter-active menu at any time, press Control-C
Now, enter your Client commonName.
This field only requires the certificate commonName, it does not require the complete file name.
Enter the commonName of your Client certificate:
Configure a custom group.
You can configure a single Custom-Group like so:
$ ./easytls config custom.group NAME
If you want to configure a Custom-Group now then quit this menu.
If you have configured your Custom-Group or do not require a Custom-Group then leave this field blank.
Enter your Custom-Group or leave this blank to continue:
====================
To cancel this inter-active menu at any time, press Control-C
Each X509 Client certificate can have multiple TLS-Crypt-V2 keys, these keys are referred to as Sub-keys. Each Sub-key is used in a separate inline file with the same X509 Client certificate.
Enter the Sub-key Name for your key or leave blank to continue:
====================
To cancel this inter-active menu at any time, press Control-C
You can lock this key to specific filter-addresses.
Hardware-addresses can be in the form of:
IP-addresses can be in the form of:
This field can contain any mixture of valid filter-addresses, however, each filter-address MUST be entered individually.
Enter a single filter-address or leave blank to continue:
====================
Easy-TLS command:
====================
TLS crypt v2 client key created: /etc/openvpn/easy-rsa/pki/easytls/1-tls-crypt-v2.key
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to build a corresponding inline-file ?
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you have the private key for this X509 certificate ?
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to include the client metadata in the inline file ?
The metadata does not contain any security sensitive data but you may prefer to omit it.
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to include the hardware addresses in the client metadata ?
Enter (y)es or (n)o: n
====================
Easy-TLS command:
====================
Inline TLS crypt v2 client file created: /etc/openvpn/easy-rsa/pki/easytls/1.inline
missing error_log Error: Master save hash must only run once
Easy-TLS 2.8.0 (0) root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa#
and I see an error at the end
Nice error. I will have to figure out what is going wrong.
I have a Hetzner server; I can give you access to test your project if you want 🙏🏼
Also, when I enter ./easytls-cryptv2-verify.sh:
Easy-TLS version: 2.8.0
ERROR: Path to CA directory is required, see help
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa#
./easytls build:
I start with:
Available TLS-key types:
[1] TLS-Auth key - Legacy HMAC pre-shared key
[2] TLS-Crypt-V1 key - Basic TLS-crypt-v1 pre-shared key
[3] TLS-Crypt-V2 key for Server - Advanced TLS-Crypt-v2 Server key
[4] TLS-Crypt-V2 key for Client - Advanced TLS-Crypt-v2 Client key
[5] TLS-Crypt-V2 GROUP Client key - Advanced TLS-Crypt-v2 GROUP Client key
Select the type of TLS-key to build: 3
====================
To cancel this inter-active menu at any time, press Control-C
This field only requires the certificate commonName, it does not require the complete file name.
Enter the commonName of your Server certificate: server_NZBaXbaOaOFOyJNV
====================
Easy-TLS command:
====================
TLS crypt v2 server key created: ./pki/easytls/server_NZBaXbaOaOFOyJNV-tls-crypt-v2.key
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to build a corresponding inline-file ?
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you have the private key for this X509 certificate ?
Enter (y)es or (n)o: n
====================
To cancel this inter-active menu at any time, press Control-C
No Diffie-Hellman parameters file was found!
If you need to use a custom Diffie-Hellman parameters file then enter the file location and name.
Otherwise, quit this menu and use Easy-RSA to create your Diffie-Hellman parameters file.
If you leave this blank then the Diffie-Hellman parameters file will NOT be add to the inline-file.
Enter the DH file name:
====================
Easy-TLS command:
====================
Inline TLS crypt v2 server file created: ./pki/easytls/server_NZBaXbaOaOFOyJNV.inline
missing error_log Error: Master save hash must only run once
Easy-TLS 2.8.0 (0)
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls build
EASYTLS_PKI: ./pki/easytls
EASYTLS_FASTER_HASH: ./pki/easytls/data/easytls-faster.hash
gen'd:c0b24040445d19c16becab643681833b37ba7f0d917bf56194691a7e7f6e8640 <==> saved:951f65ff7446a190f66f2b756c224ebed44879ce7c352385084677de5cec98a9
TIP: Use './easytls rehash' to correct this hash.
ERROR: verify_master_hash - match_two_hashes
Error: verify_master_hash
Easy-TLS 2.8.0 (0)
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls rehash
Rehash completed successfully.
I left that field blank because I didn't have any idea about it. (Enter the DH file name)
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls build
Easy-TLS Inter-active TLS-key builder Menu.
====================
To cancel this inter-active menu at any time, press Control-C
Available TLS-key types:
[1] TLS-Auth key - Legacy HMAC pre-shared key
[2] TLS-Crypt-V1 key - Basic TLS-crypt-v1 pre-shared key
[3] TLS-Crypt-V2 key for Server - Advanced TLS-Crypt-v2 Server key
[4] TLS-Crypt-V2 key for Client - Advanced TLS-Crypt-v2 Client key
[5] TLS-Crypt-V2 GROUP Client key - Advanced TLS-Crypt-v2 GROUP Client key
Select the type of TLS-key to build: 4
Build TLS-Crypt-V2 key for Client
====================
To cancel this inter-active menu at any time, press Control-C
First, you MUST enter your Server commonName.
This field only requires the certificate commonName, it does not require the complete file name.
Enter the commonName of your Server certificate: server_NZBaXbaOaOFOyJNV
====================
To cancel this inter-active menu at any time, press Control-C
Now, enter your Client commonName.
This field only requires the certificate commonName, it does not require the complete file name.
Enter the commonName of your Client certificate: 1
====================
To cancel this inter-active menu at any time, press Control-C
Configure a custom group.
You can configure a single Custom-Group like so:
$ ./easytls config custom.group NAME
If you want to configure a Custom-Group now then quit this menu.
If you have configured your Custom-Group or do not require a Custom-Group then leave this field blank.
Enter your Custom-Group or leave this blank to continue:
====================
To cancel this inter-active menu at any time, press Control-C
Each X509 Client certificate can have multiple TLS-Crypt-V2 keys, these keys are referred to as Sub-keys. Each Sub-key is used in a separate inline file with the same X509 Client certificate.
Enter the Sub-key Name for your key or leave blank to continue:
====================
To cancel this inter-active menu at any time, press Control-C
You can lock this key to specific filter-addresses.
Hardware-addresses can be in the form of:
IP-addresses can be in the form of:
This field can contain any mixture of valid filter-addresses, however, each filter-address MUST be entered individually.
Enter a single filter-address or leave blank to continue:
====================
Easy-TLS command:
====================
TLS crypt v2 client key created: ./pki/easytls/1-tls-crypt-v2.key
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to build a corresponding inline-file ?
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you have the private key for this X509 certificate ?
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to include the client metadata in the inline file ?
The metadata does not contain any security sensitive data but you may prefer to omit it.
Enter (y)es or (n)o: y
====================
To cancel this inter-active menu at any time, press Control-C
Do you want to include the hardware addresses in the client metadata ?
Enter (y)es or (n)o: n
====================
Easy-TLS command:
====================
Inline TLS crypt v2 client file created: ./pki/easytls/1.inline
missing error_log Error: Master save hash must only run once
Easy-TLS 2.8.0 (0)
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ./easytls rehash
Rehash completed successfully.
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ls
ChangeLog   dh.pem   easytls                      easytls-conntrac.lib       gpl-2.0.txt  openssl-easyrsa.cnf  README.quickstart.md   vars
COPYING.md  doc      easytls-client-connect.sh    easytls-cryptv2-verify.sh  LICENSE      pki                  SERVER_CN_GENERATED    vars.example
dev         easyrsa  easytls-client-disconnect.sh examples                   mktemp.txt   README.md            SERVER_NAME_GENERATED  x509-types
root@ubuntu-8gb-hel1-2:/etc/openvpn/easy-rsa# ls /etc/openvpn/easy-rsa/pki/issued/
1.crt  server_NZBaXbaOaOFOyJNV.crt
I left those fields blank because I didn't have any idea about them (single filter-address, Custom-Group, Sub-key Name). And about the client name: I must enter that name? I have a client .ovpn. Next step?
I will test, but I have a question: I ran the https://github.com/angristan/openvpn-install script with tls-crypt v1. No problem implementing? OpenVPN is enabled with that script. I pasted all easy-tls-master files into /etc/openvpn/easy-rsa/. Is that right?
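The `gen'd ... <==> saved ...` mismatch above, and the `rehash` that clears it, are an integrity check over the Easy-TLS data directory: the tool keeps a digest of its files and refuses to run when the current contents no longer match. The script below is an added example, not Easy-TLS's own code (the page does not show which files or which digest construction Easy-TLS uses, so the file set, the digest format and the location of the hash file here are assumptions). It reproduces the pattern on a sample tree built in a temporary directory: bless the tree, change a key file behind the tool's back, watch the check fail, then re-bless it. The caveat a practitioner should take from it: a rehash records whatever is on disk right now, so run it only after confirming the changed files are yours, otherwise it silently accepts a tampered key set.

```python
"""Directory-tree integrity digest, illustrating the saved/generated hash check pattern.
Added example; not Easy-TLS code. The digest construction is an assumption."""
import hashlib
import tempfile
from pathlib import Path


def tree_digest(root):
    """SHA-256 over every regular file under root, in sorted relative-path order.
    Each file contributes its path, its size and its bytes, so renaming, adding,
    truncating or editing any file changes the digest."""
    h = hashlib.sha256()
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def save_hash(root, hash_file):
    """'rehash': record the digest of the tree exactly as it is right now."""
    digest = tree_digest(root)
    Path(hash_file).write_text(digest + "\n")
    return digest


def verify_hash(root, hash_file):
    """Compare the current digest against the saved one: (match, generated, saved)."""
    hash_file = Path(hash_file)
    saved = hash_file.read_text().strip() if hash_file.exists() else None
    current = tree_digest(root)
    return current == saved, current, saved


def demo():
    """Constructed walk-through on throwaway files; returns the four check outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        pki = Path(tmp, "easytls")
        pki.mkdir()
        # Dummy key files standing in for the tls-crypt-v2 keys Easy-TLS writes.
        (pki / "server-tls-crypt-v2.key").write_bytes(b"dummy server key\n")
        (pki / "1-tls-crypt-v2.key").write_bytes(b"dummy client key\n")
        # Kept outside the hashed tree so the hash file does not feed its own digest
        # (an assumption for this example, not necessarily how Easy-TLS lays it out).
        hash_file = Path(tmp, "easytls-faster.hash")

        ok_missing, _, _ = verify_hash(pki, hash_file)   # no saved hash yet
        save_hash(pki, hash_file)
        ok_before, _, _ = verify_hash(pki, hash_file)    # freshly blessed tree
        # A key is replaced outside the tool: the check must fail.
        (pki / "1-tls-crypt-v2.key").write_bytes(b"replaced client key\n")
        ok_tampered, generated, saved = verify_hash(pki, hash_file)
        print(f"gen'd:{generated} <==> saved:{saved}")
        # Only after confirming the change is yours should the saved hash be regenerated.
        save_hash(pki, hash_file)
        ok_after, _, _ = verify_hash(pki, hash_file)
    return ok_missing, ok_before, ok_tampered, ok_after


if __name__ == "__main__":
    print(demo())
```

The digest deliberately binds each file's path and length, not just its bytes, so moving a client key into another name or appending to it is detected as well as editing it.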
@libea18 spend some time reading the help, it is quite useful.
The very first line of README.md shows you exactly what you need.
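The README and help point to the inline files Easy-TLS writes (`1.inline` above); the end goal for a client is a profile carrying a `<tls-crypt-v2>` block with the client key. The checker below is an added example, not part of the Easy-TLS project or of this thread. It parses a client profile, separates the inline blocks from the directives, and validates the `<tls-crypt-v2>` key layout as OpenVPN defines it: Kc is 256 bytes, the wrapped key WKc follows with a 32-byte tag in front and its own 2-byte big-endian length at the end. It also flags two mistakes that matter before a profile is mailed to anyone: leftover `tls-auth`/`tls-crypt`/`key-direction` lines from the v1 setup, and a server tls-crypt-v2 key pasted where the client key belongs (the server key lets its holder create client keys). The profile text and key bytes are constructed for the demonstration and are not a usable key; the hostname is a placeholder.

```python
"""Check an OpenVPN client profile that is supposed to carry a tls-crypt-v2 client key.
Added example, not Easy-TLS or OpenVPN code; sample input below is constructed."""
import base64
import re
import struct

# Layout constants from OpenVPN's tls-crypt-v2 design.
KC_LEN = 256          # client key Kc (2048 bits)
TAG_LEN = 32          # HMAC-SHA256 tag T at the front of the wrapped key WKc
MAX_WKC_LEN = 1024    # OpenVPN rejects wrapped keys longer than this
CLIENT_PEM = "OpenVPN tls-crypt-v2 client key"
SERVER_PEM = "OpenVPN tls-crypt-v2 server key"

INLINE_RE = re.compile(r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?", re.S | re.M)


def split_profile(profile):
    """Return ({directive: args}, {tag: inline body}); inline bodies are not read as directives."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(profile)}
    directives = {}
    for line in INLINE_RE.sub("", profile).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives[name] = args
    return directives, blocks


def decode_pem(body, expected_name):
    """Strip the PEM armour and base64-decode it, insisting on the expected PEM label."""
    lines = [l.strip() for l in body.strip().splitlines() if l.strip()]
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {expected_name}-----"
            or lines[-1] != f"-----END {expected_name}-----"):
        raise ValueError(f"not a '{expected_name}' PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def parse_client_key(raw):
    """Split raw bytes into Kc and WKc using the length OpenVPN appends to WKc."""
    if len(raw) < KC_LEN + 2:
        raise ValueError("client key too short")
    (wkc_len,) = struct.unpack("!H", raw[-2:])
    if not TAG_LEN + KC_LEN + 2 <= wkc_len <= MAX_WKC_LEN:
        raise ValueError(f"implausible WKc length {wkc_len}")
    if KC_LEN + wkc_len != len(raw):
        raise ValueError("Kc + WKc does not add up to the key size")
    wkc = raw[KC_LEN:]
    # The metadata sits inside the ciphertext; only its size is visible without the server key.
    return {"kc": raw[:KC_LEN], "tag": wkc[:TAG_LEN], "wkc_len": wkc_len,
            "metadata_len": wkc_len - TAG_LEN - KC_LEN - 2}


def check_profile(profile):
    """Return a list of findings; an empty list means the profile looks right for tls-crypt-v2."""
    findings = []
    directives, blocks = split_profile(profile)
    for legacy in ("tls-auth", "tls-crypt", "key-direction"):
        if legacy in directives or legacy in blocks:
            findings.append(f"{legacy} still present: tls-crypt-v2 replaces it, remove the leftover")
    body = blocks.get("tls-crypt-v2")
    if body is None:
        findings.append("no <tls-crypt-v2> block: the profile does not use tls-crypt-v2 at all")
    elif f"BEGIN {SERVER_PEM}" in body:
        findings.append("SERVER tls-crypt-v2 key embedded in a client profile: never distribute this file")
    else:
        try:
            parse_client_key(decode_pem(body, CLIENT_PEM))
        except ValueError as err:
            findings.append(f"malformed tls-crypt-v2 client key: {err}")
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in directives:
            findings.append(f"missing <{tag}> block or {tag} directive")
    return findings


# --- constructed sample input: dummy bytes with the right layout, not a usable key ---
def fake_client_key(metadata_len=10):
    kc = bytes(range(KC_LEN))
    wkc_len = TAG_LEN + KC_LEN + metadata_len + 2
    wkc = b"\xaa" * TAG_LEN + b"\xbb" * (KC_LEN + metadata_len) + struct.pack("!H", wkc_len)
    return kc + wkc


def pem(name, raw):
    b64 = base64.b64encode(raw).decode()
    return "\n".join([f"-----BEGIN {name}-----",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      f"-----END {name}-----"])


PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----"
GOOD_PROFILE = (
    "client\ndev tun\nremote vpn.example.invalid 1194 udp\n"
    f"<ca>\n{PLACEHOLDER_CERT}\n</ca>\n<cert>\n{PLACEHOLDER_CERT}\n</cert>\n"
    "<key>\n-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n</key>\n"
    f"<tls-crypt-v2>\n{pem(CLIENT_PEM, fake_client_key())}\n</tls-crypt-v2>\n"
)
# Two common mistakes: a leftover v1 directive, and the server key pasted in place of the client key.
BAD_PROFILE = GOOD_PROFILE.replace(pem(CLIENT_PEM, fake_client_key()),
                                   pem(SERVER_PEM, b"\xcc" * 128)) + "key-direction 1\n"

if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, check_profile(prof) or "OK")
```

The checker only verifies structure; it cannot confirm the key was wrapped by your server's key, since that needs the server key and happens on the server during the handshake. Treat the profile as a credential: the `<key>` and `<tls-crypt-v2>` blocks in it are exactly what lets someone connect as that client.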
I see:
Error log: ERROR: verify_tls_init fail Easy-TLS has not been initialised.
Error: main - verify_tls_init
Easy-TLS 2.8.0 (0)
I can help you if you want
Well?
What exactly do you need?
OpenVPN + XOR patch + obfsproxy + tls-crypt-v2: is it enough to beat the Iranian censor?
I need to use tls-crypt-v2 on my ovpn config.
I can make it for you if you give me access to your server.
please send me message: eroxs1818@gmail.com
OK, a little bit later! OK?
ok
Hi, I'm an amateur and want to install TLS-Crypt-V2 on my config. First I installed the script https://github.com/angristan/openvpn-install and found that the OpenVPN version is 2.4.4. Then I downloaded version 2.5 from https://github-wiki-see.page/m/SRingler98/how2guides/wiki/How-to-install-and-compile-openvpn-version-2.5.2-on-Ubuntu-20.04 . I installed 02 and then ran the angristan script and ran the configuration I wanted based on --tls-crypt. But I have no other idea how to implement TLS-Crypt-V2. I am in Iran and there is severe filtering. I need this. Information I have:
root@ubuntu-8gb-fsn1-2:/etc/openvpn/easy-rsa# openvpn --version
OpenVPN 2.5.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 6 2022
library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown = Unknown enable2 enable yes enable_ yes_2 = Yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=no enable_shared=yes enable_shared_wm_st active yes good enable enable_s enable_werror=no enable_win32dll=no enable_x509_altIXname with_n
If you can tell me the right script so I can go step by step, thank you for helping me go step by step. If necessary, I will give you money to give me enough training to do the job. You can also send me an email if you want: eroxs1818@gmail.com