securvark (16) Posted ... Hey, I've got properly working connections to different AirVPN servers, but these are all non-TLS servers. I am now trying to set up a TLS connection, to Castor. I've generated the config and downloaded the new tls-crypt.key file. I assume I need to use that instead of the ta.key that used to go into the TLS Key field? Other than that, I'm not sure what other settings I need to change. I've enabled logging at verbosity 5 but I'm not getting a lead on what's wrong. Thanks!
go558a83nk (364) Posted ... Your title is misleading. TLS 1.2 has been in use for some time; tls-crypt is what's new. Paste the tls-crypt.key contents into the key field, and then below it select the option for authentication and encryption. Then also change the auth digest to SHA512. That should be what you need to connect. If you aren't already doing it, you should also see a performance improvement using AES-256-GCM as the data cipher vs CBC.
securvark (16) Posted ... [quoting go558a83nk] "Your title is misleading. TLS 1.2 has been in use for some time; tls-crypt is what's new. Paste the tls-crypt.key contents into the key field, and then below it select the option for authentication and encryption. Then also change the auth digest to SHA512. That should be what you need to connect. If you aren't already doing it, you should also see a performance improvement using AES-256-GCM as the data cipher vs CBC."
Ah nice, thanks! I had the digest incorrect, so it wasn't working. Even with logging at 6 it wasn't clear to me what was wrong. About the cipher though, that's interesting. Does that count for hardware crypto too? I'm using AES-NI (CPU Crypto: Yes (active), with AES-CBC, AES-XTS, AES-GCM, AES-ICM support). If I want to change it, do I only pick that in the OpenVPN client settings, or do I need to muck about with the custom options box too? Thanks!
Air4141841 (25) Posted ... If I am understanding your question, I just accomplished this today to Chamaeleon. Only took me 2 days to figure this out... I wonder how many providers actually support this? I will try to attach the one option that worked for me, as long as you follow the OpenVPN file configuration.
securvark (16) Posted ... [quoting own previous post and go558a83nk's reply above]
Additionally, I run into this message in my logs:
May 28 13:07:39 openvpn 67416 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Doesn't that mean that only CBC is supported by the server and my settings for using GCM are ignored?
securvark (16) Posted ... Never mind, increased logging and answered my own question:
May 28 13:15:22 openvpn 65594 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 28 13:15:22 openvpn 65594 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
go558a83nk (364) Posted ... Sorry, I meant to reply to your post from a couple of days ago and somehow it was marked as read and I forgot to. Yeah, I've noticed that servers will say the settings don't match if I'm asking for GCM. But it'll connect with a GCM cipher, as you've seen. I don't know about your CPU, but mine is fastest with GCM, so I'm glad to have it.
JacksonLee (3) Posted ... [quoting go558a83nk] "Paste the tls-crypt.key contents into the key field, and then below it select the option for authentication and encryption. Then also change the auth digest to SHA512. That should be what you need to connect. If you aren't already doing it, you should also see a performance improvement using AES-256-GCM as the data cipher vs CBC."
Hi, I'm a bit lost on this. As soon as I switch to Encryption and Authentication, pfSense refuses to connect. I guess I have to use different keys? Where do I find the tls-crypt.key? I've just downloaded a new config file and all I get is (inline): <ca>, <cert>, <key>, <tls-auth>.
Jun 24 11:26:57 openvpn 39318 UDPv4 link remote: [AF_INET]185.189.112.18:80
Jun 24 11:26:57 openvpn 39318 UDPv4 link local (bound): [AF_INET]89.245.13.38:0
Jun 24 11:26:57 openvpn 39318 TCP/UDP: Preserving recently used remote address: [AF_INET]185.189.112.18:80
Jun 24 11:26:57 openvpn 39318 Initializing OpenSSL support for engine 'rdrand'
Jun 24 11:26:57 openvpn 39318 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 24 11:26:57 openvpn 39318 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jun 24 11:26:57 openvpn 39318 mlockall call succeeded
Jun 24 11:26:57 openvpn 39200 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Jun 24 11:26:57 openvpn 39200 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Jun 24 11:26:57 openvpn 39200 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
That's it; after a timeout it retries. Any help is much appreciated.
JacksonLee (3) Posted ... Check attachments, this is how it's currently configured.
go558a83nk (364) Posted ... [quoting JacksonLee's post and log above]
You need to download tls-crypt configs from the config generator.
JacksonLee (3) Posted ... [quoting go558a83nk] "You need to download tls-crypt configs from the config generator."
LOL, I scrolled a few times till I realized that there is a TLS 1.2 section just for this... doh! Thanks.
ableounceony (6) Posted ...
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Besides the GCM/CBC cipher warnings (which I, too, confirmed appear to be spurious, since the log later says both incoming and outgoing are using GCM), the above are the warnings I'm seeing. In the order I listed them above:
- 'auth': in the .ovpn I just downloaded, the last line is "auth sha512". So I assume that's where the "remote" side of that warning comes from. But in my pfSense OpenVPN client configuration, I've got "Auth digest algorithm" set to "SHA512 (512-bit)". Shouldn't that be the "local" side of the warning?
- 'link-mtu': I'm totally lost with this one. I can't find any setting mentioning MTU anywhere in pfSense. Nor do I see MTU in the .ovpn file. Any idea what's going on with this?
- 'auth-nocache': I assume adding "--auth-nocache" to the Custom Options in my OpenVPN client will fix this. Any downsides?
- 'keydir': I assume this refers to "--key-direction". According to the man page for OpenVPN, "--key-direction" isn't required for tls-crypt. I *do* have it in my Custom Options, so I assume I should remove it. But the odd thing is that the warning says the local keydir is 0, whereas I've got "key-direction 1" in Custom Options. Suggestions?
nczyk (0) Posted ... So I cannot get the crypt portion working... Do I add the ta.key AND the tls-crypt.key to the TLS Key field? I've tried each individually, and both, and cannot get it working. I've updated my device/keys to SHA512 and it shows active in the client area.
go558a83nk (364) Posted ... [quoting nczyk] "So I cannot get the crypt portion working... Do I add the ta.key AND the tls-crypt.key to the TLS Key field? I've tried each individually, and both, and cannot get it working. I've updated my device/keys to SHA512 and it shows active in the client area."
You've followed post 2 in this thread exactly?
1) Use tls-crypt.key
2) TLS key usage mode needs to be authentication and encryption
3) Auth digest algorithm needs to be SHA512
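The three-step recipe above (and in post 2), together with the option-consistency warnings ableounceony asked about, can be checked mechanically before clicking through pfSense. The script below is an added example and is not code from this thread, from AirVPN or from pfSense. It lints a client .ovpn for the thread's pitfalls (tls-auth still in use, a key-direction left over from tls-auth, the auth digest not SHA512, a CBC cipher, auth-user-pass without auth-nocache) and parses OpenVPN's "used inconsistently" / "missing in remote config" warnings into a table, then reads the data-channel init lines that show what cipher was actually negotiated. Two facts it relies on: tls-crypt uses a single key in both directions, so key-direction only applies to tls-auth; and OpenVPN 2.4 negotiates AES-256-GCM through NCP even when the two static 'cipher' lines differ, which is why the 'cipher' warning is followed by GCM init lines. The two profiles are constructed, the hostname vpn.example.invalid is a placeholder, the key bodies are elided, and the log lines are the ones quoted in the thread.

```python
"""Lint an OpenVPN client profile for the tls-auth -> tls-crypt migration
pitfalls discussed in this thread and parse OpenVPN's option-consistency
(OCC) warnings. Added example, not AirVPN's or pfSense's code; profiles are
constructed, hostname is a placeholder, key bodies elided."""
import re

DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:\s+(.*))?$")
INLINE_OPEN_RE = re.compile(r"^<([A-Za-z0-9_-]+)>$")
INLINE_CLOSE_RE = re.compile(r"^</([A-Za-z0-9_-]+)>$")
WARN_INCONSISTENT_RE = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
WARN_MISSING_RE = re.compile(
    r"WARNING: '([^']+)' is present in local config but missing in remote config, local='([^']*)'")
DATA_CHANNEL_RE = re.compile(r"(Incoming|Outgoing) Data Channel: Cipher '([^']+)' initialized")


def parse_profile(text):
    """Return {directive: value}; an inline <tag>...</tag> block maps tag -> body.
    A later occurrence overrides an earlier one, as OpenVPN itself does."""
    opts, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                  # collecting an inline block
            if INLINE_CLOSE_RE.match(line):
                opts[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(line)
            continue
        m = INLINE_OPEN_RE.match(line)
        if m:
            block = m.group(1).lower()
            continue
        if not line or line[0] in "#;":
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            opts[m.group(1).lower()] = (m.group(2) or "").strip()
    return opts


def lint_profile(text):
    """Return a list of findings; an empty list means the profile matches the recipe."""
    o = parse_profile(text)
    findings = []
    has_crypt, has_auth = "tls-crypt" in o, "tls-auth" in o
    if has_crypt and has_auth:
        findings.append("tls-auth and tls-crypt are mutually exclusive; keep only tls-crypt")
    elif not has_crypt:
        findings.append("no tls-crypt: control channel is authenticated at best, not encrypted")
    if has_crypt and "key-direction" in o:
        findings.append("key-direction is ignored with tls-crypt (one key, both directions); remove it")
    if o.get("auth", "").upper() != "SHA512":
        findings.append("auth digest is %r; the tls-crypt servers expect SHA512" % o.get("auth", "(default)"))
    if "GCM" not in o.get("cipher", "").upper():
        findings.append("cipher %r is CBC-era; prefer AES-256-GCM (AEAD)" % o.get("cipher", "(default)"))
    if "auth-user-pass" in o and "auth-nocache" not in o:
        findings.append("auth-user-pass without auth-nocache: credentials stay cached in memory")
    return findings


def parse_occ_warnings(log):
    """Map option -> (local, remote); remote is None when the server did not send it."""
    out = {}
    for line in log.splitlines():
        m = WARN_INCONSISTENT_RE.search(line)
        if m:
            out[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = WARN_MISSING_RE.search(line)
        if m:
            out[m.group(1)] = (m.group(2), None)
    return out


def negotiated_ciphers(log):
    """{'Incoming': cipher, 'Outgoing': cipher} from the data-channel init lines,
    which (not the 'cipher' OCC warning) show what the tunnel really uses."""
    return {m.group(1): m.group(2) for m in DATA_CHANNEL_RE.finditer(log)}


# Constructed "before" profile: tls-auth, CBC, SHA1, key-direction, cached password.
OLD_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-CBC
auth SHA1
key-direction 1
auth-user-pass
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(key material elided)
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Constructed "after" profile: the thread's recipe applied.
NEW_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-GCM
auth SHA512
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(key material elided)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
# Log lines as quoted in the thread.
SAMPLE_LOG = """May 28 13:07:39 openvpn 67416 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1602'
WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
May 28 13:15:22 openvpn 65594 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 28 13:15:22 openvpn 65594 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

if __name__ == "__main__":
    for name, prof in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(name, lint_profile(prof) or ["ok"])
    print(parse_occ_warnings(SAMPLE_LOG))
    print(negotiated_ciphers(SAMPLE_LOG))
```

Run it as-is to see the old profile produce four findings and the new one none; point lint_profile at the .ovpn the config generator gave you to confirm the tls-crypt block, SHA512 digest and GCM cipher are all there before transcribing them into the pfSense client fields.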