JamBam 1 Posted ...

General info:
- DD-WRT v3.0-r37845M kongac (11/25/18) on a Netgear R7000
- I have configured my R7000 as a Wireless Access Point (see https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point)

Step 1, generate OpenVPN configuration files
- www.airvpn.org => Client Area => Config Generator
- Activate "Advanced Mode"
- Choose your Operating System: Router
- Choose your OpenVPN version: >= 2.4
- Need IPv6?: IPv4 only
- Advanced (right part of the screen): Activate "Separate keys/certs from .ovpn file"
- Protocols: Protocol: TCP; Port: 443; Entry IP: 3; Specs: tls-crypt, tls 1.2
- Choose server
- Generate protocol
- Select ZIP

Now you have generated a ZIP file containing the following 5 files: ca.crt; user.crt; user.key; tls-crypt.key; and a .ovpn file, for example: AirVPN_NL-Alblasserdam_Muscida_TCP-443-Entry3.ovpn.

Step 2, DD-WRT => Services => VPN => OpenVPN Client
Hash Algorithm: SHA512
ca.crt goes in "CA Cert"; user.crt goes in "Public Client Cert"; user.key goes in "Private Client Key".
The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.
Furthermore I've put the following two settings in "Additional Config": remote-cert-tls server and auth-nocache.

The contents of "Additional Config" could, for example, look like this:

remote-cert-tls server
auth-nocache
<tls-crypt>
content of tls-crypt.key
</tls-crypt>

The only disappointing thing: https://2ip.io/privacy/ still knows I am using a VPN service.
philairvpn 1 Posted ...

On 12/16/2018 at 9:27 AM, JamBam said:
The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.

SWEET! THANKS!
pseudotimestretch 2 Posted ...

I followed your method and it says that the client is connected, however all my devices still show my ISP IP address. Did I misconfigure something?
YLwpLUbcf77U 32 Posted ...

Can someone ELI5 the pros and cons of this versus a regular UDP OpenVPN client on DD-WRT?
Staff 10050 Posted ...

@YLwpLUbcf77U

Hello!

It's not something DD-WRT specific, it's an OpenVPN working mode. TLS mode is essential to use all the OpenVPN security features, including PFS. We only operate OpenVPN in TLS mode.

When OpenVPN works in TLS mode, TLS Crypt encrypts the whole Control Channel from the very beginning, while TLS Auth does not. Therefore TLS Crypt hides the OpenVPN protocol fingerprint from DPI, and it's much harder to block OpenVPN in TLS Crypt mode than to block OpenVPN in TLS Auth mode.

TLS Crypt and TLS Auth are mutually incompatible, and each OpenVPN daemon working as server can only work with TLS Auth or TLS Crypt. That's why we offer different IP addresses for TLS Crypt and TLS Auth modes. Also note that TLS Auth and TLS Crypt keys are different.

A more elaborate and precise description can be found here (1st answer): https://serverfault.com/questions/929484/openvpn-2-4-security-differences-between-tls-crypt-and-tls-auth

Kind regards
YLwpLUbcf77U 32 Posted ...

I did as OP wrote and got DD-WRT connected to AirVPN and confirmed there are no DNS leaks. However, is there a way I can tell for sure I am on TCP with TLS-Crypt enabled?
Staff 10050 Posted ...

@YLwpLUbcf77U

Hello!

Yes. To confirm that OpenVPN works over TCP just have a look at the OpenVPN log. To confirm that OpenVPN has used TLS Crypt for negotiation check your TLS key. If it's ta.key then TLS Auth mode was used for negotiation, if it's tls-crypt.key then TLS Crypt was.

Another way is checking the VPN server IP address you connect to. Entry-IP addresses 3 and 4 are reserved for TLS Crypt and won't work with TLS Auth. Entry-IP addresses 1 and 2 are reserved for TLS Auth and won't work with TLS Crypt.

Kind regards
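The two checks above (which key block the config carries, and whether the transport is TCP) can be done against the config text itself before the router ever connects. The script below is an added example, not code from this thread, AirVPN or DD-WRT: it parses an OpenVPN client config (the generated .ovpn together with the "Additional Config" lines from JamBam's recipe) and reports whether the control channel is protected by tls-crypt or tls-auth, whether proto is TCP, and whether remote-cert-tls server and auth-nocache are present. The sample config, host name and key bytes are constructed placeholders.

```python
import re
# Constructed sample (.ovpn + the post's Additional Config); host and key are placeholders.
SAMPLE_CONFIG = """\
proto tcp-client
remote nl.example.invalid 443
remote-cert-tls server
auth-nocache
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Inline key blocks, <tls-crypt>...</tls-crypt> or <tls-auth>...</tls-auth>
INLINE_BLOCK = re.compile(r"<(tls-crypt|tls-auth)>(.*?)</\1>", re.S)

def parse_openvpn_config(text):
    """Collect control-channel mode(s), proto and hardening directives."""
    modes = {m.group(1) for m in INLINE_BLOCK.finditer(text)}
    body = INLINE_BLOCK.sub("", text)  # never scan key material as directives
    proto, directives = None, set()
    for raw in body.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] in ("tls-crypt", "tls-auth"):  # file form: "tls-crypt tls-crypt.key"
            modes.add(parts[0])
        elif parts[0] == "proto" and len(parts) > 1:
            proto = parts[1]
        elif parts[0] == "remote-cert-tls" and parts[1:] == ["server"]:
            directives.add("remote-cert-tls server")
        elif parts[0] == "auth-nocache":
            directives.add("auth-nocache")
    return {"modes": modes, "proto": proto, "directives": directives}

def check_config(text):
    """Return findings; empty means TLS Crypt over TCP plus both directives."""
    info = parse_openvpn_config(text)
    findings = []
    if "tls-auth" in info["modes"]:
        findings.append("tls-auth present: handshake authenticated but not encrypted, and incompatible with tls-crypt")
    elif "tls-crypt" not in info["modes"]:
        findings.append("no tls-crypt: control channel has no extra protection")
    if not (info["proto"] or "").startswith("tcp"):
        findings.append("proto is %s, not tcp" % info["proto"])
    for d in ("remote-cert-tls server", "auth-nocache"):
        if d not in info["directives"]:
            findings.append("missing " + d)
    return findings
```

Run it on the real .ovpn from the ZIP with the Additional Config lines appended; an empty result means the file matches the recipe, and any finding names the directive to fix.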
YLwpLUbcf77U 32 Posted ...

Well, I'm using the TLS-Crypt IP address now to connect and I'm logged in w/o DNS leaks so I think that means TLS Crypt is working.