tls-crypt on DD-WRT: got it working!

[JamBam 1]

General info:

 

- DD-WRT v3.0-r37845M kongac (11/25/18) on a Netgear R7000

- I have configured my R7000 as a Wireless Access Point (see https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point)

 

 

Step 1, generate OpenVPN configuration files

 

- www.airvpn.org => Client Area => Config Generator

- Activate "Advanced Mode"
- Choose your Operating System: Router
- Choose your OpenVPN version: >= 2.4
- Need IPv6?: IPv4 only
- Advanced (right part of the screen): Activate "Separate keys/certs from .ovpn file"

- Protocols: Protocol: TCP; Port: 443; Entry IP: 3; Specs: tls-crypt, tls 1.2

- Choose server

- Generate protocol

- Select ZIP

 

Now you have generated a ZIP file containing the following 5 files:

ca.crt; user.crt; user.key; tls-crypt.key; and a .ovpn file, for example: AirVPN_NL-Alblasserdam_Muscida_TCP-443-Entry3.ovpn.

 

 

Step 2, DD-WRT => Services => VPN => OpenVPN Client

 

Hash Algorithm: SHA512

 

ca.crt goes in "CA Cert"; user.crt goes in "Public Client Cert"; user.key goes in "Private Client Key".

 

The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.
Furthermore I´ve put the following two settings in "Additional Config": remote-cert-tls server and auth-nocache.

The contents of "Additional Config" could, for example, look like this:

 

remote-cert-tls server
auth-nocache
<tls-crypt>
content of tls-crypt.key
</tls-crypt>

 

 

 

 

The only dissappointing thing: https://2ip.io/privacy/ still knows I am using a VPN service:

 

 

[philairvpn 1]

On 12/16/2018 at 9:27 AM, JamBam said:

The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.

SWEET! THANKS! 

[pseudotimestretch 2]

I followed your method and it says that the client is connected, however all my devices still show my ISP ip adress.

Did i misconfigure something?

[YLwpLUbcf77U 32]

Can someone ELI5 the pro's and con's of this versus a regular UDP OpenVPN client on DD-WRT?

[Staff 9971]

@YLwpLUbcf77U

Hello!

It's not something DD-WRT specific, it's an OpenVPN working mode.

TLS mode is essential to use all the OpenVPN security features, including PFS. We only operate OpenVPN in TLS mode.

When OpenVPN works in TLS mode, TLS Crypt encrypts the whole Control Channel from the very beginning, while TLS Auth does not. Therefore TLS Crypt hides to DPI OpenVPN protocol fingerprint and it's much harder blocking OpenVPN in TLS Crypt mode than blocking OpenVPN in TLS Auth mode.

TLS Crypt and TLS Auth are mutually incompatible, and each OpenVPN daemon working as server can only work with TLS Auth or TLS Crypt. That's why we offer different IP addresses for TLS Crypt and TLS Auth modes: Also note that TLS Auth and TLS Crypt keys are different.

A more elaborated and precise description can be found here (1st answer):
https://serverfault.com/questions/929484/openvpn-2-4-security-differences-between-tls-crypt-and-tls-auth

Kind regards

 

[YLwpLUbcf77U 32]

I did as OP wrote and got DD-WRT connected to AirVPN and confirmed there are no DNS leaks.  However, is there a way I can tell for sure I am on TCP with TLS-Crypt enabled?

 

[Staff 9971]

@YLwpLUbcf77U

Hello!

Yes. To confirm that OpenVPN works over TCP just have a look at the OpenVPN log. To confirm that OpenVPN has used TLS Crypt for negotiation check your TLS key. If it's ta.key then TLS Auth mode was used for negotiation, if it's tls-crypt.key then TLS Crypt was.

Another way is checking the VPN server IP address you connect to. Entry-IP addresses 3 and 4 are reserved to TLS Crypt and won't work with TLS Auth. Entry-IP addresses 1 and 2 are reserved to TLS Auth and won't work with TLS Crypt.

Kind regards
 

[YLwpLUbcf77U 32]

Well, I'm using the TLS-Crypt IP address now to connect and I'm logged in w/o DNS leaks so I think that means TLS Crypt is working.