JamBam

tls-crypt on DD-WRT: got it working!


General info:

 

- DD-WRT v3.0-r37845M kongac (11/25/18) on a Netgear R7000

- I have configured my R7000 as a Wireless Access Point (see https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point)

 

 

Step 1, generate OpenVPN configuration files

 

- www.airvpn.org => Client Area => Config Generator

- Activate "Advanced Mode"
- Choose your Operating System: Router
- Choose your OpenVPN version: >= 2.4
- Need IPv6?: IPv4 only
- Advanced (right part of the screen): Activate "Separate keys/certs from .ovpn file"

- Protocols: Protocol: TCP; Port: 443; Entry IP: 3; Specs: tls-crypt, tls 1.2

- Choose server

- Generate protocol

- Select ZIP

 

Now you have generated a ZIP file containing the following 5 files:

ca.crt; user.crt; user.key; tls-crypt.key; and a .ovpn file, for example: AirVPN_NL-Alblasserdam_Muscida_TCP-443-Entry3.ovpn.

 

 

Step 2, DD-WRT => Services => VPN => OpenVPN Client

 

Hash Algorithm: SHA512

 

ca.crt goes in "CA Cert"; user.crt goes in "Public Client Cert"; user.key goes in "Private Client Key".

 

The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.
Furthermore, I've put the following two settings in "Additional Config": remote-cert-tls server and auth-nocache.

The contents of "Additional Config" could, for example, look like this:

 

remote-cert-tls server
auth-nocache
<tls-crypt>
content of tls-crypt.key
</tls-crypt>


The only disappointing thing: https://2ip.io/privacy/ still knows I am using a VPN service.

On 12/16/2018 at 9:27 AM, JamBam said:

The tls-crypt.key goes in "Additional Config" between <tls-crypt> and </tls-crypt>.


SWEET! THANKS! 

@YLwpLUbcf77U

Hello!

It's not something DD-WRT specific, it's an OpenVPN working mode.

TLS mode is essential to use all the OpenVPN security features, including PFS. We only operate OpenVPN in TLS mode.

When OpenVPN works in TLS mode, TLS Crypt encrypts the whole Control Channel from the very beginning, while TLS Auth does not. Therefore TLS Crypt hides the OpenVPN protocol fingerprint from DPI, and it is much harder to block OpenVPN in TLS Crypt mode than in TLS Auth mode.

TLS Crypt and TLS Auth are mutually incompatible, and each OpenVPN daemon working as a server can only work with TLS Auth or TLS Crypt. That's why we offer different IP addresses for TLS Crypt and TLS Auth modes. Also note that TLS Auth and TLS Crypt keys are different.

A more elaborate and precise description can be found here (1st answer):
https://serverfault.com/questions/929484/openvpn-2-4-security-differences-between-tls-crypt-and-tls-auth

Kind regards

 

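The following Go program is an added illustration of the difference the reply above describes; it is example code written for this page, not OpenVPN's, DD-WRT's or AirVPN's code. It frames one control-channel packet both ways. The tls-crypt path follows the construction OpenVPN 2.4 documents for tls-crypt (the layout of the 256-byte static key, HMAC-SHA256 over header and plaintext, AES-256-CTR keyed from the static key with the tag as IV); it has not been run against a real OpenVPN peer, so treat wire compatibility as an assumption. The static key, session id, timestamp and ClientHello bytes are constructed, and the tls-auth framing is simplified to make the contrast visible rather than to match OpenVPN byte for byte.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cleartext header both framings carry: opcode/key-id (1) | session id (8) |
// packet id (4) | net time (4). tls-crypt leaves this part visible.
const hdrLen = 1 + 8 + 4 + 4

// Keys is one peer's sending half of a 256-byte "OpenVPN Static key V1": each
// 128-byte half is 64 bytes of cipher key then 64 bytes of HMAC key (first 32 used).
type Keys struct{ Enc, Mac []byte }

// SendKeys picks the half a peer encrypts with. For tls-crypt the direction is
// fixed by role (server: first half, client: second); the receiver uses the sender's half.
func SendKeys(static []byte, server bool) (Keys, error) {
	if len(static) != 256 {
		return Keys{}, fmt.Errorf("static key is %d bytes, want 256", len(static))
	}
	half := static[128:]
	if server {
		half = static[:128]
	}
	return Keys{Enc: half[:32], Mac: half[64:96]}, nil
}

// WrapTLSCrypt frames a control packet as header | tag | ciphertext, where
// tag = HMAC-SHA256(Mac, header||plaintext) and ciphertext = AES-256-CTR(Enc,
// IV=tag[:16], plaintext): the tag doubles as IV and the TLS bytes stay hidden.
func WrapTLSCrypt(k Keys, hdr, plain []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(hdr)
	mac.Write(plain)
	tag := mac.Sum(nil)
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, tag[:aes.BlockSize]).XORKeyStream(ct, plain)
	return append(append(append([]byte{}, hdr...), tag...), ct...), nil
}

// UnwrapTLSCrypt decrypts, recomputes the tag over header||plaintext and drops
// the packet on mismatch, so forged or altered handshake packets are rejected.
func UnwrapTLSCrypt(k Keys, pkt []byte) (hdr, plain []byte, err error) {
	if len(pkt) < hdrLen+sha256.Size {
		return nil, nil, errors.New("packet too short")
	}
	hdr, tag, ct := pkt[:hdrLen], pkt[hdrLen:hdrLen+sha256.Size], pkt[hdrLen+sha256.Size:]
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, nil, err
	}
	plain = make([]byte, len(ct))
	cipher.NewCTR(block, tag[:aes.BlockSize]).XORKeyStream(plain, ct)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(hdr)
	mac.Write(plain)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, nil, errors.New("tls-crypt: HMAC mismatch, packet dropped")
	}
	return hdr, plain, nil
}

// WrapTLSAuth is the contrast: tls-auth only appends an HMAC and sends the payload
// in the clear (order simplified; real tls-auth puts the HMAC after the session id).
func WrapTLSAuth(macKey, hdr, plain []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(hdr)
	mac.Write(plain)
	return append(append(append([]byte{}, hdr...), mac.Sum(nil)...), plain...)
}

// SampleStaticKey is a constructed, deterministic stand-in for tls-crypt.key.
func SampleStaticKey() []byte {
	k := make([]byte, 256)
	for i := range k {
		k[i] = byte(i*31 + 7)
	}
	return k
}

// Constructed inputs: a client header (opcode 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2, key id 0,
// session id 01..08, packet id 0, net time) and a TLS record whose leading bytes DPI keys on.
var (
	SampleHeader      = []byte{0x38, 1, 2, 3, 4, 5, 6, 7, 8, 0, 0, 0, 0, 0x5c, 0x16, 0xa1, 0xf0}
	SampleClientHello = []byte("\x16\x03\x01\x00\x24\x01\x00\x00\x20\x03\x03constructed-clienthello-filler")
)

func main() {
	k, _ := SendKeys(SampleStaticKey(), false) // the client sends with the second half
	crypt, _ := WrapTLSCrypt(k, SampleHeader, SampleClientHello)
	fmt.Println("ClientHello visible? tls-auth:", bytes.Contains(WrapTLSAuth(k.Mac, SampleHeader, SampleClientHello), SampleClientHello), "tls-crypt:", bytes.Contains(crypt, SampleClientHello))
}
```

Two things worth noticing in the tls-crypt path: the 17-byte header (opcode, session id, packet id) is still sent in the clear, so "hides the fingerprint" means the TLS handshake payload, not the framing; and a receiver that does not know the static key cannot even get past the HMAC check, which is what makes the first packet of a tls-crypt handshake unforgeable.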

I did as the OP wrote and got DD-WRT connected to AirVPN and confirmed there are no DNS leaks. However, is there a way I can tell for sure I am on TCP with TLS-Crypt enabled?

 

@YLwpLUbcf77U

Hello!

Yes. To confirm that OpenVPN works over TCP just have a look at the OpenVPN log. To confirm that OpenVPN has used TLS Crypt for negotiation check your TLS key. If it's ta.key then TLS Auth mode was used for negotiation, if it's tls-crypt.key then TLS Crypt was.

Another way is checking the VPN server IP address you connect to. Entry-IP addresses 3 and 4 are reserved to TLS Crypt and won't work with TLS Auth. Entry-IP addresses 1 and 2 are reserved to TLS Auth and won't work with TLS Crypt.

Kind regards
 

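Both the OP's two-step procedure and the question answered above ("how can I tell for sure I am on TCP with TLS-Crypt?") come down to what the client config actually says. The Go program below is an added example, not DD-WRT, OpenVPN or AirVPN code: it parses an OpenVPN client config (directives plus inline blocks such as the <tls-crypt> block pasted into "Additional Config") and reports the transport, the remote lines and the control-channel protection, flagging the configuration mistakes that silently weaken the tunnel. The sample configs, the host name vpn.example.net and the placeholder key bodies are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Report answers the thread's question: transport and control-channel protection.
type Report struct {
	Proto             string   // "proto" directive, else the remote line's 3rd field, else OpenVPN's default udp
	Remotes           []string // arguments of every "remote" line, as written
	ControlProtection string   // "tls-crypt", "tls-auth", "none" or "tls-crypt+tls-auth (invalid)"
	Warnings          []string
}

// Inspect parses config text, including <tag>...</tag> inline blocks.
func Inspect(cfg string) Report {
	r := Report{Proto: "udp", ControlProtection: "none"}
	seen := map[string]bool{} // directive names and inline-block names encountered
	inline, remoteProto := "", ""
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if inline != "" { // key/cert material: only the closing tag matters
			if line == "</"+inline+">" {
				inline = ""
			}
			continue
		}
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">") {
			inline = strings.Trim(line, "<>")
			seen[inline] = true
			continue
		}
		f := strings.Fields(line)
		seen[f[0]] = true
		switch f[0] {
		case "proto":
			if len(f) > 1 {
				r.Proto = f[1]
			}
		case "remote":
			r.Remotes = append(r.Remotes, strings.Join(f[1:], " "))
			if len(f) > 3 && remoteProto == "" {
				remoteProto = f[3]
			}
		case "tls-auth": // "tls-auth ta.key 1" carries the direction itself
			seen["key-direction"] = seen["key-direction"] || len(f) > 2
		}
	}
	if !seen["proto"] && remoteProto != "" {
		r.Proto = remoteProto
	}
	switch crypt, auth := seen["tls-crypt"], seen["tls-auth"]; {
	case crypt && auth:
		r.ControlProtection = "tls-crypt+tls-auth (invalid)"
		r.Warnings = append(r.Warnings, "tls-crypt and tls-auth are mutually exclusive; OpenVPN refuses to start")
	case crypt:
		r.ControlProtection = "tls-crypt"
	case auth:
		r.ControlProtection = "tls-auth"
		if !seen["key-direction"] {
			r.Warnings = append(r.Warnings, "inline ta.key without 'key-direction 1': the client must use the direction opposite to the server's")
		}
	}
	if !seen["remote-cert-tls"] {
		r.Warnings = append(r.Warnings, "missing 'remote-cert-tls server': any certificate the CA issued, even another client's, would be accepted as the server")
	}
	return r
}

// SampleTLSCrypt is a constructed stand-in for the OP's result (router .ovpn
// plus the "Additional Config" lines); host and key material are placeholders.
const SampleTLSCrypt = `proto tcp
remote vpn.example.net 443
remote-cert-tls server
auth-nocache
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
`

// SampleTLSAuth is a constructed tls-auth config that omits key-direction.
const SampleTLSAuth = `remote vpn.example.net 443 udp
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
`

func main() {
	fmt.Printf("%+v\n", Inspect(SampleTLSCrypt))
	fmt.Printf("%+v\n", Inspect(SampleTLSAuth))
}
```

Use this together with the log check the reply suggests. From memory of the OpenVPN 2.4 sources (verify against your own log), a tls-crypt negotiation is logged under the prefix "Control Channel Encryption" with cipher AES-256-CTR, while tls-auth logs under "Control Channel Authentication"; a TCP transport shows up as a "TCP connection established" line rather than UDP link messages.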
