Jump to content
Not connected, Your IP: 3.138.113.44

Recommended Posts

1. What is if someone stole the .ovpn file and import it to his router. Let's assume I wouldnt be connected. Is he able to connect to AirVPN with my config file?

2. What is if someone stole te .ovpn and has the private key. Could he decrypt the data (together with public key) ? Actually, if I don't create new keys, the private key is always the same. So if someone in in the possession of the private key, he can read the whole traffic?

Thanks in adavance for making it clearer for me!
 

Share this post


Link to post
7 hours ago, BKK20 said:

1. What is if someone stole the .ovpn file and import it to his router. Let's assume I wouldnt be connected. Is he able to connect to AirVPN with my config file?


Yes, and even if you are connected.
 
7 hours ago, BKK20 said:

2. What is if someone stole te .ovpn and has the private key. Could he decrypt the data (together with public key) ? Actually, if I don't create new keys, the private key is always the same. So if someone in in the possession of the private key, he can read the whole traffic?


The private key is used for authentication against a server since a server cannot know who a client is (= whether the account the private key is linked to is paid or not). This is not a decryption key for the traffic, those are AES keys which are by default renegotiated every 60 minutes.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
23 hours ago, OpenSourcerer said:

The private key is used for authentication against a server since a server cannot know who a client is (= whether the account the private key is linked to is paid or not). This is not a decryption key for the traffic, those are AES keys which are by default renegotiated every 60 minutes.


Thanks so much! But the Private/Public Key method will be used to exchange the AES key. Is he not able to see the new renegiotiated AES key ?

Share this post


Link to post
1 hour ago, BKK20 said:

But the Private/Public Key method will be used to exchange the AES key. Is he not able to see the new renegiotiated AES key ?


No, they are strictly for authenticating OpenVPN clients against the servers. The key negotiation is using the Diffie-Hellman Key Exchange algorithm and is based on a general randomness, perhaps best described by the color mixing illustration on the Wikipedia page for this algorithm:

https://upload.wikimedia.org/wikipedia/commons/4/46/Diffie-Hellman_Key_Exchange.svg

Alice will be the client, Bob will be the server. Eve will be the evil eavesdropper/cracker/whatever. Alice and Bob both agree on a common color which is known to both. They choose a random secret color which they keep to themselves and add them to the common color, creating two different mixtures of color. Those mixtures are exchanged. Now when Alice adds her secret color to the mixture she received from Bob and Bob does the same with his color to Alice's mix, they end up having the same final color. That is the key used in encrypting and decrypting messages.
Eve will know the common color and the mixtures they exchanged. She can try every conceivable color on both mixtures to find out both secret colors which will hopefully lead to something able to decrypt messages. The big catch: She's got 60 minutes for that. At this point I'd wish her best of luck.

Now, spoken in maths, the common color are a few values of variables agreed upon. The secret they keep to themselves is another variable used in a more less simple mathematical equation. They exchange their result of that. When they use their own secret variable on the other's result in a similar equation, both will get the same result – the symmetric encryption key, since AES is a symmetric cipher.
Eve will know the common variables and the result. She can try all the values for this in a brute-force fashion and hope to find a key able to decipher their messages correctly. The big catch: It's easy to use that formula in a straightforward way. It's a mathematically more difficult thing to calculate the secret variable while hoping to find a key that will successfully decrypt messages. All that within 60 minutes. Best of luck.

The only real thing someone can "do" to you if he/she got your keys is take up all the connection slots for themselves so that you keep getting disconnected. But you can stop this by simply invalidating your key pair in the client area – and slot abuse is no more. :)

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Thanks for your good explanation! But two questions are left :)
1. What does AirVPN do with RSA 4096? As I understand DH and Aes will be used.  For what is RSA needed?
2. When I create a config file, I am able to choose with Tsl1.3 and without. What's exactly the difference? TLS is needed anyway.

 

Share this post


Link to post
43 minutes ago, BKK20 said:

1. What does AirVPN do with RSA 4096? As I understand DH and Aes will be used.  For what is RSA needed?


As written before, RSA keys are used to authenticate your client against an AirVPN server. Since it's an asymmetric cipher (= you and the server have different RSA keys), mathematically difficult to calculate and even more difficult to break, it's perfect for a use case like authentication. Perhaps it gets clearer if you know that the alternative in the context of OpenVPN would be username/password. :)
 
43 minutes ago, BKK20 said:
2. When I create a config file, I am able to choose with Tsl1.3 and without. What's exactly the difference? TLS is needed anyway.

Sorry, where? I just looked and couldn't find it.
TLS 1.3 added some features and improved or removed others. In general, weak cipher suites (as in, in the past someone was publically able to break it) were removed and the protocol was made more robust against attacks. The new version is especially important for the web, less so for OpenVPN (all secured against manipulation, anyway), but it's possible to use 1.3 with it and the ChaCha20 cipher.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
10 hours ago, OpenSourcerer said:

As written before, RSA keys are used to authenticate your client against an AirVPN server. Since it's an asymmetric cipher (= you and the server have different RSA keys), mathematically difficult to calculate and even more difficult to break, it's perfect for a use case like authentication. Perhaps it gets clearer if you know that the alternative in the context of OpenVPN would be username/password.


I think I got it. :) So, RSA is only used for the authentification. That means that the private key in my .ovpn will be used with the encryption method RSA? for the authentification process? 
I have my own VPN server as well. There I use OpenVPN and enter a private key password before the connection will be established to the VPN. But in this .ovpn file is also a private key. Does it mean that two methods are used? Password + RSA?
 
On 12/22/2020 at 10:14 PM, OpenSourcerer said:

The only real thing someone can "do" to you if he/she got your keys is take up all the connection slots for themselves so that you keep getting disconnected. But you can stop this by simply invalidating your key pair in the client area – and slot abuse is no more.

I have seen that its possible to change the keys. If I renew the keys does it mean I change the keys for the authentifaction method? AirVPN also write that I should add new keys for each device. Why? As you also wrote I could use the same .ovpn file for all devices with the same key.
 
10 hours ago, OpenSourcerer said:

Sorry, where? I just looked and couldn't find it.
TLS 1.3


Sorry, it was not TLS 1.3, it's 1.2
image.thumb.png.4411a986a984b94ca6eb447597ba1946.png
I can create a config file with tls-crypt 1.2 or without any specific specs. Whats the difference?

Thanks in advance!

Share this post


Link to post
1 hour ago, BKK20 said:

That means that the private key in my .ovpn will be used with the encryption method RSA? for the authentification process? 


The private key is part of the encryption method RSA, so yes.
 
1 hour ago, BKK20 said:

There I use OpenVPN and enter a private key password before the connection will be established to the VPN. But in this .ovpn file is also a private key. Does it mean that two methods are used? Password + RSA?


In this case, the profile contains the RSA key encrypted with your password. It's a safer way of storing the key if you don't fully trust the storage location, e.g. a SMB share or NFS export used by others. People can download the profile and try to use it with OpenVPN but will find that the password is needed to decrypt it in the first place.
 
1 hour ago, BKK20 said:

If I renew the keys does it mean I change the keys for the authentifaction method?


Yes, the key will be fundamentally different.
 
1 hour ago, BKK20 said:

AirVPN also write that I should add new keys for each device. Why? As you also wrote I could use the same .ovpn file for all devices with the same key.


Every account can have five concurrent connections to AirVPN. In theory, you can connect with the same key multiple times but you can't do that to the same OpenVPN daemon (as in, connect to the same server with the same connection settings). If you use different keys, you make your life easier:
  • The aforementioned restrictions don't apply, connect up to five times to the same server using UDP/443 for example without issue.
  • You can name the keys, for example "my PC", "Android" or "Mom". If you see an active session in your client area, you will know which device is using it – or who, naming those keys is at your discretion and is only shown in the client area.
  • A triviality: If someone manages to get hold of your key and you used that key on all your devices, and you now must go and renew the key, you need to reimport the new key everywhere. If you had five different keys for all the devices, you only would have needed to reimport the one compromised key on one device.
3 hours ago, BKK20 said:

I can create a config file with tls-crypt 1.2 or without any specific specs. Whats the difference?


More specifically, the difference between tls-auth and tls-crypt. The nameless option is tls-auth. tls-crypt is more secure because it prevents a few attack vectors against the whole process of creating a TLS session between two communication parties (like an OpenVPN server and client). If you're not using a very old OpenVPN version (pre-2.4), always use tls-crypt.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...