tls-crypt-v2 with openvpn service


Re: tls-crypt-v2 with openvpn service

by cryptomon » Sat Nov 20, 2021 5:33 am

Thanks for the feedback

Re: tls-crypt-v2 with openvpn service

by df » Fri Nov 19, 2021 2:15 am

Yea, "openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode" means you can only have tls-crypt or tls-crypt-v2, but not both.
If you're in a directory that contains a bunch of .ovpn configs with the old <tls-crypt> tags, you can use something like this to replace them all with tls-crypt-v2:

wget -qO/tmp/tlskey https://cryptostorm.is/tlscryptv2 # first download a tls-crypt-v2 key
# for every .ovpn: delete the old <tls-crypt>...</tls-crypt> block, append an empty <tls-crypt-v2> block after </ca>, then read the key file into that block
find . -type f -name '*.ovpn' -exec sed -e '/<tls-crypt>/,/<\/tls-crypt>/d' -e '/<\/ca>/a <tls-crypt-v2>\n<\/tls-crypt-v2>' -i {} \; -exec sed -e '/<tls-crypt-v2>/r /tmp/tlskey' -i {} \;

Re: tls-crypt-v2 with openvpn service

by cryptomon » Sat Nov 13, 2021 7:18 pm

Okay, the solution I've found after following the guidelines for the manual method was that when applying the command

Code:

openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key

which in my case was applied as shown above using the override.conf service file, one must also have deleted the existing key in the given config file. I did this using the sed command

Code:

sed -i '/<tls-crypt>/,/<\/tls-crypt>/d' "<whatever>.conf"

tls-crypt-v2 with openvpn service

by cryptomon » Tue Nov 09, 2021 11:09 am

Summary:
Following the blog https://cryptostorm.is/blog/tlscryptv2 for the tls-crypt-v2 setup using the command line in bash under "For everyone else". I use the steps given as:

Code:

wget -O tcv2.key https://cryptostorm.is/tlscryptv2
openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key

except for the fact that I need to modify the connection to use a service file, openvpn-client@.service, where my override.conf file is modified to be:

Code:

[Service]
ExecStart=
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --tls-crypt-v2 tcv2.key

However, I get this error:

openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode

I'm applying something wrong here. Is the openvpn command above meant to replace the tls-crypt-v1 certificate, or do I still need to modify the .conf file? I'm not sure why I get this error; does someone have a suggestion?
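An added example, not code from this thread or from cryptostorm: a small POSIX shell script that does what df's one-liner does (drop the inline <tls-crypt> block, add a <tls-crypt-v2> block after </ca> filled from the downloaded key) for one config at a time, and also counts the tls-auth / tls-crypt / tls-crypt-v2 declarations in a config so the "mutually exclusive in client mode" error from the first post can be caught before openvpn-client@.service is restarted. It writes to a new file instead of editing in place, uses awk rather than sed's a and r commands for the insertion, and the config and key in its demo are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptostorm: convert one OpenVPN
# client config from an inline <tls-crypt> block to an inline <tls-crypt-v2> block
# and check that only one TLS control-channel wrapping method is left.
# Assumes: POSIX sh, sed, awk, grep; a key file in the plain-text form that
# https://cryptostorm.is/tlscryptv2 serves (the demo below uses a constructed stand-in).

# Count how many of tls-auth / tls-crypt / tls-crypt-v2 a config declares, either as a
# directive line or as an inline <...> block. OpenVPN's client mode refuses more than one
# ("--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode"),
# so a count above 1 predicts that Options error before the service is even started.
tls_wrap_count() {
    grep -cE '^[[:space:]]*(tls-auth|tls-crypt|tls-crypt-v2)([[:space:]]|$)|^[[:space:]]*<(tls-auth|tls-crypt|tls-crypt-v2)>' "$1" || true
}

# convert_to_tls_crypt_v2 SRC KEYFILE DST
# Writes a converted copy to DST and leaves SRC untouched, so a bad key file or a
# malformed config can be spotted before anything replaces the working config.
convert_to_tls_crypt_v2() {
    src=$1; keyfile=$2; dst=$3
    [ -s "$keyfile" ] || { echo "key file $keyfile is missing or empty" >&2; return 1; }
    [ -f "$src" ]     || { echo "config $src not found" >&2; return 1; }
    # 1. delete the old <tls-crypt>...</tls-crypt> block (same range delete as in the thread)
    # 2. after </ca>, emit <tls-crypt-v2>, the key file's lines, and </tls-crypt-v2>
    #    (awk is used here instead of the thread's sed 'a' and 'r' commands; same result)
    sed -e '/<tls-crypt>/,/<\/tls-crypt>/d' "$src" \
      | awk -v keyfile="$keyfile" '
          { print }
          /^[[:space:]]*<\/ca>[[:space:]]*$/ {
              print "<tls-crypt-v2>"
              while ((getline line < keyfile) > 0) print line
              close(keyfile)
              print "</tls-crypt-v2>"
          }' > "$dst" || return 1
    # Post-check: exactly one wrapping method must remain, otherwise refuse the result.
    if [ "$(tls_wrap_count "$dst")" != "1" ]; then
        echo "$dst would still trip the mutual-exclusion check (or has no </ca>)" >&2
        return 1
    fi
}

# Demo on constructed files (run: sh thisfile.sh --demo).
demo() {
    tmp=$(mktemp -d)
    # constructed sample config with an old-style inline <tls-crypt> block
    printf 'client\nremote vpn.example.invalid 443\n<ca>\nCONSTRUCTED-CA\n</ca>\n<tls-crypt>\nCONSTRUCTED-OLD-KEY\n</tls-crypt>\nverb 3\n' > "$tmp/old.ovpn"
    # constructed placeholder for the downloaded tls-crypt-v2 key (not a real key)
    printf 'CONSTRUCTED-TLS-CRYPT-V2-KEY\n' > "$tmp/tcv2.key"
    convert_to_tls_crypt_v2 "$tmp/old.ovpn" "$tmp/tcv2.key" "$tmp/new.ovpn" && cat "$tmp/new.ovpn"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with --demo to see the converted sample. For a real config, call convert_to_tls_crypt_v2 on a copy and, once the converted file passes the check, point ExecStart at it with only --config, as in df's reply: the key is then inline in the config, so no separate key path is needed on the command line.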
