tls-crypt-v2 with openvpn service

cryptomon
Posts: 37
Joined: Fri Feb 23, 2018 7:32 am

tls-crypt-v2 with openvpn service

Post by cryptomon » Tue Nov 09, 2021 11:09 am

Summary:
Following the blog https://cryptostorm.is/blog/tlscryptv2 for tls-crypt-v2 setup using the command line in bash under "For everyone else". I use the steps given as:

wget -O tcv2.key https://cryptostorm.is/tlscryptv2
openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key

except for the fact I need to modify the connect using a service file.
openvpn-client@.service
where my override.conf file is modified to be

[Service]
ExecStart=
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --tls-crypt-v2 tcv2.key

However, I get this error:
openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode

I'm applying something wrong here. Is the openvpn command above meant to replace the tls-crypt-v1 certificate or do I still need to modify the .conf file? Not sure why I get this error, if someone might have a suggestion?

cryptomon
Posts: 37
Joined: Fri Feb 23, 2018 7:32 am

Re: tls-crypt-v2 with openvpn service

Post by cryptomon » Sat Nov 13, 2021 7:18 pm

Okay the solution I've found after following the guidelines for the manual method was that when applying the command

openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key

which in my case was as shown above using override.conf service file, one must have also deleted the existing key in the given config file. I did this using the sed command

sed -i '/<tls-crypt>/,/<\/tls-crypt>/d' "<whatever>.conf"

df
Site Admin
Posts: 495
Joined: Thu Jan 01, 1970 5:00 am

Re: tls-crypt-v2 with openvpn service

Post by df » Fri Nov 19, 2021 2:15 am

Yea, "openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode" means you can only have tls-crypt or tls-crypt-v2, but not both.
If you're in a directory that contains a bunch of .ovpn configs with the old <tls-crypt> tags, you can use something like this to replace them all with tls-crypt-v2:

wget -qO/tmp/tlskey https://cryptostorm.is/tlscryptv2 # first download a tls-crypt-v2 key
find . -type f -name '*.ovpn' -exec sed -e '/<tls-crypt>/,/<\/tls-crypt>/d' -e '/<\/ca>/a <tls-crypt-v2>\n<\/tls-crypt-v2>' -i {} \; -exec sed -e '/<tls-crypt-v2>/r /tmp/tlskey' -i {} \;
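
An added example, not part of df's post or cryptostorm's own tooling: the same replacement written as functions that first list which wrapping options a config carries, refuse to edit when the key file is missing or empty, skip configs that are already converted, and keep a backup. The function names, file names and key text are constructed placeholders, and appending the block at the end of a config that has no inline `</ca>` is an assumption that goes beyond the one-liner above.

```bash
#!/usr/bin/env bash
# Added example: file names and key text below are constructed placeholders.

# List the control-channel wrapping options present in an OpenVPN config,
# whether written as a directive line or as an inline <tag> block.
tls_wrap_modes() {
    awk '{ sub(/^[ \t]*(<|--)?/, ""); sub(/[ \t>].*$/, "") }
         /^tls-(auth|crypt|crypt-v2)$/' "$1" | sort -u
}

# Swap an inline <tls-crypt> block for a <tls-crypt-v2> block filled from
# KEYFILE. Refuses an empty or missing key, leaves a config that already
# has tls-crypt-v2 untouched, and keeps the original as CONF.bak.
migrate_to_v2() {
    local conf="$1" key="$2" tmp
    [ -s "$key" ] || { echo "key file '$key' missing or empty" >&2; return 1; }
    if tls_wrap_modes "$conf" | grep -qx 'tls-crypt-v2'; then return 0; fi
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk -v key="$key" '
        function emit(   l) {
            print "<tls-crypt-v2>"
            while ((getline l < key) > 0) print l
            close(key); print "</tls-crypt-v2>"; done = 1
        }
        /^[ \t]*<tls-crypt>/     { skip = 1 }
        !skip                    { print }
        /^[ \t]*<\/tls-crypt>/   { skip = 0; next }
        /^[ \t]*<\/ca>/ && !done { emit() }
        END { if (!done) emit() }   # assumption: no inline <ca>, so append
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# Demo on a constructed config; nothing is downloaded.
demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' 'client' '<ca>' 'CONSTRUCTED-CA' '</ca>' \
        '<tls-crypt>' 'CONSTRUCTED-V1-KEY' '</tls-crypt>' > "$d/demo.ovpn"
    printf '%s\n' 'CONSTRUCTED-V2-KEY' > "$d/tcv2.key"
    migrate_to_v2 "$d/demo.ovpn" "$d/tcv2.key" && tls_wrap_modes "$d/demo.ovpn"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running `tls_wrap_modes` against the config a service unit loads shows at a glance whether adding `--tls-crypt-v2` to `ExecStart` would trigger the "mutually exclusive" error.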

cryptomon
Posts: 37
Joined: Fri Feb 23, 2018 7:32 am

Re: tls-crypt-v2 with openvpn service

Post by cryptomon » Sat Nov 20, 2021 5:33 am

Thanks for the feedback
