FEATURE: Infinite TLS-Crypt-V2 Client keys per Server key #104
Comments
For those of you who understand such things, this is not commonly known as "a key array"
This is more tricky than it looked at first -
Not so bad after all ;-) Rebuilding the easytls inline index does not work because rebuilding does not detect
@houmie this would allow you to have multiple TLS CV2 keys per x509 Cert .. interested ?
Hi @TinCanTech
The main benefit which I can see is that you can have multiple VPN profiles all using different TLS CV2 Keys but all using the same x509 cert. So if one key gets matched by DPI another may not ;-)
Ah yes, makes sense. Sounds intriguing. :-) I'm happy to put some time aside and test this next week, if this is ready. Is there any documentation on how this is set up compared to the classic way?
There is no documentation, other than this issue. Essentially, you would do this:
As a Client you would have something like:
Each Inline file would have your client x509 details plus one sub-key. You would then plug these into an OpenVPN config file compatible with your server and voila! Travellers may find they can use different keys if they are blocked by DPI. There would also be details for other clients of yours and they can all have sub-keys. One unfortunate flaw though is that users cannot remotely create their own TLS Crypt V2 key.
Awesome. I will get to this 100% and test it. I'm away this week but return on Sunday. I'll definitely get it done. 👍🏼
I am in the process of reviewing the new code for this. It is quite a large change but overall I am quite pleased with it. In the process of writing this I had to extend my test suite and also really drill down into the lower functions to ensure the correct data is returned. It can still be improved but it is getting sweeter ;-) It will be ready for 2021 !
Opt: Use TBD Signed-off-by: Richard Bonhomme <[email protected]>
…file Signed-off-by: Richard Bonhomme <[email protected]>
Please let me know if you experience any problems. Please post your logs.
Hello. Happy new year, mate.
Alrighty, as promised I'm back. I have setup a fresh server with OpenVPN 2.5.0 installed. I thought I double check the steps with you.
In the old way I would continue creating the client like this:
But I think now instead of that, I should be creating sub-certificate keys straight away?
Could you provide more details, please?
Good morning, Yes that's fine, I'm happy to create the config files for OpenVPN by myself. I just need to understand it better so I can automate it and test them on my end.
Thanks
Whatever you choose to use on the server, you must also use on the client.
At both ends, instead of specifying Or copy/paste the Inline file into your config file. If you paste it in at the very end of the file then the settings you paste in will override any previous setting. But it makes sense to remove the old settings from your config to keep it tidy. Automating the use of the Inline files seems like overkill to me.
Good evening mate, I see. Of course, sorry I should have looked into the inline file to see it for myself. It simply includes all four below, which will no longer be required in the server config.
So far so good. This will not change anything with client.ovpn, correct? In there everything stays the same. Now to the next test. You mentioned that multiple VPN profiles can now all be using different TLS CV2 Keys but all using the same x509 cert. How can I create a second client ovpn that can do that? That means it will have the same or could you explain the use case, please ?
That sounds correct. (Except, you do not require the direction parameter
Not sure I understand. Your client must use the correct credentials ..
Yes, that is the idea.
Sure, The server side is fairly straightforward, you only have the one The client is slightly different when using the Think of it like this:
In order to create multiple subkeys do this:
You can have unlimited client keys per server key. All client keys for any specific server key must use the same
I first named this option
Ah very nice. It is now coming together in my head. Allow me to sleep over this and I'll continue tomorrow. I think
Many thanks for taking time to help me.
I agree because of confusing cert and key in one option. But technically, it is a key which is used in a sub-certificate fashion ;-)
No problem. My pleasure.
ha. :-) The documentation that you just added made it super clear. So I could have one server and three clients for different devices, such as iPhone, Laptop and Android phone. If one of the devices gets caught by DPI in future, the other devices will still work. Another scenario is that I could write a native phone app and integrate OpenVPN in it. Then I could include three sub-keys in the same app. The user could then switch between the sub-keys on the same phone. So when one of the sub-keys is caught, switching to another sub-key will make it work again. Correct?
That is the idea.. but beware, it may work, not it will work again. This is the problem with DPI; they have all the power and no matter what we do, it is still possible that this trick can be blocked. But it is quite a nice trick on our side, for a change.
Hey buddy, Sorry, I'm struggling a bit with time. I will finish the testing by this weekend. My plan is to create two sub-keys for two separate clients and connect to the same server to see if it all works smoothly.
There is no rush. You have already helped me a lot and I am grateful for your time.
I would only ask that you make sure to use
@houmie I cannot thank you enough for the help and effort you have already made. I have only one further request, please use option 🍰 EG:
I am thinking, this command could have a
Hi buddy, I've been testing everything on master via the verbose flag. Everything looks solid. But the VPN connection test is still outstanding. I hope to get that done tomorrow morning my time. I have one question: If I create two sub-key clients:
The server should recognise and accept either one of them. Or the same device could import two OpenVPN profiles, one with mySubKey1 included and the other profile with mySubKey2. Have I understood it correctly?
You have understood correctly. Both of your methods above are valid. All TLS-Crypt-V2 Client keys, regardless of
Yes, I think this would be useful. 👍🏼
Closing in favour of interactive menus
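The setup agreed above (one x509 client cert shared by several profiles, each profile carrying a different TLS-Crypt-V2 client key) together with the earlier advice to paste the inline credentials at the very end of the config so they take precedence, as an added shell example. This is not Easy-TLS or OpenVPN project code. The base config, the file names, the node name B4 and every "key" or "certificate" content are constructed placeholders (A3 is the node name used in this thread); `<ca>`, `<cert>`, `<key>` and `<tls-crypt-v2>` are OpenVPN's standard inline blocks.

```shell
#!/bin/sh
# Added example, not Easy-TLS or OpenVPN project code. Builds one OpenVPN
# client profile per TLS-Crypt-V2 client key while every profile shares the
# same x509 client cert/key. All inputs below are constructed placeholders.
set -eu

# emit_profile BASE_CONF CA CERT KEY TCV2KEY OUT
# Copies the base config minus its file-based credential directives, then
# appends the credentials as inline blocks at the very end of the profile.
# OpenVPN applies later options over earlier ones, so appending at the end
# is what lets the inline blocks win; dropping the old lines keeps it tidy.
emit_profile() {
  base=$1; ca=$2; cert=$3; key=$4; tcv2=$5; out=$6
  {
    grep -Ev '^(ca|cert|key|tls-crypt-v2)[[:space:]]' "$base" || true
    printf '<ca>\n';           cat "$ca";   printf '</ca>\n'
    printf '<cert>\n';         cat "$cert"; printf '</cert>\n'
    printf '<key>\n';          cat "$key";  printf '</key>\n'
    printf '<tls-crypt-v2>\n'; cat "$tcv2"; printf '</tls-crypt-v2>\n'
  } > "$out"
}

# build_profiles BASE CA CERT KEY OUTDIR TCV2KEY...
# One profile per TLS-Crypt-V2 key; the x509 cert and key are shared.
# The profile name follows the key file name: c01-A3-tls-crypt-v2.key -> c01-A3.ovpn
build_profiles() {
  base=$1; ca=$2; cert=$3; key=$4; outdir=$5
  shift 5
  for tcv2 in "$@"; do
    name=$(basename "$tcv2" -tls-crypt-v2.key)
    emit_profile "$base" "$ca" "$cert" "$key" "$tcv2" "$outdir/$name.ovpn"
    printf '%s\n' "$outdir/$name.ovpn"
  done
}

# check_profile FILE
# Succeeds only if each credential appears exactly once as an inline block
# and no file-based directive is left behind to conflict with it.
check_profile() {
  f=$1
  for tag in ca cert key tls-crypt-v2; do
    n=$(grep -cx "<$tag>" "$f") || true
    [ "$n" -eq 1 ] || return 1
    if grep -Eq "^$tag[[:space:]]" "$f"; then return 1; fi
  done
  return 0
}

# demo: write constructed inputs to a scratch directory, build two profiles
# for the same client cert c01 (nodes A3 and B4), and print the directory.
demo() {
  work=$(mktemp -d)
  cat > "$work/base.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert c01.crt
key c01.key
tls-crypt-v2 c01-A3-tls-crypt-v2.key
verb 3
EOF
  # Constructed placeholder contents, not real PEM or key material.
  printf '%s\n' 'PLACEHOLDER-CA'      > "$work/ca.crt"
  printf '%s\n' 'PLACEHOLDER-CERT'    > "$work/c01.crt"
  printf '%s\n' 'PLACEHOLDER-KEY'     > "$work/c01.key"
  printf '%s\n' 'PLACEHOLDER-TCV2-A3' > "$work/c01-A3-tls-crypt-v2.key"
  printf '%s\n' 'PLACEHOLDER-TCV2-B4' > "$work/c01-B4-tls-crypt-v2.key"
  # Profile paths go to stderr so stdout carries only the scratch directory.
  build_profiles "$work/base.conf" "$work/ca.crt" "$work/c01.crt" "$work/c01.key" \
    "$work" "$work/c01-A3-tls-crypt-v2.key" "$work/c01-B4-tls-crypt-v2.key" >&2
  printf '%s\n' "$work"
}

demo
```

Each generated profile ends with its own `<tls-crypt-v2>` block, so importing c01-A3.ovpn and c01-B4.ovpn on one device gives two profiles that present the same client cert but different TLS-Crypt-V2 keys. `check_profile` is the sanity check worth running before shipping a profile: a stray `tls-crypt-v2 somefile.key` line left above the inline block is exactly the kind of leftover the thread warns about.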
Easy-TLS can act as a fine-grained control of a single client X509 cert for multiple client nodes.
Something along the lines of:
--sub-cert-node=A3 build-tls-crypt-v2-client s01 c01 tct ab0123456789
This would create a TLS Crypt V2 key called:
c01-A3-tls-crypt-v2.key