
build tls crypt v2 key

TinCanTech edited this page Jan 9, 2022 · 20 revisions

This page describes how to build a TLS-Crypt-v2 key

How TLS-Crypt-V2 keys work (Brief)

Use OpenVPN to build a TLS-Crypt-V2 Server key. This key has no prerequisites; it is Free (not tied to any certificate).
Use OpenVPN to build a TLS-Crypt-V2 Client key, which is wrapped (encrypted) by the Server key.
Only the server can unwrap a client TLS-Crypt-V2 key; the client cannot.
See: https://github.com/OpenVPN/openvpn/blob/master/doc/tls-crypt-v2.txt

Build a SERVER GROUP TLS-Crypt-V2 key (Recommended)

A SERVER GROUP key is a unique type of key because it is not associated with any X509 certificate. It is free to be used by any and all of your servers. (Its usage is similar to that of a Certificate-Authority key, ca.key.)

  • Command line:
    • ./easytls build-tls-crypt-v2-group-server <server-GROUP-name>
  • Abbreviation: bc2gs
  • Parameters:
    • <server-GROUP-name> - Any single contiguous word.
      I recommend something which encompasses your entire organisation.
  • Notes:
    • To --inline this key, you must first have an X509 Server certificate to associate it with.
      This is similar, in principle, to the Three Branches of Government. (lol)
      1. Build a free server-GROUP TLS-Key, which can be used by any Server.
      2. Build a Server X509-Certificate, which will be used by a server.
      3. Create an association between the TLS-key and X509-Certificate via an inline file.

Build a SERVER TLS-Crypt-V2 key (Has limitations)

This type of key is identical to a SERVER GROUP key, except that Easy-TLS associates it with a specific X509 Server certificate. (Due to my lack of time, it was simpler to create SERVER GROUP keys than to rewrite the code to allow these keys to be moved around. I recommend that you use a SERVER GROUP key.)

  • Command line:
    • ./easytls build-tls-crypt-v2-server <server-name>
  • Abbreviation: bc2s
  • Parameters:
    • <server-name> - X509 Certificate Common-Name of your Server.
  • Options:
    • --inline - Create a corresponding inline file.

Build a CLIENT GROUP TLS-Crypt-V2 key

  • Command line:
    • ./easytls build-tls-crypt-v2-group-client <server-|GROUP|-name> <client-GROUP-name>
  • Abbreviation: bc2c
  • Parameters:
    • <server-|GROUP|-name> - <server-GROUP-name> or X509 Certificate <server-name>.
    • <client-GROUP-name> - Any single contiguous word.
      I recommend something memorable, such as Family or Friends etc.
  • Options:
    • --inline - Create a corresponding .inline file.
    • --sub-key=<NAME> - Create a TLS-Crypt-V2-Client-Sub-key file.
    • --custom-group=<GROUP-NAME> - Use a Custom-Group.
    • You can also add multiple filter-address fields to this key. However, this is unlikely to be of value for a GROUP key.

Build a CLIENT TLS-Crypt-V2 key

  • Command line:
    • ./easytls build-tls-crypt-v2-client <server-|GROUP|-name> <client-name>
  • Abbreviation: bc2c
  • Options:
    • --inline - Create a corresponding .inline file.
    • --sub-key=<NAME> - Create a TLS-Crypt-V2-Client-Sub-key file.
    • --custom-group=<GROUP-NAME> - Use a Custom-Group.
    • You can also add multiple filter-address fields to this key.
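The plain openvpn(8) commands behind the SERVER GROUP key procedure (steps 1 to 3 above) and the CLIENT key sections, plus a small builder for the step-3 inline association, as an added example that is not Easy-TLS's own code. `--genkey tls-crypt-v2-server`, `--genkey tls-crypt-v2-client` and `--tls-crypt-v2` are the OpenVPN options; the helper names (gen_server_key, gen_client_key, check_marker, build_inline, count_tc2_blocks) and the file names in demo() are assumptions. Easy-TLS's own inline layout, sub-keys, custom groups and filter-address metadata are not reproduced.

```shell
#!/bin/sh
# Added example, not part of Easy-TLS: the openvpn(8) steps behind the
# SERVER GROUP and CLIENT key sections, plus an inline-file builder for
# step 3 (associating a TLS-Crypt-V2 key with an X509 certificate).
# Helper and file names below are assumptions; the openvpn options are real.

# Step 1: build a free TLS-Crypt-V2 server (group) key. No X509 prerequisite.
gen_server_key() {
    # $1 = output path for the server key
    openvpn --genkey tls-crypt-v2-server "$1"
}

# Build a client key wrapped by the server key. Only a holder of the server
# key can unwrap it, so a client key alone cannot be used to mint others.
gen_client_key() {
    # $1 = server key used for wrapping, $2 = output path for the client key
    openvpn --tls-crypt-v2 "$1" --genkey tls-crypt-v2-client "$2"
}

# Sanity check before inlining: the file exists, is non-empty and carries the
# expected PEM-style marker, so an empty or wrong file is caught up front.
check_marker() {
    # $1 = file, $2 = marker text that must appear in it
    [ -s "$1" ] || { echo "missing or empty file: $1" >&2; return 1; }
    grep -q -- "$2" "$1" || { echo "no '$2' marker in $1" >&2; return 1; }
}

# Step 3: write the association as an OpenVPN inline block file.
# Works for a server (server key inlined) or a client (wrapped client key).
# Nothing is written unless all three inputs pass check_marker.
build_inline() {
    # $1 = X509 certificate, $2 = private key, $3 = TLS-Crypt-V2 key, $4 = output
    check_marker "$1" "BEGIN CERTIFICATE" || return 1
    check_marker "$2" "PRIVATE KEY" || return 1
    check_marker "$3" "OpenVPN tls-crypt-v2" || return 1
    {
        echo "# inline association: $(basename "$1") <-> $(basename "$3")"
        echo "<cert>";         cat "$1"; echo "</cert>"
        echo "<key>";          cat "$2"; echo "</key>"
        echo "<tls-crypt-v2>"; cat "$3"; echo "</tls-crypt-v2>"
    } > "$4"
}

# Count the tls-crypt-v2 blocks in an inline file (exactly one is expected).
count_tc2_blocks() {
    grep -c '^<tls-crypt-v2>$' "$1"
}

# End-to-end run; assumes server.crt/server.key and client1.crt/client1.key
# already exist from your PKI (assumed names).
demo() {
    gen_server_key server-group.key
    gen_client_key server-group.key client1-tc2.key
    build_inline server.crt  server.key  server-group.key server.inline
    build_inline client1.crt client1.key client1-tc2.key  client1.inline
}

# Only run the demo when explicitly asked and openvpn is installed.
if [ "${1:-}" = "demo" ] && command -v openvpn >/dev/null 2>&1; then
    demo
fi
```

Run it as `sh build-keys.sh demo` on a host with openvpn and an existing server and client certificate pair to go end to end. `build_inline` on its own needs only the three input files and refuses to write anything when one of them is empty or lacks its marker, which is the check worth having before an inline file is copied to a server.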