
build tls crypt v2 key

TinCanTech edited this page Jan 8, 2022 · 20 revisions

This page describes how to build a TLS-Crypt-v2 key

How TLS-Crypt-V2 keys work (Brief)

Use OpenVPN to build a TLS-Crypt-V2 Server key. This key has no prerequisites; it is free-standing and is not derived from, or tied to, any certificate.
Use OpenVPN to build a TLS-Crypt-V2 Client key, which is wrapped (encrypted and authenticated) with the Server key.
Only the server can unwrap a client TLS-Crypt-V2 key; the client cannot. The client presents its wrapped key at the start of the handshake, and the server unwraps it with the Server key and uses the result to protect the rest of the control channel.
See: https://github.com/OpenVPN/openvpn/blob/master/doc/tls-crypt-v2.txt

Build a SERVER GROUP TLS-Crypt-V2 key (Recommended)

A SERVER GROUP key is a distinct type of key because it is not associated with any X509 certificate. It is free to be used by any and all of your servers. (Its usage is similar to a Certificate-Authority key, ca.key, in that it is not tied to one server.)

  • Command line:
    • ./easytls build-tls-crypt-v2-group-server <server-GROUP-name>
  • Abbreviation: bc2gs
  • Notes:
    • <server-GROUP-name> can be any name at all. I recommend something which encompasses your entire organisation.
    • To --inline this key, you must first have an X509 Server certificate to associate it with.
      This is similar, in principle, to the three branches of government (lol):
      1. Build a free server-GROUP TLS-Crypt-V2 key, which can be used by any Server.
      2. Build a Server X509 certificate, which will be used by one server.
      3. Create the association between the TLS-Crypt-V2 key and the X509 certificate via an inline file.

Build a SERVER TLS-Crypt-V2 key (Has limitations)

This type of key is identical to a SERVER GROUP key, except that Easy-TLS associates it with one specific X509 Server certificate, so it cannot be shared between servers. (For lack of time, it was simpler to add SERVER GROUP keys than to rewrite the code to allow these keys to be moved around. I recommend that you use a SERVER GROUP key.)

  • Command line:
    • ./easytls build-tls-crypt-v2-server <server-name>
  • Abbreviation: bc2s
  • Options:
    • --inline - Create a corresponding inline file.

Build a CLIENT GROUP TLS-Crypt-V2 key

  • Command line:
    • ./easytls build-tls-crypt-v2-group-client <server-|group|-name> <client-name>
  • Abbreviation: bc2gc
  • Options:
    • --inline - Create a corresponding .inline file.
    • --sub-key=<NAME> - Create a TLS-Crypt-V2-Client-Sub-key file.
    • --custom-group=<GROUP-NAME> - Use a Custom-Group.
    • You can also add multiple filter-address fields to this key.

Build a CLIENT TLS-Crypt-V2 key

  • Command line:
    • ./easytls build-tls-crypt-v2-client <server-|group|-name> <client-name>
  • Abbreviation: bc2c
  • Options:
    • --inline - Create a corresponding .inline file.
    • --sub-key=<NAME> - Create a TLS-Crypt-V2-Client-Sub-key file.
    • --custom-group=<GROUP-NAME> - Use a Custom-Group.
    • You can also add multiple filter-address fields to this key.
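
Worked example, added here and not part of Easy-TLS: the plain OpenVPN (2.5 or later) `--genkey` steps that sit underneath the server-GROUP, server and client key commands above, plus the inline "association" step done by hand. It builds one group key, wraps two client keys under it (one with metadata, which OpenVPN expects to be supplied already base64-encoded), checks each file's armor, and writes a client key in OpenVPN's inline `<tls-crypt-v2>` form. It assumes `openvpn` is on PATH; the directory, client names and metadata string are illustrative.

```shell
#!/bin/sh
# Added example, not Easy-TLS code: the OpenVPN (2.5+) --genkey steps behind
# a server-GROUP key, wrapped client keys and an inline file. Assumes
# `openvpn` is on PATH; directory, client names and metadata are illustrative.
set -eu

# Build (once) a server-GROUP key in $1 and wrap a client key for client $2
# under it. $3 is optional metadata and, as OpenVPN expects, must already be
# base64-encoded; without it OpenVPN stores a creation timestamp instead.
build_tcv2_keys() {
    dir=$1
    client=$2
    meta=${3:-}
    mkdir -p "$dir"
    # 1. Server (group) key: random, no prerequisites, tied to no certificate.
    [ -f "$dir/group.key" ] || openvpn --genkey tls-crypt-v2-server "$dir/group.key"
    # 2. Client key: generated and wrapped with the group key. The client file
    #    holds its own key plus the wrapped copy it presents at connect time;
    #    only a server holding group.key can unwrap that copy.
    if [ -n "$meta" ]; then
        openvpn --tls-crypt-v2 "$dir/group.key" \
            --genkey tls-crypt-v2-client "$dir/$client.key" "$meta"
    else
        openvpn --tls-crypt-v2 "$dir/group.key" \
            --genkey tls-crypt-v2-client "$dir/$client.key"
    fi
}

# Report which kind of TLS-Crypt-V2 key a file is, from its PEM-style armor:
# prints "server", "client" or "unknown".
tcv2_key_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OpenVPN tls-crypt-v2 server key-----") echo server ;;
        "-----BEGIN OpenVPN tls-crypt-v2 client key-----") echo client ;;
        *) echo unknown ;;
    esac
}

# 3. Association step: emit the key in OpenVPN's inline syntax so it can be
#    appended to the .ovpn/.conf that already carries the matching <cert>.
inline_fragment() {
    printf '<tls-crypt-v2>\n'
    cat "$1"
    printf '</tls-crypt-v2>\n'
}

main() {
    out=${1:-./tcv2-demo}
    build_tcv2_keys "$out" alice
    # Two clients share one group key; the server needs only group.key.
    build_tcv2_keys "$out" bob "$(printf '%s' 'bob-laptop' | base64)"
    for f in "$out"/*.key; do
        printf '%s: %s\n' "$f" "$(tcv2_key_kind "$f")"
    done
    inline_fragment "$out/alice.key" > "$out/alice.inline"
}

# Run the demo only when openvpn is installed; the helper functions above are
# usable from a sourcing script either way.
if command -v openvpn >/dev/null 2>&1; then
    main "$@"
fi
```

On the server side the single `group.key` goes in the config as `tls-crypt-v2 group.key`; each client gets only its own wrapped key, either as `tls-crypt-v2 alice.key` or as the `<tls-crypt-v2>` block written above, appended to the profile that holds that client's certificate. The metadata field is what a server-side `--tls-crypt-v2-verify` script receives at connect time, so anything you need to check per client (the role Easy-TLS's filter fields play) belongs there rather than in the client certificate.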