please add tls-crypt option in openvpn

[yon]

my openvpn 2.5 using tls-crypt ta.key, pfsense has this option, but opnsense has no this.
now i using opnsense can't connect to remote openvpn when no tls-crypt.

so please add tls-crypt support.

[Gauss23]

You can use the advanced settings box for the moment:

Code: [Select]

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
Your static key here
-----END OpenVPN Static key V1-----
</tls-crypt>
Works for me.

[yon]

i creat ta.key file put in etc and config it advanced settings, uncheck default tls option. vpn can up.

but i can't ping and route connect tunnel inside ipv4 and ipv6 remote ip.

VPN still can't normal work.

Code: [Select]

ifconfig 10.16.0.2 10.16.0.1
ifconfig-ipv6 2a0d:2408:512:a::3/124 2a0d:2408:512:a::2


[Gauss23]

With that amount of information you won't get any help.

Please post your OpenVPN config (without public IP/FQDN and without tls crypt).
Screenshot would be the best option.

[yon]

Code: [Select]

ping 2a0d:2408:512:a::2
ping: cannot resolve 2a0d:2406:512:a::2: Unknown server error

pull-filter ignore peer-id
ifconfig-ipv6 2a0d:2408:512:a::3/124 2a0d:2408:512:a::2
reneg-sec 86400
persist-key
persist-tun
link-mtu 1500
ifconfig 10.16.0.2 10.16.0.1
auth-nocache
ping-timer-rem
remote-cert-tls server
tls-version-min 1.3
sndbuf 0
rcvbuf 0
tls-crypt /etc/openvpn/ta.key
now ipv4 can ping, but ipv6 can't ping and route.

[Gauss23]

Try it with

Code: [Select]

ping6 2a0d:2408:512:a::2

[yon]

Try it with

Code: [Select]

ping6 2a0d:2408:512:a::2

ok, this command ping6 work. Thanks.   

[TheChickenMan]

You can use the advanced settings box for the moment:

Code: [Select]

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
Your static key here
-----END OpenVPN Static key V1-----
</tls-crypt>
Works for me.

I've been using this method as well but the big warning about "this feature being removed in the future" is kind of scary. Would be nice if there was just a supported field for this information in the UI.

[akha666]

  What is the bad luck, I've registered to start post about this issue. But first I search for it, to not duplicate the thread.
I had this setting in pfSense
TLS Key Usage Mode
TLS keydir direction
any workaround?, I wish to add this feature.

[3spi]

Trying to do the exact same thing. As TheChickenMan replied, I also filled in my ta.key there.

My VPN client in OpnSense is generating this as output in the logging:
2021-03-28T17:42:43   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000
2021-03-28T17:42:42   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000
2021-03-28T17:42:41   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000
2021-03-28T17:42:40   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000
2021-03-28T17:42:39   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000
2021-03-28T17:42:38   openvpn[27646]: PO_CTL rwflags=0x0001 ev=6 arg=0x00000000

The connection status stays on "connecting". It doesn't look to go any further. Also my virtual SSL VPN adapter in the dashbord doesn't show an IP. Could this ta.key be the problem as well?