
Asuswrt-Merlin on AC66U and HMAC

jansimonson

New Around Here
Using Asuswrt-Merlin 3.0.0.4.374.35_4 on my AC66U I have successfully set up an OpenVPN tunnel using the router as a client. However, to harden my tunnel I would also like to use HMAC. There is an option to activate HMAC on the client setup page, but I can't find any place to input the ta.key. I then tried to put the ta.key manually into the /etc/openvpn/client1 directory but with no luck, as there is no option "tls-auth ta.key 1" in the config.ovpn file even when the "Extra HMAC authorization" is set to "outgoing (1)".

Also, the client1 directory is erased when the client is taken offline and recreated again when the client is activated. So the files in it must be stored somewhere else and this is of course the place to put the ta.key. Unfortunately I can't find that place. I have activated the JFFS option, but there is nothing of interest there.

Is it at all possible to use HMAC, and if so how? Where are the config, key and cert files stored permanently?

Thanks for a very nice software!
 
The ta key is the same as a static key. Set extra HMAC auth to bidirectional.
 
The ta key is the same as a static key. Set extra HMAC auth to bidirectional.

Thank you for your answer. Yes, the ta.key is a static key. However, that doesn't answer the question where to input it for a _client_ in the gui or somewhere else manually.
Checking https://www.privateinternetaccess.c...on/1125/asus-rt-ac66u-openvpn-setup-guide-/p1 it seems as if there was a field for static key in version 3.0.0.4_270.26b (4 fields for clients), but in the current version, 3.0.0.4.374.35_4, this field is missing (only 3 fields for clients).
 
hi, tried inserting the keys into an ovpn file in an inline configuration? think you can drop in ovpn files for everything now
 
Asus moved the static field to the Static authentication, erroneously thinking that that field wasn't used in TLS mode. I added it back on the server page, but only added it to the client page after the last release. You will have to wait for the next release, or manually enter it (importing an ovpn file might work).
 
Thank you for your answer. Yes, the ta.key is a static key. However, that doesn't answer the question where to input it for a _client_ in the gui or somewhere else manually.
Checking https://www.privateinternetaccess.c...on/1125/asus-rt-ac66u-openvpn-setup-guide-/p1 it seems as if there was a field for static key in version 3.0.0.4_270.26b (4 fields for clients), but in the current version, 3.0.0.4.374.35_4, this field is missing (only 3 fields for clients).

I know Merlin has answered you but I am not following his response very clearly. At the outset, let me say that I am using an N66U and have an OpenVPN client with Expressvpn. I have tried two firmwares and both work fine for me, namely 374.34_2-sdk5 (ignore the sdk5 bit in this and the next firmware, just using the old broadcom driver) and 374.35_4-sdk5.

With the 34_2, yes it has the 4 fields under TLS. Using 35_4, I inputted 3 fields there (only 3 there), saved and applied. I then went to the drop down box alongside authorization mode and chose Static Key. I then clicked on "Content modification of keys ..." and input the ta.key there. I saved and then applied it. I then changed the drop down box to TLS and applied it.

I then connect and disconnect the client VPN at will and no problem.

Since you are using 35_4 why can you not do what I did? Is there something different with the VPN section with respect to the AC66U as opposed to the N66U?

If I am totally out to lunch forgive me.
 
With the 34_2, yes it has the 4 fields under TLS. Using 35_4, I inputted 3 fields there (only 3 there), saved and applied. I then went to the drop down box alongside authorization mode and chose Static Key. I then clicked on "Content modification of keys ..." and input the ta.key there. I saved and then applied it. I then changed the drop down box to TLS and applied it.

I then connect and disconnect the client VPN at will and no problem.

Since you are using 35_4 why can you not do what I did? Is there something different with the VPN section with respect to the AC66U as opposed to the N66U?

What a clever way to get around the problem! I followed your instructions and it worked like a charm also on the AC66U. I believe that the N66U and AC66U are very similar, except of course for the wireless radio.

Thank you very much for taking the time to help me!
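
A check for the symptom described in the first post (a generated config.ovpn with no tls-auth line), added here as an example and not part of any post or of Asuswrt-Merlin itself. The function name `check_tls_auth` and the sample config are made up for illustration; the function reads an OpenVPN client config and reports whether tls-auth is enabled through a key file or an inline `<tls-auth>` block, and with which direction.

```shell
#!/bin/sh
# Added example: report how (or whether) an OpenVPN client config enables
# tls-auth, the setting behind "Extra HMAC authorization" in the router GUI.
# Output is one of:
#   missing              no tls-auth directive and no inline <tls-auth> block
#   file:<key>:<dir>     key read from a file, e.g. "tls-auth ta.key 1"
#   inline:<dir>         key embedded in an inline <tls-auth> block
# <dir> is 0, 1, or "bidirectional" when no direction is given.
check_tls_auth() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        $1 ~ /^[#;]/          { next }          # skip commented-out directives
        $1 == "<tls-auth>"    { inline = 1; next }
        $1 == "tls-auth"      { file = $2; dir = $3 }
        $1 == "key-direction" { kdir = $2 }     # alternative way to set direction
        END {
            if (dir == "") dir = kdir
            if (dir == "") dir = "bidirectional"
            if (inline)          print "inline:" dir
            else if (file != "") print "file:" file ":" dir
            else                 print "missing"
        }' "$conf"
}

# Constructed sample (not taken from the thread): a client config that was
# generated without any tls-auth line, as the first post describes.
demo=$(mktemp)
printf 'client\ndev tun\nremote vpn.example.net 1194\n' > "$demo"
echo "generated config: $(check_tls_auth "$demo")"
rm -f "$demo"
```

On the router this would be pointed at the generated file the first post mentions, /etc/openvpn/client1/config.ovpn, while the client is active.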
 
