Solved: Get OpenVPN Android app to work

octopus

Part of the Furniture
Hi

I have to ask you: I can't get OpenVPN for Android (Arne Schwabe’s app, 0.7.61) working with tls-crypt-v2.
My three computers can connect and are working.
I think my cert generation is working; they need to be generated with the server cert.

Or are there any Android apps working with tls-crypt-v2?

I get these errors:
Control Channel: using tls-crypt-v2 key
tls_crypt_v2_unwrap_client_key: client key authentication error
Can not unwrap tls-crypt-v2 client key
TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]90.129.202.238:22238 (via [AF_INET]15x.1xx.11x.7x%eth0)
 
Try the official OpenVPN Connect app - currently 3.7.1 (10568).
Works a treat here.
 
Have you tls-crypt-v2 working?
Direct from the server:
 
I've had the time to have a bit of a play with this today. I cannot get the app that you are using to work to save my life. The official (and it's free) Android OpenVPN Connect app (suggested by Ripshod) works like a charm!

*Okay, scrub that, I have got the app you've been trying to use to work, but gaaahhhhh!
 
I get this error on the server when trying to connect from Android.
Everything works from the computer.
I have the tls-crypt-v2 key set in the file.

Control Channel: using tls-crypt-v2 key
tls_crypt_v2_unwrap_client_key: client key authentication error
Can not unwrap tls-crypt-v2 client key
TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]90.1x9.2x2.x38:20944 (via [AF_INET]1xx.1x4.11x.7x%eth0)
@RMerlin
Do you have hints or suggestions on this?

@Crimliar @Ripshod
 
I have had a look at the config file and I see nothing at all to force tls-crypt-v2. How do you deduce that it should be available? The OpenVPN server on these routers is somewhat stripped down.
 
I have had a look at the config file and I see nothing at all to force the tls-crypt-v2 cipher. How do you deduce that it should be available? The OpenVPN server on these routers is somewhat stripped down.
I have manually generated all keys, written a script and got the server working. There is no drop-down implementation.
tls-crypt-v2 /jffs/openvpn/tls-crypt-v2-server.key
 
There's nothing much more I can help with then as you're operating outside of my experience.
Give OpenVPN Connect a try - if you still cannot connect from outside your network there's something wrong with your configuration.
 
There's nothing much more I can help with then as you're operating outside of my experience.
Give OpenVPN Connect a try - if you still cannot connect from outside your network there's something wrong with your configuration.
Okay, thanks.
I just threw out a question here in case anyone has experience.
My server works perfectly; I can connect with OpenVPN from a PC.
There is nothing wrong with the configuration; it seems like the apps can't handle it in any way.
 
Can not unwrap tls-crypt-v2 client key

Check the syntax in your client config. Are you providing the key content in a <tls-crypt-v2></tls-crypt-v2> block?

I've never used tls-crypt-v2 (and only briefly toyed with v1 just to ensure it worked back in the day).
 
@RMerlin

Is it possible you can implement a TLS2 crypt drop-down menu in the server? It seems there is already one in the client.

Then we could use the "Static Key" field.

No need to fully implement tls-crypt-v2, as it needs an individual key for the client.


I have this in the Android client.

<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
>>> KEY <<<
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
 
Is it possible you can implement a TLS2 crypt drop-down menu in the server?
Not planned at this time. The current OpenVPN implementation is already too complicated as it is, I don't want to make things even more confusing by adding even more options.
 
Not planned at this time. The current OpenVPN implementation is already too complicated as it is, I don't want to make things even more confusing by adding even more options.
That should only be a change in the config file:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
>>> KEY <<<
-----END OpenVPN Static key V1-----
</tls-crypt>
TO:
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
>>> KEY <<<
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>

instead of this in the config.ovpn server config file:
tls-crypt-v2 /jffs/openvpn/tls-crypt-v2-server.key

EDIT: Tested the client, and "tls-crypt-v2 static.key" and the drop-down are working.
No need to point to a separate file.

Okay, that was only a suggestion since the client already has it implemented.
 
Okay, a short write-up. I got it to work!

It seems Android is picky and needs a restart every time I change the .ovpn file.

>>> REMEMBER: tls-crypt-v2 needs a separate key generated for every client, as they are unique to each client <<<

Here is the config if someone needs it and Google points them here.
client
dev tun
proto udp
remote your.address.com 1194
resolv-retry infinite
nobind
persist-tun
verify-x509-name your.address.com name
cipher AES-256-GCM
explicit-exit-notify 2
auth-nocache
tls-crypt-v2 static.key
verb 3


<ca>
-----BEGIN CERTIFICATE-----
>>> KEY <<<
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
>>> KEY <<<
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
>>> KEY <<<
-----END RSA PRIVATE KEY-----
</key>

<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
>>> KEY <<<
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>

@Ripshod @Crimliar @RMerlin
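
A small linter for the kind of client profile discussed in this thread, as an added example that is not part of the original posts: it checks that every inline block has matching BEGIN/END markers, that `<tls-crypt-v2>` holds a client key rather than the server key, and that tls-crypt-v2 is not combined with tls-auth or tls-crypt. The function name, the rule set and the sample profile are assumptions made for illustration.

```python
import re

# PEM labels the linter accepts inside each inline block of a client profile.
EXPECTED = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
            "ENCRYPTED PRIVATE KEY"},
    "tls-auth": {"OpenVPN Static key V1"},
    "tls-crypt": {"OpenVPN Static key V1"},
    "tls-crypt-v2": {"OpenVPN tls-crypt-v2 client key"},
}
BLOCK = re.compile(r"^<([a-z0-9-]+)>[ \t]*\n(.*?)^</\1>[ \t]*$", re.S | re.M)
PEM = re.compile(r"^-----(BEGIN|END) (.+?)-----[ \t]*$", re.M)

def lint_client_profile(text):
    """Return findings for a client .ovpn profile; an empty list means clean."""
    findings = []
    blocks = {m.group(1): m.group(2) for m in BLOCK.finditer(text)}
    for tag, body in blocks.items():
        marks = PEM.findall(body)
        begins = [label for kind, label in marks if kind == "BEGIN"]
        ends = [label for kind, label in marks if kind == "END"]
        if not begins or len(begins) != len(ends):
            findings.append(f"<{tag}>: missing or unbalanced BEGIN/END lines")
            continue
        for begin, end in zip(begins, ends):
            if begin != end:
                findings.append(f"<{tag}>: BEGIN {begin!r} closed by END {end!r}")
            elif tag in EXPECTED and begin not in EXPECTED[tag]:
                findings.append(f"<{tag}>: unexpected content {begin!r}")
    # Linter rule: a client profile carries only one control-channel key option.
    outside = BLOCK.sub("", text)  # directives such as "tls-crypt-v2 static.key"
    used = {t for t in ("tls-auth", "tls-crypt", "tls-crypt-v2")
            if t in blocks or re.search(rf"^{t}[ \t]+\S", outside, re.M)}
    if "tls-crypt-v2" in used and len(used) > 1:
        findings.append("tls-crypt-v2 combined with "
                        + ", ".join(sorted(used - {"tls-crypt-v2"})))
    return findings

# Constructed sample: server key pasted into the client block, leftover <tls-crypt>.
SAMPLE = (
    "client\n<tls-crypt>\n-----BEGIN OpenVPN Static key V1-----\nAAAA\n"
    "-----END OpenVPN Static key V1-----\n</tls-crypt>\n<tls-crypt-v2>\n"
    "-----BEGIN OpenVPN tls-crypt-v2 server key-----\nAAAA\n"
    "-----END OpenVPN tls-crypt-v2 server key-----\n</tls-crypt-v2>\n"
)
if __name__ == "__main__":
    print("\n".join(lint_client_profile(SAMPLE)))
```

Run it over an exported profile before importing it on the phone; it only reads the markers and never touches the key material.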
 
tls-crypt-v2 needs a separate key generated for every client, as they are unique to each client
That was one of the reasons why I didn't implement server support, as it would be a lot of work to also implement some form of client key management.
 
That was one of the reasons why I didn't implement server support, as it would be a lot of work to also implement some form of client key management.
I don't want you to implement it in full.
I only want it to change to tls-crypt-v2 when chosen from the drop-down menu, so we can use it in Keys and Certificates, nothing more.


TLS control channel security
(tls-auth / tls-crypt / tls-crypt-v2)

tls-crypt-v2 static.key

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
TO:
-----BEGIN OpenVPN tls-crypt-v2 server key-----
-----END OpenVPN tls-crypt-v2 server key-----

I hope I have explained it well... ;)
 
