Hi,

on the slim chance that anybody here is interested in such things..

Today I confirmed that not only does Easy-TLS fully work in Windows
but also, all the server side scripts function exactly as intended.

This even includes "hardware-lockdown" for clients.
* Note: I know it is not real hardware-lockdown but it is the closest
version of such a thing that is available for OpenVPN Community Edition.

See:
https://github.com/TinCanTech/easy-tls

Thanks
R

--


The client TLS-Crypt-V2 key encrypts this data, shown here in plain text:

# Easy-TLS version 1.27a - TLS crypt v2 key
# CA serial: 40215191D9F4A6E69DCF86339B59FF293DD66B56
# tlskey-serial: e54c87e4588a9fcf9959d8993220fd243842b3a2
# Creation date: 2021-03-12
# Custom-Group: tct-win
# Client Common Name: w-c01
# Sub-key name: hw
# Hardware addresses: +00155DC96E01+


Sample Windblows Server log:
(TLS CRYPT V2 VERIFY SCRIPT OK,
 there is no log entry for --client-connect, because reasons..)

2021-03-13 00:12:17 us=239728 10.10.201.226:33598 TLS: Initial packet from [AF_INET]10.10.201.226:33598, sid=05edc44b 2f56c805
2021-03-13 00:12:17 us=239728 10.10.201.226:33598 Control Channel: using tls-crypt-v2 key
2021-03-13 00:12:17 us=239728 10.10.201.226:33598 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-03-13 00:12:17 us=239728 10.10.201.226:33598 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-03-13 00:12:17 us=239728 10.10.201.226:33598 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-03-13 00:12:17 us=255353 10.10.201.226:33598 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-03-13 00:12:17 us=255353 10.10.201.226:33598 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem

2021-03-13 00:12:17 us=552228 10.10.201.226:33598 TLS CRYPT V2 VERIFY SCRIPT OK

2021-03-13 00:12:17 us=583478 10.10.201.226:33598 VERIFY OK: depth=1, C=00, ST=test, L=TEST ,./<>  ?;:@~  []!%^  *()-=  _+| (23) TEST, O=example.org, OU=TEST esc { } £ ¬ (4) TEST, CN=EasyTLS-Win, emailAddress=m...@example.net
2021-03-13 00:12:17 us=583478 10.10.201.226:33598 VERIFY KU OK
2021-03-13 00:12:17 us=583478 10.10.201.226:33598 Validating certificate extended key usage
2021-03-13 00:12:17 us=583478 10.10.201.226:33598 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 VERIFY EKU OK
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 VERIFY OK: depth=0, C=00, ST=test, L=TEST ,./<>  ?;:@~  []!%^  *()-=  _+| (23) TEST, O=example.org, OU=TEST esc { } £ ¬ (4) TEST, CN=w-c01, emailAddress=m...@example.net
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 peer info: IV_VER=2.5.1
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 peer info: IV_PLAT=linux
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 peer info: IV_PROTO=6
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 peer info: IV_NCP=2
2021-03-13 00:12:17 us=599103 10.10.201.226:33598 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_LZ4=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_LZ4v2=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_LZO=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_COMP_STUB=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_COMP_STUBv2=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_TCPNL=1
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_HWADDR=00:15:5d:c9:6e:01
2021-03-13 00:12:17 us=614728 10.10.201.226:33598 peer info: IV_SSL=OpenSSL_1.1.1j__16_Feb_2021
2021-03-13 00:12:17 us=630353 10.10.201.226:33598 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2021-03-13 00:12:17 us=630353 10.10.201.226:33598 [w-c01] Peer Connection Initiated with [AF_INET]10.10.201.226:33598
2021-03-13 00:12:17 us=630353 w-c01/10.10.201.226:33598 MULTI_sva: pool returned IPv4=10.33.70.6, IPv6=(Not enabled)
2021-03-13 00:12:17 us=630353 w-c01/10.10.201.226:33598 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 OPTIONS IMPORT: reading client specific options from: C:\Users\IEUser\AppData\Local\Temp\\openvpn_cc_0f00ec1e562f6366.tmp
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 MULTI: Learn: 10.33.70.6 -> w-c01/10.10.201.226:33598
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 MULTI: primary virtual IP for w-c01/10.10.201.226:33598: 10.33.70.6
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
2021-03-13 00:12:17 us=911603 w-c01/10.10.201.226:33598 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-03-13 00:12:17 us=927228 w-c01/10.10.201.226:33598 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-03-13 00:12:17 us=927228 w-c01/10.10.201.226:33598 SENT CONTROL [w-c01]: 'PUSH_REPLY,comp-lzo no,explicit-exit-notify 2,route 10.33.70.1,topology net30,ping 10,ping-restart 60,ifconfig 10.33.70.6 10.33.70.5,peer-id 0,cipher AES-256-GCM' (status=1)


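Added here as an illustration, not a script from Easy-TLS (whose own verify and client-connect scripts may work differently): a POSIX sh check that pairs the decrypted metadata layout shown above with the IV_HWADDR and CN the server log reports for w-c01, to show what a "hardware-lockdown" step has to compare. It assumes the lockdown is satisfied when the client's IV_HWADDR, normalised to bare upper-case hex, appears between the '+' delimiters of the "Hardware addresses" field; the metadata text is a constructed copy of the one in the post.

```shell
#!/bin/sh
# Added example, not Easy-TLS's own code. Checks a connecting client's
# IV_HWADDR (as seen in the server log) against the "Hardware addresses"
# field of the decrypted TLS-Crypt-V2 metadata shown above.
# Assumption: the lockdown is satisfied when the normalised IV_HWADDR
# appears between '+' delimiters in that field; Easy-TLS may differ.

# Constructed copy of the decrypted metadata from the post.
SAMPLE_METADATA='# Easy-TLS version 1.27a - TLS crypt v2 key
# CA serial: 40215191D9F4A6E69DCF86339B59FF293DD66B56
# tlskey-serial: e54c87e4588a9fcf9959d8993220fd243842b3a2
# Creation date: 2021-03-12
# Custom-Group: tct-win
# Client Common Name: w-c01
# Sub-key name: hw
# Hardware addresses: +00155DC96E01+'

# metadata_field NAME  - print the value of one "# NAME: value" line
# from the metadata text supplied on stdin.
metadata_field() {
    sed -n "s/^# $1: *//p"
}

# Turn a MAC as OpenVPN reports it in IV_HWADDR (00:15:5d:c9:6e:01)
# into the bare upper-case hex used in the metadata (00155DC96E01).
normalise_hwaddr() {
    printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# hwaddr_allowed METADATA IV_HWADDR  - exit 0 if the address is listed.
hwaddr_allowed() {
    _list=$(printf '%s\n' "$1" | metadata_field 'Hardware addresses')
    _addr=$(normalise_hwaddr "$2")
    # An absent or empty IV_HWADDR must never match.
    [ -n "$_addr" ] || return 1
    case "$_list" in
        *"+${_addr}+"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo using the values from the log: peer w-c01 sent
# IV_HWADDR=00:15:5d:c9:6e:01 and was verified as CN=w-c01.
if hwaddr_allowed "$SAMPLE_METADATA" '00:15:5d:c9:6e:01' &&
   [ "$(printf '%s\n' "$SAMPLE_METADATA" | metadata_field 'Client Common Name')" = 'w-c01' ]; then
    echo 'hardware address and CN match metadata: accept'
else
    echo 'mismatch: reject'
fi
```

A client that omits --push-peer-info sends no IV_HWADDR at all, which is why the empty-address case is rejected rather than silently passed.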


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
