Netgate Discussion Forum

pfSense UI doesn't support inline keys - tls-crypt-v2

OpenVPN
10 Posts 5 Posters 3.3k Views
    Dyspareunia
    last edited by Dyspareunia Jul 19, 2021, 4:23 PM Jul 19, 2021, 4:20 PM

    Hi All,

    Trying to put in a tls-crypt-v2 key in the additional options area of the VPN client setup.

    The UI appears to rebuild the config.ovpn every time the connection is started. It's not parsing the tls-crypt key properly, after the initial start it breaks itself. Pretty sure this is a bug.

    What the config looks like after the initial import of the .ovpn config file:

    <tls-crypt-v2>
    -----BEGIN OpenVPN tls-crypt-v2 client key-----
    {REDACTED}
    -----END OpenVPN tls-crypt-v2 client key-----
    </tls-crypt-v2>
    

    What it looks like after 1 restart:

    push-peer-info<tls-crypt-v2>-----BEGIN OpenVPN tls-crypt-v2 client key-----
    {REDACTED}
    </tls-crypt-v2>-----END OpenVPN tls-crypt-v2 client key-----
    

    This causes the entire thing to stop working, as expected:

    Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client6/config.ovpn:32: <tls-crypt-v2>-----BEGIN (2.5.2)
    

    Any thoughts on how to work around this? Is tls-crypt-v2 not supported by pfSense? I know the OpenVPN version installed does, but it appears the UI can't handle it.

    Thanks,

    • jimp Rebel Alliance Developer Netgate
      last edited by Jul 19, 2021, 5:57 PM

      Every line in the Custom options box must end in a semicolon because browsers can't be trusted to insert and maintain the proper newlines in forms.

      So it's ugly, but until we have a GUI for that, you could probably get it to work by adding ; on the end of each line:

      <tls-crypt-v2>;
      -----BEGIN OpenVPN tls-crypt-v2 client key-----;
      keydataline1;
      keydataline2;
      keydataline3;
      [...]
      keydatalinen;
      -----END OpenVPN tls-crypt-v2 client key-----;
      </tls-crypt-v2>;
      

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • jimp Rebel Alliance Developer Netgate @Dyspareunia
        last edited by Jul 19, 2021, 5:58 PM

        @dyspareunia said in pfSense UI doesn't support inline keys - tls-crypt-v2:

        Is tls-crypt-v2 not supported by pfSense?

        Not yet.

        • Dyspareunia @jimp
          last edited by Dyspareunia Jul 19, 2021, 6:33 PM Jul 19, 2021, 6:31 PM

          @jimp Unfortunately this doesn't appear to work either.

          This is what was parsed after saving with semicolons on each line. It also fails to decode the key since it appears a full line break is added each time a semicolon is added.

          2SqpB4MWAUg=;
          -----END OpenVPN tls-crypt-v2 client key-----;</tls-crypt-v2>;
          
          Jul 19 12:24:24 pfSense openvpn[94312]: ERROR: OpenVPN tls-crypt-v2 client key pem decode failed
          Jul 19 12:24:24 pfSense openvpn[94312]: ERROR: invalid tls-crypt-v2 client key format
          

          I also tried creating a 'tls-crypt' file in /var/etc/openvpn/client6 and using that with:

          tls-crypt-v2 /var/etc/openvpn/client6/tls-crypt
          

          It doesn't appear to work either? Even though this is how other keys are handled. I'm not sure, but perhaps it's openvpn itself that doesn't support this piece.

          Finally, I tried modifying the config file itself and setting it as immutable, but I think that pfSense attempts to write that config on startup and fails, it catches that exception and doesn't attempt to start the connection? When I do this I don't even see activity in the logs so I figure this must be the case.

          P.S. Is there an enhancement request in for tls-crypt support? Looks like I'll have to find some sort of workaround for this one, curious if I should be thinking long term or short term?

          • jimp Rebel Alliance Developer Netgate
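          An added example (not from the thread, pfSense or OpenVPN) that reproduces the two failure modes shown in this thread as a small Python checker: it validates the PEM armor of a tls-crypt-v2 client key before any key material is decoded, so both the post-restart mangling and the semicolon-per-line form are rejected with a prefix matching the OpenVPN log lines above. The 256-byte minimum length is an assumption about OpenVPN's key layout, and the sample bytes are constructed, not a real key.

```python
import base64
import re

BEGIN = "-----BEGIN OpenVPN tls-crypt-v2 client key-----"
END = "-----END OpenVPN tls-crypt-v2 client key-----"
TAGS = ("<tls-crypt-v2>", "</tls-crypt-v2>")
# Assumption (not stated in the thread): a decoded client key is longer than
# 256 bytes, since OpenVPN's own key material precedes the wrapped client key.
MIN_CLIENT_KEY_LEN = 256

def parse_tls_crypt_v2_client_key(text: str) -> bytes:
    """Return the raw key bytes, or raise ValueError whose prefix mirrors the
    OpenVPN log lines in the thread: damaged PEM armor -> 'pem decode failed',
    implausible decoded bytes -> 'invalid tls-crypt-v2 client key format'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    lines = [ln for ln in lines if ln and ln not in TAGS]  # inline .ovpn tags are fine
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("pem decode failed: BEGIN/END armor lines are not intact")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("pem decode failed: non-base64 text in body (stray ';' or tag?)")
    raw = base64.b64decode(body, validate=True)
    if len(raw) <= MIN_CLIENT_KEY_LEN:
        raise ValueError("invalid tls-crypt-v2 client key format: decoded key too short")
    return raw

def to_pem(raw: bytes) -> str:
    """Wrap raw bytes in the OpenVPN tls-crypt-v2 client key armor, 64 chars per line."""
    b64 = base64.b64encode(raw).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])

def classify(text: str) -> str:
    """'ok', or the OpenVPN-style error prefix this key text would trigger."""
    try:
        parse_tls_crypt_v2_client_key(text)
        return "ok"
    except ValueError as exc:
        return str(exc).split(":")[0]

# Constructed, non-secret sample bytes standing in for a real client key.
SAMPLE_RAW = bytes(range(256)) * 2
CLEAN = to_pem(SAMPLE_RAW)
INLINE = f"<tls-crypt-v2>\n{CLEAN}\n</tls-crypt-v2>"
# The two broken forms from the thread: the post-restart mangling, where the
# neighbouring directive and the tags were glued onto the armor lines, and the
# semicolon-per-line workaround, which leaves ';' inside the PEM block.
_body = CLEAN.splitlines()[1:-1]
MANGLED = "\n".join([f"push-peer-info<tls-crypt-v2>{BEGIN}", *_body, f"</tls-crypt-v2>{END}"])
SEMICOLONS = "\n".join(f"{ln};" for ln in INLINE.splitlines())
```

Running `classify` over a key file before pointing the `tls-crypt-v2` directive at it tells you whether the armor survived whatever wrote the file, without needing to restart the tunnel to find out.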
            last edited by Jul 19, 2021, 6:43 PM

            The GUI supports TLS crypt, you can set TLS Key Usage Mode to TLS Encryption and Authentication but that is only tls-crypt not tls-crypt-v2.

            I don't think there is a Redmine entry open asking for TLS Crypt v2. It might be a little tricky to add since there are specific keys for client vs server when that wasn't needed in the past, though.

            OpenVPN should support it, on a 2.5.2 box I see the directive in OpenVPN itself:

            : openvpn --help | grep -- '^--tls-crypt-v2'
            --tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.
            --tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the
            

            But trying to edit the files or make them immutable is going to break more than it helps.

            • Pippin
              last edited by Pippin Jul 19, 2021, 6:49 PM Jul 19, 2021, 6:48 PM

              Here is a description:
              tls-crypt-v2

              And here a tool:
              Easy-TLS

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

              • jimp Rebel Alliance Developer Netgate
                last edited by Jul 19, 2021, 6:55 PM

                I'm aware of it and how it works; it's just not as simple as switching from the existing TLS auth key to TLS crypt since you need specific keys for the specific modes and presumably some way to validate that.

                Currently it only needs to change the directive; the new way is a bit more involved so would need a bit more code to account for it.

                • Dyspareunia @jimp
                  last edited by Jul 20, 2021, 2:15 AM

                  Thanks all for the input! I'm no expert but since I believe that tls crypt v2 keys are client specific, I can see how that would complicate things with user management in pfSense. Either way I'd like to thank you all for everything you do! pfSense is an amazing project!

                  To update in case others find this in the future, I was able to find a solution. =)

                  While ssh'd into the router I created a new file tls-crypt-v2 and populated it with my key. I then pointed to that file in the Custom Options box instead of trying to put it inline.

                  tls-crypt-v2 /var/etc/openvpn/client6/tls-crypt-v2
                  

                  The difficulty I was having was actually mostly due to an auth digest algorithm mismatch. I will note that I'm still unable to establish a UDP connection this way, and have ended up using a TCP connection instead. May be unrelated, but figured I'd point it out just in case.

                  • johnpoz LAYER 8 Global Moderator @Dyspareunia
                    last edited by Jan 6, 2022, 3:29 PM

                    @dyspareunia said in pfSense UI doesn't support inline keys - tls-crypt-v2:

                    VPN client setup.

                    @jimp I think there might be a bit of confusion, maybe on my part. But it looks like OP is talking about pfSense being a client to some VPN server.

                    For example, I run OpenVPN Access Server on a VPS, and pfSense is a client to that. So there really is no need for user management keys on pfSense. The v2 key would be for the user account being used to connect as a client from pfSense to some server. This key would be provided by the OpenVPN server pfSense is connecting to.

                    So while it might be pita to get something working for pfsense as the server, and its clients using v2 of the tls crypt.. With pfsense as a client it shouldn't?

                    I know this thread is a bit old - but I was just playing around with my vps, and access server settings and had toggled to use v2, and got my pc working just fine with it.. But noticed my pfsense as client went offline.. Just flipped it back to tls-crypt for now vs v2..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • J johnpoz referenced this topic on Oct 4, 2022, 6:22 PM
                    • Marci @Dyspareunia
                      last edited by Feb 12, 2024, 4:57 PM

                      @Dyspareunia said in pfSense UI doesn't support inline keys - tls-crypt-v2:

                      tls-crypt-v2 /var/etc/openvpn/client6/tls-crypt-v2

                      Just wanted to say Thank you for this post. I was not able to add tls-crypt-v2 in the pfsense client creation GUI but with your approach it worked for me 😻

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.