From 93d33b06b59a514485467ced5a48dc997a235c6c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 27 Feb 2020 18:44:12 +0100 Subject: openvpn: T2075: add support for OpenVPN tls-crypt file option Encrypt and authenticate all control channel packets with the key from keyfile. Encrypting (and authenticating) control channel packets: * provides more privacy by hiding the certificate used for the TLS connection * makes it harder to identify OpenVPN traffic as such * provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy) --- src/conf_mode/interfaces-openvpn.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'src') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 6bd269e97..622543b58 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -161,6 +161,10 @@ cert {{ tls_cert }} key {{ tls_key }} {% endif %} +{%- if tls_crypt %} +tls-crypt {{ tls_crypt }} +{% endif %} + {%- if tls_crl %} crl-verify {{ tls_crl }} {% endif %} @@ -318,6 +322,7 @@ default_config_data = { 'tls_crl': '', 'tls_dh': '', 'tls_key': '', + 'tls_crypt': '', 'tls_role': '', 'tls_version_min': '', 'type': 'tun', @@ -633,6 +638,11 @@ def get_config(): openvpn['tls_key'] = conf.return_value('tls key-file') openvpn['tls'] = True + # File containing key to encrypt control channel packets + if conf.exists('tls crypt-file'): + openvpn['tls_crypt'] = conf.return_value('tls crypt-file') + openvpn['tls'] = True + # Role in TLS negotiation if conf.exists('tls role'): openvpn['tls_role'] = conf.return_value('tls role') @@ -800,6 +810,9 @@ def verify(openvpn): if not openvpn['tls_key']: raise ConfigError('Must specify "tls key-file"') + if openvpn['tls_auth'] and openvpn['tls_crypt']: + raise ConfigError('TLS auth and crypt are mutually exclusive') + if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']): raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert'])) @@ -815,6 +828,10 @@ def verify(openvpn): if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']): raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key'])) + if openvpn['tls_crypt']: + if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_crypt']): + raise ConfigError('Specified TLS crypt-file "{}" is invalid'.format(openvpn['tls_crypt'])) + if openvpn['tls_crl']: if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']): raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl'])) -- cgit v1.2.3