openvpn: T2075: add support for OpenVPN tls-crypt file option

Encrypt and authenticate all control channel packets with the key from keyfile. Encrypting (and authenticating) control channel packets: * provides more privacy by hiding the certificate used for the TLS connection * makes it harder to identify OpenVPN traffic as such * provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy)
author: Christian Poessinger <christian@poessinger.com> 2020-02-27 18:44:12 +0100
committer: Christian Poessinger <christian@poessinger.com> 2020-02-27 18:44:12 +0100
commit: 93d33b06b59a514485467ced5a48dc997a235c6c (patch)
tree: 13a6226c14463ecbefaec6d96f92f87e4c9a926d /src/conf_mode
parent: e054dee8b8ab81f7f85bb93bd25110affa38fcd0 (diff)
download: vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.tar.gz
vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.zip
1 files changed, 17 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6bd269e97..622543b58 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -161,6 +161,10 @@ cert {{ tls_cert }}
 key {{ tls_key }}
 {% endif %}
 
+{%- if tls_crypt %}
+tls-crypt {{ tls_crypt }}
+{% endif %}
+
 {%- if tls_crl %}
 crl-verify {{ tls_crl }}
 {% endif %}
@@ -318,6 +322,7 @@ default_config_data = {
     'tls_crl': '',
     'tls_dh': '',
     'tls_key': '',
+    'tls_crypt': '',
     'tls_role': '',
     'tls_version_min': '',
     'type': 'tun',
@@ -633,6 +638,11 @@ def get_config():
          openvpn['tls_key'] = conf.return_value('tls key-file')
          openvpn['tls'] = True
 
+    # File containing key to encrypt control channel packets
+    if conf.exists('tls crypt-file'):
+         openvpn['tls_crypt'] = conf.return_value('tls crypt-file')
+         openvpn['tls'] = True
+
     # Role in TLS negotiation
     if conf.exists('tls role'):
          openvpn['tls_role'] = conf.return_value('tls role')
@@ -800,6 +810,9 @@ def verify(openvpn):
             if not openvpn['tls_key']:
                 raise ConfigError('Must specify "tls key-file"')
 
+        if openvpn['tls_auth'] and openvpn['tls_crypt']:
+            raise ConfigError('TLS auth and crypt are mutually exclusive')
+
         if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
             raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
 
@@ -815,6 +828,10 @@ def verify(openvpn):
             if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
                 raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
 
+        if openvpn['tls_crypt']:
+            if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_crypt']):
+                raise ConfigError('Specified TLS crypt-file "{}" is invalid'.format(openvpn['tls_crypt']))
+
         if openvpn['tls_crl']:
             if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
                 raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl']))
author	Christian Poessinger <christian@poessinger.com>	2020-02-27 18:44:12 +0100
committer	Christian Poessinger <christian@poessinger.com>	2020-02-27 18:44:12 +0100
commit	93d33b06b59a514485467ced5a48dc997a235c6c (patch)
tree	13a6226c14463ecbefaec6d96f92f87e4c9a926d /src/conf_mode
parent	e054dee8b8ab81f7f85bb93bd25110affa38fcd0 (diff)
download	vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.tar.gz vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.zip