How to enable TLS-Crypt (Not just TLS-Auth)

Expedited · April 28, 2025, 7:35pm

I have 2 Opal SFT1200 and I have set using OpenVPN protocol. I can see TLS-Auth toggle in server configuration but how do I enable TLS-Crypt instead?

So far, I have tried putting in "tls-crypt ta.key" and changing the tag from tls-auth to tls-crypt in the .ovpn file (for the client) and I also added "tls-crypt /etc/openvpn/ta.key" on client's /etc/openvpn/ovpn/server.ovpn so the server expects it. It doesn't work. Is there something I am missing?

Here is the log from client when failing to connect:
Apr 28 13:37:13 Attempting to establish TCP connection with VPN server (My Server IP)
Apr 28 13:37:13 TCP connection established with VPN server
Apr 28 13:37:13 Connection reset, restarting
Apr 28 13:37:13 Received SIGHUP (soft, connection-reset), process restarting
Apr 28 13:37:13 OpenVPN 2.5.7 mipsel-openwrt-linux-gnu starting up
Apr 28 13:37:13 Library versions: OpenSSL 1.1.1i, LZO 2.10
Apr 28 13:37:13 Restart pause: 2 seconds

hansome · April 29, 2025, 12:46pm

Two sides:

server:

sed -i '/tls-auth/tls-crypt/g' /lib/netifd/proto/ovpnserver.sh
ifup ovpnserver

client:
change .ovpn to
<t/ls-auth> to

Expedited · April 30, 2025, 12:45am

Hey man, thanks for your reply! Which file do I make that change to in server and for client, are you saying I have to use <t/ls-auth> tags? I think your response got corrupted and should the tags contain a secret key?

bruce · April 30, 2025, 8:55am

Hi,

Please wait, it is a national holiday, some staff in holiday, I have reminded handsome, will reply later.

Expedited · April 30, 2025, 9:29pm

Thanks mate

hansome · May 2, 2025, 7:50am

Sorry for not expressing clear.
For the ta key parameter, we hardcoded as tls-auth, if you want to change to tls-crypt, you heed to change server code, and the exported .ovpn client config file.

Server, use terminal command to change code:

sed -i '/tls-auth/tls-crypt/g' /lib/netifd/proto/ovpnserver.sh
# restart server interface
ifup ovpnserver

Client conf file: edit to substitute tls-auth by tls-crypt

image475×422 20.3 KB

Yes it's corruted due to HTML tag, I didn't notice that.

burhan12624 · July 29, 2025, 4:04pm

Hello,

is it the same method for client side config?
I want to use tls-crypt on router as client but I'm also getting connection reset error.

root@GL-MT3000:~# sed -i 's/tls-auth/tls-crypt/g' /lib/netifd/proto/ovpnclient.sh

I ran this but it's not working

hansome · July 30, 2025, 1:20am

For the client side, only need to edit .ovpn config file. Is there a part?

burhan12624 · July 30, 2025, 12:35pm

Hi Hansome,

Here is the config I am using: (it's always stuck at connectiong)

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
pull
route-delay 2
route-metric 1
redirect-gateway
comp-lzo
auth-user-pass
#cipher AES-256-GCM
#auth-nocache
#remote-cert-tls server
#block-outside-dns
#tun-mtu 1350

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
DATA
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
DATA
-----END PRIVATE KEY-----

key-direction 1

-----BEGIN OpenVPN Static key V1-----
DATA
-----END OpenVPN Static key V1-----

proto tcp
remote 5.133.177.130 443

hansome · August 1, 2025, 11:31am

I tweaked a config based on yours, found you may need to add "auth SHA256" parameter
and comment out "key-direction 1"

May I know your ovpn conf provider?

burhan12624 · August 2, 2025, 9:39am

hi Hansome,

I tried what you suggested but it's still stuck at 'connecting'.

My provider is VPNUK

hansome · August 24, 2025, 11:02am

Sorry I missed that, I’ll PM you with more details