Switch to tls-crypt instead of tls-auth

Hey there,

We are happy users of the Pritunl VPN Server.
However, lately, some of our employees have reported that their VPN access has been blocked more often than in previous years in different countries.
We are trying to find a way to continue providing VPN access and avoid situations when an employee is unable to connect to our server.

Our first idea was to:

  1. Use the 443/tcp port
  2. Use tls-crypt (or tls-crypt2) to mimic HTTPS traffic

This should make VPN traffic look like HTTPS traffic and help bypass most restrictions.
However, it’s not possible to configure the Pritunl VPN Server to use tls-crypt. Instead, Pritunl VPN Server enables tls-auth by default, which is similar, but it looks like it’s not enough to eliminate the issue (because tls-auth does not encrypt the TLS control channel).

More about the differences here.

We think it would be useful to introduce a new VPN server option called “tls security” with the following choices:

  • None
  • tls-auth
  • tls-crypt
  • tls-crypt2

In fact, it seems that we can switch to tls-crypt without any changes in the code, except for renaming corresponding variables and strings.
Therefore, it might be a good idea to make tls-crypt the new default choice for new installations.

What do you think about this?

This will be available in the next release with the command sudo pritunl set vpn.tls_mode '"tls-auth"'. It may in the future be added as a server option, which would replace this global option.

Great news! Thank you!

Hi @zach ,
is this feature with tls-crypt not added yet?

Hi @pznamensky ,
how did you obfuscate the TLS connection?

This option may only be available in the unstable releases.

I typed "sudo pritunl set vpn.tls_mode '"tls-crypt"'". But when connecting I get the error "TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:xxxxxx".
How to configure this correctly?

I never checked the usage of tls-crypt in that option. It will require additional changes to generate a different key. It’s possible this will be done in the future but there is currently no support for setting that option to tls-crypt.

I have the latest version of pritunl v1.32.3805.95 installed. I entered the command in the console sudo pritunl set vpn.tls_mode '"tls-crypt"'. Then I restarted pritunl and mongo - sudo systemctl restart mongod pritunl. Then I created a new profile in the web interface and my VPN works. But I would like tls-crypt-v2 to work. Maybe I need to write my own plugin for this?
upd: tls-crypt only works with the openvpn client, with the pritunl client it produces errors, example:

TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:

@zach any ideas on how to make tls-crypt-v2 work with pritunl and make tls-crypt work with the pritunl client?
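As an added example (not Pritunl's or OpenVPN's own code), the following Python script parses an .ovpn profile for the control-channel protection the first post lists (none, tls-auth, tls-crypt, tls-crypt-v2) and for the transport, and checks the profile against the mode the server is set to. A mode or key mismatch between the profile and the server is what produces the "tls-crypt unwrapping failed" error reported above, so this is the first thing to check before blaming the network. The sample profiles and key material are constructed placeholders, and vpn.example.com is an assumed hostname; the pritunl_set_command helper only reproduces the quoting of the command given earlier in the thread (the value is a JSON string, so its double quotes must sit inside single quotes).

```python
"""Classify the control-channel protection an OpenVPN (.ovpn) profile uses.

Added example, not Pritunl or OpenVPN project code. The sample profiles and
key material below are constructed placeholders; vpn.example.com is assumed.
"""
import json
import shlex
from dataclasses import dataclass
from typing import List, Optional

# The modes the thread discusses; "none" means neither directive is present.
MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")


@dataclass
class ProfileInfo:
    mode: str                     # "none", "tls-auth", "tls-crypt" or "tls-crypt-v2"
    inline_key: bool              # key carried in an inline <...> block
    proto: str                    # "udp" or "tcp"
    port: int
    key_direction: Optional[int]  # only meaningful for tls-auth


def parse_profile(text: str) -> ProfileInfo:
    """Scan the directives of a profile; inline key blocks are skipped, not parsed."""
    mode, inline_key, key_direction = "none", False, None
    proto, port = "udp", 1194
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <ca>, <tls-crypt>, ...: key material
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            if in_block in MODES:
                mode, inline_key = in_block, True
            continue
        parts = line.split()
        d = parts[0]
        if d in MODES and len(parts) >= 2:           # file-based key, e.g. "tls-auth ta.key 1"
            mode, inline_key = d, False
            if d == "tls-auth" and len(parts) >= 3:
                key_direction = int(parts[2])
        elif d == "key-direction" and len(parts) == 2:
            key_direction = int(parts[1])
        elif d == "proto" and len(parts) == 2:
            proto = "tcp" if parts[1].startswith("tcp") else "udp"
        elif d == "port" and len(parts) == 2:
            port = int(parts[1])
        elif d == "remote":                           # remote <host> [port] [proto]
            if len(parts) >= 3 and parts[2].isdigit():
                port = int(parts[2])
            if len(parts) >= 4:
                proto = "tcp" if parts[3].startswith("tcp") else "udp"
    return ProfileInfo(mode, inline_key, proto, port, key_direction)


def check_against_server(info: ProfileInfo, server_mode: str) -> List[str]:
    """Findings to review when a client cannot complete the control-channel handshake."""
    findings = []
    if info.mode != server_mode:
        # Both ends must wrap the first control packet the same way with the same key;
        # otherwise the server logs "tls-crypt unwrapping failed" (tls-crypt) or an
        # HMAC failure (tls-auth) and the TLS handshake never starts.
        findings.append(f"profile uses {info.mode} but server expects {server_mode}: "
                        "control packets cannot be unwrapped")
    if info.mode in ("none", "tls-auth"):
        findings.append(f"{info.mode}: the TLS handshake itself is visible on the wire")
    if not (info.proto == "tcp" and info.port == 443):
        findings.append(f"transport is {info.port}/{info.proto}, not 443/tcp")
    return findings


def pritunl_set_command(mode: str) -> str:
    """The value of vpn.tls_mode is a JSON string, so the double quotes must be
    wrapped in single quotes for the shell, as in the command quoted in the thread."""
    return f"sudo pritunl set vpn.tls_mode {shlex.quote(json.dumps(mode))}"


# Constructed sample profiles (placeholder key material, not real keys).
PROFILE_TLS_AUTH = """\
client
dev tun
proto udp
remote vpn.example.com 1194
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
"""

PROFILE_TLS_CRYPT_443 = """\
client
dev tun
remote vpn.example.com 443 tcp
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
```

Running check_against_server(parse_profile(PROFILE_TLS_AUTH), "tls-crypt") reports the mode mismatch, the cleartext handshake, and the 1194/udp transport; the tls-crypt profile on 443/tcp checked against a tls-crypt server reports nothing. The parser skips the contents of inline key blocks on purpose, so it never has to interpret key material, only the directives around it.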


We are having the exact same issue. Is it at least on the roadmap by any chance?

It will be added in the future but there is no support for it currently.

I believe the PR mentioned in this thread resolves the tls-crypt issue. Can we make it reviewed/merged/released soon? :thinking:

That will only add support to the client, the server will still need changes.

We already tested it with server version pritunl v1.32.3805.95 by setting sudo pritunl set vpn.tls_mode 'tls-crypt' with the local build of the electron client PR and I can confirm it works. The server side apparently can handle the tls-crypt key generation and include it in the OVPN Profile.

But I believe tls-crypt-v2 still requires implementation on both server and client :+1:


I completely agree!

Checked the tls-crypt and tls-crypt-v2 options, and found that some ISPs (MTS RUS in some regions) have learned to block the connection even with this option enabled: the connection is established, but after several control packets all traffic is blocked. So, when these rules are applied widely it won't be a silver bullet.

We configured an obfs4proxy to obfuscate traffic. A simple Tor proxy in front of the server. Tested in different countries where the ISP blocks traffic.
The only problem is that the pritunl client does not support it, so we switched to Viscosity.
It would be a great feature for the client to have an option to configure an obfs connection.