Switch to tls-crypt instead from tls-auth

Hey there,

We are happy users of the Pritunl VPN Server.
However, lately, some of our employees have reported that their VPN access has been blocked more often than in previous years in different countries.
We are trying to find a way to continue providing VPN access and avoid situations when an employee is unable to connect to our server.

Our first idea was to:

  1. Use the 443/tcp port
  2. Use tls-crypt (or tls-crypt2) to mimic HTTPS traffic

This should make VPN traffic look like HTTPS traffic and help bypass most restrictions.
However, it’s not possible to configure the Pritunl VPN Server to use tls-crypt. Instead, Pritunl VPN Server enables tls-auth by default, which is similar, but it looks like it’s not enough to eliminate the issue (because tls-auth does not encrypt the TLS control channel).

More about the differences here.

We think it would be useful to introduce a new VPN server option called “tls security” with the following choices:

  • None
  • tls-auth
  • tls-crypt
  • tls-crypt2

In fact, it seems that we can switch to tls-crypt without any changes in the code, except for renaming corresponding variables and strings.
Therefore, it might be a good idea to make tls-crypt the new default choice for new installations.

What do you think about this?

This will be available in the next release with the command sudo pritunl set vpn.tls_mode '"tls-auth"', it may in the future be added as a server option which would replace this global option.

Great news! Thank you!

Hi @zach ,
is this feature with tls-crypt not added yet?

Hi @pznamensky ,
how did you obfuscate the TLS connection?

This option may only be available in the unstable releases.

I typed “sudo pritunl set vpn.tls_mode ‘“tls-crypt”’” But when connecting I get the error “TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:xxxxxx”
How to configure this correctly?

I never checked the usage of tls-crypt in that option. It will require additional changes to generate a different key. It’s possible this will be done in the future but there is currently no support for setting that option to tls-crypt.