possible to generate HMAC ta.key (tls-auth) with tunnelblick?


pault...@gmail.com

Sep 23, 2014, 1:58:22 AM9/23/14
to tunnelbli...@googlegroups.com
Hi,
I understand Tunnelblick includes easy-rsa and I was able to generate certificates etc. in the terminal, but how can I generate an HMAC key?  As described here:
or also here:
It appears that I need to install openvpn, but the openvpn page that describes how to install on Mac just redirects to Tunnelblick...
Do you have to do something crazy, like described here, using macports?  Might as well just use virtualbox to run a linux instance to generate the key :(

jkbull...gmail.com

Sep 23, 2014, 6:24:06 AM9/23/14
to tunnelbli...@googlegroups.com, pault...@gmail.com
You can generate the key on your Mac -- Tunnelblick includes the "openvpn" program that you need to perform the "openvpn --genkey --secret ta.key" command in the first article you linked to.

Quick version: use the following commands:

cd ~/Library/Application\ Support/Tunnelblick/easy-rsa/keys
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn --genkey --secret ta.key
cd ..

(But if you have installed something other than Tunnelblick 3.4beta36, you may need to use a version of OpenVPN other than 2.3.4; see below).

Much more detailed instructions:

You need to figure out which version of OpenVPN to use to generate the key -- most versions of Tunnelblick include at least two versions of OpenVPN. Probably you want to use the latest version of Tunnelblick and the latest version of OpenVPN. So make sure you have downloaded and installed the latest beta version of Tunnelblick by double-clicking the Tunnelblick icon in the disk image.

Then open a Finder window, find the /Applications folder, and find Tunnelblick.app in /Applications. Control-click on Tunnelblick.app and click on "Show Package Contents". That will show a "Contents" folder. Double-click "Contents", double-click "Resources", then double-click "openvpn". That "openvpn" folder will contain a folder for each version of OpenVPN that your copy of Tunnelblick includes (and a symlink named "default" which you can ignore).

Double-click the folder with the latest name ("openvpn-2.3.4", currently). You will see two items, "openvpn" and "openvpn-down-root.so".

Open a Terminal window with the easy-rsa folder (for example, by using the "Open easy-rsa in Terminal" button on the "Utilities" panel of Tunnelblick's "VPN Details…" window).

Then type the following into the Terminal window:

cd keys

so that "keys" is the working directory.

Drag the "openvpn" file from the Finder window to the Terminal window. That will copy the full path of the "openvpn" file and a space to the Terminal window.

Then type (or copy/paste) the following to the Terminal window:

--genkey --secret ta.key

At that point, the line in Terminal will look like the following, with X.Y.Z replaced with digits:

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn --genkey --secret ta.key

Press the "enter" or "return" key to start the key generation.

When key generation is complete, type

cd ..

to return to the easy-rsa folder.

The "ta.key" file will be in the "keys" folder.

jkbull...gmail.com

Sep 23, 2014, 7:19:39 AM9/23/14
to tunnelbli...@googlegroups.com, pault...@gmail.com
I have added a wiki page, Generating HMAC Signatures, which is a bit more polished.

Paul Tanger

Sep 23, 2014, 8:00:47 AM9/23/14
to jkbull...gmail.com, tunnelbli...@googlegroups.com
Ah, great!  All I really needed was the openvpn path, and I never would have guessed it was inside the Tunnelblick.app!  
Also, nice wiki writeup - just a small typo I noticed:
the command should be --genkey with two dashes before genkey

Thanks for the quick & detailed reply!

Because I'm curious and haven't tested this, does the ta.key need to be generated with the same version of openvpn as the other certificates etc?

jkbull...gmail.com

Sep 23, 2014, 8:47:24 AM9/23/14
to tunnelbli...@googlegroups.com, pault...@gmail.com
Thanks -- I've added the missing "--" before genkey.

As far as I know, it makes no difference which version of OpenVPN is used to generate the key as long as that version of OpenVPN has --genkey (which may be all versions of OpenVPN; I don't know). But that's something better answered by an OpenVPN or OpenSSL expert.

I suppose it is possible that a new version of OpenVPN using a new version of the OpenSSL libraries (which are built into OpenVPN by Tunnelblick) could generate a key which couldn't be processed by an old version of OpenVPN using an old version of OpenSSL if, for example, a large key length is not supported by the old version of OpenSSL. Since you may not control the version of OpenSSL used by OpenVPN on a client machine, that could be a problem. But maybe the ta.key is always 2048 bits, in which case maybe all versions of OpenSSL can process it. (Note the two maybes in the preceding sentence.)

It probably won't hurt to generate the ta.key with the same version of OpenVPN/OpenSSL, though, so do it if you can.

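As an added example (not from this thread, Tunnelblick or OpenVPN), here is a small Python script that parses a ta.key in the text layout "openvpn --genkey --secret ta.key" writes, checks that it really is 2048 bits, splits it into the four 512-bit cipher/HMAC parts that OpenVPN's static key structure holds, and can also write a fresh key of the same shape from the OS random source; the sample key embedded below is constructed from the bytes 0x00..0xff and is not a real key. It answers the size question above directly: the key file is always 256 raw bytes, whichever OpenVPN version generated it.

```python
import os
import re
from typing import List

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # 2048 bits, the fixed size openvpn --genkey writes


def parse_static_key(text: str) -> bytes:
    """Parse a ta.key / static key file and return its 256 raw bytes.

    Raises ValueError on bad framing or size, so a truncated or
    hand-edited key is rejected before it is dropped into a VPN config.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("#")]  # skip comment banner
    if not body or body[0] != HEADER or body[-1] != FOOTER:
        raise ValueError("missing OpenVPN static key header/footer")
    hexdata = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex data inside key block")
    key = bytes.fromhex(hexdata)
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} bytes, got {len(key)}")
    return key


def key_segments(key: bytes) -> List[bytes]:
    """Split the 2048-bit key into its four 64-byte parts, in file order:
    [cipher key 0, HMAC key 0, cipher key 1, HMAC key 1].
    tls-auth only uses the two HMAC parts; key-direction picks which one
    authenticates outgoing vs. incoming control packets."""
    return [key[i:i + 64] for i in range(0, KEY_BYTES, 64)]


def format_static_key(key: bytes) -> str:
    """Render raw key bytes in the same layout openvpn --genkey uses:
    a comment banner, then 16 lines of 32 hex characters between the markers."""
    if len(key) != KEY_BYTES:
        raise ValueError("static key must be 256 bytes")
    hexdata = key.hex()
    rows = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *rows, FOOTER]) + "\n"


def generate_static_key() -> str:
    """Same shape of output as 'openvpn --genkey --secret ta.key', from the OS CSPRNG."""
    return format_static_key(os.urandom(KEY_BYTES))


# Constructed sample (deterministic bytes 0x00..0xff) for demonstration only.
SAMPLE_KEY_TEXT = format_static_key(bytes(range(256)))
```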