FEATURE: Inter-active Menus #133

Closed
TinCanTech opened this issue Jan 20, 2021 · 48 comments
Assignees
Labels
documentation Improvements or additions to documentation Feature Unique Solution applied This issue has been solved Testing welcome

Comments

@TinCanTech
Owner

E.g.:

./easytls build

Which type of TLS key do you want to build ?
[1] TLS Auth key
[2] TLS Crypt V1 key
[3] TLS Crypt V2 key for Server
[4] TLS Crypt V2 key for Client
?
@TinCanTech TinCanTech added help wanted Extra attention is needed Feature request Additional new feature labels Jan 20, 2021
@TinCanTech TinCanTech self-assigned this Jan 20, 2021
@TinCanTech
Owner Author

This could also be extended to configuring easytls-cryptv2-verify.sh and easytls-cryptv2-client-connect.sh

@TinCanTech TinCanTech changed the title Add build and inline menu driven interaction Add build and inline interactive menus Jan 21, 2021
@TinCanTech TinCanTech pinned this issue Jan 22, 2021
@TinCanTech TinCanTech added Feature Unique Solution applied This issue has been solved Testing welcome documentation Improvements or additions to documentation labels Jan 22, 2021
@TinCanTech
Owner Author

TODO:

  • config menus
  • easytls-cryptv2-verify.sh menus
  • easytls-cryptv2-client-connect.sh menus

@TinCanTech TinCanTech added the Reminder Remember - it is brown for a reason label Jan 22, 2021
@TinCanTech
Owner Author

@houmie This should help you out :-)

@houmie

houmie commented Jan 24, 2021

This sounds promising. I will test this soon. Well done!

@TinCanTech TinCanTech removed Feature request Additional new feature help wanted Extra attention is needed labels Jan 25, 2021
@houmie

houmie commented Jan 26, 2021

Hello mate,

I have just started the testing, the last commit on master is 0b663f221b060dcd1a5576e28824645d1638738d.

Do I still have to do ./easytls --verbose init-tls before I run ./easytls build?

Thanks

@TinCanTech
Owner Author

build and inline are interactive methods to use easytls.

init-tls will delete all of your current TLS keys and inline files ..

If you are only testing then you can do either.

--verbose is to make debugging a little easier, so you only need it when there is a problem.

@TinCanTech TinCanTech removed the Reminder Remember - it is brown for a reason label Jan 27, 2021
@houmie

houmie commented Jan 27, 2021

Great. I will test everything and report here:

Removal:

./easytls --verbose init-tls
* Note: using Easy-RSA configuration from: ./vars
* Config file hash check OK
* Load Config


WARNING!!!

You are about to remove the EASYTLS_PKI at: /etc/openvpn/easy-rsa/pki/easytls
and initialize a fresh TLS PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes
* Inline-index hash saved OK
* Config file hash saved OK
* CA fingerprint: SHA1 Fingerprint=0B:08:C8:99:12:36:74:DD:7B:57:87:79:9E:47:2E:B0:21:43:93:CD
* CA Identity: 0B08C899123674DD7B5787799E472EB0214393CD
* Config file hash saved OK

Saved CA Identify: /etc/openvpn/easy-rsa/pki/easytls/easytls-ca-identity.txt

init-tls complete; you may now create TLS keys and .inline files.
Your newly created TLS dir is: /etc/openvpn/easy-rsa/pki/easytls


To configure your custom group now, use:
	 'easytls config custom.group YOUR_GROUP

* auto-check
* Inline-index hash check OK
* Disabled-list hash check OK
* auto-check complete.

Option 1:

./easytls build
Easy-TLS Interactive TLS key builder:

Available key types:
[1] TLS Auth key
[2] TLS Crypt V1 key
[3] TLS Crypt V2 key for Server
[4] TLS Crypt V2 key for Client

Select the type of key to build:
1

* Easy-TLS command:
  ./easytls build-tls-auth

TLS auth key created: /etc/openvpn/easy-rsa/pki/easytls/tls-auth.key

and option 2:

./easytls build
Easy-TLS Interactive TLS key builder:

Available key types:
[1] TLS Auth key
[2] TLS Crypt V1 key
[3] TLS Crypt V2 key for Server
[4] TLS Crypt V2 key for Client

Select the type of key to build:
2

* Easy-TLS command:
  ./easytls build-tls-crypt

TLS crypt v1 key created: /etc/openvpn/easy-rsa/pki/easytls/tls-crypt.key

However, I will now focus more on options 3 and 4, since the two top options are rather legacy. ;-)

@houmie

houmie commented Jan 27, 2021

option 3:

./easytls build
Easy-TLS Interactive TLS key builder:

Available key types:
[1] TLS Auth key
[2] TLS Crypt V1 key
[3] TLS Crypt V2 key for Server
[4] TLS Crypt V2 key for Client

Select the type of key to build:
3

Enter the commonName of your Server certificate:
server_jtjdMPkGoxv9w8PT

* Easy-TLS command:
  ./easytls build-tls-crypt-v2-server server_jtjdMPkGoxv9w8PT

TLS crypt v2 server key created: /etc/openvpn/easy-rsa/pki/easytls/server_jtjdMPkGoxv9w8PT-tls-crypt-v2.key

option 4:
This is a bit confusing:

Easy-TLS Interactive TLS key builder:

Available key types:
[1] TLS Auth key
[2] TLS Crypt V1 key
[3] TLS Crypt V2 key for Server
[4] TLS Crypt V2 key for Client

Select the type of key to build:
4

Enter the commonName of your *Server* certificate:
server_jtjdMPkGoxv9w8PT-tls-crypt-v2

Enter the commonName of your *Client* certificate:
clientDeTestM2

All client TLS-Crypt-V2 keys must use the same Custom Group.

You should configure your Custom Group like so:
  ./easytls config custom.group NAME

If you have configured your Custom Group or do not require a Custom Group
then leave this field blank.

Your current custom group is:

Enter your Custom Group name:

At this point I don't know if I should Ctrl+C and go back to create the group beforehand via ./easytls config custom.group NAME, or should I carry on and enter the group name, and it would make it for me?

@houmie

houmie commented Jan 27, 2021

I have carried on, let's see if the group is created for me:



Enter your Custom Group name:
mygroup

Each X509 Client certificate can have multiple TLS-Crypt-V2 keys,
these keys are referred to as Sub-keys.

If you do not require a Sub-key then leave this field blank.

Enter your Sub-key name:
mySubKey1

You can lock this key to specific MAC hardware addresses.

Hardware addresses can be in the form of:
* 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

Leave this field blank to continue.

Enter a single MAC hardware address:

May I ask what is the purpose of tying down the key to the MAC address of the server? I suppose this could be useful when you want to lock the key only to one device. Meaning only that device can connect to the server. If that key leaks, and someone would use it on another device, then it will not be able to connect. Am I correct?

@houmie

houmie commented Jan 27, 2021

I carried on and left the MAC address blank, but it led to the first error:

Leave this field blank to continue.

Enter a single MAC hardware address:


* Easy-TLS command:
  ./easytls --sub-key-name=mySubKey1 --custom-group=mygroup build-tls-crypt-v2-client server_jtjdMPkGoxv9w8PT-tls-crypt-v2 clientDeTestM2

Easy-TLS version: 1.27a

Easy-TLS error:

Easy-TLS requires that the x509 certificate has been built.
Missing srv file: /etc/openvpn/easy-rsa/pki/issued/server_jtjdMPkGoxv9w8PT-tls-crypt-v2.crt

root@ip-172-31-2-8:/etc/openvpn/easy-rsa# ls /etc/openvpn/easy-rsa/pki/issued/
clientDeTestM2.crt           server_jtjdMPkGoxv9w8PT.crt

The filename has to lose -tls-crypt-v2 then it can be found.

@TinCanTech
Owner Author

TinCanTech commented Jan 27, 2021

You are trying to create a client TLS-Crypt-v2 key and you are asked for the commonName of your server certificate (not TLS key).

eg: Enter the commonName of your *Server* certificate:

You would enter: server_jtjdMPkGoxv9w8PT

When you build a server TLS-Crypt-V2 key you will not be asked for hardware-addresses.

@TinCanTech
Owner Author

TinCanTech commented Jan 27, 2021

Regarding the custom_group, for the purpose of testing it is not very important but I do take your point. I will add a note that CTRL-C back out to configure your custom group is OK.

Thanks for testing and feedback!

TLS-Crypt-V2 client keys (and sub-keys) are the very point of Easy-TLS, so I will improve that interactive section to make things more clear.

@TinCanTech
Owner Author

TinCanTech commented Jan 27, 2021

Also, you can verify the client TLS-Crypt-V2 metadata by opening the file for it in easytls/metadata. This file is only available to the Server admin.

The metadata included in the client inline file contains no security sensitive data.
You can also disable the hardware-addresses being copied to the inline file or disable ALL metadata being copied to the inline file.

The metadata is protected by the TLS-Crypt-v2 key itself. It cannot be read or tampered with by a client.

@TinCanTech
Owner Author

@houmie

First, thank you for your help, time and feedback. User feedback is always the best motivator!

For that reason, I have decided to take a slightly different approach.

Easy-TLS is useful for a moment to inline etc. but it is (or could be) very useful for TLS Crypt V2 key management. However, there is no established standard for me to work to, except to try to emulate something like full X509.

Instead, by focusing on the interactive menus, I can educate the user as to these new terms at the same time as using them. Hopefully, by clearing away the confusion of all the command options, the script will be easier to use.

If you do have questions or ideas please let me know but for now you can relax ;-)

@houmie

houmie commented Feb 2, 2021

@TinCanTech

No problem my friend. I love this project and happy to help testing it whenever you need it. :-)

@TinCanTech
Owner Author

If the OpenVPN client picks a different sub key each time before establishing a connection to the same server, will the footprint of the internet packets change accordingly compared to the previous connection? (Think of DPI

That is the idea. Each client key is unique and so the initial handshake should look different to a scanner, if a different client key is used.

Thanks for testing and feedback!

@houmie

houmie commented Feb 20, 2021

I think --batch should skip those confirmations.

Mhhh no, it doesn't react to it and shows the help menu. Can't find --batch in help either.

@houmie

houmie commented Feb 20, 2021

If you need anything else specifically tested, let me know. :-)

@TinCanTech
Owner Author

TinCanTech commented Feb 20, 2021

Can't find --batch in help either.

-b|--batch : Set automatic (no-prompts when possible) mode.

Try like so:

./easytls --batch --custom-group=houmie --sub-key-name=subKey3 --openvpn=/usr/sbin/openvpn build-tls-crypt-v2-client $SERVER $CLIENT

And using short options:

./easytls -b --g=houmie --k=subKey3 --openvpn=/usr/sbin/openvpn build-tls-crypt-v2-client $SERVER $CLIENT

-g|--custom-group=XYZ

-k|--sub-key-name=Name

Also, you should not need to specify --openvpn= if it is in the standard system path.

@TinCanTech
Owner Author

TinCanTech commented Feb 20, 2021

If you need anything else specifically tested, let me know. :-)

I would like to know your feedback regarding each of the inter-active menus. build, inline, remove and script but take your time and thanks again :-) (Remember: use -b|--batch to avoid confirmations)

@houmie

houmie commented Feb 20, 2021

Ah yes. Apologies. I did something silly. My SSH session was broken, and when I went back to server I forgot to set $CLIENT and $SERVER variables, and hence it didn't work. I thought it was because of --batch :-D

I confirm --batch works.

@TinCanTech
Owner Author

If you need anything else specifically tested, let me know. :-)

I would like to know your feedback regarding each of the inter-active menus.

As per the issue title: Add build and inline interactive menus

But I am only teasing you. All your help and feedback is invaluable!

1 user test is infinity % more than 0 user tests 💯

@houmie

houmie commented Feb 20, 2021

Alrighty: Let's test build

This is the case where the server crypt2 key already exists:

root@de-test:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available TLS-key types:

  [1] TLS-Auth key                   - Legacy HMAC pre-shared key
  [2] TLS-Crypt-V1 key               - Basic TLS-crypt-v1 pre-shared key
  [3] TLS-Crypt-V2 key for Server    - Advanced TLS-Crypt-v2 Server key
  [4] TLS-Crypt-V2 key for Client    - Advanced TLS-Crypt-v2 Client key

  Select the type of TLS-key to build: 3

** Build TLS-Crypt-V2 key for Server

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your Server certificate: server_FTgXGQfCD5rtfGol

====================

* Easy-TLS command:

    ./easytls build-tls-crypt-v2-server server_FTgXGQfCD5rtfGol

====================

Easy-TLS version: 1.27a

Easy-TLS error:

No extra help is configured

Server file already exists: /etc/openvpn/easy-rsa/pki/easytls/server_FTgXGQfCD5rtfGol-tls-crypt-v2.key

I have now renamed it and tried again:

root@de-test:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available TLS-key types:

  [1] TLS-Auth key                   - Legacy HMAC pre-shared key
  [2] TLS-Crypt-V1 key               - Basic TLS-crypt-v1 pre-shared key
  [3] TLS-Crypt-V2 key for Server    - Advanced TLS-Crypt-v2 Server key
  [4] TLS-Crypt-V2 key for Client    - Advanced TLS-Crypt-v2 Client key

  Select the type of TLS-key to build: 3

** Build TLS-Crypt-V2 key for Server

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your Server certificate: server_FTgXGQfCD5rtfGol

====================

* Easy-TLS command:

    ./easytls build-tls-crypt-v2-server server_FTgXGQfCD5rtfGol

====================

TLS crypt v2 server key created: /etc/openvpn/easy-rsa/pki/easytls/server_FTgXGQfCD5rtfGol-tls-crypt-v2.key

I'm now looking into the other menus.

@houmie

houmie commented Feb 20, 2021

Actually Now let's try building the client.

root@de-test:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available TLS-key types:

  [1] TLS-Auth key                   - Legacy HMAC pre-shared key
  [2] TLS-Crypt-V1 key               - Basic TLS-crypt-v1 pre-shared key
  [3] TLS-Crypt-V2 key for Server    - Advanced TLS-Crypt-v2 Server key
  [4] TLS-Crypt-V2 key for Client    - Advanced TLS-Crypt-v2 Client key

  Select the type of TLS-key to build: 4

** Build TLS-Crypt-V2 key for Client

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your *Server* certificate: server_FTgXGQfCD5rtfGol

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your *Client* certificate: DeTest

====================

* All TLS-Crypt-V2 Client keys which are created by the same Server key
  MUST use the same Custom-Group.

  You can configure a single Custom-Group like so:

    $ ./easytls config custom.group NAME

  If you want to configure a Custom-Group then use CTRL-C now.

  If you have configured your Custom-Group or do not require a Custom-Group
  then leave this field blank.

  Your current Custom-Group is: houmie

  Enter your Custom-Group NAME
  or leave this blank to accept the current Custom-Group:

====================

* Each X509 Client certificate can have multiple TLS-Crypt-V2 keys,
  these keys are referred to as Sub-keys.  Each Sub-key is used in
  a separate inline file with the same X509 Client certificate.

  Do not set Sub-key for a Server file, only Clients can use Sub-keys.

  Leave blank to continue.

  Enter the Sub-key Name for your key: s1

====================

* You can lock this key to specific MAC hardware addresses.

  Hardware addresses can be in the form of:

    * 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  If you do not require hardware address lock-down
  then leave this field blank.

  Enter a single MAC hardware address
  or leave blank to continue:

====================

* Easy-TLS command:

    ./easytls --sub-key-name=s1 build-tls-crypt-v2-client server_FTgXGQfCD5rtfGol DeTest

====================

Custom-Group field for metadata: houmie

Type the word 'yes' to continue, or any other input to abort.

  Is the Custom-Group field correct ? yes

Sub-key-name field for metadata: s1

Type the word 'yes' to continue, or any other input to abort.

  Is the Sub-key-name correct ? yes

TLS crypt v2 client key created: /etc/openvpn/easy-rsa/pki/easytls/DeTest-s1-tls-crypt-v2.key

====================

* Do you want to build a corresponding inline file ?

  Enter (y)es or (n)o: y

====================

* Do you want to include the client metadata in the inline file ?

  The metadata does not contain any security sensitive data but
  you may prefer to omit it.

  (For Server inline files, this is ignored)

  Enter (y)es or (n)o: y

====================

* Do you want to include the hardware addresses in the client metadata ?

  Enter (y)es or (n)o: n

====================

* Easy-TLS command:

    ./easytls inline-tls-crypt-v2 DeTest

====================

Inline TLS crypt v2 file created: /etc/openvpn/easy-rsa/pki/easytls/DeTest-s1.inline

This was also very straightforward. Both files look ok.

@houmie

houmie commented Feb 20, 2021

I found one bug it seems:

root@de-test:/etc/openvpn/easy-rsa# ./easytls inline

Easy-TLS Inter-active Inline-file builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available Inline-file types:

  [1] Inline with TLS Auth key
  [2] Inline with TLS Crypt v1 key
  [3] Inline with TLS Crypt v2 key
  [4] Remove Inline-file

  Select the type of Inline-file to build: 4
Quit!

:)

@TinCanTech
Owner Author

TinCanTech commented Feb 20, 2021

You have inadvertently found two bugs! The one above is fixed.

However, by your action:

Server file already exists: ...
I have now renamed it and tried again:

You have exposed a weakness in the indexing process, which I completely overlooked! And now I am going to have to write a new layer of verification to stop that happening in future! The problem is, by renaming the server key, you have effectively destroyed the integrity of the inline-index .. Thanks! 🗡️

But seriously, thanks for testing and feedback, your help is invaluable. 🍻

Edit: FTR, the way Easy-TLS is supposed to work is to use: ./easytls remove
That way, the inline-index is kept intact.

@houmie

houmie commented Feb 20, 2021

No problem. Any time. :)

TinCanTech referenced this issue Feb 20, 2021
@houmie

houmie commented Feb 28, 2021

Good morning,

Alrighty, let's go through some scenarios:

root@de-test:/etc/openvpn/easy-rsa# ./easytls init-tls


WARNING!!!

You are about to remove the EASYTLS_PKI at: /etc/openvpn/easy-rsa/pki/easytls
and initialize a fresh TLS PKI here.

Type the word 'yes' to continue, or any other input to abort.

  Confirm removal: yes

Saved CA Identity: /etc/openvpn/easy-rsa/pki/easytls/data/easytls-ca-identity.txt

init-tls complete; you may now create TLS keys and .inline files.
  Your newly created TLS dir is:

    /etc/openvpn/easy-rsa/pki/easytls

To configure your Easy-TLS custom group now, use:

    'easytls config custom.group YOUR_GROUP'

root@de-test-m2:/etc/openvpn/easy-rsa#

Build

root@de-test:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available TLS-key types:

  [1] TLS-Auth key                   - Legacy HMAC pre-shared key
  [2] TLS-Crypt-V1 key               - Basic TLS-crypt-v1 pre-shared key
  [3] TLS-Crypt-V2 key for Server    - Advanced TLS-Crypt-v2 Server key
  [4] TLS-Crypt-V2 key for Client    - Advanced TLS-Crypt-v2 Client key

  Select the type of TLS-key to build: 3

** Build TLS-Crypt-V2 key for Server

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your Server certificate: server_IFdvDMhAuLvj3mOF

====================

* Easy-TLS command:

    ./easytls build-tls-crypt-v2-server server_IFdvDMhAuLvj3mOF

====================

TLS crypt v2 server key created: /etc/openvpn/easy-rsa/pki/easytls/server_IFdvDMhAuLvj3mOF-tls-crypt-v2.key

@houmie

houmie commented Feb 28, 2021

inline without having a client in place

I'm not sure about Diffie-Hellman. I don't think I've ever used it before. What benefit would there be in the sense of Crypt-2?
I also said 'y' and yet left the filename empty. It still accepted it. Is this expected?

root@de-test:/etc/openvpn/easy-rsa# ./easytls inline

Easy-TLS Inter-active Inline-file builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available Inline-file types:

  [1] Inline with TLS Auth key
  [2] Inline with TLS Crypt v1 key
  [3] Inline with TLS Crypt v2 key

  Select the type of Inline-file to build: 3

** Build TLS-Crypt-v2 inline-file

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your  certificate: clientDeTestM2

====================

* Each X509 Client certificate can have multiple TLS-Crypt-V2 keys,
  these keys are referred to as Sub-keys.  Each Sub-key is used in
  a separate inline file with the same X509 Client certificate.

  Do not set Sub-key for a Server file, only Clients can use Sub-keys.

  Leave blank to continue.

  Enter the Sub-key Name for your key: sub1key

====================

* Do you have the private key for this X509 certificate ?

  Enter (y)es or (n)o: y




====================

* Do you want to inline the Diffy-Hellman parameter file ?

  Only Servers can use Diffy-Hellman parameter file.

  Enter (y)es or (n)o: y

====================

* If you need to use a custom Diffy-Hellman parameters file then
  enter the file location and name.

  Leave this blank to use the default Easy-TLS DH file.

  Enter the DH file name:

====================

* Do you want to include the client metadata in the inline file ?

  The metadata does not contain any security sensitive data but
  you may prefer to omit it.

  (For Server inline files, this is ignored)

  Enter (y)es or (n)o: y

====================

* Do you want to include the hardware addresses in the client metadata ?

  Enter (y)es or (n)o: n

====================

* Easy-TLS command:

    ./easytls --sub-key-name=sub1key inline-tls-crypt-v2 clientDeTestM2 add-dh

====================

Easy-TLS version: 1.27a

Easy-TLS error:

No extra help is configured

TLS key file does not exist: /etc/openvpn/easy-rsa/pki/easytls/clientDeTestM2-sub1key-tls-crypt-v2.key

@houmie

houmie commented Feb 28, 2021

Creating a client abruptly ends when selecting don't create an inline:

root@de-test:/etc/openvpn/easy-rsa# ./easytls build

Easy-TLS Inter-active TLS-key builder.

====================

To cancel this inter-active menu at any time, press Control-C

* Available TLS-key types:

  [1] TLS-Auth key                   - Legacy HMAC pre-shared key
  [2] TLS-Crypt-V1 key               - Basic TLS-crypt-v1 pre-shared key
  [3] TLS-Crypt-V2 key for Server    - Advanced TLS-Crypt-v2 Server key
  [4] TLS-Crypt-V2 key for Client    - Advanced TLS-Crypt-v2 Client key

  Select the type of TLS-key to build: 4

** Build TLS-Crypt-V2 key for Client

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your *Server* certificate: server_IFdvDMhAuLvj3mOF

====================

* This field only requires the certificate commonName,
  it does not require the complete file name.

  Enter the commonName of your *Client* certificate: clientDeTestM2

====================

* All TLS-Crypt-V2 Client keys which are created by the same Server key
  MUST use the same Custom-Group.

  You can configure a single Custom-Group like so:

    $ ./easytls config custom.group NAME

  If you want to configure a Custom-Group then use CTRL-C now.

  If you have configured your Custom-Group or do not require a Custom-Group
  then leave this field blank.

  Your current Custom-Group is:

  Enter your Custom-Group NAME
  or leave this blank to accept the current Custom-Group: myCustom

====================

* Each X509 Client certificate can have multiple TLS-Crypt-V2 keys,
  these keys are referred to as Sub-keys.  Each Sub-key is used in
  a separate inline file with the same X509 Client certificate.

  Do not set Sub-key for a Server file, only Clients can use Sub-keys.

  Leave blank to continue.

  Enter the Sub-key Name for your key: mysub1

====================

* You can lock this key to specific MAC hardware addresses.

  Hardware addresses can be in the form of:

    * 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  If you do not require hardware address lock-down
  then leave this field blank.

  Enter a single MAC hardware address
  or leave blank to continue:

====================

* Easy-TLS command:

    ./easytls --sub-key-name=mysub1 --custom-group=myCustom build-tls-crypt-v2-client server_IFdvDMhAuLvj3mOF clientDeTestM2

====================

Custom-Group field for metadata: myCustom

Type the word 'yes' to continue, or any other input to abort.

  Is the Custom-Group field correct ? yes

Sub-key-name field for metadata: mysub1

Type the word 'yes' to continue, or any other input to abort.

  Is the Sub-key-name correct ? yes

TLS crypt v2 client key created: /etc/openvpn/easy-rsa/pki/easytls/clientDeTestM2-mysub1-tls-crypt-v2.key

====================

* Do you want to build a corresponding inline file ?

  Enter (y)es or (n)o: no

root@de-test:/etc/openvpn/easy-rsa#

@TinCanTech
Owner Author

TinCanTech commented Feb 28, 2021

Hi,

  1. Building the server key - Works ok.
  2. Inlining a client without a key - Fails as expected.
  3. Not inlining after building a key - Terminates as expected.

I agree with you that inlining a client should not bother with Diffie-Hellman and that is easy to fix.

I guess there are still some sharp edges which can be smoothed off but your testing did not reveal any errors. Unless I missed it ?

Thank you so much for your time and feedback, having a second opinion is invaluable!

@TinCanTech
Owner Author

@houmie If you get time, please let me know if it now looks any better.

@houmie

houmie commented Feb 28, 2021

Hey @TinCanTech,

No worries. Happy to help. Let me pull the latest and fire it off again.

@houmie

houmie commented Feb 28, 2021

  1. Running easytls build when server crypt key already exists, fails as expected. Doesn't get overwritten:
    Server file already exists: /etc/openvpn/easy-rsa/pki/easytls/server_IFdvDMhAuLvj3mOF-tls-crypt-v2.key
  2. Running easytls init and confirming correctly leads to deletion of server key. Subsequent easytls build allows me to create a new server key as expected.
  3. ./easytls build for client creation succeeded. No Diffie-Hellman this time around. Inline successfully created: Inline TLS crypt v2 file created: /etc/openvpn/easy-rsa/pki/easytls/clientDeTestM2-ss1.inline

@houmie

houmie commented Feb 28, 2021

  1. Creating a second subkey, this time with hardware address validation, led to a weirdness.
====================

* You can lock this key to specific MAC hardware addresses.

  Hardware addresses can be in the form of:

    * 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  If you do not require hardware address lock-down
  then leave this field blank.

  Enter a single MAC hardware address
  or leave blank to continue: DRFTGY

====================

* You can lock this key to specific MAC hardware addresses.

  Hardware addresses can be in the form of:

    * 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  If you do not require hardware address lock-down
  then leave this field blank.

  Enter a single MAC hardware address
  or leave blank to continue: 0123456789ab

====================

* You can lock this key to specific MAC hardware addresses.

  Hardware addresses can be in the form of:

    * 0123456789ab or 01-23-45-67-89-AB or 01:23:45:67:89:AB

  If you do not require hardware address lock-down
  then leave this field blank.

  Enter a single MAC hardware address
  or leave blank to continue:

====================

* Easy-TLS command:

    ./easytls --custom-group=bubu build-tls-crypt-v2-client server_IFdvDMhAuLvj3mOF clientDeTestM2  DRFTGY 0123456789ab

====================

Easy-TLS version: 1.27a

Easy-TLS error:

Hardware Address must be 12 digits exactly!

Invalid Hardware Address: DRFTGY

First entry: DRFTGY
Second entry: 0123456789ab
Third entry: blank

Only then it comes back complaining that first entry was invalid. Then it breaks the loop. No chance to recover. Not a biggie at all. Just mentioning.

@TinCanTech
Owner Author

Not a biggie at all. Just mentioning

That is exactly why I ask for your feedback ;-)

I can do the hardware-address validation at the user input point, instead of the key-gen routine.

Thanks again 👍
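The input-point validation suggested above, as an added example in POSIX sh (not Easy-TLS code): the address is checked and normalised at the prompt, and an invalid entry re-prompts instead of aborting the whole build later. The accepted forms are the three the menu lists; the function names, the constructed sample input and the stderr/stdout split are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Easy-TLS code: validate a MAC hardware address at the
# interactive prompt, so a bad entry is rejected immediately instead of
# surfacing later from the key-gen routine.
#
# Accepted input forms are the three the menu lists:
#   0123456789ab   01-23-45-67-89-AB   01:23:45:67:89:AB
# normalize_hwaddr prints the canonical form (12 lowercase hex digits) and
# returns 0; it returns 1 for anything else.

normalize_hwaddr() {
    case "$1" in
        ????????????)
            hw=$1 ;;
        ??-??-??-??-??-??|??:??:??:??:??:??)
            # Uniform separators only; strip them
            hw=$(printf '%s' "$1" | sed 's/[-:]//g') ;;
        *)
            return 1 ;;
    esac
    # Exactly 12 characters survive; every one must be a hex digit
    case "$hw" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    printf '%s\n' "$hw" | tr 'ABCDEF' 'abcdef'
}

# collect_hwaddrs reads addresses one per line from stdin (the prompt loop),
# re-prompts on an invalid entry, and stops at a blank line.  The accepted
# addresses are printed space-separated on stdout, ready to be appended to
# the build-tls-crypt-v2-client command line.  Prompts go to stderr so that
# stdout carries only the result.
collect_hwaddrs() {
    list=''
    while :; do
        printf '  Enter a single MAC hardware address\n  or leave blank to continue: ' >&2
        read -r line || break          # EOF ends the loop like a blank line
        [ -z "$line" ] && break
        if hw=$(normalize_hwaddr "$line"); then
            list="${list:+$list }$hw"
        else
            printf '  Invalid hardware address: %s (expected 12 hex digits)\n' "$line" >&2
        fi
    done
    printf '%s\n' "$list"
}

# Example interactive use (hypothetical; not run when this file is sourced):
#   HWADDRS=$(collect_hwaddrs)
#   ./easytls build-tls-crypt-v2-client "$SERVER" "$CLIENT" $HWADDRS
```

With the thread's input sequence (DRFTGY, 0123456789ab, blank), the first entry is rejected at the prompt and only the second reaches the command line.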

@TinCanTech
Owner Author

If you fancy having another shot, I really appreciate your input.

The build/inline menus should now verify the certificate and its usage before continuing and not bomb out on an error.

I've tested it fairly thoroughly but there is always something I've overlooked ;-)
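A certificate check of the kind described above, written as an added example in POSIX sh (not the project's own code). It ties together the earlier point that the prompt wants the certificate commonName rather than the TLS key file name, and the check that the certificate has the right usage before the build continues. Assumptions of this example: certificates live at $PKI/issued/<commonName>.crt as in the thread's directory listing, and server/client kind is read from the certificate's extendedKeyUsage (serverAuth for Easy-RSA server certificates, clientAuth for clients) with `openssl x509 -ext`, which needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Easy-TLS code: resolve the commonName typed at the menu
# prompt to the Easy-RSA certificate and check that the certificate exists
# and is the right kind (server or client) before the build continues.

# cert_path_for_cn PKI CN
# Accepts a bare commonName only; a path or a file name is rejected.
cert_path_for_cn() {
    case "$2" in
        ''|*/*|*.crt|*.key) return 1 ;;
    esac
    printf '%s/issued/%s.crt\n' "$1" "$2"
}

# classify_eku EKU_TEXT
# EKU_TEXT is the output of `openssl x509 -noout -ext extendedKeyUsage`.
# Prints server, client, both or none.
classify_eku() {
    srv=0; cli=0
    case "$1" in *"TLS Web Server Authentication"*) srv=1 ;; esac
    case "$1" in *"TLS Web Client Authentication"*) cli=1 ;; esac
    case "$srv$cli" in
        10) echo server ;;
        01) echo client ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# check_cert_usage PKI CN WANT   (WANT is server or client)
# Returns 0 when the certificate exists and its usage matches WANT,
# 1 when it exists with the wrong usage, 2 when it cannot be found.
check_cert_usage() {
    pki=$1; cn=$2; want=$3
    crt=$(cert_path_for_cn "$pki" "$cn") || {
        echo "Enter the certificate commonName only, not a file name: $cn" >&2
        return 2
    }
    if [ ! -f "$crt" ]; then
        echo "Missing certificate: $crt" >&2
        # The mistake seen in this thread: the TLS key name was entered
        # instead of the commonName.  Offer the obvious correction.
        base=${cn%-tls-crypt-v2}
        if [ "$base" != "$cn" ] && [ -f "$pki/issued/$base.crt" ]; then
            echo "Did you mean the commonName '$base' ?" >&2
        fi
        return 2
    fi
    # An unreadable or non-certificate file yields an empty EKU, hence 'none'
    eku=$(openssl x509 -in "$crt" -noout -ext extendedKeyUsage 2>/dev/null) || eku=''
    got=$(classify_eku "$eku")
    case "$got" in
        "$want"|both) return 0 ;;
    esac
    echo "Certificate $crt is usable as '$got', but a $want certificate is required" >&2
    return 1
}

# Menu flow (hypothetical): verify the Server CN, then the Client CN, and
# only then run the build command the menu would otherwise run blindly.
#   check_cert_usage "$PKI" "$SERVER_CN" server && \
#   check_cert_usage "$PKI" "$CLIENT_CN" client && \
#   ./easytls build-tls-crypt-v2-client "$SERVER_CN" "$CLIENT_CN"
```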

@houmie

houmie commented Mar 1, 2021

Yeah sure, no problem. Sorry I fell asleep last night. I will report back as soon as I can get to it again. :-)

Yeah it's easier for someone else to test the code, than yourself. Otherwise you follow the established known paths and won't find the issues.

TinCanTech referenced this issue Mar 8, 2021
Only minor changes to other code.

Signed-off-by: Richard Bonhomme <[email protected]>
@TinCanTech TinCanTech changed the title Add build and inline interactive menus FEATURE: Inter-active Menus Mar 18, 2021