First of all, I will explain what we are trying to develop. Basically, our idea
is to make OpenVPN works at kernel level, not at user level, and use the linux
cryptoapi instead of openssl. We will not use de /dev/net/tun (that is user
level space) and will create some new interfaces (something like openvpn0,
openvpn1, etc.).
We have being studying the OpenVPN source code but we get a little overwhelmed.
It is not easy to understand all the sources. We need some help, especially to
understand correctly the OpenVPN protocol. How the encrypted packet is formed?
How the packet is desencrypted? If you add some extra data to the packet? etc,
etc...
In a few words, we need the OpenVPN protocol.
We use this simple static-home.conf (Using Blowfish and SHA1 by default)
#
# Sample OpenVPN configuration file for
# home using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.
dev tun
ifconfig 10.1.0.2 10.1.0.1
up ./client.up
secret static.key
port 5000
verb 3
#
These are our doubts:
1- In the web page (http://openvpn.net/security.html) it says:
"In static key mode, a pre-shared key is generated and shared between both
OpenVPN peers before the tunnel is started. This static key contains 4
independent keys: HMAC send, HMAC receive, encrypt, and decrypt. By default in
static key mode, both hosts will use the same HMAC key and the same encrypt/
decrypt key. However, using the direction parameter to --secret, it is possible
to use all 4 keys independently."
We genereted this static key:
# 2048 bit OpenVPN static key
#
-BEGIN OpenVPN Static key V1-
4fb804ced58655f5e0ab11d455477fec
4131d3ad3995d7d194ebc2d9bed39628
62f548089a5c485f3c0ef64aff5860a0
ad9c54ee9ec9e795e08b7b5118e5a8da
f2bc492fd3dd2f6cb94b3b0d62e324db
bcd662ef2127466ca08147ddb0326eb4
1f7c46dfa4c2dd766fb2e62eb76ef44c
75247095c87f1178942fb9e7a2917d31
75ac5d60ef8d25dcc72b4dc81df900f2
56fad6dc6c2341590db6fe126ce20fec
8be8a609b25fd8a45ec47045ef03971a
7858b4ff929a9822d636f4a3a1da343a
2c424958e4ef8526776c18f34aaf82b0
77f153221cb453467beb0d154b0f0ca6
f68e53bfb5f7f1d94496340c0010f319
d5e0619ee4b50fc0f129e1bbf76d3e8a
-END OpenVPN Static key V1-
Question: This is a 256 bytes key, which part of this key is used for HMAC and
which for encryption/decryption? (We do not use de --secret option)
2- We test OpenVPN like this:
First we send a paquet without OpenVPN running. This is the structure of the
packet we get with Ethereal. We use the following command:
#echo "hola" | nc example.com 80
Unencrypted Packet
--
Total length=57 bytes
+---+
| IP HEADER | IP Header length = 20 bytes
|---|
| TCP HEADER| TCP Header length = 32 bytes
|---|
| DATA | DATA length = 5 bytes
| |
| hola. |
+---+
Then we start OpenVPN with this command:
#openvpn --config static-home.conf --cipher none
We run:
#echo "hola" | nc 10.1.0.1 80
And we get this
OpenVPN Unencrypted Packet
--
Total length=113 bytes
+---+
| IP HEADER | IP Header length = 20 bytes
|---|
| UDP HEADER| UDP Header length = 8 bytes
|---|
| Original IP HEADER | Orig. IP Header length = 20 bytes
|---|
| Original TCP HEADER | Orig. TCP Header length = 32 bytes
|---|
| HMAC | HMAC length = 20 bytes
|---|
| IV| IV length = ?
|---|
| Sequence number | Sequence numbre length = 8 bytes
|---|
| DATA | DATA length = 5 bytes
| hola. |
+---+
(http://openvpn.net/security.html)
"The plaintext of the encrypted envelope is formatted as follows:
64 bit sequence number
payload data, i.e. IP packet or Ethernet frame"
Question: What's the meaning of the sequence number field before the DATA? What
contains?
Question: What length does the IV have?
Question: Are correct the lengths we put?
Question: Is correct the packet structure?
Something must be wrong because if you add all the lengths (20 + 8 + 20 + 32 +
20 + 8 + 5) you will get 113 (total packet length) but you did not add the IV
length.
And finally we restart OpenVPN with this command:
#openvpn --config static-home.conf
We run:
#echo "hola" | nc 10.1.0.1 80
And we get this
OpenVPN Encrypted Packet
-
