Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2017-01-02 Thread Jason Haar
On Tue, Jan 3, 2017 at 12:10 AM, Samuli Seppänen  wrote:

> We've discussed traffic obfuscation in the past many times, and have
> always concluded that we don't want to play that cat-and-mouse game in
> the _core_ OpenVPN.
>

I agree - sort of. I'd say the one exception would be to add proxy-over-TLS
support into openvpn. It's merely an extension of existing code but means
those who choose to use it would gain the ability to appear exclusively as
a TCP/TLS transaction - no evidence of vpn traffic at all.

i.e., set up squid on your openvpn server with a TLS port (https_port), acl
it down to only be a proxy for localhost:1194 (say). Then configure the openvpn
client as


remote localhost:1194 tcp
http-proxy squid.server 443


All anyone would see is the client making a TLS (with SNI) connection to
https://squid.server/ (and lots of traffic...). Would look effectively
identical to Skype, Hangouts, etc., i.e. large volumes of (assumed) HTTPS
traffic. Could probably configure squid so that it defaults to a real
Apache server, and does the "trick" just for "CONNECT localhost:1194" -
that way even connecting to it would show a website.

Hmm, on second thoughts, this would be easier/cleaner to do in Apache via
mod_proxy...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread Christoph Biedl
Gert Doering wrote...

> In many companies, using VPNs from desktop machines to connect to untrusted
> networks "outside" is strictly prohibited to avoid unfiltered access in
> reverse, and circumventing this is a firing reason.  So better talk to 'em.

Agreed. We don't know the reason behind this blocking. It might be
about encrypted traffic, or about all unknown traffic. Or just
about UDP, as some high-traffic applications seldom used for legal
purposes reportedly use that, and then OpenVPN traffic is just a
victim of the circumstances. And never rule out stupid management
decisions to achieve "security" (i.e. a warm feeling of it, nothing
more).

We don't know. But we should be aware the admins will read this.

> (Otherwise, run "ssh -L $localport:$vpnserver:$remoteport $sshserver",
> and point your openvpn to "remote 127.0.0.1 $localport" - TCP only.  
> Alternatively, use "ssh -D $socksport $sshserver" and specify 
> "socks-proxy 127.0.0.1 $socksport" in your openvpn config)

... and read about tcp-in-tcp encapsulation. Also, rumour has it ssh
has an IP tunneling feature as well. If ssh host and tunnel endpoint
are the same machine, that would reduce the number of layers and
eliminate the above problem.

Christoph



Re: [Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread Gert Doering
Hi,

On Mon, Jan 02, 2017 at 03:51:38PM +0530, Tibin Geo k k wrote:
> How do I connect OpenVPN through an ssh tunnel? I have configured an OpenVPN server
> on an Ubuntu machine, and it is working fine; recently my network admin
> blocked connections to external VPNs.

"talk to your network admin, explain what you want to achieve and how
it fits corporate security policies"

In many companies, using VPNs from desktop machines to connect to untrusted
networks "outside" is strictly prohibited to avoid unfiltered access in
reverse, and circumventing this is a firing reason.  So better talk to 'em.

(Otherwise, run "ssh -L $localport:$vpnserver:$remoteport $sshserver",
and point your openvpn to "remote 127.0.0.1 $localport" - TCP only.  
Alternatively, use "ssh -D $socksport $sshserver" and specify 
"socks-proxy 127.0.0.1 $socksport" in your openvpn config)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2017-01-02 Thread Samuli Seppänen
On 31/12/2016 20:36, Илья Шипицин wrote:
>
> Tue, 20 Dec 2016 at 5:13, Kevin Long:
>
> I was just browsing the Mastering OpenVPN book and a paragraph
> jumped out at me which basically said that using OpenVPN on port 443
> is a common way people try to duck firewalls.  Indeed, this is what
> I do.  My clients are all over the place, airports, hotels,
> different countries etc, and we do seem to have better luck on port
> 443 tcp than 1194 tcp or udp.
>
> But the book states, as I have just learned recently,
> coincidentally, that OpenVPN traffic (even running on TCP) does not
> really look like normal browser TLS traffic.
>
> I saw in the release notes I believe, that the new tls-crypt feature
> helps prevent metadata about auth certificates from being exposed,
> as well as blocking deep-packet inspections of the traffic.
>
> Could anyone possibly elaborate on this? Will this in practice help
> to mitigate OpenVPN blocking on port 443 in cases where normal TLS
> 443 traffic is permitted?
>
> Also, could anyone elaborate on tls-crypt being “poor man’s quantum”
> protection?
>
> Thank you again,
>
> Kevin
>
>
> I think traffic obfuscation needs more attention. OpenVPN becomes more
> and more popular, even http://openvpn.net is prohibited in several
> countries.
>
> We recently tried tls-crypt from China, it does not bypass great wall
> software.

Hi,

We've discussed traffic obfuscation in the past many times, and have 
always concluded that we don't want to play that cat-and-mouse game in 
the _core_ OpenVPN.

That said, there could definitely be a separate project that basically 
bundles OpenVPN with obfuscation software such as obfsproxy. Then _that_ 
project would play the cat-and-mouse game. I would argue that this 
approach would be more effective, as the participants in that project 
would have vested interest in the obfuscation working. I believe many 
VPN providers already implement obfuscation, each reinventing the wheel, 
which typically tends to produce half-baked implementation as well as 
lots of wasted effort in the name of commercial differentiation.

If someone is willing to cobble something together and publish it, I'm 
sure other people will soon follow and the "Obfuscated OpenVPN" project 
will start gaining momentum.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread Jakob Curdes


On 02.01.2017 at 11:21, Tibin Geo k k wrote:
> How do I connect OpenVPN through an ssh tunnel? I have configured an OpenVPN
> server on an Ubuntu machine, and it is working fine; recently my
> network admin blocked connections to external VPNs.
I think if your network admin blocked connections to external VPNs you
should not try to circumvent that; it could have severe personal and
legal consequences. Typically companies do not encourage their staff to
remote-control private external servers from their office and during
worktime.
JC



Re: [Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread J.Witvliet
Hi,

What you ask is indeed possible, but imho a waste of time.
If your network admin has the cheek to block openvpn traffic, he will certainly
also block ssh later on.

The best advice I can give you is to use the https encapsulation offered by
openvpn itself.
It is very unlikely that your admin will also block https…

HW


From: Tibin Geo k k [mailto:kktibin...@gmail.com]
Sent: Monday 2 January 2017 11:22
To: Openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] OpenVPN over ssh tunnel

How do I connect OpenVPN through an ssh tunnel? I have configured an OpenVPN server on
an Ubuntu machine, and it is working fine; recently my network admin blocked
connections to external VPNs.

This message may contain information that is not intended for you. If you are 
not the addressee or if this message was sent to you by mistake, you are 
requested to inform the sender and delete the message. The State accepts no 
liability for damage of any kind resulting from the risks inherent in the 
electronic transmission of messages.


[Openvpn-users] OpenVPN over ssh tunnel

2017-01-02 Thread Tibin Geo k k
How do I connect OpenVPN through an ssh tunnel? I have configured an OpenVPN server
on an Ubuntu machine, and it is working fine; recently my network admin
blocked connections to external VPNs.