
Does not support connecting to server that does not use tls-auth #36

Open
whohoho opened this issue Mar 28, 2020 · 7 comments
Labels
enhancement New feature or request

Comments

@whohoho
Contributor

whohoho commented Mar 28, 2020

It's not possible to connect to a server that does not use tls-auth.

@hannesm
Contributor

hannesm commented Mar 28, 2020

This is correct. If you're looking for static pre-shared keys mode, please take a look at #11 (which I'm working on; I re-started my efforts yesterday evening).

@hannesm
Contributor

hannesm commented Mar 28, 2020

Or is there some other authentication mode you'd like to have support for? If it is static pre-shared keys (secret in the OpenVPN configuration), I think this is a duplicate of #11.

@whohoho
Contributor Author

whohoho commented Mar 28, 2020

No, I am talking about the optional HMAC signature.

When a server does not have that enabled, and it is enabled on the client, the client cannot connect.

https://openvpn.net/community-resources/hardening-openvpn-security/
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against: DoS attacks or port flooding on the OpenVPN UDP port. Port scanning to determine which server UDP ports are in a listening state.

packet format here: https://build.openvpn.net/doxygen/network_protocol.html

@hannesm
Contributor

hannesm commented Mar 28, 2020

OK, and do you actively use such a configuration?

@whohoho
Contributor Author

whohoho commented Mar 28, 2020

I don't actively use such a configuration, but it's quite common to have OpenVPN configured that way.

Here is one example; I'm checking some other ones to see how they are configured:
https://riseup.net/vpn/vpn-red/windows/windows-riseup.ovpn

@whohoho
Contributor Author

whohoho commented Mar 28, 2020

Another example:

https://github.com/leapcode/bitmask-dev/blob/master/src/leap/bitmask/vpn/helpers/linux/bitmask-root#L133

https://0xacab.org/leap/bitmask-vpn/-/blob/master/helpers/bitmask-root#L133

How Bitmask works is: you connect to an HTTP API server, which then gives you a client certificate that allows you to connect to OpenVPN.

@cfcs
Contributor

cfcs commented Mar 28, 2020

I also think there's value in skipping the computational + bandwidth overhead for an essentially useless HMAC with a global key shared amongst all users. This used to be useful for two things:

  • If you trusted all clients, this could be used to limit exposure to openssl
  • If you had clients behind very simplistic DPI boxes this would make the traffic look less like TLS, but TBH I am not convinced that such boxes exist (they could just check for the x509 certs).

With no openssl, and no examples of DPI boxes that are actually fooled by this, I'd be in favor of not having this be mandatory.
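As an added example (not code from this project or from anyone in the thread), here is a small Python model of the two control-packet header layouts this issue is about, following the network_protocol page linked earlier: the same packet with and without the tls-auth HMAC, plus the check a tls-auth client performs on receipt. It shows the per-packet byte overhead cfcs refers to and why a client that expects tls-auth rejects a peer that does not send it. The field order, the HMAC coverage (replay fields, then op/key_id, session id and the rest, HMAC field excluded) and the raw 20-byte SHA1 key are my assumptions; all packets are constructed.

```python
import hashlib, hmac, struct

# Assumed control-channel header layouts (OpenVPN reliability layer, see network_protocol.html):
#   no tls-auth : op/key_id(1) | session_id(8) | ack_len(1) | acks(4*n) | [remote sid(8)] | msg_pid(4) | payload
#   tls-auth    : op/key_id(1) | session_id(8) | HMAC(n) | pid(4) | time(4) | ack_len(1) | ...same tail

def build_control(opcode, key_id, session_id, tail, tls_auth_key=None, pid=1, net_time=0, digest="sha1"):
    head = bytes([(opcode << 3) | key_id]) + session_id  # opcode in the high 5 bits, key_id in the low 3
    if tls_auth_key is None:
        return head + tail
    replay = struct.pack(">II", pid, net_time)  # assumed: HMAC covers replay | head | tail, not itself
    mac = hmac.new(tls_auth_key, replay + head + tail, digest).digest()
    return head + mac + replay + tail

def parse_control(pkt, tls_auth_key=None, digest="sha1"):
    info = {"opcode": pkt[0] >> 3, "key_id": pkt[0] & 0x07, "session_id": pkt[1:9], "tls_auth": False}
    off = 9
    if tls_auth_key is not None:  # client configured with tls-auth: the HMAC must be there and verify
        n = hashlib.new(digest).digest_size
        mac, replay = pkt[off:off + n], pkt[off + n:off + n + 8]
        off += n + 8
        expected = hmac.new(tls_auth_key, replay + pkt[:9] + pkt[off:], digest).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("tls-auth HMAC mismatch: peer may not use tls-auth, or key/key-direction is wrong")
        info["tls_auth"] = True
        info["packet_id"], info["net_time"] = struct.unpack(">II", replay)
    ack_len, off = pkt[off], off + 1
    info["acks"] = [struct.unpack(">I", pkt[off + 4 * i:off + 4 * i + 4])[0] for i in range(ack_len)]
    off += 4 * ack_len
    if ack_len:  # remote session id is only present when acks are carried
        info["remote_session_id"], off = pkt[off:off + 8], off + 8
    info["msg_packet_id"] = struct.unpack(">I", pkt[off:off + 4])[0]
    info["payload"] = pkt[off + 4:]
    return info

# Would a client configured with this key (None = no tls-auth) accept the packet?
def accepts(pkt, tls_auth_key=None):
    try:
        parse_control(pkt, tls_auth_key)
        return True
    except (ValueError, IndexError, struct.error):
        return False

# Constructed sample: raw 20-byte HMAC key (a real --tls-auth key comes from the static key file), a
# hard-reset (opcode 7) with no acks, msg_pid 0 and a 3-byte stand-in payload.
KEY = bytes(range(20))
SID = b"\x01\x02\x03\x04\x05\x06\x07\x08"
TAIL = b"\x00" + b"\x00\x00\x00\x00" + b"\x16\x03\x01"
PKT_PLAIN = build_control(7, 0, SID, TAIL)
PKT_AUTH = build_control(7, 0, SID, TAIL, KEY, pid=1, net_time=1585353600)
```

With SHA1 the tls-auth layout adds 28 bytes (20-byte HMAC plus 8-byte packet id and timestamp) to every control packet; `accepts(PKT_PLAIN, KEY)` is the failing case from the issue, a tls-auth client reading a peer that sends none.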
