[SOLVED] OpenVPN xor patch

Started by pierrefrancois, May 08, 2015, 04:39:19 AM

May 08, 2015, 04:39:19 AM Last Edit: May 08, 2015, 09:51:35 AM by franco
Hello everyone,

I mostly use OpenVPN as a client to be able to overcome some local information access limitations. I live in a place where DPI makes it difficult to access the Internet and now makes it very difficult to use OpenVPN, so I've been looking for a way to fight it. I've stumbled on a user-made patch to enable scrambling of OpenVPN packets: https://github.com/clayface/openvpn_xorpatch
I've decided to give it a try and it turns out that it works quite well, so I thought I would share the way to recompile OpenVPN to have this function until (if it's possible) the patch is included in the default OPNsense install.

Pre-requisites
A working installation of FreeBSD 10.1 with an updated ports tree and a working Internet connection
To test it, an already working site-to-site OpenVPN setup or an OpenVPN provider that supports scramble obfuscate

First, let's put the XOR patch among the OpenVPN port files (the ports tree lives under /usr/ports):
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#cp openvpn_xorpatch-master/openvpn_xor.patch /usr/ports/security/openvpn/files

Edit the port's Makefile in your favorite editor.
At the beginning of the file add the following line:
EXTRA_PATCHES+=     ${FILESDIR}/openvpn_xor.patch:-p1

Now we have to select the compilation options:
#make config
PW_SAVE is mandatory for login with user/password.
Select other options at your discretion.

It is recommended to select OpenSSL for SSL/TLS.

Validate the options then build with the following:
#make install

The patched openvpn binary is located in /usr/local/sbin/openvpn.
You can copy this file to your OPNsense box with scp, with x.x.x.x as your box's IP address:
#scp /usr/local/sbin/openvpn root@x.x.x.x:/usr/local/sbin/openvpn

Now, in the OpenVPN advanced configuration (it has to be the same on both client and server), add the line:
scramble obfuscate <XOR string>

Hope it helps
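As an added example, not code from this thread or from the patch itself: a small Python model of the "scramble obfuscate <XOR string>" transform, built from the three primitives the XOR patch documents (xormask, xorptrpos, reverse). The order in which the patch chains them is my reading of its source and is an assumption here; the sample packet and key are constructed. The example shows the transform is symmetric, and that the XOR string falls out of a single known packet, which is why this is DPI evasion and not encryption.

```python
# Added example (not from the thread or the patch). Models the "obfuscate"
# mode of the OpenVPN XOR patch; the chaining order below is an assumption.

def xor_mask(data: bytes, mask: bytes) -> bytes:
    """XOR every byte with the XOR string, cycling through it."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))

def xor_ptrpos(data: bytes) -> bytes:
    """XOR every byte with its 1-based position (truncated to one byte)."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(data))

def reverse_tail(data: bytes) -> bytes:
    """Reverse all bytes except the first one (the OpenVPN opcode byte)."""
    return data[:1] + data[1:][::-1]

def scramble(packet: bytes, key: bytes) -> bytes:
    """Assumed send-side chaining: mask, ptrpos, reverse, ptrpos."""
    return xor_ptrpos(reverse_tail(xor_ptrpos(xor_mask(packet, key))))

def unscramble(packet: bytes, key: bytes) -> bytes:
    """Every step is an involution, so undo them in reverse order."""
    return xor_mask(xor_ptrpos(reverse_tail(xor_ptrpos(packet))), key)

def recover_key_stream(plain: bytes, scrambled: bytes) -> bytes:
    """Undo the key-independent steps, then XOR against the known
    plaintext: what remains is the XOR string, repeated. This is the
    caveat: obfuscation hides the OpenVPN signature from DPI, it does
    not add confidentiality; the TLS layer inside still does that."""
    masked = xor_ptrpos(reverse_tail(xor_ptrpos(scrambled)))
    return bytes(p ^ m for p, m in zip(plain, masked))

# Constructed sample: 20 arbitrary bytes standing in for an OpenVPN packet.
SAMPLE_PACKET = bytes(range(0x38, 0x38 + 20))
SAMPLE_KEY = b"s3cret"  # constructed <XOR string>

if __name__ == "__main__":
    wire = scramble(SAMPLE_PACKET, SAMPLE_KEY)
    assert unscramble(wire, SAMPLE_KEY) == SAMPLE_PACKET
    print("key bytes visible from one known packet:",
          recover_key_stream(SAMPLE_PACKET, wire)[:len(SAMPLE_KEY)])
```

Because both ends must apply the identical transform, the same XOR string has to be set on the client and the server, which is exactly why the thread insists the advanced option be identical on both sides.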

Hi pierrefrancois,

thanks for the suggestion and step-by-step guide. I'll push that into the ports tree as a separate OpenVPN option with the proper FreeBSD port style so that we may be able to push it into the FreeBSD ports tree. :)

Keeping track of this via: https://github.com/opnsense/ports/issues/9


Cheers,
Franco

Will use tunnelblick's version beginning with OPNsense 15.1.10.2 or 15.1.11, whichever comes first:

https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch

Commits:

https://github.com/opnsense/ports/commit/ecab736b62f33189a549235434b04498daaffd7c
https://github.com/opnsense/tools/commit/f87635ed524beedebe827953f8b24f5e51627805

Will open a FreeBSD ports PR to see if they will merge it upstream.

Thanks again for mentioning this. :)

Hello Franco,

That's great. I also agree with the usage of the Tunnelblick patch instead; I wasn't aware of the buffer overflow issue before today.
I'm quite new to BSD, so I wasn't sure how to make a PR to have it upstream. Thanks for this also.


First I want to say that adding this patch to OPNsense is awesome. I've waited many years for one of the router distributions to incorporate this feature. Except for DD-WRT, you are the only one to provide this!

Still, a question: I want to create a site-to-site connection between 2 OPNsense boxes using this feature. For setting the scramble option on the client side I have the advanced configuration box in the UI; however, the server options in the UI do not have this advanced config option. How can I specify the scramble option for a server? Manually via the CLI in a config file?

Thanks in advance.

So far I haven't been able to get this into FreeBSD ports, but I will keep trying.

I've added an issue for this, thanks for noticing: https://github.com/opnsense/core/issues/310

The good thing is our OpenVPN pages are undergoing a rework right now; I do hope we can squeeze this in next week.

It seems that Remote Access types do have this feature, but it is removed for Site-to-Site. I am not sure why as of yet. Maybe that helps...

The fix to unhide the settings has been applied. Since we're reworking the OpenVPN pages you'll have to use the development package of 15.7.8 when that comes out on Wednesday:

https://forum.opnsense.org/index.php?topic=917.0

Please report back if this works for you as intended. :)

Tested it in my test environment with the development release from yesterday, 15.7_628-amd64, with peer-to-peer (shared key), and it works. Advanced config is there and takes the scramble option. Great job!

Awesome, thanks for testing!! Will be in 15.7.9 by default.

The patch has just now been added to the FreeBSD ports collection. Thanks to everyone involved for making that happen!! :)

Thanks to you, Franco, for submitting the patch :)

Just doing the grunt work. The real ideas come from users like you. :)