Topic: [SOLVED] OpenVPN xor patch (Read 59180 times)
pierrefrancois
Newbie
Posts: 16
Karma: 4
[SOLVED] OpenVPN xor patch
«
on:
May 08, 2015, 04:39:19 am »
Hello everyone,
I mostly use OpenVPN as a client to be able to overcome some local information access limitations. I live in a place where DPI makes it difficult to access the internet and now makes it very difficult to use OpenVPN, so I've been looking for a way to fight it. I've stumbled on a user-made patch to enable scrambling of OpenVPN packets:
https://github.com/clayface/openvpn_xorpatch
I've decided to give it a try and it turns out that it works quite well, so I thought I would share the way to recompile openvpn to have this function until (if it's possible) the patch is included in the default OPNsense install.
Pre-requisite
A working installation of FreeBSD 10.1 with an updated port tree and working Internet connection
To test it, an already working site to site OpenVPN setting or an OpenVPN provider that supports scramble obfuscate
First, let's put the XOR patch among the OpenVPN port files
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#cp openvpn_xorpatch-master/openvpn_xor.patch /usr/ports/security/openvpn/files
Edit Makefile in your favorite editor
At the beginning of the file add the following line
EXTRA_PATCHES+= ${FILESDIR}/openvpn_xor.patch:-p1
Now we have to select the compilation options
#make config
PW_SAVE is mandatory for login with user/password
Select other options at your discretion
Recommended to select OpenSSL for SSL/TLS
Validate the options then build with the following:
#make install
The patched openvpn is located in /usr/local/sbin/openvpn
You can copy this file to your OPNsense box with scp, with x.x.x.x as your box IP address
#scp /usr/local/sbin/openvpn root@x.x.x.x:/usr/local/sbin/openvpn
Now in the OpenVPN advanced configuration (to be the same on both client and server) add a line:
scramble obfuscate <XOR string>
Hope it helps
«
Last Edit: May 08, 2015, 09:51:35 am by franco
»
Logged
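Added example, not part of the original posts: the guide above requires the `scramble obfuscate <XOR string>` line to be the same on client and server, so this script compares that directive in two config files without printing the XOR string. The function names, file names and XOR strings are constructed for illustration, and treating a config with more than one `scramble` line as ambiguous is a choice of this example.

```shell
#!/bin/sh
# Added example: check that two OpenVPN configs carry the same "scramble"
# directive. The XOR string itself is never written to the output.

# Print the single scramble directive of config file $1, whitespace-normalised.
# Exit status: 0 = exactly one found, 1 = none, 2 = more than one (ambiguous).
scramble_line() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        $1 == "scramble" { $1 = $1; line = $0; n++ }
        END {
            if (n == 1) { print line; exit 0 }
            exit (n == 0 ? 1 : 2)
        }' "$1"
}

# Compare the directive in client config $1 and server config $2.
# Returns 0 = identical, 1 = different, 2 = missing or ambiguous on one side.
check_scramble_pair() {
    c=$(scramble_line "$1") || { echo "client: no single scramble line" >&2; return 2; }
    s=$(scramble_line "$2") || { echo "server: no single scramble line" >&2; return 2; }
    if [ "$c" = "$s" ]; then
        echo "scramble directives match"
        return 0
    fi
    echo "scramble directives differ"
    return 1
}

# Constructed sample configs; "ExampleKey" and "OtherKey" are made-up strings.
tmp=$(mktemp -d)
printf 'remote 192.0.2.10 1194\nscramble obfuscate ExampleKey\n' > "$tmp/client.conf"
printf '# server side\nport 1194\nscramble  obfuscate ExampleKey\r\n' > "$tmp/server.conf"
printf 'port 1194\nscramble obfuscate OtherKey\n' > "$tmp/bad.conf"
check_scramble_pair "$tmp/client.conf" "$tmp/server.conf"
check_scramble_pair "$tmp/client.conf" "$tmp/bad.conf" || true   # expected mismatch
rm -rf "$tmp"
```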
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: OpenVPN xor patch
«
Reply #1 on:
May 08, 2015, 09:06:16 am »
Hi pierrefrancois,
thanks for the suggestion and step-by-step guide. I'll push that into the ports tree as a separate OpenVPN option with the proper FreeBSD port style so that we may be able to push it into the FreeBSD ports tree.
Keeping track of this via:
https://github.com/opnsense/ports/issues/9
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: OpenVPN xor patch
«
Reply #2 on:
May 08, 2015, 09:51:25 am »
Will use Tunnelblick's version beginning with OPNsense 15.1.10.2 or 15.1.11, whichever comes first:
https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch
Commits:
https://github.com/opnsense/ports/commit/ecab736b62f33189a549235434b04498daaffd7c
https://github.com/opnsense/tools/commit/f87635ed524beedebe827953f8b24f5e51627805
Will open a FreeBSD ports PR to see if they will merge it upstream.
Thanks again for mentioning this.
Logged
pierrefrancois
Newbie
Posts: 16
Karma: 4
Re: [SOLVED] OpenVPN xor patch
«
Reply #3 on:
May 08, 2015, 11:30:16 am »
Hello Franco,
that's great, I also agree with the usage of the tunnelblick patch instead, I wasn't aware of the buffer overflow issue before today.
I'm quite new to BSD so I wasn't sure on how to make a PR to have it in the upstream, thanks for this also.
Logged
DoubleJ
Newbie
Posts: 20
Karma: 2
Re: [SOLVED] OpenVPN xor patch
«
Reply #4 on:
August 10, 2015, 02:32:50 pm »
First I want to say that adding this patch to opnsense is awesome. I've waited many years for one of the router distributions to incorporate this feature. Except for dd-wrt, you are the only one to provide this!
Still a question: I want to create a site-2-site connection between 2 opnsense boxes, using this feature. Setting the scramble option at client side I have the advanced configuration box in the UI, however the server options in the UI do not have this advanced config option. How can I specify the scramble option for a server? Manually via cli in a config file?
Thanks in advance.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #5 on:
August 10, 2015, 04:46:52 pm »
So far I haven't been able to get this into FreeBSD ports, but I will keep trying.
I've added an issue for this, thanks for noticing:
https://github.com/opnsense/core/issues/310
Good thing is our OpenVPN pages are undergoing a rework right now. I do hope we can squeeze this in, hopefully next week.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #6 on:
August 10, 2015, 04:59:49 pm »
It seems that Remote Access types do have this feature, but it is removed for Site-2-Site. I am not sure why as of yet. Maybe that helps...
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #7 on:
August 10, 2015, 05:43:13 pm »
The fix to unhide the settings has been applied. Since we're reworking the OpenVPN pages you'll have to use the development package of 15.7.8 when that comes out on Wednesday:
https://forum.opnsense.org/index.php?topic=917.0
Please report back if this works for you as intended.
Logged
DoubleJ
Newbie
Posts: 20
Karma: 2
Re: [SOLVED] OpenVPN xor patch
«
Reply #8 on:
August 13, 2015, 06:10:00 am »
Tested it in my test environment with the development release from yesterday: 15.7_628-amd64 with peer-2-peer(shared key) and it works. Advanced config is there and takes the scramble option. Great job!
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #9 on:
August 13, 2015, 09:57:15 am »
Awesome, thanks for testing!! Will be in 15.7.9 by default.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #10 on:
November 20, 2015, 07:43:52 pm »
The patch has just now been added to the FreeBSD ports collection. Thanks to everyone involved for making that happen!!
Logged
pierrefrancois
Newbie
Posts: 16
Karma: 4
Re: [SOLVED] OpenVPN xor patch
«
Reply #11 on:
November 23, 2015, 10:23:17 am »
Thanks to you, Franco, for submitting the patch.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: [SOLVED] OpenVPN xor patch
«
Reply #12 on:
November 24, 2015, 10:39:32 pm »
Just doing the grunt work. The real ideas come from users like you.
Logged