Archive > 15.1 Legacy Series

[SOLVED] OpenVPN xor patch

(1/3) > >>

pierrefrancois:
Hello everyone,

I mostly use OpenVPN as a client to be able to overcome some local information access limitation. I live in a place where DPI make it difficult to access internet and now makes it very difficult to use OpenVPN so I've been looking for way to fight it. I've stumbled on a user made patch to enable scrambling of OpenVPN packet : https://github.com/clayface/openvpn_xorpatch
I've decided to give it a try and it turns out that it works quite well so I though I would share the way to recompile openvpn to have this function until (if it's possible) the patch is included in the default OPNsense install

Pre-requisite
A working installation of FreeBSD 10.1 with an updated port tree and working Internet connection
To test it, an already working site to site OpenVPN setting or an OpenVPN provider that support scramble obfuscate

First, let's put the XOR patch among the OpenVPN port files
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#cp openvpn_xorpatch-master/openvpn_xor.patch /usr/port/security/openvpn/files

Edit Makefile in your favorite editor
At the beginning of the file add the following line
EXTRA_PATCHES+=     ${FILESDIR}/openvpn_xor.patch:-p1

Now we have to select the compilation options
#make config
PW_SAVE is mandatory for login with user/password
Select other options at your discretion

Recommended to select OpenSSL for SSL/TLS

Validate the options then build with the following:
#make install

the patched openvpn is located in /usr/local/sbin/openvpn
you can copy this file to your OPNsense box with scp with x.x.x.x as your box IP address
#scp /usr/local/sbin/openvpn root@x.x.x.x:/usr/local/sbin/openvpn

now in the OpenVPN advanced configuration (to be the same on both client and server) add a line
scramble obfuscate <XOR string>

Hope it helps

franco:
Hi pierrefrancois,

thanks for the suggestion and step-by-step guide. I'll push that into the ports tree as a separate OpenVPN option with the proper FreeBSD port style so that we may be able to push it into the FreeBSD ports tree. :)

Keeping track of this via: https://github.com/opnsense/ports/issues/9


Cheers,
Franco

franco:
Will use tunnelblick's version beginning with OPNsense 15.1.10.2 or 15.1.11, whichever comes first:

https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch

Commits:

https://github.com/opnsense/ports/commit/ecab736b62f33189a549235434b04498daaffd7c
https://github.com/opnsense/tools/commit/f87635ed524beedebe827953f8b24f5e51627805

Will open a FreeBSD ports PR to see if they will merge it upstream.

Thanks again for mentioning this. :)

pierrefrancois:
Hello Franco,

that's great, I also agree with the usage of the tunnelblick patch instead, I wasn't aware of the buffer overflow issue before today.
I'm quite new to BSD so I wasn't sure on how to make a PR to have it in the upstream, thanks for this also.

DoubleJ:
First I want to say that adding this patch to opnsense is awesome. I've waited many years for one of the router distributions to incorp this feat. Except for dd-wrt, you are the only one to provide this!

Still a question: I want to create a site-2-site connection between 2 opnsense boxes, using this feature. Setting the scramble option at client side I have the advanced configuration box in the UI, however the server options in the UI do not have this advanced config option. How can I specify the scramble option for a server? Manually via cli in a config file?

Thnx in advance.
 

Navigation

[0] Message Index

[#] Next page

Go to full version