-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/03/11 20:09, Vineet Kumar wrote:
> Thanks for your replies.
>
> So,
> - without --tls-auth
> - with tcp as the transport
> if we want to make openvpn purely SSL then are these the complete set
> of things to take care of?:
> 1. Move all P_CONTROL_* messages to be encapsulated in SSL
> 2. Stop adding reliability layer over SSL
>
> Let's say, theoretically, that the above 2 steps are taken care of
> (easier said than done, for sure). Will the resulting VPN setup then
> pass through transparent SSL proxies unbroken?

That sounds pretty much correct. To be on the very safe side, it would
probably be better then to use OpenSSL's built-in socket read/write
functions as well, as that infrastructure takes care of the properly
defined SSL handshake. This might be overkill though, if you're able to
perform the SSL handshake exactly the same way using the socket functions
in OpenVPN. So the key point is to make the wire traffic look exactly like
the SSL wire protocol is defined.

It could be a good exercise to see if the DTLS links from Markus Kötter
pass such a firewall/proxy - both using TCP and UDP. If that works better,
then see how adaptable this solution is compared to the implementation in
OpenVPN.

We cannot remove the support for the current OpenVPN wire format - as we
need to be compatible (at least as long as we are on OpenVPN 2.x) for
older clients.

kind regards,

David Sommerseth

> On Fri, Mar 11, 2011 at 1:35 AM, David Sommerseth
> <openvpn.l...@topphemmelig.net> wrote:
> On 11/03/11 10:04, Gert Doering wrote:
> | Hi,
> |
> | On Thu, Mar 10, 2011 at 05:04:48PM -0800, Vineet Kumar wrote:
> |> Also, doesn't this make openvpn different from other SSL VPNs which
> |> advertise the fact that they are truly SSL?
> |
> | Well, OpenVPN is "truly SSL", but it's not "using https as a browser would
> | do to hide the fact that there is a VPN inside"...
>
> Kind of. Gert is basically correct. But it is important to understand that
> OpenVPN doesn't use the SSL wire protocol directly, like the majority of SSL
> applications do. So all the SSL packets from OpenVPN are encapsulated in a
> kind of OpenVPN container. Which is why some strict proxies or deep packet
> inspection firewalls might not allow OpenVPN traffic.
>
> The reason for this is that OpenVPN is primarily written for the UDP
> protocol, while SSL itself is very TCP oriented. To my knowledge, there is
> no UDP transport support in OpenSSL. So OpenVPN uses OpenSSL differently,
> intercepting the network connections and sending the data through OpenVPN's
> own network socket infrastructure. If OpenVPN's HMAC support (--tls-auth) is
> enabled, some extra bytes are added on top of the SSL packet itself.
>
> Of course, it would probably be possible (I have not investigated this) to
> add a feature which restricts OpenVPN to use the core SSL protocol, without
> this encapsulation on top of the SSL packets. However, when such a feature
> is enabled, it would restrict the usage to TCP. In addition, the --tls-auth
> feature would not be useful at all.
>
>
> kind regards,
>
> David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk16dxsACgkQDC186MBRfrpzGACfQfYfHf1nGfsAu99zXyskv18v
15MAoKmSPvIEAp0TqWSMp53VxzIgfIAw
=2X67
-----END PGP SIGNATURE-----
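The framing difference discussed in this thread (TLS records wrapped in OpenVPN's own control-channel container, the extra bytes that --tls-auth adds, and the length prefix used over TCP) can be made concrete with a small parser. The following Python is an added example and is not code from the thread or from the OpenVPN project. The opcode values and header layout follow the control-channel packet format documented in OpenVPN 2.x's ssl.h; the sample packets are constructed, and the tls-auth MAC value is a caller-supplied placeholder, not the HMAC OpenVPN actually computes. It shows why a middlebox that expects a TLS record header at byte 0 of a connection never recognises the wrapped stream, and how a monitor that knows the container can still recover the inner TLS record.

```python
import struct

# OpenVPN 2.x control-channel opcodes and header layout, taken from the format
# documented in the OpenVPN source (ssl.h). All packets built here are
# constructed sample data, not captures.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_CONTROL_V1 = 4
P_ACK_V1 = 5
CONTROL_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2,
                   P_CONTROL_V1, P_ACK_V1}
P_OPCODE_SHIFT, P_KEY_ID_MASK = 3, 0x07

# TLS record layer (RFC 5246 section 6.2): type, version, length, fragment
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}      # ccs, alert, handshake, appdata
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}
TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048


def tls_record(content_type, body, version=0x0303):
    """Build a TLS record header followed by body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def is_tls_record(buf):
    """True if buf starts with a plausible TLS record header, which is what a
    transparent SSL proxy expects to find at byte 0 of a connection."""
    if len(buf) < 5:
        return False
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    return (ctype in TLS_CONTENT_TYPES and version in TLS_RECORD_VERSIONS
            and length <= TLS_MAX_CIPHERTEXT)


def openvpn_control(opcode, key_id, session_id, packet_id, payload=b"",
                    acks=(), remote_session_id=b"", tls_auth=None):
    """Wrap a control-channel payload in OpenVPN's container:
    opcode<<3|key_id (1) | session_id (8)
    | [--tls-auth: hmac | replay packet_id (4) | net_time (4)]
    | ack count (1) | acked ids (4 each) | remote session_id (8, only with acks)
    | reliability packet_id (4, not for P_ACK) | TLS payload"""
    pkt = bytes([(opcode << P_OPCODE_SHIFT) | key_id]) + session_id
    if tls_auth is not None:
        mac, replay_id, net_time = tls_auth   # mac: placeholder from the caller
        pkt += mac + struct.pack("!II", replay_id, net_time)
    pkt += bytes([len(acks)]) + b"".join(struct.pack("!I", a) for a in acks)
    if acks:
        pkt += remote_session_id
    if opcode != P_ACK_V1:
        pkt += struct.pack("!I", packet_id) + payload
    return pkt


def tcp_frame(pkt):
    """With --proto tcp each packet is further prefixed by a 2-byte length."""
    return struct.pack("!H", len(pkt)) + pkt


def parse_openvpn_control(buf, tls_auth_hmac_len=0):
    """Parse the container into header fields plus the inner TLS payload;
    None if buf is not shaped like an OpenVPN control packet."""
    if len(buf) < 10:
        return None
    opcode, key_id = buf[0] >> P_OPCODE_SHIFT, buf[0] & P_KEY_ID_MASK
    if opcode not in CONTROL_OPCODES:
        return None
    session_id, off = buf[1:9], 9
    if tls_auth_hmac_len:
        off += tls_auth_hmac_len + 8          # hmac + replay id + timestamp
    if off >= len(buf):
        return None
    ack_count, off = buf[off], off + 1
    need = 4 * ack_count + (8 if ack_count else 0) + (0 if opcode == P_ACK_V1 else 4)
    if off + need > len(buf):
        return None
    acks = [struct.unpack("!I", buf[off + 4 * i:off + 4 * i + 4])[0]
            for i in range(ack_count)]
    off += 4 * ack_count
    remote_session_id = buf[off:off + 8] if ack_count else b""
    off += 8 if ack_count else 0
    packet_id, payload = None, b""
    if opcode != P_ACK_V1:
        packet_id = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
        payload = buf[off:]
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "acks": acks, "remote_session_id": remote_session_id,
            "packet_id": packet_id, "payload": payload, "payload_offset": off}


def classify(buf, tls_auth_hmac_len=0):
    """What a protocol-aware middlebox concludes from the first bytes it sees."""
    if is_tls_record(buf):
        return "tls"
    if parse_openvpn_control(buf, tls_auth_hmac_len) is not None:
        return "openvpn-control"
    return "unknown"


def demo():
    # Constructed: a handshake record with a dummy fragment, then the same
    # record inside an OpenVPN P_CONTROL_V1 packet over UDP and over TCP.
    inner = tls_record(0x16, b"\x01\x00\x00\x02\x03\x03")
    sid = bytes.fromhex("0011223344556677")
    wrapped = openvpn_control(P_CONTROL_V1, 0, sid, packet_id=1, payload=inner)
    parsed = parse_openvpn_control(wrapped)
    return {"raw": classify(inner),                       # "tls"
            "udp": classify(wrapped),                     # "openvpn-control"
            "tcp": classify(tcp_frame(wrapped)),          # "unknown"
            "unwrapped_is_tls": is_tls_record(parsed["payload"]),
            "tls_offset": parsed["payload_offset"]}       # 14
```

Running demo() shows the three views at once: the bare record is recognised as TLS, the UDP container hides it behind 14 bytes of OpenVPN header, and the TCP framing pushes even the opcode byte off position 0, so a length-unaware classifier returns "unknown" for the stream. With --tls-auth the header grows by the HMAC plus 8 bytes, which is why a parser has to know the HMAC length (20 for SHA1) before it can locate the TLS payload.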