On 23/01/13 11:21, 77 77 wrote:
> Hi all,
> 
> I wrote a patch to obfuscate OpenVPN's traffic to avoid protocol
> identification. Compared with other traffic obfuscation methods like
> using static keys or obfsproxy, it only adds one more config parameter,
> and supports both TCP and UDP. If OpenVPN releases support this, lots of
> devices will benefit from traffic obfuscation without installing
> additional software -- for example, the newly released OpenVPN Connect
> for iOS or OpenVPN for Android.
> 
> The patch is based on openvpn-2.2.1, but works fine with openvpn-2.2.2.

Gert said one very important thing about openvpn 2.2.  Even though he
said to bring it up to openvpn-2.3 or git-master, I'm saying
git-master is the natural point.  If you need to have it in openvpn-2.3,
backporting it from git-master is far easier than going the other way.

I've looked quickly at your patch.  And the first instinct is that,
yes, this looks reasonably good.  This is also a feature which I think
will be very useful in the coming future.

Just a few comments ...

- Have you looked at the obfsproxy project from Tor?  That does pretty
much a similar thing and does work together with OpenVPN (but only via
TCP, as it uses the socks5 proxy mode of obfsproxy).  Could it be
considered a better approach to integrate more tightly with obfsproxy?
obfsproxy provides a more "plug-in" oriented approach where the
obfuscator logic can be changed at runtime, and doesn't necessarily
depend on an encryption/obfuscation key.  What you basically do is
RC4-encrypt the data.

- Have you looked into issues related to the RC4 algorithm?  IIRC, the
first 256 bytes of an RC4 stream should always be discarded and the
keying material should at minimum be hashed, otherwise weaknesses in RC4
make it easier to crack the encryption.  I know and understand that
this is purely for obfuscation, but this encryption isn't even
obfuscation if you can crack the key fairly easily.  Which again makes
me think of obfsproxy, which has established a fairly well stabilised
code base for traffic obfuscation.

- Has your patch been tested in both UDP and TCP mode?

- What is the purpose of the obfuscation_preprocess_incomming_link() and
obfuscation_preprocess_outgoing_link() functions?  Why isn't
obfuscation_process_incoming() or obfuscation_process_outgoing() used
directly?

- In OpenVPN 2.3 (including git-master) we also added support for
PolarSSL as an alternative to OpenSSL.  It would be good if the code
base could add PolarSSL support by using the SSL wrapper layer we now
have implemented.

For further information on the OpenVPN development methods, please look
here:

<https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation>

And if you're not familiar with git ... here's a git crash course, which
hopefully will help you get started quicker.

<https://community.openvpn.net/openvpn/wiki/GitCrashCourse>

Our code repositories can be found here:

<https://community.openvpn.net/openvpn/wiki/CodeRepositories>


-- 
kind regards,

David Sommerseth
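The RC4 point raised in the review above (discard the start of the keystream, hash the keying material) can be shown empirically. The following is an added illustration written for this archive page; it is not the submitted patch, OpenVPN code, or obfsproxy code, and the function names, the SHA-256 key derivation and the 256-byte drop value are choices made here for demonstration. It implements plain RC4, then a variant that hashes the passphrase and drops the first 256 keystream bytes, and counts how often the second keystream byte is zero across many random 16-byte keys: for raw RC4 that happens with probability close to 2/256 (the well-known Mantin-Shamir second-byte bias), while after the drop it falls back to the uniform 1/256. That is exactly the kind of statistical fingerprint a protocol classifier could use, which is why an "obfuscation" layer built on unmodified RC4 is weaker than it looks; the hashed-key plus drop construction removes this specific bias but RC4 itself remains a deprecated cipher and is shown here only to make the review comment concrete.

```python
"""RC4 keystream bias demo (added example, not code from the OpenVPN thread)."""
import hashlib
import random


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes for `key`, after discarding `drop` bytes.

    drop=0 is textbook RC4; drop=256 is the "RC4-drop" variant the review asks for.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA); early output is discarded
    out = bytearray()
    i = j = 0
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if n >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def raw_rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key used directly, no keystream discarded (the weak form)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def hashed_drop_rc4(passphrase: bytes, data: bytes, drop: int = 256) -> bytes:
    """Hardened variant: key = SHA-256(passphrase), first `drop` bytes discarded.

    The derivation and the drop size are assumptions for this example, not the
    patch's actual design. XOR is its own inverse, so this also decrypts.
    """
    key = hashlib.sha256(passphrase).digest()
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_count(n_keys: int, drop: int, seed: int = 1) -> int:
    """Count keys (seeded, so the run is repeatable) whose 2nd keystream byte is 0.

    Uniform output gives about n_keys/256; raw RC4 gives about n_keys/128.
    """
    rng = random.Random(seed)
    count = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed random key
        if rc4_keystream(key, 2, drop)[1] == 0:
            count += 1
    return count


if __name__ == "__main__":
    n = 12000
    print("raw RC4, 2nd byte == 0:", second_byte_zero_count(n, drop=0),
          "(uniform expectation ~%d)" % (n // 256))
    print("RC4-drop256, 2nd byte == 0:", second_byte_zero_count(n, drop=256))
```

The `raw_rc4` function reproduces the standard RC4 test vector (key "Key", plaintext "Plaintext"), so the keystream generator can be checked before drawing conclusions from the counts; the two counts printed by the `__main__` block differ by roughly a factor of two for any seed.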
