On 10/11/17 11:50, Jan Just Keijser wrote:
> Hi Adam,
>
> On 10/11/17 11:18, Adam Wysocki via Openvpn-users wrote:
>> [...]
>
>> David:
>>> Port sharing is a feature for the server side to "hide" OpenVPN behind
>>> an existing SSL/TLS based service (typically https). So packets which
>>> carry an OpenVPN signature will be processed by the OpenVPN process.
>>> Anything else will be sent to the provided IP address and port and the
>>> OpenVPN process will just act as a proxy.
>>>
>>> This happens on _all_ packets - OpenVPN packets and anything else, not
>>> just some or just during the initial handshake.
>> Strange. Are you sure about it? What would be a reason for this with TCP?
>> With UDP I perfectly see why (despite port-sharing being a TCP-only
>> feature), but with TCP? Once a connection is established and it's known
>> that it was an OpenVPN client that has connected?
>>
>> This seems consistent with this code from socket.c (stream_buf_added()):
>>
>> #if PORT_SHARE
>>     if (sb->port_share_state == PS_ENABLED)
>>     {
>>         if (!is_openvpn_protocol (&sb->buf))
>>         {
>>             msg (D_STREAM_ERRORS, "Non-OpenVPN client protocol detected");
>>             sb->port_share_state = PS_FOREIGN;
>>             sb->error = true;
>>             return false;
>>         }
>>         else
>>             sb->port_share_state = PS_DISABLED;
>>     }
>> #endif
>>
>> To summarize:
>>
>> - if port sharing state is ENABLED
>>   - if the protocol is not openvpn, we set state to FOREIGN
>>   - if the protocol is openvpn, we set state to DISABLED
>>
>> So it seems it works only on a first data packet, and I guess that states
>> are:
>>
>> - ENABLED - we don't know yet if we're port-sharing, decision is to be
>>   made
>> - FOREIGN - we know that the first packet wasn't an openvpn one, so from
>>   now on we're forwarding
>> - DISABLED - we know that the first packet was ours, so from now on we
>>   don't forward
>>
> now you've made me curious so I've just checked it by adding a single line
>
> msg( M_INFO, "Is it OpenVPN?" );
>
> to ps.c in the function 'is_openvpn_protocol' and indeed, that function
> is called only once, when the client first connects.
> So, port-sharing does not make your problem any worse than it already is ;)
>

Ahh, thanks! I stand corrected. I had missed the detail that the struct
stream_buf actually carried a state which is kept valid and unchanged within
the running session.

I agree with JJK's conclusion in this regard.

--
kind regards,

David Sommerseth
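As an added example (not code from the thread or from OpenVPN itself), the following Python models the stream_buf port-share state machine quoted above, to show that the protocol check runs exactly once per TCP connection; the byte-level signature check is a simplified assumption about is_openvpn_protocol() in ps.c, and the sample packets are constructed.

```python
from enum import Enum

class PortShareState(Enum):
    ENABLED = "PS_ENABLED"    # undecided: first data not yet inspected
    DISABLED = "PS_DISABLED"  # first data was OpenVPN: never check again
    FOREIGN = "PS_FOREIGN"    # first data was foreign: proxy rest of session

P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7  # opcode of a client's first handshake packet

def is_openvpn_protocol(data: bytes) -> bool:
    # Simplified model (an assumption) of is_openvpn_protocol() in ps.c: a 2-byte
    # big-endian length >= 14 followed by a HARD_RESET_CLIENT_V2 opcode byte.
    if len(data) < 3:
        return True  # too little data to judge; the C code also answers "yes" here
    return (data[0] == 0 and data[1] >= 14
            and data[2] == (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT))

class StreamBuf:
    """Per-connection state, standing in for struct stream_buf."""
    def __init__(self, port_share: bool = True):
        self.port_share_state = (PortShareState.ENABLED if port_share
                                 else PortShareState.DISABLED)
        self.error = False
        self.checks = 0  # how often is_openvpn_protocol() actually ran

    def stream_buf_added(self, data: bytes) -> bool:
        """True: bytes go to the OpenVPN session; False: hand them to the proxy."""
        if self.port_share_state is PortShareState.ENABLED:
            self.checks += 1                      # only reachable once per connection
            if not is_openvpn_protocol(data):
                self.port_share_state = PortShareState.FOREIGN
                self.error = True
                return False
            self.port_share_state = PortShareState.DISABLED
        return not self.error

def classify_session(chunks, port_share=True):
    """Feed TCP chunks through one connection; return (state, checks, decisions)."""
    sb = StreamBuf(port_share)
    decisions = [sb.stream_buf_added(c) for c in chunks]
    return sb.port_share_state, sb.checks, decisions
# Constructed sample data: an OpenVPN TCP first packet (len 14, opcode 7<<3 = 0x38)
# and a TLS ClientHello record header (0x16 0x03 0x01 ...), both made up here.
OPENVPN_FIRST = bytes([0x00, 0x0e, 0x38]) + bytes(11)
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2a]) + bytes(42)
if __name__ == "__main__":
    print(classify_session([OPENVPN_FIRST, TLS_HELLO]))   # checked once, then never again
    print(classify_session([TLS_HELLO, OPENVPN_FIRST]))   # foreign from the first byte on
```

The second chunk of the first session is not OpenVPN data, yet it is never inspected: once the state left ENABLED, the check is skipped for the rest of the connection, which is exactly what JJK's added msg() line showed.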
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users