Re: [Openvpn-users] Openvpn -- unable to generate keys
> To find out what went wrong, you need to have some understanding of
> certificates and the openssl application and scripts. There are other
> tools that will allow you to create and maintain a CA depending on
> your requirements, one thing holds true however: The CA must not be on
> your production system nor on any other vulnerable system, best is a
> completely offline system behind thick concrete walls. That said, I
> am using a portable version of XCA on a memory stick.

And another very important point: write down the CA password in a place where you can find it again. I am speaking from experience :-)).

JC

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Does OpenVPN use the TLS heartbeat extension? (OpenSSL Security Advisory CVE-2014-0160)
> Thank you James. I reached the same conclusion myself. I've been
> working on it since early this morning.
>
> This means that most consumer VPN services are at least vulnerable to
> getting their private TLS key stolen, and also usernames, passwords,
> session keys and so on. As you pointed out, tls-auth is irrelevant if
> the attacker knows the key, which is the case for consumer VPNs.

Wait, I do not think that this is true. The attacker has the key for tls-auth only if he previously gained access to the client system in another way [which probably means he has access to the unencrypted network traffic anyway]. If he just has the network stream he will not be able to decipher the TLS communication without the key, which is never transferred via the network (unless it has been transferred via network when installing it...).

Another interesting question: everybody is talking about Perfect Forward Secrecy to avoid deciphering past communications; are we sure OpenVPN implements this? I do not think this is a configurable item!?

Best regards,
Jakob Curdes
Re: [Openvpn-users] Does OpenVPN use the TLS heartbeat extension? (OpenSSL Security Advisory CVE-2014-0160)
On 08.04.2014 15:13, Joe Patterson wrote:
> I think that what's being referred to here is that a VPN service with
> multiple independent clients could have one nefarious client who used
> a valid client key/cert to establish a session, then used that session
> plus this vulnerability to compromise the server's private key, plus
> usernames, passwords, and session keys of other clients of that VPN
> service.

But I think this only holds if the ***Server*** openssl library is still vulnerable. The client never gets the server's private key, so it cannot be proliferated in this way. Naturally we all need to update the servers ASAP, but can we continue to use clients with old openssl DLLs?

JC
Re: [Openvpn-users] Successful private key extraction from OpenVPN using Heartbleed
Actually, I think for most installations it is worse than your sentence "we believe it may severely impact those who have not already upgraded" may sound like. The problem is that even for installations that were upgraded immediately after the disclosure of the openssl bug we cannot be sure that private keys etc. might not have been stolen BEFORE the hole was publicly known. There are strong hints that knowledge of the problem was present long before last Tuesday. So it probably means that any OpenVPN installation that was not protected by a TA key (or where the TA key is distributed to lots of users) needs to recreate the certificates used for the server and the clients.

Perhaps you or the openvpn developers can elaborate a bit on what can be found in the respective memory area; I understand you managed to get a private key or parts of it; what about password hashes used by plugins e.g.? Because this could mean that these passwords, which might be used in very different contexts if e.g. we talk about a PAM plugin, need to be changed too. And this would open attack vectors that are not related to OpenVPN anymore.

Regards,
Jakob Curdes

> Hi openvpn-users,
>
> We have successfully extracted private key material multiple times
> from an OpenVPN server by exploiting the Heartbleed Bug. The material
> we found was sufficient for us to recreate the private key and
> impersonate the server.
>
> As you may know, OpenVPN has an SSL/TLS mode where certificates are
> used for authentication. OpenVPN multiplexes the SSL/TLS session used
> for authentication and key exchange with the actual encrypted tunnel
> data stream. The default TLS library for OpenVPN is OpenSSL. Since
> OpenVPN uses the OpenSSL library but merely passes through the TLS
> traffic to OpenSSL, this means that OpenVPN is exploitable using
> Heartbleed, in theory. However, until now there hasn't been any solid
> evidence that private key material can be extracted from OpenVPN just
> like it has from some web servers.
>
> This was the server setup we used:
> Ubuntu 12.04 (VM using KVM)
> OpenVPN 2.2.1
> OpenSSL 1.0.1-4ubuntu5.11
>
> Our exploit is decently weaponized, and while the code is an
> abomination that even Eris would be embarrassed to present, we believe
> it may severely impact those who have not already upgraded. Therefore,
> we will not be publishing the code. Nevertheless, you should assume
> that other teams with more nefarious purposes have already created
> weaponized exploits for OpenVPN. Just to be clear, we don't intend to
> use this exploit ourselves. We merely developed it to examine the
> practical impact on OpenVPN as part of our incident investigation.
>
> To our knowledge there is currently one published proof of concept
> script that checks an OpenVPN server's vulnerability to Heartbleed.
>
> It should be noted that OpenVPN provides a feature called tls-auth
> where a HMAC key is used to authenticate the packets that are
> themselves part of the TLS handshake sequence. This protects against
> Heartbleed to the extent that the HMAC key is kept secret. This means
> that while a small business may benefit from using tls-auth because
> only the employees have access to the key, a public VPN service such
> as ours does not, because anyone who is a customer has access to the
> key.
>
> Private questions that are not requests for the exploit can be emailed
> to stromb...@insto.org or ad...@mullvad.net (PGP: 0x2C62E8AE).
>
> Best regards,
> Fredrik Strömberg
> Co-founder of Mullvad
Re: [Openvpn-users] heartbleed and openvpn
On 21.04.2014 06:07, fausto milinazzo wrote:
> In using the heartbleed exploit to obtain the root certificate and
> personal keys from an openvpn server was it necessary to use a
> valid certificate? I would guess that to determine whether a
> particular server is vulnerable does not require a valid certificate
> so it may be possible to carry out such an attack without a valid
> certificate.

As far as I understand it, the exploit happens during the negotiation of parameters for the connection and thus does not require a valid certificate, i.e. any system trying to establish a connection was able to look into the exposed part of the process memory. Anyway the problem is not the certificate but the fact that the server host key and/or other credentials may have been stolen. If you have a small installation and TLS auth in place, you may get away with leaving things as they are, but the general recommendation in this case is to replace host keys, certificates, and other credentials used in the process.

Best regards,
Jakob Curdes
Re: [Openvpn-users] OpenVPN client log file filling up hard drives on random computers
> Would the server config file affect the log level on the client side?

No. Some server side configuration items might do, though, in conjunction with a non-matching client side configuration.

JC
Re: [Openvpn-users] OpenVPN over ssh tunnel
On 02.01.2017 at 11:21, Tibin Geo k k wrote:
> How to connect OpenVPN through ssh tunnel, I have configured OpenVPN
> server on a ubuntu machine, and it is working fine, recently my
> network admin blocked connection to external vpn.

I think if your network admin blocked connections to external VPNs you should not try to circumvent that; it could have severe personal and legal consequences. Typically companies do not encourage their staff to remote-control private external servers from their office and during worktime.

JC
[Openvpn-users] OpenVPN Client 2FA problem with Backslash
Hello all,

we are trying to implement 2FA for several existing Firebox SSL VPNs (which essentially use OpenVPN on server and client side). The remote users all use the Windows OpenVPN client. This works perfectly without 2FA, and it works also if you do not need to specify the authentication domain on user logon. But for the migration it is necessary to do that as I cannot convert all users at once - the domain you enter in the username field is then "authpoint" instead of something like "company.private".

In the 2FA process, the OpenVPN client then opens a text window where you can enter a TOTP token or a "p" for a push request. This all works with the default domain set, but not when specifying a domain with a backslash:

Thu Mar 10 10:35:31 2022 VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
Thu Mar 10 10:35:31 2022 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Thu Mar 10 10:35:31 2022 [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]1.2.3.4:443
Thu Mar 10 10:35:32 2022 MANAGEMENT: >STATE:1646904932,GET_CONFIG,,
Thu Mar 10 10:35:32 2022 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Mar 10 10:35:32 2022 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:1796:Yoirtuqeprtiqrew4==:*Type "p" to receive a push notification or type your one-time password*
Thu Mar 10 10:35:32 2022 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 10 10:35:32 2022 MANAGEMENT: >STATE:1646904932,RECONNECTING,auth-failure,
Thu Mar 10 10:35:32 2022 Restart pause, 5 second(s)
*Thu Mar 10 10:35:40 2022 Previous command sent to management failed: ERROR: Options warning: Bad backslash ('\') usage in TCP:0: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you sho*
Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'username "Auth" "*authpoint\UserName*"'
Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'password [...]'

This sounds like I need to escape the backslash, but if I do this the Auth fails completely before the 2FA part comes into the picture. I fear that the normal user authentication part and the 2FA code treat backslashes differently... how can I get this going, if at all? Should I contact the openvpn-devel list for this?

Best regards and thank you for hints,
Jakob Curdes
Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash
On 10.03.2022 at 12:22, Jan Just Keijser wrote:
>> Thu Mar 10 10:35:32 2022 Restart pause, 5 second(s)
>> *Thu Mar 10 10:35:40 2022 Previous command sent to management failed: ERROR: Options warning: Bad backslash ('\') usage in TCP:0: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you sho*
>> Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'username "Auth" "*authpoint\UserName*"'
>> Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'password [...]'
>>
>> This sounds like I need to escape the backslash, but if I do this the Auth fails completely before the 2FA part comes into the picture. I fear that the normal user authentication part and the 2FA code treat backslashes differently... how can I get this going, if at all? Should I contact the openvpn-devel list for this?
>
> before getting into whether this is a bug or not: most Windows-based authentication systems also accept authpoint/Username (i.e. forward slash). Other than that, this does seem to be one for the -devel list, as I suspect that in manage.c the "parse_line" call does not differentiate between file paths (for which \\ is needed) and a "domain\username" call. Alternatively, you might be able to get away with specifying username@FQDN as well.

Hello Jan, hello all,

thank you for these ideas - I had already tried the forward slash, without success. I now also tried "@", but this does not work either; I suspect the server side (i.e. the WatchGuard auth module) does not understand the login then. Ok, so I will ask on the -devel list. If I have a solution I will add it here.

Thank you.
Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash
Hello Selva, hello all,

> If you are using OpenVPN-GUI for Windows, looks like a bug. I guess, by
> text window, you mean the challenge-response dialog that the GUI pops up
> for 2FA.

Yes exactly.

> Username is first input in the username/password dialog and that seems
> to succeed with the backslash in it. You should be able to see that the
> username is passed to management with the backslash replaced by "\\"
> (escaped). Then the challenge response dialog is shown when AUTH_FAILED
> with challenge is received where the user types the response. In that
> round the username is submitted again and that seems to be failing.
> Looks like a bug in the GUI -- we are not expanding the string when
> submitted from that dialog. Generally we use ManagementCommandFromInput()
> to submit user input and that does the escaping, but for this username
> which is not input by user but passed in by the server, we send it
> directly without escaping. Will fix if that is indeed the case.

This sounds like a perfect description of what I am seeing. I can send you complete logs off-list.

> As a quick fix, username@domain instead of domain\username may work
> with your server.

Sadly no, the authentication is passed back by the embedded openvpn server to the WatchGuard Auth engine, which seems to choke on everything but "\". This is no problem when you have just one authentication method, as then you just specify the username. But when using AD directly as well as the 2FA service "AuthPoint", in a transition period, you cannot do this with the OpenVPN client as you would prepend the AD domain or the "authpoint" domain to the username, which then leads to the error in the second auth round.

Best regards,
Jakob Curdes
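The quoting rule behind the "Bad backslash" warning and the GUI bug Selva describes, as an added example that is not OpenVPN's or OpenVPN-GUI's own code: a simplified model of the backslash handling in OpenVPN's parse_line() (assumed here to allow only a backslash, a double quote or whitespace after a backslash), run over the username command from the log in its raw and escaped forms.

```python
"""Model of OpenVPN management-interface quoting for the 'username' command.

Assumption (simplified from OpenVPN's parse_line()): a backslash escapes the
next character and only '\\', '"' or whitespace may follow it; any other
character after a backslash is reported as bad backslash usage.
"""
from typing import List, Optional


def escape_management_arg(value: str) -> str:
    """Escape a user- or server-supplied string for a quoted management argument."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_username_command(username: str, escaped: bool = True) -> str:
    """Build 'username "Auth" "<name>"'; escaped=False reproduces the GUI bug
    where the server-provided name was sent on without escaping."""
    arg = escape_management_arg(username) if escaped else username
    return f'username "Auth" "{arg}"'


def parse_management_line(line: str) -> Optional[List[str]]:
    """Split one line into arguments the way the daemon's parser does.

    Returns None for the bad-backslash case (the warning seen in the log),
    for a dangling escape, or for an unterminated quote.
    """
    tokens: List[str] = []
    current = ""
    in_token = in_quotes = backslash = False
    for ch in line:
        if backslash:
            if not (ch in '\\"' or ch.isspace()):
                return None  # "Bad backslash ('\\') usage"
            current += ch
            in_token, backslash = True, False
        elif ch == "\\":
            backslash = True
        elif ch == '"':
            in_quotes = not in_quotes
            in_token = True
        elif ch.isspace() and not in_quotes:
            if in_token:
                tokens.append(current)
                current, in_token = "", False
        else:
            current += ch
            in_token = True
    if backslash or in_quotes:
        return None
    if in_token:
        tokens.append(current)
    return tokens


if __name__ == "__main__":
    name = "authpoint\\UserName"  # constructed sample, as in the log above
    for escaped in (False, True):
        cmd = build_username_command(name, escaped)
        print(f"{cmd!r} -> {parse_management_line(cmd)}")
```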
Re: [Openvpn-users] Do most commercial firewall appliances and VPN routers have OpenVPN-powered SSL VPN?
I know from personal hands-on that the WatchGuard SSL VPN is an OpenVPN variant. You can even use the OpenVPN client to connect to it, or their own client.

Regards,
Jakob

On 14.11.2022 at 16:24, Gert Doering wrote:
> Hi,
>
> On Mon, Nov 14, 2022 at 10:51:29PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
>> Do most commercial firewall appliances and VPN routers have OpenVPN-powered SSL VPN?
>>
>> Is there an official list?
>
> "most" is a very uncertain term :-)
>
> I'd say there is quite a number of Linux- or FreeBSD-based VPN/Firewall appliances on the market, and those that do SSL VPN are very often OpenVPN based.
>
> On the other side, Cisco ASA, Fortinet, and such brethren are usually "we can make your own mistakes!!" proprietary implementations...
>
> gert

--
Jakob Curdes

Address
iS information systems oHG
Donnerschweer Str. 89-91
D-26123 Oldenburg
Tel.: (0)441 - 92 31 99 0
Fax: (0)441 - 92 31 99 99
Web: www.info-systems.de <https://www.info-systems.de>

Company name and commercial register details can be found at this link: Company data <https://www.info-systems.de/legal/>
Re: [Openvpn-users] OpenVPN on port 443
On 23.01.2024 at 13:32, Peter Davis via Openvpn-users wrote:
> Hello,
> I want to use OpenVPN and HTTPS. I found the following article:
> (...)
> server 20.20.0.0 255.255.255.0

First of all, from where did you take that IP network? This is not a private network range as far as I know. When you use a public network range, many things will not work at all or not work reliably. You need to use a private IP network (192.168., 172.17, 10.x) for your internal networks.

Hope this helps,
JC
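A pre-deployment check for the mistake JC points out, as an added example that is not part of the thread or of OpenVPN: it parses the 'server <network> <netmask>' directive and tests the network against the three RFC 1918 blocks, something OpenVPN itself does not do. The two config fragments are constructed sample input.

```python
"""Lint the network handed to an OpenVPN 'server' directive against RFC 1918.

OpenVPN accepts any IPv4 network here, so a public range such as the
20.20.0.0/24 from the thread is only caught by a check like this one.
"""
import ipaddress
from typing import List, Optional, Tuple

# The three private IPv4 blocks defined by RFC 1918
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_server_directive(line: str) -> Optional[ipaddress.IPv4Network]:
    """Return the network of a 'server <network> <netmask>' line, else None."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "server":
        return None
    # ip_network accepts a dotted-quad netmask; strict=False tolerates host bits
    return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_config(text: str) -> List[Tuple[str, bool]]:
    """Return (network, is_private) for every server directive in a config text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        net = parse_server_directive(line)
        if net is not None:
            findings.append((str(net), is_rfc1918(net)))
    return findings


# Constructed sample configs: the one from the thread beside a corrected one
BAD_CONFIG = "port 443\nproto tcp\nserver 20.20.0.0 255.255.255.0\n"
GOOD_CONFIG = "port 443\nproto tcp\nserver 10.8.0.0 255.255.255.0  # RFC 1918\n"

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        for net, private in check_config(cfg):
            verdict = "private" if private else "PUBLIC range, fix this"
            print(f"{label}: server {net} -> {verdict}")
```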
Re: [Openvpn-users] Critical OpenVPN Zero-Day Flaws Affecting Millions of Endpoints Across the Globe
Hi,

these vulnerabilities are already fixed in the current versions since March 2024, so if you keep your software up to date, there is no threat. Also they are limited to Windows environments and not easy to exploit. See:

https://openvpn.net/security-advisories/

So the subject of your mail seems at least a bit exaggerated.

Regards,
JC

On 13.05.2024 at 14:59, Turritopsis Dohrnii Teo En Ming via Openvpn-users wrote:
> Subject: Critical OpenVPN Zero-Day Flaws Affecting Millions of Endpoints Across the Globe
>
> Good day from Singapore,
>
> I have just read this article and I would like to share it with all of you here.
>
> Article: Critical OpenVPN Zero-Day Flaws Affecting Millions of Endpoints Across the Globe
> Link: https://cybersecuritynews.com/openvpn-zero-day-flaws/
>
> Thank you.
>
> Regards,
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individual in Singapore
> Blogs:
> https://tdtemcerts.blogspot.com
> https://tdtemcerts.wordpress.com
> GIMP also stands for Government-Induced Medical Problems.
[Openvpn-users] OpenVPN and CWE-316?
Hello all,

in Germany we are reading articles like this one:

https://www.heise.de/news/Schwere-Luecke-bei-kritischen-Anwendungen-Klartextpasswoerter-im-Prozessspeicher-9830774.html
https://www.secuvera.de/blog/studie-klartextpassworter-in-passwortspeichern/

which mentions CWE-316: "Cleartext Storage of Sensitive Information in Memory" (I could not find an English discussion about openvpn, but reddit has this: https://www.reddit.com/r/1Password/comments/1eqdllw/cwe316_cleartext_storage_of_sensitive_information/?rdt=39150)

The original secuvera article states that OpenVPN (I assume they mean the Windows client) is "vulnerable" to this weakness and leaves data like emails, passwords and 2FA codes in the main memory after the program is closed. I have not tested this myself so I cannot say if that is true. If it is true, is this already known and could it be addressed somehow? Some password managers that have also been tested seem to clear all these data when the program is closed.

Regards,
Jakob