A patch(https://github.com/clayface/openvpn_xorpatch/raw/master/openvpn_xor.patch ,
https://github.com/clayface/openvpn_xorpatch) to add a "scramble" option to OpenVPN was proposed in April, 2013. The option can be useful to avoid having OpenVPN traffic detected by monitoring or censoring mechanisms such as the Great Firewall of China. The option "scrambles" each buffer of traffic before it is sent between the OpenVPN client and server.
https://github.com/clayface/openvpn_xorpatch) to add a "scramble" option to OpenVPN was proposed in April, 2013. The option can be useful to avoid having OpenVPN traffic detected by monitoring or censoring mechanisms such as the Great Firewall of China. The option "scrambles" each buffer of traffic before it is sent between the OpenVPN client and server.
However, the patch is controversial: it was not accepted as an addition to OpenVPN by the OpenVPN developers. There is a long discussion of the patch on the OpenVPN Community Support Forum. The last post is:
"We (OpenVPN developers) do not encourage people building their own versions of OpenVPN changing the wire-protocol like this, without the patch being through a proper patch review and having evaluated possible security risks related to such a change.
"And we especially discourage using such an approach when there exists a far better solution, used by the TOR community. It is called obfsproxy and can be used together with OpenVPN without needing any re-compilation of OpenVPN.
"For more information, have a look at these URLs
http://community.openvpn.net/openvpn/wiki/TrafficObfuscation
https://www.torproject.org/projects/obfsproxy.html.en
"To avoid confusing users further going for a possibly insecure setup , this thread will be locked now."
In December 2016, further discussion took place on the OpenVPN users mailing list. OpenVPN developers again explained why they do not want to include the patch in OpenVPN and discussed alternatives. See (https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/DFBD5589-71CB-41CD-B7A7-F2A540380E33%40haloprivacy.com/#msg35560747.
Tunnelblick's View
Regardless of the OpenVPN developers decision not to include the patch in OpenVPN, the patch is attractive because it is so easy to implement: simply apply the patch to both the OpenVPN server and the OpenVPN client and add a single, identical option to the configuration files for each. Using obfsproxy is more complicated because it involves running another, separate program on both the server and the client.
Because the patch is so easy to implement, the patch is included in all versions of OpenVPN that are included in Tunnelblick as of build 4420.
Critical Warning
The original post proposing the patch claims that using the patch is sufficient to secure communications and that no other encryption is necessary:
"With this obfuscate option, I think that it is ok to use "cipher none", because working out the method used would take a lot of cryptoanalysis. The obfuscate option is also much easier on the CPU than any cipher options This is incase you are using ddwrt or openwrt or have a low speed cpu."
Do not take this advice! The obfuscation provided by this patch appears to be extremely rudimentary. Beware of cryptographic advice from amateur cryptographers!
Large organizations have the ability and power to "unscramble" traffic and detect it as OpenVPN traffic, and the obfuscation provided by this patch is so rudimentary that relatively simple cryptanalysis will probably be able to unscramble the content, too.
Tunnelblick Modifications to the Patch
As the OpenVPN developers point out, the patch has never been through a thorough review for security, coding, etc. However, a Tunnelblick developer has reviewed the patch, found some problems, and modified it in Tunnelblick to resolve those problems. The problems that were found and fixed involved insufficient parameter validation, null pointer dereferences, division by zero errors, and a buffer overflow. Some defensive programming was also added to the modified version of the patch to increase its robustness.
I invite anyone/everyone to review the patch and report any problems, either to the Tunnelblick Discussion Group or to the developers. Details of the patch are below.
Scramble Option Syntax
Note: The "scramble" option and parameters in the server and client configuration files must match.
scramble xor_string
scramble xormask xor_string
These options XOR the bytes in each buffer with xor_string.
scramble xormask xor_string
These options XOR the bytes in each buffer with xor_string.
scramble reverse
The "reverse" option reverses order of the bytes in each buffer (except that the first byte is unchanged). So "abcde" becomes "aedcb".
The "reverse" option reverses order of the bytes in each buffer (except that the first byte is unchanged). So "abcde" becomes "aedcb".
scramble xorptrpos
The "xorptrpos" option XORs each byte of the buffer of traffic with the position in the buffer.
The "xorptrpos" option XORs each byte of the buffer of traffic with the position in the buffer.
scramble obfuscate password
The "obfuscate" option performs several of the above steps, using password as the xor_string in one of the steps.
The "obfuscate" option performs several of the above steps, using password as the xor_string in one of the steps.
The Patch as Modified for Use in Tunnelblick
Tunnelblick's build process expands OpenVPN, applies patches, and then builds from the patched source code.
In recent versions of Tunnelblick, the patch has been broken into five separate .diff files, with each .diff modifying a single file in the OpenVPN source code. (This is done to make it easier to modify the patch when the underlying OpenVPN source code is changed.)
Files with patches for each particular version of OpenVPN are located in the Tunnelblick source code in a "patches" folder specific to that version of OpenVPN. The path to patches for OpenVPN version X.Y.Z would be
.../third_party/sources/openvpn/X.Y.Z/patches
from https://tunnelblick.net/cOpenvpn_xorpatch.html
---------------
补丁项目地址:https://github.com/clayface/openvpn_xorpatch
----------
教程:
https://www.lowendtalk.com/discussion/21539/tutorial-build-your-ultimate-scrambled-vpn
http://www.servermom.org/install-scrambled-openvpn/
---------------
在openvpn community上的讨论:
https://forums.openvpn.net/viewtopic.php?t=12605
-----------------
RMerl/asuswrt-merlin » Added OpenVPN scramble patch, it tested with patched client
tuapuikia created this issue 3 years ago.
The patch is to by pass IDS detection and there is 4 option to choose and it must set the same for client and server custom configuration field.
“scramble password” – perform a simple xor operation the packet payload, using a string “password”, you choose password
“scramble reverse” – This simply reverses all the data in the packet. This is enough to get past the regular expression detection in both China and Iran.
“scramble xorptrpos” – This performs a xor operation, utilising the current position in the packet payload.
“scramble obfuscate password” – This method is more secure. It utilises the 3 types of scrambling mentioned above. “password” is a string you choose.
RMerl commented on this issue 3 years ago.
One of the reasons I'm hesitant in merging this is because it might make it hard for me to do upstream upgrades as new OpenVPN release become available. For this reason I prefer to keep most third party components as close to their original source code as possible.
Also, this pull request contains a lot of totally unrelated changes.
@rootless4real @tuapuikia
Consider this: https://github.com/kevinxucs/udpmask
Can be used to scramble udp traffic without modifying the OpenVPN client
Can be compiled to run on the asus router and linux pc (still working on windows port)
from https://www.bountysource.com/issues/8476982-added-openvpn-scramble-patch-it-tested-with-patched-client
https://github.com/RMerl/asuswrt-merlin/pull/858
(https://github.com/rootless4real ,https://github.com/tuapuikia)
-------------------------------
我的使用说明
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar zxvf lzo-2.10.tar.gz
cd lzo-2.10
./configure
make
make install
cd ~
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
(或者wget https://build.openvpn.net/downloads/releases/openvpn-2.4.3.tar.gz)
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3
wget https://github.com/clayface/openvpn_xorpatch/raw/master/openvpn_xor.patch
(https://github.com/rootless4real ,https://github.com/tuapuikia)
-------------------------------
我的使用说明
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar zxvf lzo-2.10.tar.gz
cd lzo-2.10
./configure
make
make install
cd ~
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
(或者wget https://build.openvpn.net/downloads/releases/openvpn-2.4.3.tar.gz)
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3
wget https://github.com/clayface/openvpn_xorpatch/raw/master/openvpn_xor.patch
git apply
openvpn_xor.patch (此即打补丁的命令.不要用patch命令来打补丁)
autoreconf -i -v -f
./configure --prefix=/usr/local/openvpn-2.4.3
make && make install
得到的可执行文件为/usr/local/openvpn-2.4.3/sbin/openvpn
然后按http://briteming.blogspot.com/2017/08/openvpncipher.html操作,
然后把服务器端的配置文件和客户端的配置文件里的cipher AES-256-CBC这行都改为:
scramble obfuscate your-password
最后,启动OpenVPN服务器的命令为:
/usr/local/openvpn-2.4.3/sbin/openvpn --config /etc/openvpn-2.4.3/openvpn-server.conf --daemon
把客户端配置文件client1.ovpn下载到你的本地电脑(windows上,则是下载到 c:\program files\openvpn\config\目录中;mac系统,则先安装tunnelblick,然后在 finder中,搜索文件client1.ovpn,双击它,导入到tunnelblick) 启动客户端程序,待连接成功后,即可翻墙。
现在服务器/客户端2边的配置文件不是启用cipher AES-256-CBC而是启用scramble obfuscate your-password
,gfw对openvpn一样的无可奈何,只不过似乎用cipher AES-256-CBC比用scramble obfuscate your-password
更安全一些,毕竟cipher是加密,而scramble只是打乱/混淆流量而已。
相关帖子:http://briteming.blogspot.com/2017/08/openvpncipher.html
http://briteming.blogspot.de/2013/02/openvpn_5863.html (这个帖子的内容已过时,请忽略)
No comments:
Post a Comment