From: 77 77 <sir...@gm...> - 2013-01-23 13:43:18
On Wed, Jan 23, 2013 at 8:49 PM, David Sommerseth <ope...@to...> wrote:
> On 23/01/13 11:21, 77 77 wrote:
> > Hi all,
> >
> > I wrote a patch to obfuscate OpenVPN's traffic to avoid protocol
> > identification. Compared with other traffic obfuscation methods like
> > using static keys or obfsproxy, it only adds one more config parameter,
> > and supports both TCP and UDP. If OpenVPN releases support this, lots of
> > devices will benefit from traffic obfuscation without installing
> > additional software -- for example, the newly released OpenVPN Connect
> > for iOS or OpenVPN for Android.
> >
> > The patch is based on openvpn-2.2.1, but works fine with openvpn-2.2.2.
>
> Gert said one very important thing about openvpn 2.2. Even though he
> said to bring it up to openvpn-2.3 or git-master .... I'm saying
> git-master is the natural point. If you need to have it in openvpn-2.3,
> backporting it from git-master is far easier than going the other way.
>
> I've looked quickly at your patch. And the first instinct is that,
> yes, this looks reasonably well. This is also a feature which I think
> will be very useful in the coming future.

I hope OpenVPN can be more connectable from every place, every device. My friends and I have been using this patch for a while.

> Just a few comments ...
>
> - Have you looked at the obfsproxy project from TOR? That does pretty
> much a similar thing and does work together with OpenVPN (but only via
> TCP, as it uses the socks5 proxy mode of obfsproxy). Could it be
> considered a better approach to integrate tighter against obfsproxy?
> obfsproxy provides a more "plug-in" oriented approach where the
> obfuscator logic can be changed at runtime, and doesn't necessarily
> depend on an encryption/obfuscation key. What you basically do is to RC4
> encrypt the data.

The shortcoming of obfsproxy is that you have to run the proxy along with OpenVPN. If people want to use OpenVPN on mobile devices, it's easier to use if we have in-place obfuscation ability. For example, OpenVPN Connect is available on iOS, but fails to connect from some countries. *In such circumstances obfsproxy can't help, but in-place obfuscation would work.* Currently, this patch *JUST* works. And I agree that a "plug-in" system for obfuscation is more robust and easier to extend.

> - Have you looked into issues related with the RC4 algorithm? IIRC, the
> first 256 bytes of an RC4 stream should always be discarded and the
> keying material should at minimum be hashed, otherwise weaknesses in RC4
> make it easier to crack the encryption. I know and understand that
> this is purely for obfuscation, but this encrypting isn't even
> obfuscation if you can crack the key fairly easily. Which again makes
> me think of obfsproxy, which has established a fairly well stabilised
> code base for traffic obfuscation.

A "plug-in" system for obfuscation would work much better than one simple encryption method. This is a cat and mouse game. Sometimes a little modification will make it hard for the other side to catch up and force them to use much more resources.

> - Has your patch been tested in both UDP and TCP mode?

Yes.

> - What is the purpose of the obfuscation_preprocess_incomming_link() and
> obfuscation_preprocess_outgoing_link() functions? Why isn't
> obfuscation_process_incoming() or obfuscation_process_outgoing() used
> directly?

Yes, they can be used directly.

> - In OpenVPN 2.3 (including git-master) we also added support for
> PolarSSL as an alternative to OpenSSL. It would be good if the code
> base could add PolarSSL support by using the SSL wrapper layer we now
> have implemented.

Ok.

> For further information on the OpenVPN development methods, please look
> here:
>
> <https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation>
>
> And if you're not familiar with git ... here's a git crash course, which
> hopefully will help you get started quicker.
>
> <https://community.openvpn.net/openvpn/wiki/GitCrashCourse>
>
> Our code repositories can be found here:
>
> <https://community.openvpn.net/openvpn/wiki/CodeRepositories>
>
>
> --
> kind regards,
>
> David Sommerseth
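The review above asks for two changes to the RC4-based obfuscation: hash the keying material and discard the first 256 keystream bytes. The following Python is an added example written for this archive page, not code from the patch or from OpenVPN. It implements plain RC4 (the shape of what the patch does), the hardened RC4-drop[256] variant with a SHA-256 hashed key, and a small counter that shows why the drop matters: the second RC4 output byte is zero about twice as often as it should be (the Mantin-Shamir bias), and that skew disappears once the leading bytes are discarded. The key-derivation choice (SHA-256) and the constructed test keys are assumptions of this example.

```python
"""RC4 and RC4-drop[n] with a hashed key.

Added example for the review thread above; not part of the patch or OpenVPN.
"""
import hashlib
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute S according to the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit one byte per step
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4: raw user key, keystream used from byte 0 (what the review warns about)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def rc4_drop_crypt(key: bytes, data: bytes, drop: int = 256) -> bytes:
    """Hardened variant: hash the user key to 256 bits and discard the first `drop` bytes.

    SHA-256 as the key hash is this example's assumption, not something the
    review prescribes; OpenVPN code would use its SSL wrapper layer instead.
    """
    hashed = hashlib.sha256(key).digest()
    ks = rc4_keystream(hashed)
    for _ in range(drop):
        next(ks)
    return bytes(b ^ next(ks) for b in data)


def second_byte_zero_count(n_keys: int, drop: int) -> int:
    """Count keys (out of n_keys constructed ones) whose keystream byte at
    index drop+1 is zero.

    With drop=0 this is RC4's second output byte, which is zero for roughly
    1 in 128 keys instead of the ideal 1 in 256. With drop=256 it is the second
    byte *after* the discarded prefix, where the rate is close to 1 in 256.
    """
    zeros = 0
    for k in range(n_keys):
        # Constructed, deterministic 16-byte keys so the run is repeatable
        key = hashlib.sha256(k.to_bytes(4, "big")).digest()[:16]
        ks = rc4_keystream(key)
        for _ in range(drop + 1):
            next(ks)
        if next(ks) == 0:
            zeros += 1
    return zeros


if __name__ == "__main__":
    msg = b"Attack at dawn"
    print("plain RC4    :", rc4_crypt(b"Secret", msg).hex())
    print("RC4-drop[256]:", rc4_drop_crypt(b"Secret", msg).hex())
    n = 20000
    print(f"ideal zero count over {n} keys: {n / 256:.0f}")
    print("second byte, no drop  :", second_byte_zero_count(n, 0))
    print("second byte, drop=256 :", second_byte_zero_count(n, 256))
```

Run it and the no-drop count comes out near twice the ideal 1/256 rate while the drop-256 count sits near the ideal; that skew is exactly the kind of signal that lets a passive observer tell "RC4 with a fixed key" from random-looking traffic, which is why the review asks for the hashed key and the discarded prefix. Even with both fixes, RC4 under a static key remains an obfuscation layer, not confidentiality: OpenVPN's real encryption still has to happen underneath it.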