![]() Maybe your browser keeps a connection open to your mail server, I don't know. Let's assume that your OpenVPN connection looks just like an https connection on the wire, so an attacker cannot read the byte stream and know what kind of connection it is.Ī typical https connection won't live too awfully long. Left unmentioned, however, is that traffic analysis can go a long way toward identifying applications. Ysdx's answer is great, and describes very well how the traffic will look on the wire. Which would implement this protocol stack: You should be able to combine this with a stunnel instance connecting to a remote HTTPS PROXY: http-proxy 127.0.0.1 8443 OpenVPN has an option to use a HTTP Proxy: http-proxy You can even require authentication of client in order to authorise the HTTP CONNECT request (squid should be able to do this). = Either OpenVPN/TLS/TCP or HTTP/TLS/TCPĪnother solution is to use a standard HTTP/TLS server and use HTTP CONNECT/TLS to connect to the OpenVPN server: it will look like a standard HTTP server. The server will look like standard HTTP/TLS server but someone trying to speak OpenVPN/TLS with this server will be able to detect that it is in fact a OpenVPN/TLS server as well. sslh can be used to automatically detect the payload of the protocol and dispatch either to a plain HTTP/TCP server or you OpenVPN/TCP server. Multiplexed OpenVPN/TLS and HTTP/TLSĪnother solution is to serve both HTTP and OpenVPN over the TLS session. Warning:* I'm not talking about the builtin TLS support in OpenVPN (see above for en explanation about why it won't help you). It you are worried about this you could enable TLS client authentication: an attacker will not be able to initiate a working TLS session and will not be able to guess which payload is encapsulated over TLS. OpenVPN over TLS with client authentication By trying to speak the OpenVPN protocol, he will be able to detect that your server is a OpenVPN/TLS server. You should be aware that if a passive attacker will not be able to tell that your remote server is in fact an OpenVPN server, an active attacker will be able to find this out: simply by connecting to your server over TLS, he will be able to confirm that it is not a HTTP/TLS server. ![]() If you interpret this traffic as OpenVPN in wireshark, you will recognise the OpenVPN messages and inside of them the TLS messages (but not the payload). In this case, your traffic does not look like a plain TLS traffic but is obviously OpenVPN. The builtin TLS layer does not encapsulate the (IP, Ethernet) packets but is only used for setting up the session and authenticating: In comparison, if you are using OpenVPN, you will have something like this: You might want to use ALPN as well but stunnel currently does not handle that. You might want to use SNI in the client in order to look like what a modern browser would do. In the wireshark UI (right button on a packet of the stream), you can ask wireshark to interpret the traffic as TLS: it will recognise it as TLS traffic (you will see the different TLS messages but not the payload of the TLS session). You can check this by using wireshark: record the traffic between the stunnel instances. So yes, it is plain TLS traffic (it could be HTTP/TLS, SMTP/TLS, POP/TLS or anything else for someone looking at the traffic but it looks a lot like HTTP/TLS as the TCP port 443 is used). You get this protocol stack:īetween the stunnel instances you have this protocol stack on the wire:Īs the TLS encrypts its payload, an attacker can only see: The stunnel instance is used to encapsulate the content of the TCP stream in TLS/TCP. Your VPN is using TCP as a transport protocol. OPENVPN CONFIG on server: local REMOTE_SERVER_IP ![]() Debugging stuff (may useful for troubleshooting) STUNNEL CONFIG ON SERVER: sslVersion = all # Remote server for sTunnel to connect to # Set sTunnel to be in client mode (defaults to server) Is there a way to DPI my own traffic to ensure it looks like SSL traffic and not OpenVPN traffic? And based on my config setup does all traffic use port 443 which is the SSL port? I am trying to make my outgoing and incoming traffic look as legitimate as close to SSL traffic as possible. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |