OpenVPN/802.1Q --passtos patch

From Secure Computing Wiki


This patch makes it possible to use the --passtos option with 802.1Q tagged Ethernet frames. It needs testing before it is moved from the feat_passtos branch to the allmerged branch in the openvpn-testing.git tree. The patch was provided by Davide Guerri and is also available on his website.

NOTE: Even if you don't use 802.1Q (VLAN tagging), you can still help verify that the patch works on a basic level; see the "Testing" section below.

Downloading and building

You can download the patched version of OpenVPN by following this link:

To use this patched version, unpack it and run:

 autoreconf -vi


Testing

You can test this patch by configuring your OpenVPN as shown below. Thanks go to Davide Guerri for kindly providing these instructions!


First, configure your client similarly to this:

------ Client configuration BEGIN (file: openvpn-l2-client.conf ) ------


remote		<server address> <server port>
proto		udp


dev		tap0
dev-type	tap

ca		"./ca.crt"
key		"./client.key"
cert		"./client.crt"
tls-auth	"./ta.key" 1
cipher		none
ns-cert-type	server

------ Client configuration END   (file: openvpn-l2-client.conf ) ------

And configure the server like this:

------ Server configuration BEGIN (file: openvpn-l2-server.conf ) ------

mode		server
local		<server address>
port		<server port>

proto		udp

dev		tap0
dev-type	tap

ca 		"./ca.crt"
key		"./server.key"
cert		"./server.crt"
tls-auth	"./ta.key" 0
cipher		none

------ Server configuration END   (file: openvpn-l2-server.conf ) ------

Note that I've had to generate client and server certificates, both signed with a self-generated CA (I've used openssl here). I've used a null cipher and no compression to be able to check the encapsulated packets (overkill, I know ;) )

I've launched openvpn and created a VLAN (with an IP address) on the corresponding tap interface on both sides with the following commands:


	server:~# openvpn --config openvpn-l2-server.conf --daemon  	# Plain (i.e.: not patched) openvpn 2.0.9
	server:~# ifconfig tap0 up
	server:~# vconfig add tap0 4094
	server:~# ifconfig tap0.4094 netmask up


	client:~# openvpn209p --config openvpn-l2-client.conf --daemon 	# Patched openvpn 2.0.9
	client:~# ifconfig tap0 up
	client:~# vconfig add tap0 4094
	client:~# ifconfig tap0.4094 netmask up 

On the server I've run tcpdump with the following parameters (eth0 was the interface used for the openvpn tunnel):

server:~# tcpdump -s0 -nXvi eth0 "ip and host <client address>"

On the client side I've run a ping with the -Q option (set the Quality of Service-related bits in ICMP datagrams):

client:~# ping -Q 7 -c 1

Here was the output of tcpdump on the server:

16:19:59.477097 IP (tos 0x7,CE, ttl 64, id 0, offset 0, flags [DF],
proto UDP (17), length 155) >
UDP, length 127
	0x0000:  4507 009b 0000 4000 4011 e817 c2f2 e643  E.....@.@......C
	0x0010:  c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8  ....../^..R?0.w.
	0x0020:  85a5 c4d5 d2bc 1208 543d 2e2a e332 151f  ........T=.*.2..
	0x0030:  f500 001e ec00 ff44 7eef 3e00 ff0f 03c8  .......D~.>.....
	0x0040:  3581 000f fe08 0045 0700 5400 0040 0040  5......E..T..@.@
	0x0050:  0119 750a 160d 010a 1600 0108 003e 2beb  ..u..........>+.
	0x0060:  7701 1c0f ac71 4a5a 4707 0008 090a 0b0c  w....qJZG.......
	0x0070:  0d0e 0f10 1112 1314 1516 1718 191a 1b1c  ................
	0x0080:  1d1e 1f20 2122 2324 2526 2728 292a 2b2c  ....!"#$%&'()*+,
	0x0090:  2d2e 2f30 3132 3334 3536 37              -./01234567

As you can see, the TOS in the external IP header (byte 0x0001, value 0x7) was the same as the one in the internal IP packet (byte 0x0048). Moreover, the internal IP packet was encapsulated in a tagged (tag 4094, 0x0ffe in hex) Ethernet frame as expected (bytes 0x0043 - 0x0044).

I know it could be more user-friendly to use wireshark instead of tcpdump... :)
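The check done by eye above (outer TOS at byte 0x01, VLAN tag at 0x43-0x44, inner TOS at 0x48) can be scripted. The following Python is an added example, not part of the original page or of the patch: it parses the tcpdump hex dump, walks the outer IPv4 and UDP headers, the OpenVPN data header and the 802.1Q-tagged Ethernet header, and compares the two TOS bytes for both tagged and untagged frames. It assumes the OpenVPN 2.0 data-channel layout for "cipher none" with the default SHA1 HMAC (1-byte opcode, 20-byte HMAC, 4-byte packet id), which is consistent with the dump.

```python
# Hex columns of the first six tcpdump lines above (ASCII column dropped).
CAPTURE = """
0x0000:  4507 009b 0000 4000 4011 e817 c2f2 e643
0x0010:  c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8
0x0020:  85a5 c4d5 d2bc 1208 543d 2e2a e332 151f
0x0030:  f500 001e ec00 ff44 7eef 3e00 ff0f 03c8
0x0040:  3581 000f fe08 0045 0700 5400 0040 0040
0x0050:  0119 750a 160d 010a 1600 0108 003e 2beb
"""
# Assumed OpenVPN 2.0 data-channel framing for "cipher none" with the default
# SHA1 HMAC: 1 opcode byte (0x30 = P_DATA_V1, key id 0), 20-byte HMAC,
# 4-byte packet id, then the tap frame. The 0x8100 TPID at 0x41 confirms it.
OVPN_HEADER_LEN = 1 + 20 + 4
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

def parse_hexdump(text):
    """Turn 'tcpdump -X' lines ('0x0000:  4507 009b ...') into bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split():
            if len(tok) in (2, 4) and all(c in "0123456789abcdef" for c in tok):
                out += bytes.fromhex(tok)
            else:
                break  # reached the ASCII column
    return bytes(out)

def check_passtos(pkt):
    """Return (outer_tos, vlan_id, inner_tos); vlan_id is None when untagged,
    inner_tos is None when the tap frame is not IPv4 (nothing to copy)."""
    outer_ihl = (pkt[0] & 0x0F) * 4
    outer_tos = pkt[1]
    frame = pkt[outer_ihl + 8 + OVPN_HEADER_LEN:]  # past outer IP, UDP, OpenVPN
    ethertype = int.from_bytes(frame[12:14], "big")
    vlan_id, ip_off = None, 14
    if ethertype == ETH_P_8021Q:  # 802.1Q: TPID, TCI, then the real EtherType
        vlan_id = int.from_bytes(frame[14:16], "big") & 0x0FFF
        ethertype = int.from_bytes(frame[16:18], "big")
        ip_off = 18
    if ethertype != ETH_P_IP:
        return outer_tos, vlan_id, None
    return outer_tos, vlan_id, frame[ip_off + 1]  # TOS is byte 1 of the IP header

PACKET = parse_hexdump(CAPTURE)

if __name__ == "__main__":
    print("outer TOS, VLAN id, inner TOS:", check_passtos(PACKET))
```

A result whose first and third values differ, or a third value of None for a tagged IPv4 frame, means --passtos did not carry the inner TOS into the outer header.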

Sending the test report

You can simply respond to the mail you received. Include a brief description of your OpenVPN configuration and the steps you took to verify that the patch worked properly. Note that negative test reports ("did not work for me") are as important as positive ones.
