Difference between revisions of "OpenVPN/802.1Q --passtos patch"

From Secure Computing Wiki
Revision as of 19:07, 23 November 2010





Introduction

This patch makes it possible to use the --passtos option with 802.1Q tagged Ethernet frames. It needs testing before it is moved from the feat_passtos branch to the allmerged branch in the openvpn-testing.git tree. The patch was provided by Davide Guerri and is also available on his website.

NOTE: Even if you don't use 802.1Q (VLAN tagging), you can still help verify that the patch works on a basic level - see the "Testing" section below.

Downloading and building

You can download the patched version of OpenVPN by following this link:

To use this patched version, unpack it and run:

 autoreconf -vi
 ./configure
 make

Testing

You can test this patch by configuring your OpenVPN as shown below. Thanks go to Davide Guerri for kindly providing these instructions!

---

First, configure your client similarly to this:

<pre>
------ Client configuration BEGIN (file: openvpn-l2-client.conf ) ------

client
tls-client

remote <server address> <server port>
proto udp

passtos

dev tap0
dev-type tap

ca "./ca.crt"
key "./client.key"
cert "./client.crt"
tls-auth "./ta.key" 1
cipher none
ns-cert-type server

------ Client configuration END  (file: openvpn-l2-client.conf ) ------
</pre>

And configure server like this:

<pre>
------ Server configuration BEGIN (file: openvpn-l2-server.conf ) ------

mode server
local <server address>
port <server port>

proto udp

dev tap0
dev-type tap

tls-server
ca "./ca.crt"
key "./server.key"
cert "./server.crt"
tls-auth "./ta.key" 0
cipher none

------ Server configuration END  (file: openvpn-l2-server.conf ) ------
</pre>

Note that I've had to generate client and server certificates, both signed with a self-generated CA (I've used openssl here). I've used a null cipher and no compression to be able to check the encapsulated packets (overkill, I know ;) ).

I've launched openvpn and created a VLAN (with an IP address) on the corresponding tap interface on both sides with the following commands:

Server:

<pre>
server:~# openvpn --config openvpn-l2-server.conf --daemon  # Plain (i.e.: not patched) openvpn 2.0.9
server:~# ifconfig tap0 up
server:~# vconfig add tap0 4094
server:~# ifconfig tap0.4094 10.22.0.1 netmask 255.255.255.0 up
</pre>

Client:

<pre>
client:~# openvpn209p --config openvpn-l2-client.conf --daemon  # Patched openvpn 2.0.9
client:~# ifconfig tap0 up
client:~# vconfig add tap0 4094
client:~# ifconfig tap0.4094 10.22.0.2 netmask 255.255.255.0 up
</pre>

On the server I've run tcpdump with the following parameters (eth0 was the interface used for openvpn tunnel):

server:~# tcpdump -s0 -nXvi eth0 "ip and host <client address>"

On the client side I've run a ping with the -Q option (set the Quality of Service-related bits in the ICMP datagrams):

client:~# ping 10.22.0.1 -Q 7 -c 1

Here was the output of tcpdump on the server:

<pre>
16:19:59.477097 IP (tos 0x7,CE, ttl 64, id 0, offset 0, flags [DF],
proto UDP (17), length 155) 194.242.230.67.1194 > 194.242.230.10.12126:
UDP, length 127
0x0000:  4507 009b 0000 4000 4011 e817 c2f2 e643  E.....@.@......C
0x0010:  c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8  ....../^..R?0.w.
0x0020:  85a5 c4d5 d2bc 1208 543d 2e2a e332 151f  ........T=.*.2..
0x0030:  f500 001e ec00 ff44 7eef 3e00 ff0f 03c8  .......D~.>.....
0x0040:  3581 000f fe08 0045 0700 5400 0040 0040  5......E..T..@.@
0x0050:  0119 750a 160d 010a 1600 0108 003e 2beb  ..u..........>+.
0x0060:  7701 1c0f ac71 4a5a 4707 0008 090a 0b0c  w....qJZG.......
0x0070:  0d0e 0f10 1112 1314 1516 1718 191a 1b1c  ................
0x0080:  1d1e 1f20 2122 2324 2526 2728 292a 2b2c  ....!"#$%&'()*+,
0x0090:  2d2e 2f30 3132 3334 3536 37              -./01234567
</pre>

As you can see, the TOS in the external IP header (byte 0x0001, value 0x7) was the same as the one in the internal IP packet (byte 0x0048). Moreover, the internal IP packet was encapsulated in a tagged (tag 4094, 0x0ffe in hex) Ethernet frame as expected (bytes 0x0043 - 0x0044).

I know it could be more user-friendly to use wireshark instead of tcpdump...  :)
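As an added illustration (not part of the wiki page or of the patch itself), the following Python walks the capture quoted above from the outer IP header down to the inner IP packet and reports whether the TOS byte was copied, and also shows what a parser that ignores the 802.1Q tag sees. It assumes the OpenVPN 2.0 data-channel layout for cipher none with the default SHA1 HMAC (1-byte opcode, 20-byte HMAC, 4-byte packet-id before the tap frame), which is consistent with the byte offsets the text points at; the capture bytes are those from the tcpdump output above.

```python
import struct

# Constructed from the tcpdump hex dump quoted on this page (155 bytes, offsets 0x0000-0x009a).
CAPTURE = bytes.fromhex("".join("""
4507 009b 0000 4000 4011 e817 c2f2 e643 c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8
85a5 c4d5 d2bc 1208 543d 2e2a e332 151f f500 001e ec00 ff44 7eef 3e00 ff0f 03c8
3581 000f fe08 0045 0700 5400 0040 0040 0119 750a 160d 010a 1600 0108 003e 2beb
7701 1c0f ac71 4a5a 4707 0008 090a 0b0c 0d0e 0f10 1112 1314 1516 1718 191a 1b1c
1d1e 1f20 2122 2324 2526 2728 292a 2b2c 2d2e 2f30 3132 3334 3536 37
""".split()))

# OpenVPN 2.0 data-channel layout assumed for this capture (cipher none, default SHA1 HMAC):
# 1-byte opcode, 20-byte HMAC, 4-byte packet-id, then the raw tap frame.
OPENVPN_DATA_HDR = 1 + 20 + 4

def ipv4_header(buf, off):
    """Return (tos, protocol, payload_offset) for the IPv4 header starting at off."""
    if buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header at offset 0x%04x" % off)
    return buf[off + 1], buf[off + 9], off + (buf[off] & 0x0F) * 4

def ethernet_payload(buf, off, vlan_aware=True):
    """Return (ethertype, vlan_id, payload_offset) for the Ethernet frame at off.
    With vlan_aware=False a tagged frame keeps ethertype 0x8100, so no IPv4 TOS is found."""
    ethertype = struct.unpack_from("!H", buf, off + 12)[0]
    vlan_id, payload = None, off + 14
    if vlan_aware and ethertype == 0x8100:
        vlan_id = struct.unpack_from("!H", buf, off + 14)[0] & 0x0FFF  # TCI: low 12 bits = VID
        ethertype = struct.unpack_from("!H", buf, off + 16)[0]
        payload = off + 18
    return ethertype, vlan_id, payload

def check_passtos(buf, vlan_aware=True):
    """Compare the outer tunnel TOS with the TOS of the IP packet carried in the tap frame."""
    outer_tos, proto, udp_off = ipv4_header(buf, 0)
    if proto != 17:
        raise ValueError("tunnel packet is not UDP")
    frame_off = udp_off + 8 + OPENVPN_DATA_HDR
    ethertype, vlan_id, ip_off = ethernet_payload(buf, frame_off, vlan_aware)
    result = {"outer_tos": outer_tos, "vlan_id": vlan_id, "inner_ip_offset": ip_off,
              "inner_tos": None, "tos_copied": False}
    if ethertype == 0x0800:
        result["inner_tos"] = ipv4_header(buf, ip_off)[0]
        result["tos_copied"] = result["inner_tos"] == outer_tos
    return result

if __name__ == "__main__":
    print(check_passtos(CAPTURE), check_passtos(CAPTURE, vlan_aware=False))
```

Whatever --passtos copies into the outer header travels in the clear, so the same comparison doubles as a quick audit of which DSCP/TOS markings a tunnel exposes about its payload.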

Sending the test report

You can simply respond to the mail you received. Include a brief description of your OpenVPN configuration and the steps you took to verify that the patch worked properly. Note that negative test reports ("did not work for me") are as important as positive ones.

External links

* http://www.caspur.it/~guerri/hacks.html#openvpn
* http://article.gmane.org/gmane.network.openvpn.devel/3306/match=passtos
* http://sourceforge.net/tracker/?func=detail&aid=2829878&group_id=48978&atid=454721
* http://en.wikipedia.org/wiki/IEEE_802.1Q
* http://en.wikipedia.org/wiki/Payload_%28software%29
* man openvpn