OpenVPN/802.1Q --passtos patch

From Secure Computing Wiki
Revision as of 19:07, 23 November 2010 by Esubiguxoc (talk | contribs)

This patch makes it possible to use the --passtos option with 802.1Q tagged ethernet frames. The patch needs testing before it is moved from the feat_passtos branch to the allmerged branch in the openvpn-testing.git tree. The patch was provided by Davide Guerri and is also available on his website.

NOTE: Even if you don't use 802.1Q (VLAN tagging), you can still help verify that the patch works at a basic level - see the "Testing" section below.

Downloading and building

You can download the patched version of OpenVPN by following this link:

To use this patched version, unpack it and run:

 autoreconf -vi


You can test this patch by configuring your OpenVPN as shown below. Thanks go to Davide Guerri for kindly providing these instructions!


First, configure your client similarly to this:


Client configuration BEGIN (file: openvpn-l2-client.conf) ------
<pre>
client
tls-client
remote <server address> <server port>
proto udp
dev tap0
dev-type tap
ca "./ca.crt"
key "./client.key"
cert "./client.crt"
tls-auth "./ta.key" 1
cipher none
ns-cert-type server
</pre>
Client configuration END (file: openvpn-l2-client.conf) ------


And configure the server like this:


Server configuration BEGIN (file: openvpn-l2-server.conf) ------
<pre>
mode server
local <server address>
port <server port>
proto udp
dev tap0
dev-type tap
tls-server
ca "./ca.crt"
key "./server.key"
cert "./server.crt"
tls-auth "./ta.key" 0
cipher none
</pre>
Server configuration END (file: openvpn-l2-server.conf) ------


Note that I've had to generate client and server certificates, both signed with a self-generated CA (I've used openssl here). I've used a null cipher and no compression to be able to check the encapsulated packets (overkill, I know ;) ).

I've launched openvpn and created a VLAN (with an IP address) on the corresponding tap interface on both sides with the following commands:


<pre>
server:~# openvpn --config openvpn-l2-server.conf --daemon   # Plain (i.e.: not patched) openvpn 2.0.9
server:~# ifconfig tap0 up
server:~# vconfig add tap0 4094
server:~# ifconfig tap0.4094 netmask up
</pre>


<pre>
client:~# openvpn209p --config openvpn-l2-client.conf --daemon   # Patched openvpn 2.0.9
client:~# ifconfig tap0 up
client:~# vconfig add tap0 4094
client:~# ifconfig tap0.4094 netmask up
</pre>

On the server I've run tcpdump with the following parameters (eth0 was the interface used for the openvpn tunnel):

<pre>
server:~# tcpdump -s0 -nXvi eth0 "ip and host <client address>"
</pre>

On the client side I've run a ping with the -Q option (set Quality of Service-related bits in ICMP datagrams):

<pre>
client:~# ping -Q 7 -c 1
</pre>

Here was the output of tcpdump on the server:

<pre>
16:19:59.477097 IP (tos 0x7,CE, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 155) > UDP, length 127
	0x0000:  4507 009b 0000 4000 4011 e817 c2f2 e643  E.....@.@......C
	0x0010:  c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8  ....../^..R?0.w.
	0x0020:  85a5 c4d5 d2bc 1208 543d 2e2a e332 151f  ........T=.*.2..
	0x0030:  f500 001e ec00 ff44 7eef 3e00 ff0f 03c8  .......D~.>.....
	0x0040:  3581 000f fe08 0045 0700 5400 0040 0040  5......E..T..@.@
	0x0050:  0119 750a 160d 010a 1600 0108 003e 2beb  ..u..........>+.
	0x0060:  7701 1c0f ac71 4a5a 4707 0008 090a 0b0c  w....qJZG.......
	0x0070:  0d0e 0f10 1112 1314 1516 1718 191a 1b1c  ................
	0x0080:  1d1e 1f20 2122 2324 2526 2728 292a 2b2c  ....!"#$%&'()*+,
	0x0090:  2d2e 2f30 3132 3334 3536 37              -./01234567
</pre>

As you can see, the TOS in the external IP header (byte 0x0001, value 0x7) was the same as the one in the internal IP packet (byte 0x0048). Moreover, the internal IP packet was encapsulated in a tagged (tag 4094, 0x0ffe in hex) ethernet frame as expected (bytes 0x0043 - 0x0044).

I know it could be more user-friendly to use wireshark instead of tcpdump... :)
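The byte-offset check Davide does by eye above can be automated. The script below is an added example (not part of the original page or of the patch): it parses the tcpdump hex dump quoted above, walks outer IPv4, UDP, the OpenVPN data-channel header, the tap Ethernet frame and its 802.1Q tag, and returns the outer TOS, the VLAN ID and the inner TOS so a test report can state whether --passtos was honoured. It assumes the data-channel framing of this page's setup (cipher none, default SHA1 auth: 1-byte opcode, 20-byte HMAC and 4-byte packet id in front of the frame); adjust OPENVPN_HDR_LEN for other cipher/auth settings.

```python
import struct
# Hex columns of the tcpdump output quoted above (ASCII column omitted).
SAMPLE_DUMP = """
0x0000:  4507 009b 0000 4000 4011 e817 c2f2 e643
0x0010:  c2f2 e60a 04aa 2f5e 0087 523f 30ed 77b8
0x0020:  85a5 c4d5 d2bc 1208 543d 2e2a e332 151f
0x0030:  f500 001e ec00 ff44 7eef 3e00 ff0f 03c8
0x0040:  3581 000f fe08 0045 0700 5400 0040 0040
0x0050:  0119 750a 160d 010a 1600 0108 003e 2beb
0x0060:  7701 1c0f ac71 4a5a 4707 0008 090a 0b0c
0x0070:  0d0e 0f10 1112 1314 1516 1718 191a 1b1c
0x0080:  1d1e 1f20 2122 2324 2526 2728 292a 2b2c
0x0090:  2d2e 2f30 3132 3334 3536 37
"""
# Assumption: data-channel framing for this page's setup (cipher none, default
# auth SHA1): 1-byte opcode/key-id + 20-byte HMAC + 4-byte packet id.
OPENVPN_HDR_LEN = 1 + 20 + 4
P_DATA_V1, TPID_8021Q, ETHERTYPE_IPV4 = 6, 0x8100, 0x0800

def parse_hexdump(text):
    """Bytes from 'tcpdump -X' lines; the first non-hex token ends a line."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue
        for tok in fields[1:]:
            try:
                out += bytes.fromhex(tok)   # 2 or 4 hex digits per column
            except ValueError:
                break                       # reached the ASCII column
    return bytes(out)

def check_passtos(pkt):
    """Return (outer_tos, vlan_id, inner_tos); vlan_id is None if untagged."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    outer_tos, ihl = pkt[1], (pkt[0] & 0x0F) * 4
    ovpn = pkt[ihl + 8:]                        # skip IPv4 and UDP headers
    if ovpn[0] >> 3 != P_DATA_V1:
        raise ValueError("not an OpenVPN P_DATA_V1 packet")
    frame = ovpn[OPENVPN_HDR_LEN:]              # raw tap Ethernet frame
    ethertype, = struct.unpack_from("!H", frame, 12)
    vlan_id, ip_off = None, 14
    if ethertype == TPID_8021Q:                 # 802.1Q: TCI, then real type
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, ip_off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4 or frame[ip_off] >> 4 != 4:
        raise ValueError("inner frame does not carry IPv4")
    return outer_tos, vlan_id, frame[ip_off + 1]   # TOS is the 2nd IPv4 byte
```

For the dump above this returns (7, 4094, 7): outer and inner TOS equal, inside VLAN 4094, which is exactly the result reported by hand.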

Sending the test report

You can simply respond to the mail you received. Include a brief description of your OpenVPN configuration and the steps you took to verify that the patch worked properly. Note that negative test reports ("did not work for me") are as important as positive ones.

External links