Re: [Openvpn-users] OpenVPN RFC-2246 Compliance Question


  • Subject: Re: [Openvpn-users] OpenVPN RFC-2246 Compliance Question
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 19 Jul 2007 07:46:13 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID050LgsmUu0499X38

Randolph A. Krenz wrote:
> I have a need to utilize OpenVPN in a Server/multi-Client, TCP, TUN mode
> on port 443.  OpenVPN generally works fine but I’ve recently had a need
> to pass this traffic through a firewall with stateful packet inspection
> (that can’t be circumvented).  The firewall complains that the traffic
> does not comply with section 7.4.1.2 of RFC-2246 (The TLS protocol)
> which states that a “client hello” must be sent as the client’s first
> message.  The traffic is dropped as a result.  I don’t see any obvious
> OpenVPN configuration changes that would affect this behavior.  Is there
> anything I can do, from a configuration perspective, to cause the
> OpenVPN client to send the “client hello”?  Not sure if this would be
> the only (or just the first) obstacle in getting through the SPI.

The problem is that OpenVPN uses its own protocol that is not TLS,
although it makes use of TLS to secure the control channel.  The data
OpenVPN sends out isn't RFC-2246 compliant because OpenVPN needs to
multiplex both the control and data channels over a single network
stream, and a decent SPI firewall will know that this isn't valid
TLS/SSL traffic.  Setting OpenVPN to use TCP over port 443 only works if
the firewall rules are port-based rather than protocol-based.  If you
have no other option to send the data, you'll need to use a proxy to
encapsulate the OpenVPN data inside an http or https stream (if you do,
you'll probably want to make the OpenVPN stream UDP, otherwise you'll
have 2 TCP layers on top of each other for the transport alone, and
that's discounting the final payload.)

Ideally the administrator of this SPI firewall would make an exception
for this traffic for the user that needs it, but it sounds like this
isn't something that can/will be done.

-- 
Josh
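An added illustration (not code from this thread or from the OpenVPN project) of the check a protocol-aware SPI firewall makes that a port-based rule does not: a TLS client's first bytes form a ClientHello handshake record, whereas OpenVPN over TCP begins with its own 2-byte length prefix and a control-channel opcode byte. The sample byte strings are constructed; the opcode value 7 is OpenVPN's P_CONTROL_HARD_RESET_CLIENT_V2.

```python
"""Classify the first bytes a TCP client sends on port 443 as a TLS
ClientHello or as OpenVPN's own framing.  Illustrative code only."""

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: client_hello
# OpenVPN's first control packet from a client (P_CONTROL_HARD_RESET_CLIENT_V2).
# The opcode is the upper 5 bits of the byte after the length prefix;
# the low 3 bits carry the key id.
OPENVPN_HARD_RESET_CLIENT_V2 = 7


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'openvpn-control' or 'unknown'."""
    # TLS: content type (1) + version (2) + record length (2), then the
    # handshake header whose first byte is the message type.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[2] <= 0x03
            and data[5] == TLS_CLIENT_HELLO):
        if int.from_bytes(data[3:5], "big") >= 4:   # room for a handshake header
            return "tls-client-hello"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode/key-id.
    # A hard reset without --tls-auth is at least 14 bytes: opcode (1),
    # session id (8), ack-array length (1), packet id (4).
    if len(data) >= 3:
        pkt_len = int.from_bytes(data[0:2], "big")
        opcode = data[2] >> 3
        if opcode == OPENVPN_HARD_RESET_CLIENT_V2 and pkt_len >= 14:
            return "openvpn-control"
    return "unknown"


def spi_allows(data: bytes) -> bool:
    """RFC 2246 section 7.4.1.2 rule: the first client message must be a ClientHello."""
    return classify_first_bytes(data) == "tls-client-hello"


# Constructed samples: a plausible TLS record/handshake header, and an
# OpenVPN hard-reset packet (length 14, opcode byte 0x38 = 7 << 3).
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100a0010000" "9c0303")
SAMPLE_OPENVPN_HARD_RESET = bytes.fromhex("000e38" "0102030405060708" "00" "00000000")

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS_CLIENT_HELLO),
                         ("openvpn", SAMPLE_OPENVPN_HARD_RESET)):
        print(name, classify_first_bytes(sample), "allowed" if spi_allows(sample) else "dropped")
```

Run it to see the OpenVPN stream classified and dropped even though it arrives on port 443, which is the failure the original poster observed.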