StreisandEffect / discussions


Port 443 (HTTPS/SSL) only #105

Closed GovernmentPlates closed 6 years ago

GovernmentPlates commented 6 years ago

I've recently created a Streisand instance on a small VPS provider via the localhost installation function with all the defaults. However, when I checked the firewall information webpage, I noticed that OpenVPN and stunnel were being served over ports which are not 443 (the port used for HTTPS).

Is it possible for Streisand to run OpenVPN and stunnel over 443? I will be using Streisand on a network that blocks all ports apart from 80 (HTTP/standard web traffic) and 443 (HTTPS/standard encrypted web traffic).

alimakki commented 6 years ago

Hi @dintendocoltd,

The current Streisand setup uses https://github.com/yrutschle/sslh to multiplex connections over port 443, which handles traffic for OpenVPN (sans stunnel) and nginx (for the gateway), and is also able to handle ssh connections.

While it is possible to run stunnel over port 443, this would essentially break existing functionality for the other services provided.

Streisand does generate a profile for OpenVPN over 443 (using sslh). Does that setup work for your use-case?

GovernmentPlates commented 6 years ago

Hi @alimakki

I have located the OpenVPN profiles over 443 on my Streisand gateway. I will test the profiles tomorrow and report back with the results.

I just have a question: the network which I will be using uses a proprietary firewall and filtering system. As I have mentioned earlier, the firewall blocks all ports apart from 80 and 443. However, the filtering system uses DPI (Deep Packet Inspection) on all connections on 80 (HTTP/unencrypted traffic) and heavily monitors connections on 443 (HTTPS/encrypted traffic). What I mean by 'heavily monitors connections on 443' is that the firewall will check if the connection looks like HTTPS (if it doesn't look like HTTPS, then the firewall will drop the connection), and if the connection looks like HTTPS, it will then check for an SSL certificate.

The SSL certificate checking function in the filtering system works by looking at the issuing certificate authority (CA) on the certificate and comparing it with a list of trusted CAs (such as DigiCert, Digital Signature Trust Co. etc.). If the certificate is self-signed or comes from an unrecognized CA, then the connection is dropped.

In the past, I have run a standalone OpenVPN instance over TCP port 443 and a Cisco AnyConnect VPN instance with a self-signed SSL certificate over an HTTPS tunnel with no success. So my question is: would this OpenVPN profile work in this case?

alimakki commented 6 years ago

@dintendocoltd If that's the case then my suspicion is probably not, but we'll know for sure once you have made the attempt.

We also just recently merged support for tls-crypt; this may be effective against such a DPI.

It might be worth experimenting with that as well; if you don't feel like spinning up a new server, the good news is that it should be relatively easy to edit by hand (removing the `key-direction` from client configs, then changing `tls-auth` to `tls-crypt` in client and server configs).

This will effectively encrypt certificate info that used to be in plaintext during the SSL handshake, leaving no way for a DPI system to perform such validation. Curious to know if the firewall will drop it or let it go through.

GovernmentPlates commented 6 years ago

@alimakki I'll try out the OpenVPN profiles over port 443 (although, I do believe you that they will not work) first. If not, I will try using the tls-crypt function within OpenVPN.

GovernmentPlates commented 6 years ago

Hi @alimakki

Just to let you know, I have tried using the OpenVPN profiles over port 443, and to no surprise, they did not work.

Could you please elaborate on setting up and using tls-crypt?

alimakki commented 6 years ago

Hi @dintendocoltd,

First, you'll want to ssh into your server (`ssh root@your-ip-address`), then switch to the openvpn directory (`cd /etc/openvpn`).

Take a backup of your existing server config: `cp server.conf server.conf.bkp`.

Next you'll want to edit your existing `server.conf` file to enable tls-crypt support; you can easily replace it wholesale with this:

```
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
proto tcp
port 636
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh /etc/ssl/dhparams.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"

# Fix for the Windows 10 DNS leak described here:
# https://community.openvpn.net/openvpn/ticket/605
push block-outside-dns

client-to-client
remote-cert-tls client

# Allow multiple clients with the same common name to concurrently connect.
# In the absence of this option, OpenVPN will disconnect a client instance
# upon connection of a new client having the same common name.
# duplicate-cn

keepalive 1800 3600
tls-crypt ta.key # This file is secret
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
compress lzo
user nobody
group nogroup
persist-key
persist-tun
verb 0
```

Once done, you'll want to restart your OpenVPN service to pick up the changes: `systemctl restart openvpn`

Next, you'll want to grab one of your client configs. As the client names are randomly generated, I'll be using one as an example from here on out. On a test server that I generated, this is what my generated OpenVPN configurations look like:

```
/etc/openvpn# ls -l | sort
drw------- 2 root root 4096 Mar  5 19:13 fury-hawk
drw------- 2 root root 4096 Mar  5 19:13 paper-furnace
drw------- 2 root root 4096 Mar  5 19:13 resemble-trick
drw------- 2 root root 4096 Mar  5 19:14 biology-glimpse
drw------- 2 root root 4096 Mar  5 19:14 fox-issue
-rw------- 1 root root    0 Mar  5 19:08 index.txt.old
-rw------- 1 root root  129 Mar  5 19:09 index.txt
-rw------- 1 root root 1301 Mar  1 07:06 update-resolv-conf
-rw------- 1 root root 1801 Mar  5 19:09 server.csr
-rw------- 1 root root 2047 Mar  5 19:08 openssl.cnf
-rw------- 1 root root 2106 Mar  5 19:08 ca.crt
-rw------- 1 root root   21 Mar  5 19:09 index.txt.attr
-rw------- 1 root root   23 Mar  5 19:08 openvpn_server_common_name
-rw------- 1 root root    2 Mar  5 19:08 serial.old
-rw------- 1 root root 3243 Mar  5 19:08 ca.key
-rw------- 1 root root 3243 Mar  5 19:08 server.key
-rw------- 1 root root    3 Mar  5 19:09 serial
-rw------- 1 root root  636 Mar  5 19:10 ta.key
-rw------- 1 root root 8124 Mar  5 19:09 01.pem
-rw------- 1 root root 8124 Mar  5 19:09 server.crt
-rw-r--r-- 1 root root   17 Mar  5 19:10 ca.srl
-rw-r--r-- 1 root root  862 Mar  5 19:13 server.conf
-rw-r--r-- 1 root root  863 Mar  5 19:13 server-udp.conf
```

One of my generated client names is fury-hawk, so let's use that as an example. Enter its directory (`cd fury-hawk`) and, again, take a backup of the sslh type profile: `cp your-ip-address-sslh.ovpn your-ip-address-sslh.ovpn.bkp`.

Next you'll want to edit the file. You should see a line with the directive `key-direction 1`; delete it.

Finally, at the tail end of the file, you'll want to change your static key block to `tls-crypt`, for example:

```
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ksjdfljadkljsldkfjaklsdjflkasdflkjadklfja
-----END OpenVPN Static key V1-----
</tls-crypt>
```

Note that this change will enable tls-crypt for only one of your client profiles, and only for tcp type connections (other tcp profiles will no longer work unless the same changes are made to each one); udp profiles will remain unaffected.

Let me know if you need more clarification.
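The client-side edit described in the comment above (drop `key-direction`, rename the `<tls-auth>` block to `<tls-crypt>`) as a small shell script, with a check that the result is well formed. This is an added example, not Streisand's own code; the profile it converts is constructed sample input with a dummy key, and the `192.0.2.10` address is a placeholder.

```shell
#!/bin/sh
# Convert one OpenVPN client profile from tls-auth to tls-crypt:
#   1. delete the "key-direction 1" line (tls-crypt has no key direction)
#   2. rename <tls-auth>...</tls-auth> to <tls-crypt>...</tls-crypt>
# The server must already carry the matching "tls-crypt ta.key" directive.
convert_profile() {
    # $1 = source .ovpn, $2 = destination .ovpn
    cp "$1" "$1.bkp"                      # keep a backup of the original
    sed -e '/^key-direction[[:space:]]/d' \
        -e 's#^<tls-auth>$#<tls-crypt>#' \
        -e 's#^</tls-auth>$#</tls-crypt>#' "$1" > "$2"
}

# Sanity check: no key-direction line, no tls-auth left over, and exactly
# one opening and one closing <tls-crypt> tag. Returns 0 when it passes.
check_profile() {
    ! grep -q '^key-direction' "$1" &&
    ! grep -q 'tls-auth' "$1" &&
    [ "$(grep -c '^<tls-crypt>$' "$1")" -eq 1 ] &&
    [ "$(grep -c '^</tls-crypt>$' "$1")" -eq 1 ]
}

# Constructed sample profile (not a real key, placeholder server address).
WORK=$(mktemp -d)
SAMPLE="$WORK/your-ip-address-sslh.ovpn"
cat > "$SAMPLE" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 443
remote-cert-tls server
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

convert_profile "$SAMPLE" "$WORK/converted.ovpn"
check_profile "$WORK/converted.ovpn" && echo "profile converted OK"
```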

alimakki commented 6 years ago

@dintendocoltd have you had any success with the issue you were facing?

dimzon commented 6 years ago

FYI, it's possible to share the same port between OpenConnect and Nginx/Apache: https://github.com/openconnect/recipes/blob/master/ocserv-multihost.md

This means you can serve on the same port: 1) SSH 2) Nginx SSL 3) OpenConnect 4) OpenVPN

alimakki commented 6 years ago

@dimzon Thanks for the link. I've gone over them, and they all seem to proxy based on SNI, which would require a valid domain and SSL certificates for the VPNs, which Streisand does not currently do. In the meantime, I don't think this is a solution that will work for us, unfortunately.

dimzon commented 6 years ago

Let's encrypt?

Wed, 2 May 2018, 16:10 Ali Makki notifications@github.com: