Re: [Openvpn-users] OpenVPN architecture
Thank you, I appreciate the detailed response. -Original Message- From: Gert Doering To: Leroy Tennison Cc: openvpn-users Sent: Wed, Apr 29, 2020 11:53 am Subject: Re: [Openvpn-users] OpenVPN architecture Hi, On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users wrote: > I've seen a couple of replies to this but no direct answer to my question, > sounds like OpenVPN works similar to https, correct? Sort of. It's a bit more complicated, but it boils down to "TLS runs, authenticates by asymmetric cipher, uses DH to build key for symmetric cipher for the control channel, uses key material derived from that to build symmetric cipher for the data channel" gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
Hi, On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users wrote: > I've seen a couple of replies to this but no direct answer to my question, > sounds like OpenVPN works similar to https, correct? Sort of. It's a bit more complicated, but it boils down to "TLS runs, authenticates by asymmetric cipher, uses DH to build key for symmetric cipher for the control channel, uses key material derived from that to build symmetric cipher for the data channel" gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
I've seen a couple of replies to this but no direct answer to my question, sounds like OpenVPN works similar to https, correct? -Original Message- From: Leroy Tennison via Openvpn-users To: openvpn-users Sent: Tue, Apr 28, 2020 5:28 pm Subject: [Openvpn-users] OpenVPN architecture Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used to encrypt and transmit a symmetric key which is then used for all future communication?___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
On Wed, Apr 29, 2020 at 09:37:06AM +0200, Gert Doering wrote: > > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) > > Of course :-) > > (it always had, in TLS mode. Not in p2p --secret mode, but that is > deprecated - no PFS is one of the reasons) Nice! Thanks Gert. signature.asc Description: Digital signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
Hi, On Wed, Apr 29, 2020 at 08:57:07AM +0200, Marc SCHAEFER wrote: > On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users > wrote: > > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is > > used to encrypt and transmit a symmetric key which is then used for all > > future communication? > > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) Of course :-) (it always had, in TLS mode. Not in p2p --secret mode, but that is deprecated - no PFS is one of the reasons) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture
On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users wrote: > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used > to encrypt and transmit a symmetric key which is then used for all future > communication? HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :)) [1] https://en.wikipedia.org/wiki/Forward_secrecy if the private key is stolen, decryption of key exchange protocols will not give the key, e.g. PKI authenticated Diffie-Hellman ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] OpenVPN architecture
Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used to encrypt and transmit a symmetric key which is then used for all future communication?___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture questions
On Mon, Nov 30, 2015 at 9:54 AM, Jason Haarwrote: > On 29/11/15 22:56, Steffan Karger wrote: >> OpenVPN makes a distinction between control traffic (key/config >> exchange, etc) and data traffic (actual vpn network packets). For >> control packets, OpenVPN has a reliability layer that ACKs packets, >> retransmits, etc. For data packets, OpenVPN does not do any of that. >> (But, when you're using TCP mode, TCP does that, ofc.) > ...Then why does it work so well over UDP? > > I almost exclusively use openvpn over UDP and I would have thought the > lack of error checking on the data channel would hurt, so why doesn't it? > > eg, if there's no UDP error checking built into openvpn, then shouldn't > DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the > Internet generally so reliable that it doesn't matter? (eg 1% packet > loss on Internet leads to 1% packet loss inside openvpn tunnel?) You're tunnelling IP over UDP. IP assumes no reliable transport. Either you run a protocol over IP that provides the reliability (e.g. TCP), or you design your application such that it does not assume reliable transport (e.g. DNS). DNS over UDP-OpenVPN over Internet will experience (almost) the same packet loss, out-of-order transmissions and whatnot behaviour as UDP-over-Internet on the same route would. Because the assumptions IP makes on the underlying transport are similar to the behaviour of UDP tunnelling, UDP tunnelling generally works well. TCP tunnelling however can cause problems with TCP-over-TCP, because the two layers of reliability features can cause strange interactions. So yes, 1% packet loss on the underlying transport will cause 1% packet loss on your UDP-OpenVPN tunnel. And that's (generally) a good thing ;) -Steffan (Disclaimer: I'm really not a networking expert, so I might not use the correct terms, be imprecise or even incorrect. Please correct me if that is the case.) -- Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551=/4140 ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture questions
Hi Leroy, On Mon, Nov 30, 2015 at 5:21 AM, Leroy Tennisonwrote: > Thank you for your reply, I appreciate it (and the technical > distinctions concerning reliability). Do you have a pointer to a source > for additional information about what is retained in OpenVPN's "state"? > I don't mind doing the reading if I just knew where to look (even a > well-labeled C struct would be fine, I just don't know how extensive the > source code is). I'm afraid there isn't a clear piece of documentation describing the internal state. However, 'struct context' in openvpn.h should give you a good starting point when you start digging in the code: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openvpn.h#L508 What we do have, and what might help you, is looking at the generated doxygen documentation. Either run 'doxygen doc/doxygen/openvpn.doxyfile' from the source root, or look at the doxygen I regularly generate for git-master: https://delft.syzzer.nl/openvpn-doxygen/ (no guarantees on this one, if it breaks it might take me a while to notice and/or fix). -Steffan -- Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551=/4140 ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture questions
On 29/11/15 22:56, Steffan Karger wrote: > OpenVPN makes a distinction between control traffic (key/config > exchange, etc) and data traffic (actual vpn network packets). For > control packets, OpenVPN has a reliability layer that ACKs packets, > retransmits, etc. For data packets, OpenVPN does not do any of that. > (But, when you're using TCP mode, TCP does that, ofc.) ...Then why does it work so well over UDP? I almost exclusively use openvpn over UDP and I would have thought the lack of error checking on the data channel would hurt, so why doesn't it? eg, if there's no UDP error checking built into openvpn, then shouldn't DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the Internet generally so reliable that it doesn't matter? (eg 1% packet loss on Internet leads to 1% packet loss inside openvpn tunnel?) -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551=/4140 ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN architecture questions
Thank you for your reply, I appreciate it (and the technical distinctions concerning reliability). Do you have a pointer to a source for additional information about what is retained in OpenVPN's "state"? I don't mind doing the reading if I just knew where to look (even a well-labeled C struct would be fine, I just don't know how extensive the source code is). On 11/29/2015 03:56 AM, Steffan Karger wrote: > Hi, > > On Sun, Nov 29, 2015 at 6:26 AM, Leroy Tennison >wrote: >> If I'm correctly reading into how OpenVPN works the server is in some >> sense stateful in that it has to remember the association of the >> original source address of a client with the client's VPN address in >> order to route a reply packet back to it. Are there other things it >> remembers about the connection? > Yes, a lot more. Like the keys to encrypt your traffic with, or > OpenVPN's own 'session id'. > >> Second question, when using UDP as the protocol, what handles the >> reliability function? Do the VPN server and client track packet >> transmission and receipt by whatever means or do they simply >> transmit/receive packets and let the embedded protocol handle reliability? > OpenVPN makes a distinction between control traffic (key/config > exchange, etc) and data traffic (actual vpn network packets). For > control packets, OpenVPN has a reliability layer that ACKs packets, > retransmits, etc. For data packets, OpenVPN does not do any of that. > (But, when you're using TCP mode, TCP does that, ofc.) > > -Steffan > -- Go from Idea to Many App Stores Faster with Intel(R) XDK Give your users amazing mobile app experiences with Intel(R) XDK. Use one codebase in this all-in-one HTML5 development environment. Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. http://pubads.g.doubleclick.net/gampad/clk?id=254741551=/4140 ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] OpenVPN architecture questions
If I'm correctly reading into how OpenVPN works the server is in some sense stateful in that it has to remember the association of the original source address of a client with the client's VPN address in order to route a reply packet back to it. Are there other things it remembers about the connection? Second question, when using UDP as the protocol, what handles the reliability function? Do the VPN server and client track packet transmission and receipt by whatever means or do they simply transmit/receive packets and let the embedded protocol handle reliability? -- ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users