Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Leroy Tennison via Openvpn-users
Thank you, I appreciate the detailed response.


-Original Message-
From: Gert Doering 
To: Leroy Tennison 
Cc: openvpn-users 
Sent: Wed, Apr 29, 2020 11:53 am
Subject: Re: [Openvpn-users] OpenVPN architecture

Hi,

On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users 
wrote:
> I've seen a couple of replies to this but no direct answer to my question, 
> sounds like OpenVPN works similar to https, correct?

Sort of.  It's a bit more complicated, but it boils down to "TLS runs,
authenticates by asymmetric cipher, uses DH to build key for symmetric 
cipher for the control channel, uses key material derived from that to build
symmetric cipher for the data channel"

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                            Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Gert Doering
Hi,

On Wed, Apr 29, 2020 at 04:47:56PM +, Leroy Tennison via Openvpn-users 
wrote:
> I've seen a couple of replies to this but no direct answer to my question, 
> sounds like OpenVPN works similar to https, correct?

Sort of.  It's a bit more complicated, but it boils down to "TLS runs,
authenticates by asymmetric cipher, uses DH to build key for symmetric 
cipher for the control channel, uses key material derived from that to build
symmetric cipher for the data channel"

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Leroy Tennison via Openvpn-users
I've seen a couple of replies to this but no direct answer to my question, 
sounds like OpenVPN works similar to https, correct?


-Original Message-
From: Leroy Tennison via Openvpn-users 
To: openvpn-users 
Sent: Tue, Apr 28, 2020 5:28 pm
Subject: [Openvpn-users] OpenVPN architecture

Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used to 
encrypt and transmit a symmetric key which is then used for all future 
communication?


Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Marc SCHAEFER
On Wed, Apr 29, 2020 at 09:37:06AM +0200, Gert Doering wrote:
> > HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))
> 
> Of course :-) 
> 
> (it always had, in TLS mode.  Not in p2p --secret mode, but that is
> deprecated - no PFS is one of the reasons)

Nice!

Thanks Gert.




Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Gert Doering
Hi,

On Wed, Apr 29, 2020 at 08:57:07AM +0200, Marc SCHAEFER wrote:
> On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users 
> wrote:
> > Is OpenVPN architecture similar to HTTPS where the certificate, etc. is 
> > used to encrypt and transmit a symmetric key which is then used for all 
> > future communication?
> 
> HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))

Of course :-) 

(it always had, in TLS mode.  Not in p2p --secret mode, but that is
deprecated - no PFS is one of the reasons)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] OpenVPN architecture

2020-04-29 Thread Marc SCHAEFER
On Tue, Apr 28, 2020 at 10:26:40PM +, Leroy Tennison via Openvpn-users 
wrote:
> Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used 
> to encrypt and transmit a symmetric key which is then used for all future 
> communication?

HTTPS also has PFS[1] now, does OpenVPN have PFS too ? :))

[1] https://en.wikipedia.org/wiki/Forward_secrecy
if the private key is stolen, decryption of key exchange protocols
will not give the key,  e.g. PKI authenticated Diffie-Hellman


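Gert's summary (TLS authenticates with asymmetric keys, DH builds the control-channel key, the data-channel keys are derived from that material) and Marc's footnote on PFS through PKI-authenticated Diffie-Hellman, modelled together in an added Go example that is not OpenVPN's own code: the long-term Ed25519 identities only sign fresh X25519 public keys, so every derived key depends solely on the ephemeral secret and a stolen identity key cannot recover past sessions. The HKDF-style labels, the two-level derivation and the signed-ephemeral-key exchange are assumptions chosen for illustration, not OpenVPN's actual key-derivation function or control-channel format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Session: what one endpoint holds after a handshake (control key, data key per direction).
type Session struct{ Control, DataOut, DataIn []byte }

// expand derives a 32-byte labelled key from ikm (one block of HKDF-Expand, RFC 5869).
func expand(ikm []byte, label string) []byte {
	m := hmac.New(sha256.New, ikm)
	m.Write([]byte(label))
	m.Write([]byte{1})
	return m.Sum(nil)
}

// derive: DH secret -> control key -> data keys; long-term signing keys never enter it (PFS).
func derive(shared []byte, client bool) Session {
	ctl := expand(shared, "control channel")
	c2s, s2c := expand(ctl, "data client->server"), expand(ctl, "data server->client")
	if client {
		return Session{ctl, c2s, s2c}
	}
	return Session{ctl, s2c, c2s}
}

// handshake models PKI-authenticated ephemeral DH: each side signs a fresh X25519
// public key with its long-term Ed25519 identity and verifies the peer's signature.
func handshake(ltC, ltS ed25519.PrivateKey) (Session, Session, error) {
	ephC, errC := ecdh.X25519().GenerateKey(rand.Reader)
	ephS, errS := ecdh.X25519().GenerateKey(rand.Reader)
	if errC != nil || errS != nil {
		return Session{}, Session{}, errors.New("ephemeral key generation failed")
	}
	pubC, pubS := ephC.PublicKey().Bytes(), ephS.PublicKey().Bytes()
	sigC, sigS := ed25519.Sign(ltC, pubC), ed25519.Sign(ltS, pubS)
	if !ed25519.Verify(ltS.Public().(ed25519.PublicKey), pubS, sigS) ||
		!ed25519.Verify(ltC.Public().(ed25519.PublicKey), pubC, sigC) {
		return Session{}, Session{}, errors.New("peer authentication failed")
	}
	ssC, _ := ephC.ECDH(ephS.PublicKey()) // both sides compute the same secret
	ssS, _ := ephS.ECDH(ephC.PublicKey())
	return derive(ssC, true), derive(ssS, false), nil
}
```

Running handshake twice with the same identity keys yields unrelated session keys, which is the property the p2p --secret mode Gert mentions lacks: there the static key is the only secret, so its compromise exposes every session.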


[Openvpn-users] OpenVPN architecture

2020-04-28 Thread Leroy Tennison via Openvpn-users
Is OpenVPN architecture similar to HTTPS where the certificate, etc. is used to 
encrypt and transmit a symmetric key which is then used for all future 
communication?


Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Steffan Karger
On Mon, Nov 30, 2015 at 9:54 AM, Jason Haar  wrote:
> On 29/11/15 22:56, Steffan Karger wrote:
>> OpenVPN makes a distinction between control traffic (key/config
>> exchange, etc) and data traffic (actual vpn network packets).  For
>> control packets, OpenVPN has a reliability layer that ACKs packets,
>> retransmits, etc.  For data packets, OpenVPN does not do any of that.
>> (But, when you're using TCP mode, TCP does that, ofc.)
> ...Then why does it work so well over UDP?
>
> I almost exclusively use openvpn over UDP and I would have thought the
> lack of error checking on the data channel would hurt, so why doesn't it?
>
> eg, if there's no UDP error checking built into openvpn, then shouldn't
> DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
> Internet generally so reliable that it doesn't matter? (eg 1% packet
> loss on Internet leads to 1% packet loss inside openvpn tunnel?)

You're tunnelling IP over UDP.  IP assumes no reliable transport.
Either you run a protocol over IP that provides the reliability (e.g.
TCP), or you design your application such that it does not assume
reliable transport (e.g. DNS).  DNS over UDP-OpenVPN over Internet
will experience (almost) the same packet loss, out-of-order
transmissions and whatnot behaviour as UDP-over-Internet on the same
route would.

Because the assumptions IP makes on the underlying transport are
similar to the behaviour of UDP tunnelling, UDP tunnelling generally
works well.  TCP tunnelling however can cause problems with
TCP-over-TCP, because the two layers of reliability features can cause
strange interactions.

So yes, 1% packet loss on the underlying transport will cause 1%
packet loss on your UDP-OpenVPN tunnel. And that's (generally) a good
thing ;)

-Steffan

(Disclaimer: I'm really not a networking expert, so I might not use
the correct terms, be imprecise or even incorrect.  Please correct me
if that is the case.)

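Steffan's distinction above (a reliability layer with sequence numbers, ACKs and retransmits for control packets, nothing of the kind for data packets, so 1% loss on the path becomes 1% loss inside the tunnel) as an added Go simulation that is not OpenVPN's code. The independent-drop link model, the stop-and-wait retransmission and the retry limit of 5 are constructed assumptions for illustration.

```go
package main

import "math/rand"

// lossyLink is a constructed model of the Internet path: each packet, in either
// direction, is dropped independently with probability lossRate.
type lossyLink struct {
	rng      *rand.Rand
	lossRate float64
}

func (l *lossyLink) deliver() bool { return l.rng.Float64() >= l.lossRate }

// sendData models the data channel: each tunnelled IP packet is sent once, never retransmitted.
func sendData(link *lossyLink, n int) (delivered int) {
	for i := 0; i < n; i++ {
		if link.deliver() {
			delivered++
		}
	}
	return delivered
}

// sendControl models the control channel's reliability layer: every packet has a
// sequence number and is retransmitted until its ACK arrives (or retries run out).
func sendControl(link *lossyLink, n, maxRetries int) (delivered, transmissions int) {
	for seq := 0; seq < n; seq++ {
		arrived, acked := false, false
		for try := 0; try <= maxRetries && !acked; try++ {
			transmissions++
			if !link.deliver() {
				continue // packet lost: retransmit timer fires, send seq again
			}
			arrived = true         // receiver keeps seq; later duplicates are discarded
			acked = link.deliver() // the ACK itself can be lost on the way back
		}
		if arrived {
			delivered++
		}
	}
	return delivered, transmissions
}

// lossRates sends n packets over each channel on the same path and returns the loss each observes.
func lossRates(seed int64, lossRate float64, n int) (data, control float64) {
	link := &lossyLink{rng: rand.New(rand.NewSource(seed)), lossRate: lossRate}
	d := sendData(link, n)
	c, _ := sendControl(link, n, 5)
	return 1 - float64(d)/float64(n), 1 - float64(c)/float64(n)
}
```

With a 1% path, lossRates reports roughly 0.01 for the data channel and 0 for the control channel, at the cost of a few percent extra control transmissions.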


Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Steffan Karger
Hi Leroy,

On Mon, Nov 30, 2015 at 5:21 AM, Leroy Tennison
 wrote:
> Thank you for your reply, I appreciate it (and the technical
> distinctions concerning reliability).  Do you have a pointer to a source
> for additional information about what is retained in OpenVPN's "state"?
> I don't mind doing the reading if I just knew where to look (even a
> well-labeled C struct would be fine, I just don't know how extensive the
> source code is).

I'm afraid there isn't a clear piece of documentation describing the
internal state.  However, 'struct context' in openvpn.h should give
you a good starting point when you start digging in the code:
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openvpn.h#L508

What we do have, and what might help you, is looking at the generated
doxygen documentation.  Either run 'doxygen
doc/doxygen/openvpn.doxyfile' from the source root, or look at the
doxygen I regularly generate for git-master:
https://delft.syzzer.nl/openvpn-doxygen/  (no guarantees on this one,
if it breaks it might take me a while to notice and/or fix).

-Steffan



Re: [Openvpn-users] OpenVPN architecture questions

2015-11-30 Thread Jason Haar
On 29/11/15 22:56, Steffan Karger wrote:
> OpenVPN makes a distinction between control traffic (key/config
> exchange, etc) and data traffic (actual vpn network packets).  For
> control packets, OpenVPN has a reliability layer that ACKs packets,
> retransmits, etc.  For data packets, OpenVPN does not do any of that.
> (But, when you're using TCP mode, TCP does that, ofc.)
...Then why does it work so well over UDP?

I almost exclusively use openvpn over UDP and I would have thought the
lack of error checking on the data channel would hurt, so why doesn't it?

eg, if there's no UDP error checking built into openvpn, then shouldn't
DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
Internet generally so reliable that it doesn't matter? (eg 1% packet
loss on Internet leads to 1% packet loss inside openvpn tunnel?)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-users] OpenVPN architecture questions

2015-11-29 Thread Leroy Tennison
Thank you for your reply, I appreciate it (and the technical 
distinctions concerning reliability).  Do you have a pointer to a source 
for additional information about what is retained in OpenVPN's "state"?  
I don't mind doing the reading if I just knew where to look (even a 
well-labeled C struct would be fine, I just don't know how extensive the 
source code is).

On 11/29/2015 03:56 AM, Steffan Karger wrote:
> Hi,
>
> On Sun, Nov 29, 2015 at 6:26 AM, Leroy Tennison
>  wrote:
>> If I'm correctly reading into how OpenVPN works the server is in some
>> sense stateful in that it has to remember the association of the
>> original source address of a client with the client's VPN address in
>> order to route a reply packet back to it.  Are there other things it
>> remembers about the connection?
> Yes, a lot more.  Like the keys to encrypt your traffic with, or
> OpenVPN's own 'session id'.
>
>> Second question, when using UDP as the protocol, what handles the
>> reliability function?  Do the VPN server and client track packet
>> transmission and receipt by whatever means or do they simply
>> transmit/receive packets and let the embedded protocol handle reliability?
> OpenVPN makes a distinction between control traffic (key/config
> exchange, etc) and data traffic (actual vpn network packets).  For
> control packets, OpenVPN has a reliability layer that ACKs packets,
> retransmits, etc.  For data packets, OpenVPN does not do any of that.
> (But, when you're using TCP mode, TCP does that, ofc.)
>
> -Steffan
>




[Openvpn-users] OpenVPN architecture questions

2015-11-28 Thread Leroy Tennison
If I'm correctly reading into how OpenVPN works the server is in some 
sense stateful in that it has to remember the association of the 
original source address of a client with the client's VPN address in 
order to route a reply packet back to it.  Are there other things it 
remembers about the connection?

Second question, when using UDP as the protocol, what handles the 
reliability function?  Do the VPN server and client track packet 
transmission and receipt by whatever means or do they simply 
transmit/receive packets and let the embedded protocol handle reliability?
