Re: [Openvpn-users] OpenVPN on port 443
On 27.01.24 19:27, Peter Davis wrote:
> On Thursday, January 25th, 2024 at 1:25 AM, Jochen Bern wrote:
>> Also, don't forget to configure the VPN server with --port-share, in
>> case one of the nation-level censors you're trying to fool gets the idea
>> of looking at your "interesting website" himself ...
>
> Can you tell me more about the --port-share?

Not really much beyond what the OpenVPN Reference Manual says, sorry.

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#server-options

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN on port 443
On Thursday, January 25th, 2024 at 1:25 AM, Jochen Bern wrote:
> On 24.01.24 13:31, Hans via Openvpn-users wrote:
>> From: "Gert Doering" <g...@greenie.muc.de>
>> Date: Wednesday, 24 January 2024 at 13:03:30
>>
>>> On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
>>>> How can I make OpenVPN look like an HTTPS connection?
>>>
>>> You can't. OpenVPN is not https, so even if you use tcp/443, on a close
>>> enough look it will be clear "this is not HTTPS".
>>
>> How about using stunnel instead?
>
> stunnel may be able to wrap your (TCP) traffic into TLS, whose
> unencrypted parts may look more or less like the TLS interwoven into
> HTTPS, but it still won't make your hours-long single-server VPN
> connection with keepalives and key renegs in regular intervals and
> carrying an SSH login with its single-keystroke upstream packets look
> like you browsed a couple websites.
>
> Also, don't forget to configure the VPN server with --port-share, in
> case one of the nation-level censors you're trying to fool gets the idea
> of looking at your "interesting website" himself ...
>
> Kind regards,
> -- 
> Jochen Bern
> Systemingenieur
>
> Binect GmbH

Hi,

Can you tell me more about the --port-share?
Re: [Openvpn-users] OpenVPN on port 443
On Wednesday, January 24th, 2024 at 3:38 PM, Marc SCHAEFER wrote:
> Hello,
>
> On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote:
>> I am testing this scenario in a virtual environment before moving it to the
>> real world.
>
> So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12,
> 192.168.0.0/16), or possibly some other reserved addresses [1].
>
> Do not use public addresses unless you own them.
>
>> How can I make OpenVPN look like an HTTPS connection?
>
> Do you mean to obfuscate OpenVPN traffic so that an attacker thinks it is
> legit web traffic?
>
> I don't think OpenVPN does that: but you can run OpenVPN over TCP over tor,
> and use all obfuscation methods that tor supports (obfs4, maybe even
> snowflake), some of them look like HTTPS.
>
> PS: please quote correctly (removing non pertaining text).
>
> [1] https://en.wikipedia.org/wiki/Private_network

Hello,

Thank you so much.

1- So my problem is the IP address range?

2- Yes. Can you tell me how to obfuscate OpenVPN through Tor?
Re: [Openvpn-users] OpenVPN on port 443
On 24.01.24 13:31, Hans via Openvpn-users wrote:
> From: "Gert Doering" <g...@greenie.muc.de>
> Date: Wednesday, 24 January 2024 at 13:03:30
>
>> On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
>>> How can I make OpenVPN look like an HTTPS connection?
>>
>> You can't. OpenVPN is not https, so even if you use tcp/443, on a close
>> enough look it will be clear "this is not HTTPS".
>
> How about using stunnel instead?

stunnel may be able to wrap your (TCP) traffic into TLS, whose
unencrypted parts may look more or less like the TLS interwoven into
HTTPS, but it still won't make your hours-long single-server VPN
connection with keepalives and key renegs in regular intervals and
carrying an SSH login with its single-keystroke upstream packets look
like you browsed a couple websites.

Also, don't forget to configure the VPN server with --port-share, in
case one of the nation-level censors you're trying to fool gets the idea
of looking at your "interesting website" himself ...

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
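The first-bytes check behind the two points above (Gert's "on a close enough look it will be clear this is not HTTPS" and Jochen's --port-share advice), as an added example that is not part of the thread and is not OpenVPN's own code. It re-implements in Python the is_openvpn_protocol() heuristic that the OpenVPN 2.x port-share code applies to a new TCP connection: an OpenVPN-over-TCP stream starts with a 2-byte length prefix followed by a P_CONTROL_HARD_RESET_CLIENT opcode byte, whereas HTTPS starts with a TLS handshake record (0x16 0x03 0x0x). The same three bytes that let the server decide "mine or hand it to the --port-share target" let a censor decide "OpenVPN or not". The sample packets are constructed here, not captured, and the opcode constants are taken from the OpenVPN protocol definitions:

```python
"""Classify the first bytes of a TCP stream on tcp/443 the way OpenVPN's
--port-share demultiplexer does. Added example, not OpenVPN source."""
import struct

# OpenVPN control-channel opcodes live in the top 5 bits of the first byte of
# each packet; the low 3 bits are the key id, which is 0 on the initial reset.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # classic client "hello" (tls-auth / tls-crypt)
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 client "hello"
# Smallest plausible first packet: opcode(1) + session id(8) + ack count(1) + packet id(4)
OPENVPN_MIN_FIRST_PACKET = 14


def is_openvpn_protocol(data: bytes) -> bool:
    """Does this stream start like an OpenVPN client over TCP?

    OpenVPN-over-TCP prefixes every packet with a 2-byte big-endian length.
    The server needs only the length prefix and the opcode byte to decide;
    everything else on the listener is proxied to the --port-share target.
    (The real server keeps waiting while it has fewer than 3 bytes; this
    version is strict and says "not OpenVPN" until it has seen them.)
    """
    if len(data) < 3:
        return False
    if data[0] != 0 or data[1] < OPENVPN_MIN_FIRST_PACKET:
        return False                       # length prefix must be 14..255
    return data[2] in (
        P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,   # 0x38
        P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,   # 0x50
    )


def is_tls_client_hello(data: bytes) -> bool:
    """Does this look like the start of a TLS handshake, i.e. what HTTPS begins with?"""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = struct.unpack(">H", data[3:5])[0]
    return (content_type == 0x16 and major == 3 and minor in (1, 2, 3)
            and record_len >= 4 and data[5] == 0x01)      # handshake type ClientHello


def classify(data: bytes) -> str:
    """'openvpn', 'tls' or 'other' for the first bytes of a stream."""
    if is_openvpn_protocol(data):
        return "openvpn"
    if is_tls_client_hello(data):
        return "tls"
    return "other"


def port_share_route(data: bytes) -> str:
    """What a --port-share server does with the connection: keep it or proxy it."""
    return "openvpn" if is_openvpn_protocol(data) else "proxy"


def build_openvpn_client_reset(session_id: bytes, v3: bool = False) -> bytes:
    """Constructed sample of a client's first packet. No tls-auth/tls-crypt
    HMAC is included; with those options an HMAC follows the session id, but
    the opcode and session id are in the clear either way."""
    assert len(session_id) == 8
    opcode = P_CONTROL_HARD_RESET_CLIENT_V3 if v3 else P_CONTROL_HARD_RESET_CLIENT_V2
    body = bytes([opcode << P_OPCODE_SHIFT]) + session_id + b"\x00" + struct.pack(">I", 0)
    return struct.pack(">H", len(body)) + body


def build_tls_client_hello() -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record with one cipher suite."""
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00")         # one cipher suite, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


SAMPLE_HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"   # constructed plain HTTP

if __name__ == "__main__":
    for name, sample in [("openvpn v2", build_openvpn_client_reset(b"\x42" * 8)),
                         ("openvpn v3", build_openvpn_client_reset(b"\x42" * 8, v3=True)),
                         ("tls", build_tls_client_hello()),
                         ("http", SAMPLE_HTTP_GET)]:
        print(f"{name:11s} {sample[:6].hex():14s} -> {classify(sample):8s}"
              f"  port-share: {port_share_route(sample)}")
```

Two things to take from running it: the OpenVPN samples are identified from bytes 0..2 alone (0x00 0x0e 0x38), so a middlebox needs no deep packet inspection to tell them from a ClientHello; and anything that is not OpenVPN, TLS or otherwise, is what --port-share forwards to the target given in the config (127.0.0.1 4443 in the original post), so the "interesting website" must actually be served there for the cover to hold up.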
Re: [Openvpn-users] OpenVPN on port 443
How about using stunnel instead?

From: "Gert Doering" <g...@greenie.muc.de>
Date: Wednesday, 24 January 2024 at 13:03:30
To: "Peter Davis" <peter.davis1...@proton.me>
Cc: "openvpn-users@lists.sourceforge.net" <openvpn-users@lists.sourceforge.net>
Subject: Re: [Openvpn-users] OpenVPN on port 443

Hi,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
> How can I make OpenVPN look like an HTTPS connection?

You can't. OpenVPN is not https, so even if you use tcp/443, on a close
enough look it will be clear "this is not HTTPS".

gert
-- 
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
Re: [Openvpn-users] OpenVPN on port 443
Hello,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis wrote:
> I am testing this scenario in a virtual environment before moving it to the
> real world.

So, use subnets within private address ranges (10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16), or possibly some other reserved addresses [1].

Do not use public addresses unless you own them.

> How can I make OpenVPN look like an HTTPS connection?

Do you mean to obfuscate OpenVPN traffic so that an attacker thinks it is
legit web traffic?

I don't think OpenVPN does that: but you can run OpenVPN over TCP over tor,
and use all obfuscation methods that tor supports (obfs4, maybe even
snowflake), some of them look like HTTPS.

PS: please quote correctly (removing non pertaining text).

[1] https://en.wikipedia.org/wiki/Private_network
Re: [Openvpn-users] OpenVPN on port 443
Hi,

On Wed, Jan 24, 2024 at 11:49:43AM +, Peter Davis via Openvpn-users wrote:
> How can I make OpenVPN look like an HTTPS connection?

You can't. OpenVPN is not https, so even if you use tcp/443, on a close
enough look it will be clear "this is not HTTPS".

gert
-- 
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] OpenVPN on port 443
On Wednesday, January 24th, 2024 at 11:18 AM, Marc SCHAEFER wrote:
> Hello,
>
> On Wed, Jan 24, 2024 at 06:14:22AM +, Peter Davis via Openvpn-users wrote:
>> 1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0".
>> What is the difference between IP range 10.X and 20.X?
>
> 10.0.0.0/8 is a private range, that you can use as you please for private
> networks, including 10.0.0.0/24.
> 20.20.0.0/24 is:
>
> schaefer@reliant:~$ whois 20.20.0.0
>
> NetRange:       20.0.0.0 - 20.31.255.255
> CIDR:           20.0.0.0/11
> NetName:        MSFT
> NetHandle:      NET-20-0-0-0-1
> Parent:         NET20 (NET-20-0-0-0-0)
> NetType:        Direct Allocation
> OriginAS:
> Organization:   Microsoft Corporation (MSFT)
> RegDate:        2017-10-18
> Updated:        2021-12-14
> Ref:            https://rdap.arin.net/registry/ip/20.0.0.0
>
> OrgName:        Microsoft Corporation
> OrgId:          MSFT
> Address:        One Microsoft Way
> [ ... ]
>
> This will work, as long as you have a NAT between those addresses and
> Internet, and obviously you won't be able to contact any of those Microsoft
> IPs anymore,
>
> In short: bad idea. Use private ranges only (or any public range that you
> own).
>
>> 2- But this is a remote server, not an internal server, and I want to
>> connect to this server through OpenVPN, but my connection looks like HTTPS.
>
> Parse error.

Hello,

Thanks.

I am testing this scenario in a virtual environment before moving it to the
real world. For this reason, my server has two NICs. One that is directly
connected to the Internet (enp0s3) and the other to the internal network
(enp0s8). What is the problem?

How can I make OpenVPN look like an HTTPS connection?
Re: [Openvpn-users] OpenVPN on port 443
On 24.01.24 08:48, Marc SCHAEFER wrote:
> and obviously you won't be able to contact any of those Microsoft IPs
> anymore,

Considering all the times Peter mentioned that "evade [nation-level]
censors" is among his objectives, blackholing the clients' connections to
Microsoft (auto)update servers while they're deep-diving might well be the
*idea*. :-3

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
Re: [Openvpn-users] OpenVPN on port 443
Hello,

On Wed, Jan 24, 2024 at 06:14:22AM +, Peter Davis via Openvpn-users wrote:
> 1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0".
> What is the difference between IP range 10.X and 20.X?

10.0.0.0/8 is a private range, that you can use as you please for private
networks, including 10.0.0.0/24.

20.20.0.0/24 is:

schaefer@reliant:~$ whois 20.20.0.0

NetRange:       20.0.0.0 - 20.31.255.255
CIDR:           20.0.0.0/11
NetName:        MSFT
NetHandle:      NET-20-0-0-0-1
Parent:         NET20 (NET-20-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2017-10-18
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/20.0.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
[ ... ]

This will work, as long as you have a NAT between those addresses and
Internet, and obviously you won't be able to contact any of those Microsoft
IPs anymore,

In short: bad idea. Use private ranges only (or any public range that you
own).

> 2- But this is a remote server, not an internal server, and I want to connect
> to this server through OpenVPN, but my connection looks like HTTPS.

Parse error.
Re: [Openvpn-users] OpenVPN on port 443
On Tuesday, January 23rd, 2024 at 4:37 PM, Jakob Curdes wrote:
> On 23.01.2024 at 13:32, Peter Davis via Openvpn-users wrote:
>> Hello,
>> I want to use OpenVPN and HTTPS. I found the following article:
>> (...)
>>
>> server 20.20.0.0 255.255.255.0
>
> First of all, from where did you take that IP network? This is not a
> private network range as far as I know.
> When you use a public network range, many things will not work at all or
> not work reliably. You need to use a private IP network (192.168.,
> 172.17, 10.x) for your internal networks.
>
> Hope this helps, JC

Hi,

Thank you so much for your reply.

1- I don't understand what you mean about "server 20.20.0.0 255.255.255.0".
What is the difference between IP range 10.X and 20.X?

2- But this is a remote server, not an internal server, and I want to connect
to this server through OpenVPN, but my connection looks like HTTPS.
Re: [Openvpn-users] OpenVPN on port 443
On 23.01.2024 at 13:32, Peter Davis via Openvpn-users wrote:
> Hello,
> I want to use OpenVPN and HTTPS. I found the following article:
> (...)
>
> server 20.20.0.0 255.255.255.0

First of all, from where did you take that IP network? This is not a
private network range as far as I know.
When you use a public network range, many things will not work at all or
not work reliably. You need to use a private IP network (192.168.,
172.17, 10.x) for your internal networks.

Hope this helps, JC
[Openvpn-users] OpenVPN on port 443
Hello,

I want to use OpenVPN and HTTPS. I found the following article:

https://snikt.net/blog/2016/12/01/how-not-to-hide-openvpn-behind-https/ssl/

My server has two NICs:

enp0s3 (NAT)
enp0s8 (Local)

My OpenVPN server.conf is as below:

port 443
proto tcp
dev tun1
local 0.0.0.0
port-share 127.0.0.1 4443
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Employee_Server.crt
key /etc/openvpn/server/Employee_Server.key
dh /etc/openvpn/server/dh.pem
server 20.20.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"
topology subnet
keepalive 10 120
tls-crypt /etc/openvpn/server/ta.key 0
cipher AES-256-GCM
data-ciphers AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
client-to-client
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

My Client.conf is:

client
dev tun1
proto tcp
remote 192.168.1.20 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM
cipher AES-256-GCM
verb 3

The firewall rules are:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun1
# YOUR_OPENVPN_SUBNET=20.20.0.0/16
# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

I connected to the OpenVPN server and it showed me the following error message:

Tue Jan 23 14:30:17 2024 NOTE: unable to redirect IPv4 default gateway -- Cannot read current default gateway from system
Tue Jan 23 14:30:17 2024 Initialization Sequence Completed
Tue Jan 23 14:30:17 2024 MANAGEMENT: >STATE:1706007617,CONNECTED,ROUTE_ERROR,20.20.0.2,192.168.1.20,443,192.168.1.21,1064
Tue Jan 23 14:30:14 2024 ERROR: Some routes were not successfully added. The connection may not function correctly

When I want to visit Google.com, then it shows me:

google.com's DNS address could not be found. Diagnosing the problem.

I installed and configured the Dnsmasq on OpenVPN server and added the following iptables rules:

# iptables -A FORWARD -i enp0s8 -o enp0s3 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT
# iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE

After it I added the following line to Server.conf file:

push "dhcp-option DNS 192.168.1.20"

But I still can't go to the Internet! How do I troubleshoot?

Thank you.
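A small lint for the server.conf and firewall variables posted above, as an added example that is not part of the thread and not an OpenVPN tool. It checks the two things the replies pick on: the 'server' pool must be a private (RFC 1918 or otherwise reserved) range rather than a public one like 20.20.0.0/24, and the subnet the iptables rules match on should be the same prefix as the pool (the post uses a /24 pool and a /16 in YOUR_OPENVPN_SUBNET). It also flags a port-share target that would point back at the listener itself, a footgun not present in the post. The embedded config is copied from the post; the checks and their wording are this example's own:

```python
"""Lint an OpenVPN server.conf for the mistakes discussed in the thread.
Added example; the checks are illustrative, not an official validator."""
import ipaddress
import re
from typing import Dict, List

# Copied from the original post (only the directives the lint looks at matter).
SERVER_CONF = """
port 443
proto tcp
dev tun1
local 0.0.0.0
port-share 127.0.0.1 4443
server 20.20.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"
topology subnet
tls-crypt /etc/openvpn/server/ta.key 0
"""
FIREWALL_SUBNET = "20.20.0.0/16"   # YOUR_OPENVPN_SUBNET from the posted iptables rules


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.
    Comments (# or ;) and blank lines are skipped; a double-quoted argument
    such as "dhcp-option DNS 1.1.1.1" is kept as one token."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        conf.setdefault(parts[0], []).append([p.strip('"') for p in parts[1:]])
    return conf


def server_pool(conf: Dict[str, List[List[str]]]) -> ipaddress.IPv4Network:
    """The address pool handed to clients: 'server NETWORK NETMASK'."""
    net, mask = conf["server"][0][:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def lint(conf_text: str, firewall_subnet: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_openvpn_conf(conf_text)
    findings: List[str] = []
    if "server" not in conf:
        return ["no 'server' directive: this is not a server config"]

    # 1. The pool must be a private/reserved range. A public prefix works behind
    #    NAT but blackholes the real owner's addresses for every client.
    pool = server_pool(conf)
    if not pool.is_private:
        findings.append(f"server pool {pool} is a public range, not RFC 1918/reserved; "
                        f"clients will no longer reach the real owner of {pool}")

    # 2. The FORWARD/MASQUERADE rules should match exactly the pool, not a
    #    wider or unrelated prefix.
    fw = ipaddress.ip_network(firewall_subnet, strict=False)
    if fw != pool:
        if pool.subnet_of(fw):
            findings.append(f"iptables subnet {fw} is wider than the VPN pool {pool}; "
                            "use the same prefix in both")
        else:
            findings.append(f"iptables subnet {fw} does not match the VPN pool {pool}; "
                            "forwarding and NAT rules will not apply to VPN clients")

    # 3. port-share must not proxy non-OpenVPN traffic back to the listener.
    if "port-share" in conf and "port" in conf:
        ps_host, ps_port = conf["port-share"][0][:2]
        if ps_port == conf["port"][0][0] and ps_host in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"port-share target {ps_host}:{ps_port} is the OpenVPN listener itself")
    return findings


if __name__ == "__main__":
    for f in lint(SERVER_CONF, FIREWALL_SUBNET):
        print("-", f)
```

Against the posted configuration the lint reports the public 20.20.0.0/24 pool and the /16 vs /24 mismatch; swapping in `server 10.8.0.0 255.255.255.0` and `YOUR_OPENVPN_SUBNET=10.8.0.0/24` clears both. It says nothing about the "Cannot read current default gateway" and DNS symptoms from the post, which are client-side routing and resolver state rather than anything visible in the server config.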