OpenVPN Server with SSL Tunnel



  • I've currently got an OpenVPN server setup and running through an SSL tunnel created using the stunnel4 package on Ubuntu 14.04. If I'm connecting with a Windows Client everything works as expected. However, when I try to connect a Linux or Android client it appears everything works, but my clients are unable to browse the internet once connected to the server.

    Any thoughts on what could be causing this? The SSL tunnel is up and operational, and I can see data traversing the connection on the serverside logs whenever my client connects.

    It REALLY bothers me that this works so easily on Windows and I'm having so many problems with Linux. It's just not right...

    Any thoughts/help appreciated.



  • Sounds like a Split Tunneling issue.

    Perhaps Windows isn't obeying the OpenSSL settings to not allow it, but Linux/Android do?

    Just a thought.



  • OpenVPN itself is an SSL VPN. What is the point of double encryption?



  • Yeah, I'm with @JaredBusch, you have two SSL VPNs here. Why two VPNs? And why two of the same type? It's just two different mechanisms for setting up SSL.



  • 0_1459512545686_images.jpg



  • Just wait until he starts looking at HTTPS sites over it! It's SSLception!



  • The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

    So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.



  • LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?



  • Problem resolved! It was a missing route... Because of the order in which the Linux client establishes the new routes it loses it's ability to communicate with the VPN server once the connection is established. I just had to add a route telling it how to get to the OpenVPN server once the connection was established.

    route add -host <vpn-server-ip> gw <gw-as-defined-by-default-route>



  • @Dashrender said:

    LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?

    It's illegal to use a VPN to access legitimate services required to do business in China.

    It's legal for the Chinese government to inspect your network traffic and devices, and possibly (with relatively high probability) steal hardware prototype designs and code/software off of your devices.

    #moral-dilemma

    --edit--

    I've got people traveling in a few countries over the next week or so... My primary concern is confidentiality of the data that is being sent across the wire. As soon as their systems are back home and in the office they are getting blasted and physically inspected before being released back into the wild.



  • @RamblingBiped said:

    @Dashrender said:

    LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?

    It's illegal to use a VPN to access legitimate services required to do business in China.

    It's legal for the Chinese government to inspect your network traffic, and possibly (with relatively high probability) steal hardware prototype designs and code/software off of your devices.

    #moral-dilemma

    Not really a moral delemma it's actually pretty easy - don't do business in China, problem solved. If enough companies stand by their morals and refuse to do business under that type of control, they will either change or die.



  • We do business in China and have a very small office there. We have 2 Chinese nationals and an American. I was not aware of the VPN legalities so that is interesting.



  • How would you get around the VPN thing to let certain users access documents in the US from China?



  • Remote Desktop Gateway or SSH Jump box?



  • @wrx7m said:

    How would you get around the VPN thing to let certain users access documents in the US from China?

    Actually I have no idea what the laws of China actually are. I know journalist break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

    For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.



  • @RamblingBiped said:

    The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

    That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.



  • @RamblingBiped said:

    So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.

    Yes, no idea how they could identify it. OpenVPN, stunnel or any SSL tunnel are all the same thing. Literally the same thing. They are just management systems for the same SSL connector. They actually leverage the same library to do the actual VPN.



  • @wrx7m said:

    How would you get around the VPN thing to let certain users access documents in the US from China?

    You would turn off all security. That's why doing business in China isn't that great.



  • @dafyre said:

    Remote Desktop Gateway or SSH Jump box?

    Those use VPNs to be secured. SSH goes over an SSL VPN tunnel. RDS needs that too for security. All HTTPS sites are VPNs under the hood. We don't call them that, but they are and they violate Chinese Internet rules.



  • @Dashrender said:

    @wrx7m said:

    How would you get around the VPN thing to let certain users access documents in the US from China?

    Actually I have no idea what the laws of China actually are. I know journalist break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

    For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less you can't use SSL or VPN that they themselves don't have the keys to, otherwise you're breaking the law.

    Correct, you cannot use SSL whatsoever legally.



  • To be clear... you CAN use VPNs in China, there is paperwork for this. All encrypted traffic is illegal if you don't have permits for it.



  • @scottalanmiller said:

    @RamblingBiped said:

    The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

    That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

    I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/



  • @RamblingBiped said:

    @scottalanmiller said:

    @RamblingBiped said:

    The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

    That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

    I agree, and I have found articles like this one, that seem to think they can detect patterns in the traffic that identify it as being associated with a VPN connection: http://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/

    Yes, traffic patterns can certainly identify VPNs. However, that's based on the traffic inside the tunnel and not the VPN itself. And the real question is... what are they detecting? They know it is a VPN, they can see the SSL. That it is a VPN isn't hidden.


Log in to reply