On 03/05/2014 07:58 PM, Yawning Angel wrote:
So, while testing OpenVPN with obfsproxy and the latest patch, the vpn client enters the authentication phase.
Yay.
Do the credentials depend on the pluggable transport in use by the obfsproxy?
Yes. It only should happen for obfs2 (if Shared Secret mode is used) and ScrambleSuit. All the other transports will ignore any credentials passed.
If so, what credentials should the vpn or the ssh socks client provide when talking with scramblesuit?
As the *username*:
- "password=<Base32 encoded k_B>" k_B is 32 characters encoded.
As the *password*:
- '\0' (A single byte of value 0x00).
Will vpn client have to provide the session ticket or other pre-shared secret through socks authentication?
Just k_B. Session Tickets are separate and not something the user should ever mess with.
It is also possible to skip using RFC 1929 auth entirely by passing "--password <Base32 encoded k_B>" as a command line option.
Regards,
Hey people thanks for your input,
I'm actually passing the password inline while starting obfsproxy (client-side) like that:
python pyobfsproxy.py --log-min-severity=info scramblesuit --password LLDNOWV7I4P6RKFJMDEMIY2GNU2IQISA socks 127.0.0.1:9999
Still, when the openvpn client connects to localhost:9999, it enters the authentication phase. I think this is undesirable and needless since the obfsproxy client has already been started with the password.
So I made a rearrangement like this:
--- a/obfsproxy/network/socks5.py +++ b/obfsproxy/network/socks5.py @@ -98,8 +98,8 @@ class SOCKSv5Protocol(protocol.Protocol):
# Authentication methods ACCEPTABLE_AUTH_METHODS = [ - _SOCKS_AUTH_USERNAME_PASSWORD, - _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED + _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED, + _SOCKS_AUTH_USERNAME_PASSWORD ] AUTH_METHOD_VTABLE = { _SOCKS_AUTH_USERNAME_PASSWORD: methodcaller('processRfc1929Request'),
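Review bot: Putting _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED first in ACCEPTABLE_AUTH_METHODS changes the preference for every client, not only for the case where the secret was given with --password. If the method is chosen by list order, a client that offers both methods is answered with no-auth and processRfc1929Request never runs for it, so a transport that expects its secret in the RFC 1929 fields receives nothing. Consider keeping _SOCKS_AUTH_USERNAME_PASSWORD first by default and preferring no-auth only when the secret is already known from the command line. Whichever order is kept, the "# Authentication methods" comment above the list should state that the order is the preference order.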
After the change the OpenVPN client is no longer requested to enter credentials, and it works like a charm. OpenVPN client talks to OpenVPN server over scramblesuit :)
So I am wondering, is the change above acceptable for all cases? I mean, changing the priority between authentication and no authentication mode, will it affect some PTs?
I'm not sure what is better here: should the OpenVPN client pass the scramblesuit password to the obfsproxy client listening on localhost, or should the obfsproxy client already know the password so that the OpenVPN client doesn't need to authenticate at all?
If the first is preferable, any idea how the '\0' value could fit in there? OpenVPN socks authentication is implemented, afaik, either via standard input or via a two line file containing user-password.
Alex
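
As an added example (not part of the original messages and not obfsproxy's code), the following Python shows the RFC 1928 method negotiation under both list orders and builds the RFC 1929 request carrying the credentials described in the thread. It assumes the server picks the first entry of its list that the client offered; the function names are hypothetical.

```python
SOCKS_VER = 0x05
NO_AUTH = 0x00            # RFC 1928: NO AUTHENTICATION REQUIRED
USER_PASS = 0x02          # RFC 1928: USERNAME/PASSWORD (RFC 1929)
NO_ACCEPTABLE = 0xFF      # RFC 1928: NO ACCEPTABLE METHODS

def parse_greeting(data):
    """Parse the client greeting: VER, NMETHODS, METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        raise ValueError("bad method list length")
    return list(data[2:])

def select_method(preference, offered):
    """Assumed policy: first entry of the server list that the client offered."""
    for method in preference:
        if method in offered:
            return method
    return NO_ACCEPTABLE

def build_rfc1929_request(username, password):
    """Build VER(0x01), ULEN, UNAME, PLEN, PASSWD; each field is 1..255 bytes."""
    for field in (username, password):
        if not 1 <= len(field) <= 255:
            raise ValueError("RFC 1929 fields must be 1..255 bytes")
    return (bytes([0x01, len(username)]) + username +
            bytes([len(password)]) + password)

ORIGINAL_ORDER = [USER_PASS, NO_AUTH]   # list order before the patch
PATCHED_ORDER = [NO_AUTH, USER_PASS]    # list order after the patch

# Constructed greetings: one client offers both methods, one only no-auth.
GREETING_BOTH = bytes([SOCKS_VER, 2, NO_AUTH, USER_PASS])
GREETING_NOAUTH = bytes([SOCKS_VER, 1, NO_AUTH])

# Credentials in the format described in the thread; k_B is the value from
# the command line quoted above.
K_B = b"LLDNOWV7I4P6RKFJMDEMIY2GNU2IQISA"
AUTH_REQUEST = build_rfc1929_request(b"password=" + K_B, b"\x00")

if __name__ == "__main__":
    for name, order in (("original", ORIGINAL_ORDER), ("patched", PATCHED_ORDER)):
        for greeting in (GREETING_BOTH, GREETING_NOAUTH):
            offered = parse_greeting(greeting)
            print(name, offered, "->", hex(select_method(order, offered)))
    print(AUTH_REQUEST.hex())
```

A client that offers both methods is steered to username/password under the original order and to no-auth under the patched order, while a client that offers only no-auth gets no-auth either way.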