[tor-dev] Combining obfsproxy+scramblesuit with OpenVPN

irregulator irregulator at riseup.net
Thu Mar 6 17:22:16 UTC 2014


On 03/05/2014 07:58 PM, Yawning Angel wrote:
>
>> So, while testing OpenVPN with obfsproxy and the latest patch, the vpn
>> client enters the authentication phase.
> Yay.
>
>> Do the credentials depend on the pluggable transport in use by the
>> obfsproxy?
> Yes.  It only should happen for obfs2 (if Shared Secret mode is used)
> and ScrambleSuit.  All the other transports will ignore any credentials
> passed.
>
>> If so, what credentials should the vpn or the ssh socks client
>> provide when talking with scramblesuit?
> As the *username*:
>  * "password=<Base32 encoded k_B>" k_B is 32 characters encoded.
>
> As the *password*:
>  * '\0' (A single byte of value 0x00).
>
>> Will vpn client have to provide the session ticket or other
>> pre-shared secret through socks authentication?
> Just k_B.  Session Tickets are separate and not something the user
> should ever mess with.
>
> It is also possible to skip using RFC 1929 auth entirely by passing
> "--password <Base32 encoded k_B>" as a command line option.
>
> Regards,

Hey people, thanks for your input,

I'm actually passing the password inline while starting obfsproxy
(client-side) like that:

python pyobfsproxy.py --log-min-severity=info scramblesuit --password LLDNOWV7I4P6RKFJMDEMIY2GNU2IQISA socks 127.0.0.1:9999

Still, when the OpenVPN client connects to localhost:9999 it enters the
authentication phase. I think this is undesirable and needless since the
obfsproxy client has already been started with the password.

So I made a rearrangement like this :

--- a/obfsproxy/network/socks5.py
+++ b/obfsproxy/network/socks5.py
@@ -98,8 +98,8 @@ class SOCKSv5Protocol(protocol.Protocol):
 
     # Authentication methods
     ACCEPTABLE_AUTH_METHODS = [
-        _SOCKS_AUTH_USERNAME_PASSWORD,
-        _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED
+        _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED,
+        _SOCKS_AUTH_USERNAME_PASSWORD
     ]
     AUTH_METHOD_VTABLE = {
         _SOCKS_AUTH_USERNAME_PASSWORD:
methodcaller('processRfc1929Request'),
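
Review bot: In ACCEPTABLE_AUTH_METHODS, putting _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED ahead of _SOCKS_AUTH_USERNAME_PASSWORD changes a class-level attribute of SOCKSv5Protocol, so the new preference applies to every transport's SOCKS listener and not only to a scramblesuit client started with --password. If the list order is what decides the negotiated method, a client that offers both methods will now be answered with no-auth and never reach processRfc1929Request, so any per-connection argument it meant to pass in the RFC 1929 username is dropped without an error. Consider keeping the original order and preferring no-auth only when the transport already has its secret from the command line, and extend the "# Authentication methods" comment to say that list order is the preference order.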

After the change the OpenVPN client is no longer asked to enter
credentials, and it works like a charm. The OpenVPN client talks to the
OpenVPN server over scramblesuit :)

So I am wondering, is the change above acceptable for all cases? I mean,
changing the priority between authentication and no authentication mode,
will it affect some PTs?

I'm not sure what is better here: should the OpenVPN client pass the
scramblesuit password to the obfsproxy client listening on localhost, or
should the obfsproxy client already know the password so that the
OpenVPN client doesn't need to authenticate at all?

If the first is preferable, any idea how the '\0' value could fit in
there? OpenVPN socks authentication is implemented, afaik, either via
standard input or via a two line file containing user-password.

Alex
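
Added example, not part of the original message and not obfsproxy code: the SOCKS5 method negotiation that the reordering above affects, and the RFC 1929 request carrying the "password=<k_B>" username and single 0x00 password byte described in the quoted reply. It assumes the server answers with the first entry of its preference list that the client offered; the function names are hypothetical and K_B is a constructed sample.

```python
# Added illustration, not obfsproxy code. Method numbers are from RFC 1928.
NO_AUTH = 0x00            # _SOCKS_AUTH_NO_AUTHENTICATION_REQUIRED
USERNAME_PASSWORD = 0x02  # _SOCKS_AUTH_USERNAME_PASSWORD
NO_ACCEPTABLE = 0xFF      # reply when nothing the client offered is acceptable
ORIGINAL_ORDER = [USERNAME_PASSWORD, NO_AUTH]
PATCHED_ORDER = [NO_AUTH, USERNAME_PASSWORD]
K_B = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # constructed 32-character sample


def select_method(greeting: bytes, preference: list) -> int:
    """Parse VER, NMETHODS, METHODS and return the first preferred method
    the client offered (assumed selection policy)."""
    if len(greeting) < 3 or greeting[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    if len(greeting) != 2 + greeting[1]:
        raise ValueError("NMETHODS does not match the method list")
    offered = greeting[2:]
    for method in preference:
        if method in offered:
            return method
    return NO_ACCEPTABLE


def build_rfc1929_request(username: bytes, password: bytes) -> bytes:
    """VER=0x01, ULEN, UNAME, PLEN, PASSWD. RFC 1929 allows 1..255 bytes each."""
    for field in (username, password):
        if not 1 <= len(field) <= 255:
            raise ValueError("username and password must be 1..255 bytes")
    return (bytes([0x01, len(username)]) + username
            + bytes([len(password)]) + password)


def parse_rfc1929_request(data: bytes) -> tuple:
    """Return (username, password), rejecting truncated or padded requests."""
    if len(data) < 5 or data[0] != 0x01:
        raise ValueError("not an RFC 1929 request")
    ulen = data[1]
    if ulen == 0 or len(data) < 4 + ulen:
        raise ValueError("bad ULEN")
    plen = data[2 + ulen]
    if plen == 0 or len(data) != 3 + ulen + plen:
        raise ValueError("bad PLEN")
    return data[2:2 + ulen], data[3 + ulen:]


if __name__ == "__main__":
    both = bytes([0x05, 0x02, NO_AUTH, USERNAME_PASSWORD])
    print("original:", select_method(both, ORIGINAL_ORDER))
    print("patched: ", select_method(both, PATCHED_ORDER))
```

Under this policy the reorder only changes the outcome for a client that offers both methods; a client offering a single method gets the same answer with either list.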
