[tor-dev] Combining obfsproxy+scramblesuit with OpenVPN

irregulator at riseup.net irregulator at riseup.net
Mon Mar 10 01:27:12 UTC 2014


On 03/07/2014 12:10 AM, Yawning Angel wrote:
> 
> Looking at the OpenVPN source (src/openvpn/socks.c):
> 
>> const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
> 
> The method selection request is hardcoded to always claim support for
> No Auth, and Username/Password Auth in that order.
> 
> This is an OpenVPN bug.  It should not be offering to negotiate
> Username/Password Auth if the user has not provided credentials.  And,
> if the user did happen to provide credentials, then it should not claim
> that No Auth is acceptable.
> 

Are we sure it's an OpenVPN bug? 'Cause I'm getting a:

"socks_handshake: server asked for username/login auth but we were not
provided any credentials"

which kind of makes sense regarding the methods' priority in socks5.py

And that occurs even when using obfs3 which shouldn't expect any
credentials.

Am I missing something?

> 
> Options:
> 
>  * Ignore the PASSWD field if the UNAME field is less than 255
>    characters.  This feels somewhat ugly, and has Nasty Surprise
>    potential in the future.
> 
>  * Only treat the SOCKS auth as a username/password when obfsproxy is
>    in managed mode.  This forces everyone to pass in args via the
>    command line, and would break the "I want to use obfsproxy to
>    connect to multiple servers via ScrambleSuit" use case, so is
>    probably unacceptable.
> 
>  * Leave things as is.  Since the UNAME/PASSWD fields are just
>    concatenated (except for the case where the passwd is 1 NUL
>    character), people can set the credentials to something like:
> 
>    Username: "password="
>    Password: "<Base32 Encoded k_B here>"
> 
>    Sorry I should have been more clear about this.
> 
> Presently I am leaning toward option 3, but I don't feel too strongly
> about this as long as Tor continues to work (Which it will regardless
> of how this is resolved since it will always only request SOCKS auth
> mechanisms that make sense based on the config file).
> 
> 

Option 3 does work for scramblesuit, cool! :)

So, socks authentication could be used by the OpenVPN client to pass
scramblesuit credentials to obfsproxy. Could I somehow run obfsproxy
without explicitly setting a scramblesuit secret, as it's needed when
running unmanaged?

Greetings,
Alex
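
The negotiation discussed in this message, as an added example that is not part of the original post and is not OpenVPN's or obfsproxy's code: it parses the hardcoded greeting quoted from socks.c, shows a server that prefers Username/Password picking method 0x02, and applies the UNAME/PASSWD concatenation rule from option 3. All function names, the server's preference order and the sample secret are assumptions made for illustration.

```python
import base64

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF

def parse_greeting(data):
    """SOCKS5 method selection request: VER(0x05), NMETHODS, METHODS."""
    if len(data) < 2 or data[0] != 0x05 or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])

def choose_method(offered, preference=(USER_PASS, NO_AUTH)):
    """Server picks the first offered method in its own priority order.
    The default order is an assumption modelled on the thread."""
    for method in preference:
        if method in offered:
            return method
    return NO_ACCEPTABLE

def parse_userpass(data):
    """RFC 1929 request: VER(0x01), ULEN, UNAME, PLEN, PASSWD."""
    if len(data) < 3 or data[0] != 0x01:
        raise ValueError("malformed username/password request")
    ulen = data[1]
    if ulen == 0 or len(data) < 3 + ulen:
        raise ValueError("ULEN does not match UNAME")
    uname, plen, passwd = data[2:2 + ulen], data[2 + ulen], data[3 + ulen:]
    if plen == 0 or len(passwd) != plen:
        raise ValueError("PLEN does not match PASSWD")
    return uname, passwd

def transport_args(uname, passwd):
    """Concatenate UNAME and PASSWD, unless PASSWD is a single NUL pad."""
    if passwd == b"\x00":
        return uname.decode("ascii")
    return (uname + passwd).decode("ascii")

def build_userpass(uname, passwd):
    """Client side: encode an RFC 1929 request (used here to make test input)."""
    return b"\x01" + bytes([len(uname)]) + uname + bytes([len(passwd)]) + passwd

if __name__ == "__main__":
    offered = parse_greeting(b"\x05\x02\x00\x02")  # bytes quoted from socks.c
    print("offered:", offered, "server picks:", hex(choose_method(offered)))
    k_b = base64.b32encode(b"constructed-secret-x")  # constructed 20-byte secret
    uname, passwd = parse_userpass(build_userpass(b"password=", k_b))
    print("transport args:", transport_args(uname, passwd))
```

Because the client always offers both methods, the outcome depends entirely on the server's preference order; passing `preference=(NO_AUTH, USER_PASS)` makes the same greeting negotiate No Auth.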

