    OpenVPN Server with SSL Tunnel

    IT Discussion
    23 Posts 7 Posters 7.3k Views
    • RamblingBiped

      I've currently got an OpenVPN server set up and running through an SSL tunnel created using the stunnel4 package on Ubuntu 14.04. If I'm connecting with a Windows client everything works as expected. However, when I try to connect a Linux or Android client it appears everything works, but my clients are unable to browse the internet once connected to the server.

      Any thoughts on what could be causing this? The SSL tunnel is up and operational, and I can see data traversing the connection in the server-side logs whenever my client connects.

      It REALLY bothers me that this works so easily on Windows and I'm having so many problems with Linux. It's just not right...

      Any thoughts/help appreciated.

      • Dashrender

        Sounds like a Split Tunneling issue.

        Perhaps Windows isn't obeying the OpenSSL settings to not allow it, but Linux/Android do?

        Just a thought.

        • JaredBusch

          OpenVPN itself is an SSL VPN. What is the point of double encryption?

          • scottalanmiller

            Yeah, I'm with @JaredBusch, you have two SSL VPNs here. Why two VPNs? And why two of the same type? It's just two different mechanisms for setting up SSL.

            • coliver

              [image attachment]

              • scottalanmiller

                Just wait until he starts looking at HTTPS sites over it! It's SSLception!

                • RamblingBiped

                  The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                  So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.

                  • Dashrender

                    LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?

                    • RamblingBiped

                      Problem resolved! It was a missing route... Because of the order in which the Linux client establishes the new routes, it loses its ability to communicate with the VPN server once the connection is established. I just had to add a route telling it how to get to the OpenVPN server once the connection was established.

                      route add -host <vpn-server-ip> gw <gw-as-defined-by-default-route>

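The fix above in a reusable form, as an added example that is not part of the original post. It assumes a Linux client with iproute2, IPv4, and the stunnel layout described in the thread, where the OpenVPN client's `remote` is the local stunnel listener (assumed here to be on 127.0.0.1) rather than the real server: the host route OpenVPN installs for "its" server therefore only covers loopback, and the real server address still needs a route via the pre-VPN gateway or the tunnel swallows it. The `ip route show default` output embedded in the script is constructed for offline testing; the script name and its argument are mine.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): give a Linux OpenVPN client a host
route to the real VPN server via the gateway it had before the VPN came up.

Assumptions (mine, not the original poster's): Linux with iproute2 (`ip`),
IPv4, and an OpenVPN client whose `remote` is a local stunnel endpoint such as
127.0.0.1:1194, so OpenVPN never learns the real server address.
"""
import ipaddress
import os
import re
import subprocess
import sys

# Constructed sample of `ip -4 route show default` output, for offline use.
SAMPLE_ROUTE_OUTPUT = "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n"

_DEFAULT_ROUTE = re.compile(r"^default via (\S+) dev (\S+)")


def parse_default_route(route_output):
    """Return (gateway, interface) from the first default-route line, else None."""
    for line in route_output.splitlines():
        match = _DEFAULT_ROUTE.match(line.strip())
        if match:
            return match.group(1), match.group(2)
    return None


def host_route_command(server_ip, gateway, iface=None):
    """iproute2 equivalent of the thread's `route add -host <server> gw <gw>`.

    `replace` instead of `add` keeps repeated runs (reconnects) from failing
    with "RTNETLINK answers: File exists".
    """
    ipaddress.IPv4Address(server_ip)  # raises ValueError on garbage input
    ipaddress.IPv4Address(gateway)
    cmd = ["ip", "route", "replace", server_ip + "/32", "via", gateway]
    if iface:
        cmd += ["dev", iface]
    return cmd


def pre_vpn_gateway():
    """Gateway to route the server through.

    When run as an OpenVPN --up script, OpenVPN exports the pre-existing
    default gateway as route_net_gateway; otherwise read the kernel's current
    default route, which must happen before the VPN replaces it.
    """
    env_gw = os.environ.get("route_net_gateway")
    if env_gw:
        return env_gw, None
    out = subprocess.run(["ip", "-4", "route", "show", "default"],
                         check=True, capture_output=True, text=True).stdout
    parsed = parse_default_route(out)
    if parsed is None:
        raise RuntimeError("no IPv4 default route found; run before the VPN is up")
    return parsed


def main(argv):
    # OpenVPN appends its own arguments (tun device, MTUs, ...) after ours,
    # so only argv[1] is inspected.
    if len(argv) < 2:
        sys.exit("usage: vpn-host-route.py <real-vpn-server-ip>")
    gateway, iface = pre_vpn_gateway()
    cmd = host_route_command(argv[1], gateway, iface)
    print(" ".join(cmd))
    subprocess.run(cmd, check=True)  # needs CAP_NET_ADMIN, i.e. root


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root before starting OpenVPN, or from the client's `up` script with the real server address as its first argument. The same effect is available without a script by putting `route <vpn-server-ip> 255.255.255.255 net_gateway` in the client config, `net_gateway` being OpenVPN's keyword for the pre-existing default gateway; and when the client's `remote` is the real server rather than a local stunnel endpoint, `redirect-gateway def1` installs this host route by itself.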
                      • RamblingBiped @Dashrender

                        @Dashrender said:

                        LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?

                        It's illegal to use a VPN to access legitimate services required to do business in China.

                        It's legal for the Chinese government to inspect your network traffic and devices, and possibly (with relatively high probability) steal hardware prototype designs and code/software off of your devices.

                        #moral-dilemma

                        --edit--

                        I've got people traveling in a few countries over the next week or so... My primary concern is confidentiality of the data that is being sent across the wire. As soon as their systems are back home and in the office they are getting blasted and physically inspected before being released back into the wild.

                        • Dashrender @RamblingBiped

                          @RamblingBiped said:

                          @Dashrender said:

                          LOL - so you have to obfuscate what you're obfuscating to get through great firewall eh? I thought that was illegal over there?

                          It's illegal to use a VPN to access legitimate services required to do business in China.

                          It's legal for the Chinese government to inspect your network traffic, and possibly (with relatively high probability) steal hardware prototype designs and code/software off of your devices.

                          #moral-dilemma

                          Not really a moral dilemma, it's actually pretty easy - don't do business in China, problem solved. If enough companies stand by their morals and refuse to do business under that type of control, they will either change or die.

                          • wrx7m

                            We do business in China and have a very small office there. We have 2 Chinese nationals and an American. I was not aware of the VPN legalities so that is interesting.

                            • wrx7m

                              How would you get around the VPN thing to let certain users access documents in the US from China?

                              • dafyre

                                Remote Desktop Gateway or SSH Jump box?

                                • Dashrender @wrx7m

                                  @wrx7m said:

                                  How would you get around the VPN thing to let certain users access documents in the US from China?

                                  Actually I have no idea what the laws of China actually are. I know journalists break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

                                  For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less means you can't use SSL or a VPN that they themselves don't have the keys to; otherwise you're breaking the law.

                                  • scottalanmiller @RamblingBiped

                                    @RamblingBiped said:

                                    The last time I had someone travel to the country that my people are going to be working from they were unable to access their OpenVPN connection. When I researched the solution, using stunnel to obfuscate the traffic is what I found. I implemented it and it worked.

                                    That's weird as OpenVPN already obfuscates the traffic identically. You must be using different settings for them, like using stunnel on common ports and OpenVPN on uncommon. But the two are literally identical on the wire, there is no way to identify one from the other, their obfuscation is exactly the same.

                                    • scottalanmiller @RamblingBiped

                                      @RamblingBiped said:

                                      So just changing OpenVPN configuration to use TCP port 443 should do the same thing? From what I had previously read they still have some way of detecting and shutting down OpenVPN traffic.

                                      Yes, no idea how they could identify it. OpenVPN, stunnel or any SSL tunnel are all the same thing. Literally the same thing. They are just management systems for the same SSL connector. They actually leverage the same library to do the actual VPN.

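Because the question of whether OpenVPN traffic can be told apart from a plain TLS tunnel comes up here, the following added example (mine, not code from the thread or from the OpenVPN project) shows what a middlebox sees in the first TCP segment of each. stunnel puts a TLS record layer on the wire from the first byte, exactly as HTTPS does; OpenVPN over TCP puts its own two-byte length prefix and an opcode byte first, and carries its TLS handshake inside those control packets. The session id and ClientHello prefix below are constructed samples; the opcode values are OpenVPN's own.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): classify the first bytes of a TCP
stream as a TLS record layer (stunnel, HTTPS, ...) or an OpenVPN-over-TCP
control packet.

TLS record header:    content type (0x16 = handshake), version 0x03 0x0X, length.
OpenVPN over TCP:     2-byte big-endian packet length, then one byte holding
                      (opcode << 3) | key_id, then the OpenVPN session id.
"""

TLS_HANDSHAKE_CONTENT_TYPE = 0x16
TLS_MAJOR_VERSION = 0x03

# OpenVPN control-channel opcodes that open a session (values from the
# OpenVPN source; P_CONTROL_HARD_RESET_CLIENT_V2 is what a client sends first).
OPENVPN_RESET_OPCODES = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def classify_first_segment(data):
    """Return 'tls', 'openvpn-tcp' or 'unknown' for the opening bytes of a stream."""
    if (len(data) >= 3 and data[0] == TLS_HANDSHAKE_CONTENT_TYPE
            and data[1] == TLS_MAJOR_VERSION and data[2] <= 0x04):
        return "tls"
    if len(data) >= 3:
        packet_len = int.from_bytes(data[:2], "big")
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        # A fresh session uses key_id 0, and the length prefix must cover the
        # rest of the segment exactly (one OpenVPN packet in the first segment).
        if opcode in OPENVPN_RESET_OPCODES and key_id == 0 and packet_len == len(data) - 2:
            return "openvpn-tcp"
    return "unknown"


def openvpn_hard_reset_client_v2(session_id, packet_id=0):
    """Build the first packet an OpenVPN client sends over TCP without tls-auth.

    Body: opcode/key_id byte, 8-byte session id, ack-array length (0 on the
    first packet), 4-byte packet id. The TCP transport prefixes the body length.
    """
    if len(session_id) != 8:
        raise ValueError("OpenVPN session ids are 8 bytes")
    body = bytes([7 << 3 | 0]) + session_id + b"\x00" + packet_id.to_bytes(4, "big")
    return len(body).to_bytes(2, "big") + body


# Constructed samples: the start of a TLS 1.0-framed ClientHello record, and an
# OpenVPN client reset with a made-up session id.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301") + b"\x00\xc8" + b"\x01\x00\x00\xc4\x03\x03"
OPENVPN_FIRST_PACKET = openvpn_hard_reset_client_v2(bytes.fromhex("0123456789abcdef"))

if __name__ == "__main__":
    for name, sample in (("stunnel/HTTPS", TLS_CLIENT_HELLO_PREFIX),
                         ("openvpn tcp", OPENVPN_FIRST_PACKET)):
        print(f"{name:14} {sample[:3].hex()}... -> {classify_first_segment(sample)}")
```

The TLS branch matches any HTTPS connection as well, which is the property an stunnel listener on port 443 relies on; separating stunnel from a browser would then take ClientHello or certificate fingerprinting, which this example does not attempt. With `tls-auth` enabled the first OpenVPN packet also carries an HMAC and replay fields, so its length changes, but the opcode byte still leads the packet.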
                                      • scottalanmiller @wrx7m

                                        @wrx7m said:

                                        How would you get around the VPN thing to let certain users access documents in the US from China?

                                        You would turn off all security. That's why doing business in China isn't that great.

                                        • scottalanmiller @dafyre

                                          @dafyre said:

                                          Remote Desktop Gateway or SSH Jump box?

                                          Those use VPNs to be secured. SSH goes over an SSL VPN tunnel. RDS needs that too for security. All HTTPS sites are VPNs under the hood. We don't call them that, but they are and they violate Chinese Internet rules.

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            @wrx7m said:

                                            How would you get around the VPN thing to let certain users access documents in the US from China?

                                            Actually I have no idea what the laws of China actually are. I know journalists break them all the time so they can get their stories out. I'd say that you have some work ahead of you to discover what Chinese law is, and then work from there.

                                            For example, if Chinese law says you can't use encrypted traffic that they can't decrypt, well that more or less means you can't use SSL or a VPN that they themselves don't have the keys to; otherwise you're breaking the law.

                                            Correct, you cannot use SSL whatsoever legally.
