OpenVPN SSL obfuscation

Revision as of 12 December 2015, 18:01 by Fries43 (initial)

Goal: build a proper patch file that can be used for OpenWrt. We'll practice with the following commit, which I found:

https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8

First, fetch OpenWrt and see where 'openvpn' lives:

bastian@X301:~/software$ git clone git://git.openwrt.org/openwrt.git
bastian@X301:~/software$ cd openwrt
bastian@X301:~/software/openwrt$ find . -type d -name openvpn
./package/network/services/openvpn

OK, we look at the Makefile for the download link and version:

bastian@X301:~/software/openwrt$ grep -m6 ^[A-Z] ./package/network/services/openvpn/Makefile
PKG_NAME:=openvpn
PKG_VERSION:=2.3.7
PKG_RELEASE:=1
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MD5SUM:=070bca95e478f88dff9ec6a221e2c3f7

OK, we create a local git repository and fetch the tarball:

bastian@X301:~/software/openwrt$ cd ..
bastian@X301:~/software$ mkdir openvpn
bastian@X301:~/software$ cd openvpn/
bastian@X301:~/software/openvpn$ git init
Initialized empty Git repository in /home/bastian/software/openvpn/.git/

bastian@X301:~/software/openvpn$ wget http://swupdate.openvpn.net/community/releases/openvpn-2.3.7.tar.gz
bastian@X301:~/software/openvpn$ tar xzf openvpn-2.3.7.tar.gz 
bastian@X301:~/software/openvpn$ cd openvpn-2.3.7/
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git init
Initialized empty Git repository in /home/bastian/software/openvpn/openvpn-2.3.7/.git/
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git add .
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git commit -m "extracted openvpn-2.3.7.tar.gz"
[master (root-commit) e97a8c6] extracted openvpn-2.3.7.tar.gz
 306 files changed, 112266 insertions(+)
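
The tarball above is fetched over plain HTTP, so it is worth checking it against the PKG_MD5SUM recorded in the OpenWrt Makefile before extracting it. One way to do that, as an added example that is not part of the original page (the function names mk_var, pkg_source and verify_tarball are hypothetical, and the demo files are constructed):

```shell
#!/bin/sh
# Read a simple "VAR:=value" assignment from an OpenWrt package Makefile.
mk_var() {  # usage: mk_var <Makefile> <VAR>
    sed -n "s/^$2:=//p" "$1" | head -n1
}

# Expand $(PKG_NAME) and $(PKG_VERSION) inside PKG_SOURCE to get the
# tarball file name. Assumes plain values without '/' or '&'.
pkg_source() {  # usage: pkg_source <Makefile>
    name=$(mk_var "$1" PKG_NAME)
    version=$(mk_var "$1" PKG_VERSION)
    mk_var "$1" PKG_SOURCE |
        sed -e 's/[$](PKG_NAME)/'"$name"'/g' \
            -e 's/[$](PKG_VERSION)/'"$version"'/g'
}

# Compare the tarball's MD5 with PKG_MD5SUM.
# Returns 0 on match, 1 on mismatch, 2 if checksum or file is missing.
# MD5 is what this Makefile records; it is collision-prone, so prefer a
# SHA-256 value where one is published.
verify_tarball() {  # usage: verify_tarball <Makefile> <dir with tarball>
    want=$(mk_var "$1" PKG_MD5SUM)
    file="$2/$(pkg_source "$1")"
    [ -n "$want" ] && [ -f "$file" ] || return 2
    have=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have" = "$want" ]
}

# Constructed demo: a dummy tarball and a Makefile carrying its checksum.
demo_dir=$(mktemp -d)
printf 'constructed sample data\n' > "$demo_dir/demo-1.0.tar.gz"
sum=$(md5sum "$demo_dir/demo-1.0.tar.gz" | cut -d' ' -f1)
printf 'PKG_NAME:=demo\nPKG_VERSION:=1.0\nPKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz\nPKG_MD5SUM:=%s\n' \
    "$sum" > "$demo_dir/Makefile"
verify_tarball "$demo_dir/Makefile" "$demo_dir" && echo "checksum OK"

# On the page's layout, from ~/software/openvpn after the wget:
#   verify_tarball ../openwrt/package/network/services/openvpn/Makefile . || echo "MISMATCH"
```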

Now we download the patch file from the GitHub commit:

# https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8
# append .patch:
bastian@X301:~/software/openvpn/openvpn-2.3.7$ wget -O /tmp/mypatch https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8.patch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git apply --check </tmp/mypatch
error: patch failed: src/openvpn/options.c:6593
error: src/openvpn/options.c: patch does not apply
error: patch failed: src/openvpn/options.h:522
error: src/openvpn/options.h: patch does not apply

OK, it's not that simple, so we fetch options.c and options.h from the commit before it (the "parent"):

parent='3ec9eb8ee402ea977805eaac6a8caa38f5800bbd'
wget -O src/openvpn/options.c "https://raw.githubusercontent.com/hizukiayaka/openvpn/$parent/src/openvpn/options.c"
wget -O src/openvpn/options.h "https://raw.githubusercontent.com/hizukiayaka/openvpn/$parent/src/openvpn/options.h"
git add .
git commit -m "options.* from parent"

Now test again whether it applies:

bastian@X301:~/software/openvpn/openvpn-2.3.7$ git apply --check /tmp/mypatch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git am --ignore-whitespace --signoff </tmp/mypatch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git log
commit dc3103e7fef1afb1c7c76bc83d1d6d78079284da
Author: ayaka <ayaka@soulik.info>
Date:   Fri Aug 28 18:00:58 2015 +0800

    obfuscation: apply xor in SSL layer
    
    NOTE: It only work with OpenSSL library not PolarSSL library.
    The xor patch before only worked with IP tunnel package.
    
    Signed-off-by: ayaka <ayaka@soulik.info>
    Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>

commit 6d764b72d92594b478c73f2a843abafd8ce02f52
Author: Bastian Bittorf <bittorf@bluebottle.com>
Date:   Sat Dec 12 16:21:33 2015 +0100

    options.* from parent

Wonderful! Now we turn this into 2 regular patch files:

bastian@X301:~/software/openvpn/openvpn-2.3.7$ git format-patch -s -2
0001-options.-from-parent.patch
0002-obfuscation-apply-xor-in-SSL-layer.patch

...and copy them into the OpenWrt build system:

bastian@X301:~/software/openvpn/openvpn-2.3.7$ find ../../openwrt -type d -name openvpn
../../openwrt/package/network/services/openvpn
bastian@X301:~/software/openvpn/openvpn-2.3.7$ mv 000* ../../openwrt/package/network/services/openvpn/patches/

I've uploaded the patches: https://github.com/bittorf/kalua/tree/master/openwrt-patches/interesting/openvpn-ssl-obfuscation

In 'make menuconfig', openvpn-openssl must be selected under network->VPN:

make package/openvpn/clean
make package/openvpn/compile
make package/openvpn/install

Done!