Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow one/many connection per TLS-Crypt-V2 key #213

Open
TinCanTech opened this issue Aug 7, 2021 · 6 comments
Open

Allow one/many connection per TLS-Crypt-V2 key #213

TinCanTech opened this issue Aug 7, 2021 · 6 comments
Assignees
@TinCanTech
Labels
Feature request Additional new feature Testing welcome

Comments

@TinCanTech
Copy link
Owner

This requires some form of TLS-Crypt-V2 key connection tracking.
@TinCanTech TinCanTech added the Feature request Additional new feature label Aug 7, 2021
@TinCanTech TinCanTech self-assigned this Aug 7, 2021
@TinCanTech TinCanTech added the wontfix This will not be worked on label Aug 9, 2021
@TinCanTech
Copy link
Owner Author

This cannot be done because there is no way to track the TLS-Key serial number when a client disconnects.

@TinCanTech TinCanTech removed the wontfix This will not be worked on label Aug 9, 2021
@TinCanTech
Copy link
Owner Author

TinCanTech commented Aug 9, 2021
edited
Loading

This may be possible by using abusing OpenVPN auth_control_file.

@TinCanTech TinCanTech reopened this Aug 9, 2021
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Introduce easytls-client-disconnect.sh and vars file
4172a08 
This is required by TLS-Crypt-V2 key connection tracking,
which is disabled by default. (WIP)

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Remove unsupported vars
07f17bb 
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Add comment for conn-trac
6b97f76 
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Add TLS-Crypt-V2 connection tracking
cca4828 
This script only adds to conn-trac.
(Disabled)

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Add TLS-Crypt-V2 connection tracking
d0c8f01 
This script only renoves from conn-trac.
(Disabled)

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 10, 2021
@TinCanTech
Add TLS-Crypt-V2 connection tracking
eb9eee5 
This script adds to and removes from conn-trac.

A conn-trac can be lost by client-disconnect if --reneg-* and --float
occur during the same --ping interval.  There may be other reasons as
well.

(Disabled)

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Copy link
Owner Author

Requires ip address and port number

@TinCanTech
Copy link
Owner Author

TinCanTech commented Aug 11, 2021
edited
Loading

Due to --float and not being able to use --ipchange on a server, tracking by ip:port is not may be possible~ when a client floats ..

So Also, have to can conn-trac by tlskey-serial (TLS-Crypt-V2 key).

It's a pain in the ass but is possible for TLS-Crypt-V2 keys only.

TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Introduce easytls-conn-trac.lib
a05e4f1 
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Minor improvements to conn-trac
31a6793 
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Improve metadata file management and disable conn-trac
4483a86 
If metadata files exist then delete them if stale
(older than stale_sec: defaullt 3 seconds)
Otherwise, fail without kill-client, client will try again.

conn-trac is not done for TLS-Crypt-V2 keys.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Use conn-trac lib and remove TLS-Key-temp-file
ddf97ab 
conn-trac is used only to unregister a previous connection,
which now fails to connect.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Use conn-trac lib and improve temp-file management
643937a 
Use conn-trac lib to register new connections and unregister
failing connections.  Includes loading c_ext_md_file.

Stop abusing Openvpn auth_control_file.
Remove TLS-Crypt-V2 key serial file.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Aug 12, 2021
@TinCanTech
Use conn-trac lib and remove TLS-Crypt-V2 key serial temp-file
77deccf 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Copy link
Owner Author

After extensive testing, early indicators suggest that conn-trac library is working well.

@TinCanTech
Copy link
Owner Author

The only item remaining, is to decide what action to take if a new connection is the same as a current connection.

TinCanTech added a commit that referenced this issue Oct 11, 2021
@TinCanTech
Connection tracking - Work around Openvpn issue #160
9864cfa 
Details:
* #213
* https://community.openvpn.net/openvpn/ticket/160

Signed-off-by: Richard T Bonhomme <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TinCanTech TinCanTech

Labels
Feature request Additional new feature Testing welcome
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TinCanTech