OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
64 posts Page 5 of 7
by kgc » Mon Mar 14, 2016 9:35 am
forest wrote:
To make matters worse, it turns out that some OpenVPN implementations (e.g. the one in GNOME NetworkManager) strip out the deprecated option when importing a config file, effectively removing the MITM protection from the .ovpn files currently generated by Sonic's server.


I've reviewed this with their support again. The AS server uses the old deprecated Netscape Cert Types, and you'll note that the client certificate has this flag set in the X509v3 extensions:


$ openssl x509 -in /tmp/c -text
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client


When combined with the "ns-cert-type server" directive, this provides protection from MitM attacks. It does not make sense for the NetworkManager to strip out any options, particularly this one. This is a security bug and should be taken to the vendor. As noted by their wiki: "Important note: some OpenVPN configs rely on the deprecated "Netscape" cert attribute called nsCertType."

I can't comment on why the AS server uses these older options instead of the newer ones you've mentioned.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by forest » Mon Mar 14, 2016 12:58 pm
kgc wrote:
This is a security bug and should be taken to the vendor.


Absolutely. I have already brought it up with them.

The fact remains that you just launched a VPN service that is apparently already vulnerable to impersonation with at least one widely-distributed client, and it is within your power to mitigate the problem, probably with little effort. Regardless of whose fault it is, I figured you'd want to know about it.

To other Sonic customers setting up OpenVPN clients, I suggest you make sure your client honors the "ns-cert-type server" directive that's already in your .ovpn config file, and/or add one of these directives (and verify that it works):


verify-x509-name 'CN=OpenVPN Server'
tls-remote /CN=OpenVPN_Server
by forest » Mon Mar 14, 2016 2:47 pm
kgc wrote:
As noted by their wiki "Important note: some OpenVPN configs rely on the deprecated "Netscape" cert attribute called nsCertType."


Yes, and the whole paragraph reads as follows:

Important note: some OpenVPN configs rely on the deprecated "Netscape" cert attribute called nsCertType. This is deprecated behavior, and Easy-RSA 3 does not enable this by default like v2 did. Please use the --remote-cert-tls directive in your OpenVPN config files for MITM protection.


Note their explicit directions to use the --remote-cert-tls directive, which is the very thing I requested at the start of this discussion. It won't work until Sonic issues a new server certificate with the X509v3 Key Usage / Extended Key Usage properties.
by kgc » Mon Mar 14, 2016 2:57 pm
So far as I know we're not able to change to eku without regenerating all client and server certificates.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by forest » Mon Mar 14, 2016 3:09 pm
kgc wrote:
So far as I know we're not able to change to eku without regenerating all client and server certificates.


Huh? Why would you have to regenerate the client certificates in order to issue a new server certificate?

As far as I can tell, a new server cert wouldn't disrupt any of the existing clients, so long as you generate the new one with the same X.509 subject and nsCertType property as the old one, and sign it with the same CA that signed the old one.

Just to be clear, I'm not suggesting that you replace the CA certificate. Only the server certificate; the one that gets signed by the CA. (It's basically a peer to the client certs, not a parent.) Clients would continue to work, for the same reason that web browsers continue to work when an https website updates its expiring certificate. For reference, here's the SHA1 fingerprint of the cert that would be replaced:

2D 6B 4F CC 28 A2 5E 9A 8D 6E E2 68 75 3D 1A 1C 7C 22 E2 97
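A worked version of the replacement-certificate approach described in this post, added here as an example; it is not code from the thread, from Sonic, or from the OpenVPN or Easy-RSA projects. It stands up a throwaway CA named like the one in the logs, issues a server certificate that carries both the deprecated nsCertType=server attribute (what "ns-cert-type server" checks, as kgc's openssl output shows for the client side) and keyUsage plus extendedKeyUsage=serverAuth (what the Easy-RSA note's recommended "remote-cert-tls server" checks), then inspects the results with openssl the same way kgc did and prints the SHA1 fingerprint for comparison with the one above. The work directory, the demo CA key, the client certificate and the 825-day lifetime are assumptions for the demo; a real rollout would reuse the existing CA key and keep the old server subject.

```shell
#!/bin/sh
# Added example (not Sonic's, OpenVPN's or Easy-RSA's own code): issue a replacement
# server certificate that carries BOTH the deprecated nsCertType=server attribute
# (so clients still using "ns-cert-type server" keep working) AND keyUsage plus
# extendedKeyUsage=serverAuth (so clients can switch to "remote-cert-tls server"),
# signed by the same CA as before. The CA, paths, lifetimes and the client cert
# are demo assumptions; a real rollout reuses the existing CA key and subject.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the existing CA (assumption: in production this key already exists).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=OpenVPN CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <subject> <nsCertType> <keyUsage> <extendedKeyUsage>
# Writes <name>.key/.csr/.crt under $WORK, signed by the demo CA.
issue_cert() {
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = CA:FALSE
nsCertType = $3
keyUsage = $4
extendedKeyUsage = $5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Chain check: does the leaf verify against the CA the clients already trust?
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# What "ns-cert-type server" looks for: Netscape Cert Type = SSL Server.
has_ns_cert_type_server() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# What "remote-cert-tls server" looks for (OpenVPN 2.3 manual: equivalent to
# remote-cert-eku "TLS Web Server Authentication" plus remote-cert-ku a0 88,
# i.e. digitalSignature together with keyEncipherment or keyAgreement).
has_remote_cert_tls_server() {
  t=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$t" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication' &&
  printf '%s\n' "$t" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' &&
  printf '%s\n' "$t" | grep -A1 'X509v3 Key Usage' | grep -Eq 'Key Encipherment|Key Agreement'
}

# SHA1 fingerprint in the colon-separated form openssl prints, for comparing
# against the fingerprint of the certificate being replaced.
sha1_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'; }

# Build the demo: CA, the replacement server cert, and one client cert that
# must NOT pass either server check (it only carries client attributes).
make_demo_ca
issue_cert server "/CN=OpenVPN Server" server "digitalSignature, keyEncipherment" serverAuth
issue_cert client "/CN=client1" client "digitalSignature" clientAuth

for c in server client; do
  printf '%-7s chain=%-4s ns-cert-type=%-4s remote-cert-tls=%-4s sha1=%s\n' "$c" \
    "$(chain_ok "$WORK/$c.crt" && echo ok || echo FAIL)" \
    "$(has_ns_cert_type_server "$WORK/$c.crt" && echo ok || echo FAIL)" \
    "$(has_remote_cert_tls_server "$WORK/$c.crt" && echo ok || echo FAIL)" \
    "$(sha1_fingerprint "$WORK/$c.crt")"
done
```

Run it with `sh` on a host with openssl; the server line should show all three checks ok and the client line should fail the two identity checks while still chaining to the CA, which is exactly the property an impersonating client certificate must not have. To inspect a certificate already in hand instead, point the two `has_*` functions at its PEM file.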
by Sonic.net user » Tue Mar 15, 2016 7:02 am
forest wrote:
kgc wrote:
This is a security bug and should be taken to the vendor.


Absolutely. I have already brought it up with them.

The fact remains that you just launched a VPN service that is apparently already vulnerable to impersonation with at least one widely-distributed client, and it is within your power to mitigate the problem, probably with little effort. Regardless of whose fault it is, I figured you'd want to know about it.

To other Sonic customers setting up OpenVPN clients, I suggest you make sure your client honors the "ns-cert-type server" directive that's already in your .ovpn config file, and/or add one of these directives (and verify that it works):


verify-x509-name 'CN=OpenVPN Server'
tls-remote /CN=OpenVPN_Server


Seems to work fine with the client on my pfSense box:

Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=1, CN=OpenVPN CA
Mar 15 06:52:02 openvpn[67103]: VERIFY OK: nsCertType=SERVER
Mar 15 06:52:02 openvpn[67103]: VERIFY X509NAME OK: CN=OpenVPN Server
Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=0, CN=OpenVPN Server


Your concerns are appreciated.
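The pfSense log above is the "verify that it works" step forest asked for. The following is an added example, not from the thread or from OpenVPN, of checking a client log for that evidence automatically: the chain verified, at least one server-identity check (nsCertType, KU/EKU, or X509NAME) passed, and no VERIFY ... ERROR line appeared. The three logs are constructed, modelled on the pfSense lines; the second shows what an importer that dropped "ns-cert-type server" would leave behind, and the message formats are the VERIFY lines OpenVPN 2.x writes.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): confirm from a client log
# that the server-certificate checks actually ran. All three logs are constructed
# for the demo, modelled on the pfSense output in the thread.

# A client honoring ns-cert-type and verify-x509-name:
GOOD_LOG='Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=1, CN=OpenVPN CA
Mar 15 06:52:02 openvpn[67103]: VERIFY OK: nsCertType=SERVER
Mar 15 06:52:02 openvpn[67103]: VERIFY X509NAME OK: CN=OpenVPN Server
Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=0, CN=OpenVPN Server'

# An importer that dropped "ns-cert-type server": the chain verifies, but
# nothing ever asserted that the leaf is a server certificate.
STRIPPED_LOG='Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=1, CN=OpenVPN CA
Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=0, CN=OpenVPN Server'

# An explicit verification failure (a client cert presented as the server).
FAILED_LOG='Mar 15 06:52:02 openvpn[67103]: VERIFY OK: depth=1, CN=OpenVPN CA
Mar 15 06:52:02 openvpn[67103]: VERIFY nsCertType ERROR: CN=client1, require nsCertType=SERVER'

# server_checks_ran <log text>: returns 0 only if the CA chain verified, no
# VERIFY ... ERROR line appeared, and at least one server-identity check
# (nsCertType, KU/EKU, or X509NAME) is recorded as having passed.
server_checks_ran() {
  log=$1
  printf '%s\n' "$log" | grep -q 'VERIFY OK: depth=1' || return 1
  printf '%s\n' "$log" | grep -Eq 'VERIFY ERROR|VERIFY [A-Za-z0-9]+ ERROR' && return 1
  printf '%s\n' "$log" | grep -Eq 'VERIFY OK: nsCertType=SERVER|VERIFY (KU|EKU) OK|VERIFY X509NAME OK' || return 1
  return 0
}

report() {
  if server_checks_ran "$2"; then echo "$1: server identity verified"
  else echo "$1: server identity NOT verified"; fi
}

report good "$GOOD_LOG"
report stripped "$STRIPPED_LOG"
report failed "$FAILED_LOG"
```

The "stripped" case is the one to watch for: a connection that comes up with only depth=1 and depth=0 lines and no nsCertType, KU/EKU or X509NAME line has checked that the server cert chains to the CA and nothing more, which is exactly the impersonation exposure discussed above.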
by forest » Thu Mar 24, 2016 3:50 pm
For those following the router hardware discussion, I started a new topic:
OpenVPN Service with the EdgeRouter X / EdgeRouter Lite
by ashes » Tue May 10, 2016 12:03 am
ovpn.sonic.net is down and has been down for at least 15-20 min
I can't ping it. I can't establish openvpn to it when I step outside my fail-closed VPN'd network.

Apparently I need to look into scripting a failover to beta.vpn.sonic.net

Edit:
Checking logs, it looks like it was down for ~40 min from 11:24pm to 12:05am
by forest » Tue May 10, 2016 1:52 am
ashes wrote:
ovpn.sonic.net is down and has been down for at least 15-20 min
I can't ping it.


This was part of a planned maintenance, announced in the usual places.

It took me by surprise, though, because the announcement email didn't arrive until after the VPN server was already down. I had to check Sonic's status page with my smartphone to discover what was going on.

Dexter K – System Operations wrote:
Part of this maintenance will require us to take the ovpn server offline, likely for less than 15 minutes. The maintenance should be completed within 1 hour.
by ashes » Tue May 10, 2016 12:23 pm
forest wrote:
This was part of a planned maintenance, announced in the usual places.

It took me by surprise, though, because the announcement email didn't arrive until after the VPN server was already down. I had to check Sonic's status page with my smartphone to discover what was going on.


Ah thanks. I'm still not used to finding my way around Sonic's site redesign, and I rarely have network problems.

How do you sign up for announcement emails like that? I'd love to do that so I can run a filter to alert me to upcoming outages, assuming they send scheduled maintenance notices with sufficient lead time.