OpenVPN Patch to beat deep packet inspection.

bashywash

HA! for a country that blocks OpenVPN...I sure do get a lot of OpenVPN attempts on my router from CN. Then again...I'm sure those aren't normal users, either. :)
 
Will have to see first if that patch works properly against 2.3.2 - I see it was originally designed for 2.3.0.

I have a feeling however that it will only work for a while, and eventually their DPI will be adjusted to counter this simple obfuscation as well.
 
very true; i wouldn't count on it for too long. especially with today's UTM firewalls like sidewinder and palo alto...they're always coming up with better ways to identify traffic patterns, and prevent unwanted...well...whatever.
 
True but this looks to have been working for 8 months now, since it's a custom implementation it's not something that has got much attention, YET :) Hopefully we can get this added.

Users on the thread also reported this working on 2.3.2!
 
So, you want me to help in ruining it by making it even more widespread? :p
 
Heh, actually I doubt you would be spreading anything around to the point of mass scale where ISPs notice. The client would still need to use a custom modified application which can take advantage of the new settings, and also on the server side the custom config would only be known to people who read forums, which makes this version as open as the Raspberry and ddwrt version of this modification! I think as long as BIG commercial providers leave us alone, we have more time! They have had access to all the info for months and have left this feature out. I doubt adding it to the firmware would hurt!
 
Hey bashy, the VPN provider you subscribed to has already released the asuswrt-merlin with the patch that you are mentioning.

You can download them from http://www.bolehvpn.net/forum/index.php?board=41.0

It's based on the stable 35_4 for now and available for RT-N66/U, AC56U, AC66U and AC68U.

We will be updating the latest version, once I can play catchup with Rmerl.

Eric, thanks for the help to get me up and running compiling and customizing some of the parts. The patch worked perfectly with the firmware, with no changes to any of your openvpn settings. just need to add a new config line at the custom config.
 
Hi, do you have source code available publicly? We are confident in merlin because he has the blessing of Asus, themselves. You, however, are going to need a 3rd party's seal of approval or it will be advised to stay away from your firmware, i'm afraid. nothing personal, of course.
 
@sinshiva
The source code has nothing to do with the firmware core apps. The changes are only in the openvpn source code, which is available from the openvpn repository, and the patches are also available from the openvpn forum (as given by the OP's first message), and as for a seal of approval, google can be your source.

We are mostly interested in providing the best openvpn to our users and would like to accommodate as many routers firmware as possible to them. Merlin firmware is our recommendation for asus broadcom models for openvpn client but with our flavors of openvpn binary.

We are also working to provide the same openvpn binary to dd-wrt and tomato based routers that is outside of merlin supported devices.

Please be advised that our customized version of merlin firmware is only for our users, who have trusted us for more than 7 years, and not for the general public.
 
all i see is firmware binary blobs on your site, none of the development or changes. it's not as if you are redistributing an installer so people can make the changes themselves, on their own firmware. i'm glad you've been in business for 7 years, but i've never heard of you
 
Haha, that makes two of us, I have not heard of you either, and let's leave this as it is, as I do not get involved in the forum that much and mostly I'm with Rmerl on email only.

My users are not those who do their own firmware. They just want something that works once they have flashed the firmware. And some guides from other users on how to use it.

We are just helping them to tweak the firmware to suit our needs and make our users happy.
 
Just to help clear things up a bit: Pitboss is one of the managers at Bolehvpn. So basically what he did isn't much different from what, for example, Astrill did by providing a product targeting their own customers.

It's up to everyone to choose what software they trust or not, and I totally respect that. I'm even happy to see that people are starting to be more concerned about security in general than they were 5 years ago.
 
Pitboss, I noticed that, but I wasn't sure if this patch was available on your custom firmware to only be used on your service alone or not. Also, does your firmware allow me to set up my own VPN server with the built-in OpenVPN with this feature added or not!?
 
good enough for me. sorry pitboss, i'm a little overzealous in security, perhaps, but i think we all need to be anymore.
 
The version on our website can be used as client or server. Openvpn only has one binary, and whether it's client or server depends on your configuration.

For everyone's info, the patched openvpn binary that we are using is able to run with or without the scramble options and act either as server or client to any other openvpn servers.

For support, please refer to bolehvpn support forum.
 
I'm using AC66U Merlin in Shanghai. With the openvpn client running, the log is absolutely full (hundreds) of entries as below..... With vpn off, nothing unusual is seen. Many different IP addresses, all from Nanjing and Hangzhou, seem to be doing this. Worrying, but apart from switching vpn off, there seems to be nothing I can do.

Bob


Jan 8 18:15:29 dropbear[15813]: Login attempt for nonexistent user from 61.147.116.51:4292
Jan 8 18:15:30 dropbear[15813]: Exit before auth: Max auth tries reached - user 'is invalid' from 61.147.116.51:4292
Jan 8 18:15:32 dropbear[15950]: Child connection from 61.147.116.51:1557
Jan 8 18:15:42 dropbear[15950]: Login attempt for nonexistent user from 61.147.116.51:1557
Jan 8 18:15:43 dropbear[15950]: Login attempt for nonexistent user from 61.147.116.51:1557
Jan 8 18:15:44 dropbear[15950]: Login attempt for nonexistent user from 61.147.116.51:1557
Jan 8 18:15:45 dropbear[15950]: Login attempt for nonexistent user from 61.147.116.51:1557
Jan 8 18:15:46 dropbear[15950]: Login attempt for nonexistent user from 61.147.116.51:1557
Jan 8 18:15:46 dropbear[15950]: Exit before auth: Max auth tries reached - user 'is invalid' from 61.147.116.51:1557
Jan 8 18:15:50 dropbear[16032]: Child connection from 61.147.116.51:1608
Jan 8 18:16:10 dropbear[16032]: Login attempt for nonexistent user from 61.147.116.51:1608
Jan 8 18:16:11 dropbear[16032]: Login attempt for nonexistent user from 61.147.116.51:1608
Jan 8 18:16:13 dropbear[16032]: Login attempt for nonexistent user from 61.147.116.51:1608
Jan 8 18:16:14 dropbear[16032]: Login attempt for nonexistent user from 61.147.116.51:1608
Jan 8 18:16:15 dropbear[16032]: Login attempt for nonexistent user from 61.147.116.51:1608
Jan 8 18:16:15 dropbear[16032]: Exit before auth: Max auth tries reached - user 'is invalid' from 61.147.116.51:1608
Jan 8 18:16:20 dropbear[16176]: Child connection from 61.147.116.51:3916
Jan 8 18:16:26 dropbear[16176]: Login attempt for nonexistent user from 61.147.116.51:3916
Jan 8 18:16:27 dropbear[16176]: Login attempt for nonexistent user from 61.147.116.51:3916
Jan 8 18:16:28 dropbear[16176]: Login attempt for nonexistent user from 61.147.116.51:3916
Jan 8 18:16:31 dropbear[16176]: Login attempt for nonexistent user from 61.147.116.51:3916
Jan 8 18:16:32 dropbear[16176]: Login attempt for nonexistent user from 61.147.116.51:3916
Jan 8 18:16:33 dropbear[16176]: Exit before auth: Max auth tries reached - user 'is invalid' from 61.147.116.51:3916
 
Those connection attempts are all on SSH. Either disable SSH access from WAN, or enable brute force protection under System.
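
The log pattern discussed above, tallied per source address so the scale of the SSH guessing is visible before and after WAN access is restricted. This is an added example, not code from the thread or from the firmware; the sample lines are constructed in the quoted dropbear format with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the dropbear syslog format quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not taken from the post.
SAMPLE_LOG = """\
Jan 8 18:15:29 dropbear[15813]: Login attempt for nonexistent user from 203.0.113.51:4292
Jan 8 18:15:30 dropbear[15813]: Exit before auth: Max auth tries reached - user 'is invalid' from 203.0.113.51:4292
Jan 8 18:15:32 dropbear[15950]: Child connection from 203.0.113.51:1557
Jan 8 18:15:42 dropbear[15950]: Login attempt for nonexistent user from 203.0.113.51:1557
Jan 8 18:15:43 dropbear[15950]: Login attempt for nonexistent user from 203.0.113.51:1557
Jan 8 18:15:46 dropbear[15950]: Exit before auth: Max auth tries reached - user 'is invalid' from 203.0.113.51:1557
Jan 8 18:17:02 dropbear[16201]: Child connection from 198.51.100.7:50122
Jan 8 18:17:05 dropbear[16201]: Login attempt for nonexistent user from 198.51.100.7:50122
Jan 8 18:17:09 kernel: unrelated line that must be ignored
"""

LINE_RE = re.compile(
    r"dropbear\[(?P<pid>\d+)\]:\s+(?P<msg>.+?)\s+from\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$"
)
FAILED = ("Login attempt for nonexistent user", "Bad password attempt")
LOCKOUT = "Max auth tries reached"

def summarize(log_text):
    """Return {ip: {"sessions", "failed", "lockouts"}} for dropbear lines."""
    pids = defaultdict(set)
    stats = defaultdict(lambda: {"sessions": 0, "failed": 0, "lockouts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, msg = m["ip"], m["msg"]
        # Count sessions by child PID: the log may start mid-session,
        # so a "Child connection" line is not guaranteed to be present.
        pids[ip].add(m["pid"])
        if msg.startswith(FAILED):
            stats[ip]["failed"] += 1
        elif LOCKOUT in msg:
            stats[ip]["lockouts"] += 1
    for ip, seen in pids.items():
        stats[ip]["sessions"] = len(seen)
    return dict(stats)

def brute_force_sources(log_text, min_failed=3):
    """Source IPs with at least min_failed failed logins or any lockout."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["failed"] >= min_failed or s["lockouts"] > 0)
```

Run `summarize()` over the router's syslog text; once SSH is no longer reachable from the WAN, the per-address counts for outside sources should stop growing.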
 
