3

I'm investigating the behavior of SSL decryptors on OpenVPN connections to port 443, and I noticed that the device I use as a decryption proxy doesn't recognize OpenVPN connections as TLS and thus doesn't decrypt them. The question then is: how does the OpenVPN protocol differ from standard TLS?

Lapsio
  • 217
  • 1
  • 9

2 Answers

6

OpenVPN uses TLS for authentication and key exchange, but it does not use it for the actual data encryption. When running on UDP, OpenVPN runs the TLS session on top of a custom "reliability layer"; I'm not sure what it does when running on TCP.

Furthermore, an OpenVPN network uses its own CA to authenticate both server and client certificates. So you can't subvert the certificate process by loading a cert into the OS certificate store.

Peter Green
  • 4,918
  • 1
  • 21
  • 26
  • Some clients, including one I use, don't support server certificate validation, thus I'm concerned about decryptors. – Lapsio Oct 11 '17 at 11:09
  • For reference, OpenVPN uses a control and a data channel multiplexed over the transport layer. **In TLS mode**, a TLS session is used over the control channel (only, not the data channel) in order to authenticate the connection, exchange cryptographic material, etc. OpenVPN uses the following stack: TLS / data channel / OpenVPN multiplexing / transport layer (eg. TCP). In contrast, dissectors (especially when working on port 443) will usually expect TLS / TCP. If you use a OpenVPN dissector (eg. in Wireshark), you will be able to correctly dissect the OpenVPN protocol and see the TLS messages. – ysdx Nov 27 '19 at 09:08
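As an added illustration of the stack ysdx describes (this is not code from the question or either answer), the following Python tells a bare TLS record apart from OpenVPN's TCP framing and locates the TLS record inside a control-channel packet, which is what a port-443 TLS dissector fails to do on its own. It assumes no tls-auth/tls-crypt HMAC wrapper is in use and that the buffer holds one complete OpenVPN packet; the sample bytes are constructed, not captured.

```python
import struct

# Opcodes from the OpenVPN protocol: high 5 bits of the first byte after the
# 2-byte TCP length prefix; the low 3 bits carry the key id.
P_CONTROL_V1, P_ACK_V1, P_DATA_V1 = 4, 5, 6
P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2, P_DATA_V2 = 7, 8, 9
CONTROL = {P_CONTROL_V1, P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2}


def is_tls_record(buf):
    """Plain TLS record header: content type 0x14..0x17, version 0x03 0x0X."""
    return len(buf) >= 5 and 0x14 <= buf[0] <= 0x17 and buf[1] == 0x03 and buf[2] <= 0x04


def classify_tcp_payload(buf):
    """Return what sits at the start of a TCP segment payload on port 443."""
    if is_tls_record(buf):
        return {"layer": "tls", "tls_offset": 0}
    if len(buf) < 3 or struct.unpack("!H", buf[:2])[0] != len(buf) - 2:
        return {"layer": "unknown"}
    opcode, key_id = buf[2] >> 3, buf[2] & 0x07
    info = {"layer": "openvpn", "opcode": opcode, "key_id": key_id, "tls_offset": None}
    if opcode in (P_DATA_V1, P_DATA_V2, P_ACK_V1):
        return info  # data channel (symmetric ciphertext) or bare ACK: no TLS inside
    if opcode not in CONTROL:
        return {"layer": "unknown"}
    # Control packet layout without tls-auth (assumed): opcode(1) session_id(8)
    # ack_count(1) [ack_ids(4*n) remote_session_id(8)] packet_id(4) TLS bytes...
    off = 2 + 1 + 8
    ack_count = buf[off]
    off += 1 + (4 * ack_count + 8 if ack_count else 0) + 4
    if is_tls_record(buf[off:]):
        info["tls_offset"] = off  # the TLS record only begins here
    return info


# Constructed samples (not captured traffic). A minimal TLS ClientHello record
# header followed by a dummy 4-byte handshake body:
TLS_RECORD = bytes.fromhex("1603010004" "01000000")
# The same record wrapped as an OpenVPN P_CONTROL_V1 packet in TCP mode:
_body = (bytes([P_CONTROL_V1 << 3]) + bytes.fromhex("deadbeefcafef00d") + b"\x00"
         + struct.pack("!I", 1) + TLS_RECORD)
OPENVPN_CONTROL = struct.pack("!H", len(_body)) + _body
# An OpenVPN P_DATA_V2 packet: opcode/key byte, 3-byte peer id, dummy ciphertext.
_data = bytes([P_DATA_V2 << 3]) + b"\x00\x00\x00" + bytes.fromhex("0123456789abcdef")
OPENVPN_DATA = struct.pack("!H", len(_data)) + _data

if __name__ == "__main__":
    for name, pkt in (("tls", TLS_RECORD), ("control", OPENVPN_CONTROL), ("data", OPENVPN_DATA)):
        print(name, classify_tcp_payload(pkt))
```

The control packet only yields a TLS record after the OpenVPN header is stripped, and the data packet yields none at all, which is exactly what a proxy expecting TLS directly over TCP never gets to see.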
-3

OpenVPN provides different ways to manage VPNs on your device. OpenVPN uses OpenSSL (a TLS implementation) to provide TLS tunneling. It simply uses the TLS protocol to establish a secure tunnel.

OpenVPN uses its own protocol to authenticate with an OpenVPN server and manage connections. However, the actual tunnel is still a standard TLS session. The authentication is performed prior to establishing TLS. So your decryption proxy will not know what to do with these authentication-type packets when it's looking for straight TLS.

This is similar to how Tor uses TLS. Tor has its own protocol for establishing circuits and authenticating to Tor routers, but the TLS sessions are standard TLS between the routers. Decryption proxies won't know how to handle the Tor protocol that precedes the establishment of the TLS sessions.

RoraΖ
  • 12,317
  • 4
  • 51
  • 83
  • Tor runs the traffic through TLS (within custom extra layers). OpenVPN uses TLS only for control, but sends data through a separate channel. – CodesInChaos Oct 09 '17 at 15:36
  • @CodesInChaos OpenVPN is a TLS VPN, there might be separate channels, but my understanding is that TLS is used regardless. Can you point me towards a reference that explains what you mean? – RoraΖ Oct 09 '17 at 15:50
  • @RoraΖ security of OpenVPN data relies on symmetric encryption, whose keys are previously established and exchanged in the TLS negotiation(s). Due to being encrypted, data packets don't need a secure channel and go straight to the UDP or TCP tunnel socket. – keeshux Apr 14 '18 at 22:01