OpenVPN socks proxy authentication methods, bug #377 fixed


obfsproxy is a tool that provides traffic obfuscation between a client and a server. It supports different obfuscation protocols, called pluggable transports, which define how the underlying traffic is transformed. Although obfsproxy is mainly used in Tor bridges, it can also be used to obfuscate other kinds of traffic, such as VPN traffic.

When using OpenVPN with obfsproxy, the SOCKS proxy functionality has to be used on both the client and the server side in order to route VPN traffic through the obfuscated channel. obfsproxy implements SOCKSv5 and supports SOCKS authentication as a means of passing parameters to the pluggable transport in use.

SOCKS Protocol Version 5, as described in RFC 1928, defines various authentication methods, including “no-authentication” and “username-password”. The SOCKS client advertises the methods it is willing to use, and the SOCKS server then freely picks one of them.

The problem was that the OpenVPN client advertised both the “no-authentication” and “username-password” methods, even when it did not want to authenticate or had no authentication credentials at all. RFC 1928 defines no explicit preference order among the methods the client advertises. Since the client always advertised both, the obfsproxy SOCKS server picked “username-password”. This was a problem when using a pluggable transport that has no parameters or credentials to pass at all (e.g. obfs3): in that case the connection naturally failed.

On the other hand, if the OpenVPN client did want to use credentials, it should not have advertised the “no-authentication” method at all.

This situation, described in bug #377, was fixed with a patch to src/openvpn/socks.c and will be part of OpenVPN as of version 2.3.4. After the patch, the OpenVPN client forms the authentication negotiation message as follows:

 /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
 char method_sel[3] = { 0x05, 0x01, 0x00 };
 if (p->authfile[0])
     method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
 const ssize_t size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL);

The authentication method defaults to 0x01, meaning “no-authentication”, but if an authentication file is present then the “username-password” method is advertised instead.
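To make the negotiation concrete, the following is an added C model (not OpenVPN's or obfsproxy's own code) of the client greeting before and after the fix, together with a server that, like the obfsproxy server in the bug report, prefers username/password whenever the client offers it. The function names and the server's preference rule are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define SOCKS_VER       0x05
#define SOCKS_NO_AUTH   0x00  /* RFC 1928: NO AUTHENTICATION REQUIRED */
#define SOCKS_USER_PASS 0x02  /* RFC 1928: USERNAME/PASSWORD */
#define SOCKS_NO_ACCEPT 0xFF  /* RFC 1928: NO ACCEPTABLE METHODS */

/* Client greeting as sent before the fix: both methods always offered. */
size_t greeting_before_fix(unsigned char out[4])
{
    out[0] = SOCKS_VER; out[1] = 2;                 /* VER, NMETHODS */
    out[2] = SOCKS_NO_AUTH; out[3] = SOCKS_USER_PASS;
    return 4;
}

/* Client greeting after the fix: exactly one method, chosen by whether
 * an auth file (i.e. credentials) is configured. */
size_t greeting_after_fix(int have_authfile, unsigned char out[3])
{
    out[0] = SOCKS_VER; out[1] = 1;
    out[2] = have_authfile ? SOCKS_USER_PASS : SOCKS_NO_AUTH;
    return 3;
}

/* Assumed server policy: pick username/password whenever it is listed,
 * else no-auth if listed, else refuse. RFC 1928 allows any choice. */
int server_select_method(const unsigned char *msg, size_t len)
{
    if (len < 2 || msg[0] != SOCKS_VER || len != (size_t)2 + msg[1])
        return SOCKS_NO_ACCEPT;                     /* malformed greeting */
    int have_noauth = 0;
    for (size_t i = 0; i < msg[1]; i++) {
        if (msg[2 + i] == SOCKS_USER_PASS) return SOCKS_USER_PASS;
        if (msg[2 + i] == SOCKS_NO_AUTH)   have_noauth = 1;
    }
    return have_noauth ? SOCKS_NO_AUTH : SOCKS_NO_ACCEPT;
}

/* 1 if the client can complete the selected method: no-auth always,
 * username/password only when it actually has credentials. */
int negotiation_succeeds(int have_authfile, const unsigned char *msg, size_t len)
{
    int m = server_select_method(msg, len);
    if (m == SOCKS_NO_AUTH)   return 1;
    if (m == SOCKS_USER_PASS) return have_authfile;
    return 0;
}

int main(void)
{
    unsigned char old[4], fixed[3];
    size_t n = greeting_before_fix(old);
    printf("before fix, no credentials (obfs3): %s\n",
           negotiation_succeeds(0, old, n) ? "ok" : "FAILS");
    n = greeting_after_fix(0, fixed);
    printf("after fix, no credentials (obfs3):  %s\n",
           negotiation_succeeds(0, fixed, n) ? "ok" : "FAILS");
    return 0;
}
```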

OpenVPN 2.3.4 was released on May 2nd 2014.
