OpenVPN Windows TAP in AWS

Eddie Rivera
OpenVpn Newbie
Posts: 2
Joined: Tue Aug 22, 2017 8:30 pm

OpenVPN Windows TAP in AWS

Post by Eddie Rivera » Tue Aug 22, 2017 9:01 pm

I'm currently trying to capture all traffic from a Windows server to a Security Onion server running OpenVPN in bridging mode. The server works perfectly, as it is functioning with Linux clients as well as answering DHCP requests. The Windows client has a bridged interface as well as a primary interface. I've set all the applications to run as an administrator as well as disabled firewall monitoring on the TAP interface (I also opened ports 443, 53, 1194 and ICMP). When I start the OpenVPN GUI and start the connection, it says it's successful, but I don't see any UDP 1194 traffic destined to the OpenVPN server. All OpenVPN traffic I see is from my primary interface. See below for my log outputs.

Tue Aug 22 20:18:52 2017 OpenVPN 2.3.16 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 19 2017
Tue Aug 22 20:18:52 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Aug 22 20:18:52 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Tue Aug 22 20:18:52 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Aug 22 20:18:52 2017 Need hold release from management interface, waiting...
Tue Aug 22 20:18:52 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Aug 22 20:18:52 2017 MANAGEMENT: CMD 'state on'
Tue Aug 22 20:18:52 2017 MANAGEMENT: CMD 'log all on'
Tue Aug 22 20:18:52 2017 MANAGEMENT: CMD 'hold off'
Tue Aug 22 20:18:52 2017 MANAGEMENT: CMD 'hold release'
Tue Aug 22 20:18:53 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Aug 22 20:18:53 2017 UDPv4 link local: [undef]
Tue Aug 22 20:18:53 2017 UDPv4 link remote: [AF_INET]10.1XX.2X.122:1194
Tue Aug 22 20:18:53 2017 MANAGEMENT: >STATE:1503433133,WAIT,,,
Tue Aug 22 20:18:53 2017 MANAGEMENT: >STATE:1503433133,AUTH,,,
Tue Aug 22 20:18:53 2017 TLS: Initial packet from [AF_INET]10.1XX.2X.122:1194, sid=0d2fae31 f2e8728e
Tue Aug 22 20:18:53 2017 VERIFY OK: depth=1, C=US, ST=FL, L=City, O=Somewhere, OU=organized, CN=Security Onion, name=Security Onion, emailAddress=help@somewhere.com
Tue Aug 22 20:18:53 2017 Validating certificate key usage
Tue Aug 22 20:18:53 2017 ++ Certificate has key usage 00a0, expects 00a0
Tue Aug 22 20:18:53 2017 VERIFY KU OK
Tue Aug 22 20:18:53 2017 Validating certificate extended key usage
Tue Aug 22 20:18:53 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Aug 22 20:18:53 2017 VERIFY EKU OK
Tue Aug 22 20:18:53 2017 VERIFY OK: depth=0, C=US, ST=FL, L=City, O=Somewhere, OU=organized, CN=securityonion, name=securityonion, emailAddress=help@somewhere.com
Tue Aug 22 20:18:53 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 22 20:18:53 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Aug 22 20:18:53 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 22 20:18:53 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 22 20:18:53 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Aug 22 20:18:53 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 22 20:18:53 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Aug 22 20:18:53 2017 [securityonion] Peer Connection Initiated with [AF_INET]10.1XX.2X.122:1194
Tue Aug 22 20:18:54 2017 MANAGEMENT: >STATE:1503433134,GET_CONFIG,,,
Tue Aug 22 20:18:55 2017 SENT CONTROL [securityonion]: 'PUSH_REQUEST' (status=1)
Tue Aug 22 20:18:55 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.10 255.255.255.0'
Tue Aug 22 20:18:55 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 22 20:18:55 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 22 20:18:55 2017 OPTIONS IMPORT: route-related options modified
Tue Aug 22 20:18:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Aug 22 20:18:55 2017 MANAGEMENT: >STATE:1503433135,ASSIGN_IP,,10.8.0.10,
Tue Aug 22 20:18:55 2017 open_tun, tt->ipv6=0
Tue Aug 22 20:18:55 2017 TAP-WIN32 device [TAP-Win32] opened: \\.\Global\{F7D3D415-73E2-4A48-A73B-866A91C1268C}.tap
Tue Aug 22 20:18:55 2017 TAP-Windows Driver Version 9.21
Tue Aug 22 20:18:55 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.0 on interface {F7D3D415-73E2-4A48-A73B-866A91C1268C} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
Tue Aug 22 20:18:55 2017 NOTE: FlushIpNetTable failed on interface [16] {F7D3D415-73E2-4A48-A73B-866A91C1268C} (status=1168) : Element not found.
Tue Aug 22 20:19:05 2017 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Aug 22 20:19:05 2017 Initialization Sequence Completed
Tue Aug 22 20:19:05 2017 MANAGEMENT: >STATE:1503433145,CONNECTED,SUCCESS,10.8.0.10,10.1XX.2X.122

Below is some Wireshark capture during the handshake process. Please note that I use OpenVPN as the VPN client into my VPCs as well.
Outside of this handshake info, there is also a lot of UDP traffic (P_DATA_V1) that's going back and forth during the handshake and after.

No.  Time      Source         Destination    Protocol  Length  Info
425  4.144641  10.1XX.2X.211  10.1XX.2X.122  TLSv1     301     Client Hello
503  4.199104  10.1XX.2X.122  10.1XX.2X.211  TLSv1     146     Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
515  4.228941  10.1XX.2X.211  10.1XX.2X.122  TLSv1     1230    Ignored Unknown Record
516  4.228993  10.1XX.2X.211  10.1XX.2X.122  TLSv1     941     Ignored Unknown Record
520  4.236115  10.1XX.2X.122  10.1XX.2X.211  TLSv1     127     Change Cipher Spec, Encrypted Handshake Message
521  4.236283  10.1XX.2X.211  10.1XX.2X.122  TLSv1     446     Application Data, Application Data

I'm not sure where the issue lies as I can't quite see what's going on, but any help would be great
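An added example, not code from the post or from the OpenVPN project: a small Python script that reads the client log above and pulls out what was actually negotiated (data-channel cipher and HMAC, control-channel TLS version, the remote endpoint, the pushed options) and flags the settings the log itself warns about. Because this is a tap-mode push, `ifconfig <ip> <netmask>` describes the bridged subnet, so the script also derives that subnet and checks that the pushed `route-gateway` sits inside it. SAMPLE_LOG is copied from the post with the poster's masked addresses left as they appear; HARDENED_LOG is constructed to show what a clean result looks like and is not real output from this deployment. The regexes assume the 2.3/2.4 log line formats shown in the post.

```python
"""Added example: summarise an OpenVPN client log and flag weak negotiated settings."""
import ipaddress
import re

# Copied from the client log in the post above (poster's masked addresses kept as-is).
SAMPLE_LOG = """\
Tue Aug 22 20:18:53 2017 UDPv4 link remote: [AF_INET]10.1XX.2X.122:1194
Tue Aug 22 20:18:53 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 22 20:18:53 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Aug 22 20:18:53 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 22 20:18:53 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Aug 22 20:18:55 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.10 255.255.255.0'
Tue Aug 22 20:19:05 2017 Initialization Sequence Completed
"""

# Constructed (hypothetical) lines for a client that negotiated AES-256-GCM and TLS 1.2;
# an AEAD cipher prints no separate HMAC line.
HARDENED_LOG = """\
Tue Aug 22 21:00:00 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Aug 22 21:00:00 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Aug 22 21:00:00 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ifconfig 10.8.0.10 255.255.255.0'
Tue Aug 22 21:00:10 2017 Initialization Sequence Completed
"""

# 64-bit block ciphers: the SWEET32 class OpenVPN's own warning refers to.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
WEAK_HMACS = {"MD5", "SHA1"}
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}

REMOTE_RE = re.compile(r"link remote: \[AF_INET\]([^\s:\]]+):(\d+)")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")
HMAC_RE = re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'")
CONTROL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^\s,]+)")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")


def parse_push_reply(payload):
    """'route-gateway 10.8.0.1,ping 10,...' -> {'route-gateway': ['10.8.0.1'], 'ping': ['10'], ...}"""
    opts = {}
    for item in payload.split(","):
        parts = item.split()
        if parts:
            opts[parts[0]] = parts[1:]
    return opts


def analyze(log_text):
    """Return (summary, findings): negotiated parameters and a list of human-readable problems."""
    summary = {"remote": None, "data_cipher": None, "data_hmac": None, "control_tls": None,
               "control_cipher": None, "pushed": {}, "tap_subnet": None, "completed": False}
    for line in log_text.splitlines():
        if m := REMOTE_RE.search(line):
            summary["remote"] = (m.group(1), int(m.group(2)))
        elif m := CIPHER_RE.search(line):
            summary["data_cipher"] = m.group(1)
        elif m := HMAC_RE.search(line):
            summary["data_hmac"] = m.group(1)
        elif m := CONTROL_RE.search(line):
            summary["control_tls"], summary["control_cipher"] = m.group(1), m.group(2)
        elif m := PUSH_RE.search(line):
            summary["pushed"] = parse_push_reply(m.group(1))
        elif "Initialization Sequence Completed" in line:
            summary["completed"] = True

    findings = []
    if summary["data_cipher"] in SMALL_BLOCK_CIPHERS:
        findings.append(f"data channel: {summary['data_cipher']} has a 64-bit block (SWEET32)")
    if summary["data_hmac"] in WEAK_HMACS:
        findings.append(f"data channel: HMAC uses {summary['data_hmac']}")
    if summary["control_tls"] and summary["control_tls"] not in ACCEPTABLE_TLS:
        findings.append(f"control channel: negotiated {summary['control_tls']}; set tls-version-min 1.2")

    # Tap mode: 'ifconfig <ip> <netmask>' is the bridged subnet; the pushed gateway must lie in it.
    pushed = summary["pushed"]
    if len(pushed.get("ifconfig", [])) == 2 and pushed.get("route-gateway"):
        net = ipaddress.ip_interface("/".join(pushed["ifconfig"])).network
        gw = ipaddress.ip_address(pushed["route-gateway"][0])
        summary["tap_subnet"] = str(net)
        if gw not in net:
            findings.append(f"pushed route-gateway {gw} is outside the TAP subnet {net}")
    return summary, findings


if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE_LOG), ("hardened (constructed)", HARDENED_LOG)):
        summary, findings = analyze(text)
        print(name, summary)
        for f in findings:
            print("  !", f)
```

On the posted log this reports three findings (BF-CBC, SHA1 HMAC, TLSv1 control channel) and a TAP subnet of 10.8.0.0/24 with the gateway inside it; the constructed hardened log reports none. Note that none of this says anything about which interface the UDP/1194 packets leave on: the log only records the crypto and the addresses the server pushed.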

AdamJeo01
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 23, 2017 1:18 pm

Re: OpenVPN Windows TAP in AWS

Post by AdamJeo01 » Wed Aug 23, 2017 1:27 pm

Thanks for sharing, but it is too difficult.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Windows TAP in AWS

Post by TinCanTech » Wed Aug 23, 2017 2:18 pm

It is probably due to bad bridge configuration.

Eddie Rivera
OpenVpn Newbie
Posts: 2
Joined: Tue Aug 22, 2017 8:30 pm

Re: OpenVPN Windows TAP in AWS

Post by Eddie Rivera » Wed Aug 23, 2017 2:30 pm

The bridge server or client? This is my client.conf file from the Windows instance. It's nearly identical to the Linux client.conf files with the exception of TAP-Win32 and key references. Only my Windows instances are having an issue.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node TAP-Win32

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 10.1XX.2X.122 1194
remote 10.1XX.1X.128 1194
remote 10.1XX.6X.225 1194
remote 10.1XX.1X.81 1194

;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry 3 retry on connection failures
;http-proxy [x.x.x.x] [proxy port 8080]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert somekey.crt
key somekey.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
;cipher AES-256-CBC


# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

route-method exe
route-delay 10
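The file above leaves cipher, auth and tls-auth at their OpenVPN 2.3 defaults, which is why the log shows BF-CBC, a SHA1 HMAC and a TLSv1 control channel. The fragment below is an added example, not the poster's file or anything shipped by the OpenVPN project: the three settings as posted beside a hardened version. It assumes the server config is changed to match (in 2.3, cipher and auth must be identical on both ends), that ta.key is generated with `openvpn --genkey --secret ta.key` and installed on the server with `tls-auth ta.key 0`, and that both ends run 2.3.3 or later so tls-version-min is understood; the rest of the posted file stays as it is.

```conf
# Added hardening example, not the poster's client.conf. Assumes the server is
# updated to the same cipher/auth and carries the same ta.key (direction 0).

# --- as posted: cipher, auth and tls-auth left at OpenVPN 2.3 defaults ---
# Unset cipher means BF-CBC, a 64-bit block cipher (the SWEET32 warning in the log);
# unset auth means a SHA1 HMAC; with no TLS floor a TLSv1 control channel was accepted;
# with no tls-auth, any UDP source can start a TLS handshake with the server.
;cipher AES-256-CBC
;tls-auth ta.key 1

# --- hardened ---
# 128-bit block cipher; must match 'cipher' on the server.
cipher AES-256-CBC
# Data-channel HMAC; must match 'auth' on the server.
auth SHA256
# Refuse TLS 1.0/1.1 on the control channel (needs OpenVPN 2.3.3 or later on both ends).
tls-version-min 1.2
# Drop control packets not HMAC-signed with ta.key before TLS sees them; clients use direction 1.
tls-auth ta.key 1
# Keep: rejects a client certificate presented as the server.
remote-cert-tls server
```

After the change, the client log should no longer print the INSECURE cipher warning, and the Control Channel line should read TLSv1.2. None of this alters which adapter carries the UDP/1194 transport; it only closes the weaknesses the posted log documents.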
