webwasher

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

webwasher

Post by huy » Tue Apr 12, 2011 3:34 pm

Hi,

I'm using openvpn to get outside my company network (please stay with the off-topic topic) but they're changing their policy. We will soon be transitioning from squid to webwasher (http://www.mcafee.com/us/products/web-gateway.aspx). As you might know, it acts as a MITM in order to scan for possible malware or bad activity, thus decrypting and re-encrypting communications. Of course that breaks openvpn badly (Bad encapsulated packet length from peer), probably forever. Am I right, or is there a way to relax checks on openvpn's side and run another tunnel inside (openvpn or ipsec in openvpn, or maybe openvpn in some sort of http tunnel)?

Thanks

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: webwasher

Post by janjust » Tue Apr 12, 2011 4:32 pm

If you specify your own client configuration with your own ca.crt and client.{crt,key} files, then there is no way that webwasher is capable of decrypting that communication.
You might have to resort to using a different http or socks proxy, or it could be that openvpn connections via the proxy are blocked altogether, but decrypting and re-encrypting an openvpn connection is not possible, unless your encryption ciphers are too weak (the default should be OK, but if you're paranoid use AES-256, which is not broken yet).

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Tue Apr 12, 2011 8:44 pm

Well, I'm indeed using my own ca.crt and client key pair; however, the connection is initiated but will stop with the following message on the server side:
WARNING: Bad encapsulated packet length from peer (32892), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
On the client side, there's a similar message with a different number (18516).
The same connection using the squid proxy works fine.
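To make the warning quoted in this post concrete, here is an added example (not code from the thread, and not OpenVPN's own implementation) that models the framing check the message comes from. OpenVPN's TCP transport prefixes every packet with a 2-byte big-endian length; a peer that reads a prefix of 0, or larger than its configured link MTU allows (1544 for the server in this thread), reports exactly the warning shown above and restarts. The sample byte streams are constructed, and the bound of 1544 and the two rejected values 32892 and 18516 are taken from the post. Decoding the rejected prefixes is the diagnostic step: 18516 is 0x4854, the ASCII bytes 'H' 'T', which is what a client sees when the start of an "HTTP/..." text reply lands where binary framing was expected, while 32892 (0x807c) is not printable text.

```python
import struct

# OpenVPN over TCP frames each packet with a 2-byte big-endian length.
# 1544 is the upper bound the server in the thread reported; it follows from
# that peer's MTU settings and is a parameter here, not a protocol constant.
MAX_PACKET_LEN = 1544


def parse_tcp_stream(data, max_len=MAX_PACKET_LEN):
    """Split an OpenVPN-over-TCP byte stream into packets.

    Returns (packets, error). error is None when every prefix was valid,
    otherwise a string modelled on OpenVPN's own warning text. Parsing stops
    at the first bad prefix, as the real peer does before restarting.
    """
    packets = []
    offset = 0
    while offset + 2 <= len(data):
        (length,) = struct.unpack_from(">H", data, offset)
        if length == 0 or length > max_len:
            return packets, (
                "Bad encapsulated packet length from peer (%d), "
                "which must be > 0 and <= %d" % (length, max_len)
            )
        offset += 2
        if offset + length > len(data):
            break  # trailing packet not fully received yet; wait for more
        packets.append(data[offset:offset + length])
        offset += length
    return packets, None


def describe_bad_length(length):
    """Decode a rejected 16-bit prefix back into the two bytes it came from.

    Returns (hex_string, byte_pair, ascii_or_None); ascii is given only when
    both bytes are printable ASCII, the tell-tale of text (such as an HTTP
    reply from a proxy) arriving where binary framing was expected.
    """
    hi, lo = length >> 8, length & 0xFF
    printable = all(0x20 <= b < 0x7F for b in (hi, lo))
    text = chr(hi) + chr(lo) if printable else None
    return "0x%04x" % length, (hi, lo), text


def frame(payload):
    """Build one correctly framed packet (used only to construct samples)."""
    return struct.pack(">H", len(payload)) + payload


# Constructed sample streams (not captures from the thread).
CLEAN_STREAM = frame(b"\x38" + b"\x00" * 13) + frame(b"\x48" + b"\x01" * 40)
# What a client might read if the proxy answered with HTTP text instead of
# passing the TCP stream through: the first two bytes "HT" become the prefix.
HTTP_REPLY_STREAM = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
# A non-text prefix equal to the value the server reported in the thread.
CORRUPT_STREAM = b"\x80\x7c" + b"\x00" * 8


if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STREAM),
                         ("http reply", HTTP_REPLY_STREAM),
                         ("corrupt", CORRUPT_STREAM)):
        packets, error = parse_tcp_stream(stream)
        print("%-10s packets=%d error=%s" % (name, len(packets), error))
        if error:
            length = int(error.split("(")[1].split(")")[0])
            print("           prefix decodes to", describe_bad_length(length))
```

The useful habit this shows is to treat the number in the warning as two bytes rather than a length: a printable pair means the peer is reading text from something in the path (a proxy's block page or error reply), whereas a non-printable pair points at a stream that was altered or resynchronised mid-connection. Both are worth logging on the server side, since the same warning is how an active tampering attempt on the TCP link would first show up.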

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: webwasher

Post by janjust » Wed Apr 13, 2011 7:58 am

That sounds like the webwasher is indeed attacking and corrupting the VPN packets - there's little you can do about that, other than encapsulating your VPN packets in an SSL tunnel (e.g. using 'stunnel') - but that is off-topic for this list.
If a company wants to stop you from using a VPN tunnel (which is their prerogative) then they can.

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Wed Apr 13, 2011 7:59 am

Well it seems that it actually filters anything that's not strictly https.

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Wed Apr 13, 2011 8:04 am

janjust wrote:
that sounds like the webwasher is indeed attacking and corrupting the VPN packets - there's little you can do about that, other than encapsulating your VPN packets in an SSL tunnel (e.g. using 'stunnel') - but that is off-topic for this list.
If a company wants to stop you from using a VPN tunnel (which is their prerogative) then they can.

How different is openvpn compared to stunnel? If webwasher can corrupt the openvpn traffic, there's no reason stunnel should work better, to me.
