webwasher

This forum is for general conversation and user-user networking.
Post Reply
huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

webwasher

Post by huy » Tue Apr 12, 2011 3:34 pm

Hi,

I'm using openvpn to get outside my company network (please stay with the off topic topic) but they're changing their policy. We will be soon transitioning from squid to webwasher (http://www.mcafee.com/us/products/web-gateway.aspx). As you might know, it acts as MITM in order to scan possible malware or bad activity thus decrypting and reencryping communications. Of course that breaks openvpn badly (Bad encapsulated packet length from peer), probably forever. Am I right or is there a way to relax checks on openvpn's side and run another tunnel inside (openvpn or ipsec in openvpn, or maybe oepnvpn in some sort of http tunnel) ?

Thanks

User avatar
janjust
Forum Team
Posts: 2702
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: webwasher

Post by janjust » Tue Apr 12, 2011 4:32 pm

if you specify your own client configuration with your own ca.crt and client.{crt,key} files then there is no way that webwasher is capable of decrypting that communication.
You might have to resort to using a different http or socks proxy, or it could be that openvpn connections via the proxy are blocked altogether, but decrypting and re-encrypting an openvpn connection is not possible, unless your encryption ciphers are too weak (the default should be OK, but if you're paranoid use AES-256, which is not broken yet).

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Tue Apr 12, 2011 8:44 pm

Well i'm indeed using my own ca.crt and client key pair however the connection is initiated but will stop with the following message on server side:
WARNING: Bad encapsulated packet length from peer (32892), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
On the client side, there's a similar message with a different number (18516).
The same connection using the squid proxy works fine.

User avatar
janjust
Forum Team
Posts: 2702
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: webwasher

Post by janjust » Wed Apr 13, 2011 7:58 am

that sounds like the webwasher is indeed attacking and corrupting the VPN packets - there's little you can do about that, other than encapsulating your VPN packets in an SSL tunnel (e.g. using 'stunnel') - but that is off-topic for this list.
If a company wants to stop you from using a VPN tunnel (which is their prerogative) then they can.

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Wed Apr 13, 2011 7:59 am

Well it seems that it actually filters anything that's not strictly https.

huy
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 12, 2011 3:19 pm

Re: webwasher

Post by huy » Wed Apr 13, 2011 8:04 am

janjust wrote:that sounds like the webwasher is indeed attacking and corrupting the VPN packets - there's little you can do about that, other than encapsulating your VPN packets in an SSL tunnel (e.g. using 'stunnel') - but that is off-topic for this list.
If a company wants to stop you from using a VPN tunnel (which is their prerogative) then they can.
How different is openvpn compared to stunnel ? If webwasher can corrupt the openvpn traffic, there's no reason stunnel should work better to me.

Post Reply