Force ovpn client to send TLS SNI

Posted: Thu Feb 13, 2020 7:27 am
by wuftymerguftyguff
Hi,

How do I make an OVPN client use TLS SNI when it connects?

Jeff

Re: Force ovpn client to send TLS SNI

Posted: Thu Feb 13, 2020 9:52 am
by wuftymerguftyguff
This might be better in "Configuration"; can a mod move it for me, please?

Re: Force ovpn client to send TLS SNI

Posted: Thu Feb 13, 2020 2:34 pm
by Pippin
Can you explain your use-case a bit more?

Re: Force ovpn client to send TLS SNI

Posted: Thu Feb 13, 2020 3:36 pm
by wuftymerguftyguff
The openvpn server that I need to connect to needs to be behind a reverse proxy. This proxy uses TLS SNI to route the traffic to different backends.

The proxy is outside of my control.

The logs for the proxy tell me that the openvpn client traffic is not using SNI. If I connect to the same endpoint using Chrome then SNI is used and the traffic gets routed correctly by the proxy. (It does not work, of course.)

Re: Force ovpn client to send TLS SNI

Posted: Thu Feb 13, 2020 6:28 pm
by Pippin
[parrot]
The handshake is not normal SSL.
SNI is not set in SSL context.
The proxy would not be able to extract the SNI info.
[/parrot]

Also found this: https://community.openvpn.net/openvpn/ticket/594

Or perhaps stunnel can help?
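
As an added illustration of the stunnel idea (not from this thread and not something the OpenVPN project ships), the configuration below wraps the OpenVPN TCP session in an outer TLS layer that does carry SNI. The hostnames, ports and file paths are assumptions. The client-side stunnel sets the SNI with the `sni` option and verifies the outer certificate, the OpenVPN client is pointed at the local stunnel listener, and the server-side stunnel on the backend terminates the outer TLS and hands the plain OpenVPN TCP stream to a server running with `proto tcp-server` on localhost. This only works if the proxy passes the TLS connection through to the backend based on SNI rather than terminating it.

```ini
; ===== client side: /etc/stunnel/stunnel.conf (assumed path) =====
foreground = yes

[openvpn-out]
client = yes
; OpenVPN client connects here instead of to the proxy
accept = 127.0.0.1:1194
; the SNI-routing reverse proxy (assumed name)
connect = proxy.example.com:443
; name the proxy routes on; goes into the TLS ClientHello SNI extension
sni = vpn.example.com
; verify the outer TLS so the wrapper itself cannot be intercepted
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = vpn.example.com

; ===== client side: client.ovpn (only the transport lines shown) =====
; client
; proto tcp-client
; remote 127.0.0.1 1194

; ===== server side: /etc/stunnel/stunnel.conf on the OpenVPN backend =====
foreground = yes

[openvpn-in]
; the proxy forwards vpn.example.com connections to this listener
accept = 0.0.0.0:443
; plain OpenVPN TCP server bound to localhost
connect = 127.0.0.1:1194
cert = /etc/stunnel/vpn.example.com.pem
key = /etc/stunnel/vpn.example.com.key

; ===== server side: server.conf (only the transport lines shown) =====
; proto tcp-server
; local 127.0.0.1
; port 1194
```

The OpenVPN control channel still does its own TLS inside the wrapper, so the traffic is encrypted twice and the setup is restricted to TCP; the per-service `client = yes` keeps the two stunnel sections from being confused if both are ever placed in one file for testing.
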

Re: Force ovpn client to send TLS SNI

Posted: Fri Feb 14, 2020 9:23 am
by wuftymerguftyguff
I found this while googling around.

https://github.com/OpenVPN/openvpn3/blo ... consts.hpp

It looks like it is being considered at some point at least.

For the time being it looks like my only option is to try to arrange for the proxy to have a default rule that sends non-SNI connections to the oVPN backend.

I dread to think what other rubbish it might end up with, but beggars can't be choosers.

Thanks for your help

Re: Force ovpn client to send TLS SNI

Posted: Fri Feb 14, 2020 8:48 pm
by mdibella
I'm confused why you wouldn't just put OpenVPN on a custom port instead of messing with an SNI-based reverse proxy. If you are worried about increased attack surface, use UDP.

Re: Force ovpn client to send TLS SNI

Posted: Tue Feb 18, 2020 7:12 am
by wuftymerguftyguff
I don’t control the proxy :( It was built for another purpose and I am just trying to get things working without too many changes.

Re: Force ovpn client to send TLS SNI

Posted: Mon May 18, 2020 2:25 pm
by mrred
Dear all, like wuftymerguftyguff, I am trying to 'route' OpenVPN traffic via HAProxy (I have multiple OpenVPN servers on the same port). HAProxy has to know the SNI; does someone know how to enable SNI in the OpenVPN client? On GitHub I can see:
ENABLE_CLIENT_SNI in openvpn/ssl/sslconsts.hpp; openvpn/transport/client/tcpcli.hpp; openvpn/aws/awspc.hpp etc.

Thanks a lot!