Force ovpn client to send TLS SNI

wuftymerguftyguff
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 13, 2020 6:46 am

Force ovpn client to send TLS SNI

Post by wuftymerguftyguff » Thu Feb 13, 2020 7:27 am

Hi,

How do I make an OVPN client use TLS SNI when it connects?

Jeff

wuftymerguftyguff
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 13, 2020 6:46 am

Re: Force ovpn client to send TLS SNI

Post by wuftymerguftyguff » Thu Feb 13, 2020 9:52 am

This might be better in "Configuration"; can a mod move it for me, please?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Force ovpn client to send TLS SNI

Post by Pippin » Thu Feb 13, 2020 2:34 pm

Can you explain your use-case a bit more?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

wuftymerguftyguff
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 13, 2020 6:46 am

Re: Force ovpn client to send TLS SNI

Post by wuftymerguftyguff » Thu Feb 13, 2020 3:36 pm

The openvpn server that I need to connect to needs to be behind a reverse proxy. This proxy uses TLS SNI to route the traffic to different backends.

The proxy is outside of my control.

The logs for the proxy tell me that the openvpn client traffic is not using SNI. If I connect to the same endpoint using Chrome then SNI is used and the traffic gets routed correctly by the proxy. (It does not work, of course.)

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Force ovpn client to send TLS SNI

Post by Pippin » Thu Feb 13, 2020 6:28 pm

[parrot]
The handshake is not normal SSL.
SNI is not set in SSL context.
The proxy would not be able to extract the SNI info.
[/parrot]

Also found this: https://community.openvpn.net/openvpn/ticket/594

Or perhaps stunnel can help?
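Pippin's point above can be checked on the first bytes a proxy receives from a connection: a browser opens with a TLS ClientHello record that may carry a server_name extension, while an OpenVPN-over-TCP client opens with a 2-byte length prefix and a P_CONTROL_HARD_RESET_CLIENT opcode byte, which is not a TLS record at all, so an SNI-routing proxy has nothing to read. This is an added example, not code from the thread or from OpenVPN; the two sample packets are constructed inline, and the opcode values are OpenVPN's own wire-protocol constants.

```python
import struct

# OpenVPN control-channel opcodes live in the high 5 bits of the first byte
# after the 2-byte TCP length prefix; the low 3 bits are the key id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet without tls-crypt-v2
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # first packet with tls-crypt-v2
TLS_HANDSHAKE, TLS_CLIENT_HELLO, EXT_SNI = 0x16, 0x01, 0x0000

def classify_first_bytes(data: bytes):
    """Return ("tls", sni_or_None), ("openvpn", opcode) or ("unknown", None)."""
    if len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 3:
        return "tls", extract_sni(data)
    if len(data) >= 3:
        length = struct.unpack("!H", data[:2])[0]
        opcode = data[2] >> 3
        if length == len(data) - 2 and opcode in (
                P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3):
            return "openvpn", opcode
    return "unknown", None

def extract_sni(record: bytes):
    """Walk a TLS ClientHello record and return its server_name, or None."""
    body = record[5:]                                  # skip record header
    if not body or body[0] != TLS_CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                   # hs header, version, random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                               # compression methods
    if pos + 2 > len(body):
        return None                                    # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SNI:                           # list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def build_client_hello(sni=None) -> bytes:
    """Constructed minimal TLS ClientHello (sample input, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_openvpn_hard_reset() -> bytes:
    """Constructed OpenVPN-over-TCP opener: length, opcode/key id, session id, acks, packet id."""
    payload = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + bytes(8) + b"\x00" + bytes(4)
    return struct.pack("!H", len(payload)) + payload
```

Feeding a proxy's captured first segment to classify_first_bytes shows why routing by SNI works for the browser and not for the OpenVPN client; an "openvpn" result is the case that needs a default (non-SNI) backend rule or a TLS wrapper such as stunnel in front of the client.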

wuftymerguftyguff
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 13, 2020 6:46 am

Re: Force ovpn client to send TLS SNI

Post by wuftymerguftyguff » Fri Feb 14, 2020 9:23 am

I found this while googling around.

https://github.com/OpenVPN/openvpn3/blo ... consts.hpp

It looks like it is being considered at some point at least.

For the time being it looks like my only option is to try to arrange for the proxy to have a default rule that sends non-SNI connections to the oVPN backend.

I dread to think what other rubbish it might end up with, but beggars can't be choosers.

Thanks for your help

mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Re: Force ovpn client to send TLS SNI

Post by mdibella » Fri Feb 14, 2020 8:48 pm

I’m confused why you wouldn’t just put OpenVPN on a custom port instead of messing with an SNI-based reverse proxy? If you are worried about increased attack surface, use UDP.

wuftymerguftyguff
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 13, 2020 6:46 am

Re: Force ovpn client to send TLS SNI

Post by wuftymerguftyguff » Tue Feb 18, 2020 7:12 am

I don’t control the proxy :( It was built for another purpose and I am just trying to get things working without too many changes.

mrred
OpenVpn Newbie
Posts: 1
Joined: Mon May 18, 2020 2:17 pm

Re: Force ovpn client to send TLS SNI

Post by mrred » Mon May 18, 2020 2:25 pm

Dear All, like wuftymerguftyguff, I am trying to 'route' openvpn traffic via HAPROXY (I have multiple openvpn servers on the same port). HAPROXY has to know the SNI; does anyone know how to enable SNI in the openvpn client? On github I can see:
ENABLE_CLIENT_SNI in openvpn/ssl/sslconsts.hpp; openvpn/transport/client/tcpcli.hpp; openvpn/aws/awspc.hpp etc.

thx a lot!!!!
