Force ovpn client to send TLS SNI
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 13, 2020 6:46 am
Force ovpn client to send TLS SNI
Hi,
How do I make an OVPN client use TLS SNI when it connects?
Jeff
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 13, 2020 6:46 am
Re: Force ovpn client to send TLS SNI
This might be better in "Configuration". Can a mod move it for me, please?
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Force ovpn client to send TLS SNI
Can you explain your use-case a bit more?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 13, 2020 6:46 am
Re: Force ovpn client to send TLS SNI
The openvpn server that I need to connect to needs to be behind a reverse proxy. This proxy uses TLS SNI to route the traffic to different backends.
The proxy is outside of my control.
The logs for the proxy tell me that the openvpn client traffic is not using SNI. If I connect to the same endpoint using Chrome then SNI is used and the traffic gets routed correctly by the proxy. (it does not work of course)
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Force ovpn client to send TLS SNI
[parrot]
The handshake is not normal SSL.
SNI is not set in SSL context.
The proxy would not be able to extract the SNI info.
[/parrot]
Also found this: https://community.openvpn.net/openvpn/ticket/594
Or perhaps stunnel can help?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
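Added example (not part of the thread, and not OpenVPN or proxy code): a sketch of what an SNI-routing proxy sees in the first bytes of a connection, showing why a browser yields a host name and the OpenVPN client does not. It assumes OpenVPN 2.x TCP framing without tls-auth/tls-crypt; the host name, sample packets and function names are constructed for illustration.

```python
import struct

def build_client_hello(host: bytes) -> bytes:
    """Constructed sample: minimal TLS ClientHello with one server_name entry."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni)) + sni        # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: first TCP payload of an OpenVPN client without tls-auth/tls-crypt.
# 2-byte length, opcode byte 0x38 (P_CONTROL_HARD_RESET_CLIENT_V2 << 3, key id 0),
# 8-byte session id, empty ACK array, 4-byte packet id.
OPENVPN_FIRST_PACKET = b"\x00\x0e\x38" + bytes(range(1, 9)) + b"\x00" + bytes(4)

def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello, or None."""
    try:
        p = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
        p += 1 + data[p]                                # session id
        p += 2 + struct.unpack_from("!H", data, p)[0]   # cipher suites
        p += 1 + data[p]                                # compression methods
        end = p + 2 + struct.unpack_from("!H", data, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, p)
            if etype == 0:                              # server_name: list len, type, name len
                nlen = struct.unpack_from("!H", data, p + 7)[0]
                return data[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def classify(data: bytes):
    """Classify the first bytes a client sends, as an SNI-routing proxy sees them."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return ("tls", extract_sni(data))
    # Initial hard reset: opcode 7 (V2) or 10 (V3) in the high 5 bits, key id 0.
    if len(data) >= 3 and data[2] in (0x38, 0x50) and struct.unpack_from("!H", data)[0] >= 14:
        return ("openvpn", None)
    return ("unknown", None)

if __name__ == "__main__":
    for name, buf in (("browser", build_client_hello(b"vpn.example.test")),
                      ("openvpn", OPENVPN_FIRST_PACKET)):
        print(name, classify(buf))
```

The OpenVPN stream opens with its own length-prefixed control packet rather than a TLS record, so there is no ClientHello at the start of the connection for the proxy to parse.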
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 13, 2020 6:46 am
Re: Force ovpn client to send TLS SNI
I found this while googling around.
https://github.com/OpenVPN/openvpn3/blo ... consts.hpp
It looks like it is being considered at some point at least.
For the time being it looks like my only option is to try to arrange for the proxy to have a default rule that sends non-SNI connections to the oVPN backend.
I dread to think what other rubbish it might end up with, but beggars can't be choosers.
Thanks for your help
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Force ovpn client to send TLS SNI
I’m confused why you wouldn’t just put OpenVPN on a custom port instead of messing with an SNI-based reverse proxy? If you are worried about increased attack surface, use UDP.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 13, 2020 6:46 am
Re: Force ovpn client to send TLS SNI
I don’t control the proxy. It was built for another purpose and I am just trying to get things working without too many changes.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon May 18, 2020 2:17 pm
Re: Force ovpn client to send TLS SNI
Dear All, like wuftymerguftyguff, I am trying to 'route' openvpn traffic via HAPROXY (I have multiple openvpn servers on the same port). HAPROXY has to know the SNI. Does anyone know how to enable SNI in the openvpn client? On GitHub I can see:
ENABLE_CLIENT_SNI in openvpn/ssl/sslconsts.hpp; openvpn/transport/client/tcpcli.hpp; openvpn/aws/awspc.hpp etc
thx a lot !!!!