topic Re: Decrypting OPENVPN? in General Topics

Decrypting OPENVPN?

Hwinter — Thu, 06 Apr 2017 00:33:21 GMT

Is it possible to decrypt openVPN with SSL Forward Proxy? I'm pretty sure the asnwer is no, but I figured I would ask.

My problem is that I have a Ubuntu Server running openVPN client behind a VM-100. I would like to continue to use openVPN, but I would like to intercept it, apply some policy on the decrypted traffic and re-encrypt. The server I basically uses:

sudo openvpn --config VPN_UDP-443.ovpn

Has anyone done something similar? One option (unfortunately non existent) would be implementing a opnVPN client direclty on the VM-100 and have my server just use that as the gateway... but that would be too easy! 🙂

Thanks!

Re: Decrypting OPENVPN?

BPry — Thu, 06 Apr 2017 01:44:53 GMT

Technically possible; sure.

That being said OpenVPN uses a custom encryption set and I doubt they are going to tell you what that is so that you can actually decrypt it properly.

Re: Decrypting OPENVPN?

Hwinter — Thu, 06 Apr 2017 14:55:24 GMT

Yes, but the client is using an openVPN config file, which should have all that info (i.e. the .ovpn file). I can access that file... but I'm not sure what I would be looking for.

Re: Decrypting OPENVPN?

BPry — Thu, 06 Apr 2017 20:37:30 GMT

Right but your config file isn't going to show you the negotiated key; which is needed to actually intercept and reencrypt the traffic.

Re: Decrypting OPENVPN?

Hwinter — Fri, 07 Apr 2017 21:21:08 GMT

Actually, I do have all the info in the config file... unfortunately I don't know how to use it though:

client
dev tun
proto udp
remote vpn.vpn.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
explicit-exit-notify 5
<ca>
-----BEGIN CERTIFICATE-----
MIIGVDCCBDygAwIBAgIJAIzYQ+/kXyADMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
.
.
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIGnDCCBISgAwIBAgICRaAwDQYJKoZIhvcNAQEFBQAweTELMAkGA1UEBhMCSVQx
.
.
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA4hKsIsb3x4LJlYL35XivJr8FE/ak47OJbmZRfXB0l5jkLqc/
.
.
.
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
7bb7a23a0f5f28d01e792df68f1764ab
.
.
.
-----END OpenVPN Static key V1-----
</tls-auth>

I removed the actual key, but as you can see, it is actually there on the .ovpn file.