OpenVPN + XOR Scramble + OpnSense/FreeBSD HowTo

Cake
If anybody is interested, here are some quick instructions. There is only a tiny bit of info I can find on how to do this according to Google, so now SNBForums gets a one-stop how-to.
My current versions:
OPNsense 16.7.3-amd64
FreeBSD 10.3-RELEASE-p7
OpenSSL 1.0.2h 3 May 2016
OpenVPN 2.3.12 (soon to be downgraded)

OpenVPN is currently at 2.3.12; I found that Clayface's patch works up to version 2.3.11.
After you install OPNsense, follow these steps:
1) Turn on SSH (Secure Shell)
2) Log into the router as root@192.*.*.* (default pass is opnsense)
3) Select #8
4)
Code:
# run as root from the OPNsense shell (option 8 in the console menu)
pkg install -y wget git
mkdir -p ~/XOR && cd ~/XOR

# Clayface's patch and the last OpenVPN release it applies to cleanly (2.3.11)
wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
unzip master.zip
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.xz
tar -xf openvpn-2.3.11.tar.xz
cd openvpn-2.3.11

# dry-run the patch first so a rejected hunk stops you before you build
git apply --check ../openvpn_xorpatch-master/openvpn_xor.patch
git apply ../openvpn_xorpatch-master/openvpn_xor.patch

# build against the OpenSSL/LZO headers in /usr/local; the default prefix
# is /usr/local, so make install replaces the package's openvpn binary
./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
make
make install

# confirm the binary that is now on the path is the patched 2.3.11 build
openvpn --version | head -1

5) Web GUI --> System --> Firmware --> Packages --> lock openvpn so it is not updated (even though the packages page still shows a different version, if you check the log it says openvpn 2.3.11).

This is working for me, TESTED (for some reason I have to put comp-lzo no into the server and client configs).
Easy as pie. :) Now if I could only understand the pf way of doing things.
Excuse the basic command-line stuff; I know I could have combined some of those lines.
Edits: forgot the apply-patch step. Removed installing nano. Doh!
 
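The post above builds the patched binary but never shows what the patch's scramble directive actually does to a packet. The following is an added example (Python, written for this thread; it is not code from the patch, from the post, or from OpenVPN) that models the four modes the patch accepts as far as I understand them: scramble xormask <key>, scramble xorptrpos, scramble reverse, and scramble obfuscate <key>. The chaining order used by obfuscate, and the detail that reverse leaves byte 0 in place, are my reading of the patch and should be checked against its source before you rely on them. The packet bytes are constructed, not captured. It also shows, for the concern raised further down the thread, why this is obfuscation rather than encryption: xormask is a repeating-key XOR, so any byte with known plaintext (OpenVPN's fixed opcode byte at offset 0, for instance) hands back a mask byte. Your traffic is still protected by OpenVPN's own TLS and data-channel crypto; the scramble only changes the packet's shape for simple pattern matching.

```python
"""Model of the scramble modes from the clayface OpenVPN XOR patch.

Added example for this thread; not code from the patch, the post or OpenVPN.
Mode semantics and the chaining order of "obfuscate" follow my reading of the
patch and should be checked against its source. All packet bytes are constructed.
"""

# Constructed sample: OpenVPN's first byte is (opcode << 3) | key_id; 0x38 is
# opcode 7 (P_CONTROL_HARD_RESET_CLIENT_V2) with key id 0, followed by an
# 8-byte session id and some filler so the packet is long enough to matter.
SAMPLE_PACKET = bytes([0x38]) + bytes.fromhex("0102030405060708") + bytes(range(20))
SAMPLE_KEY = b"secret"

METHODS = ("xormask", "xorptrpos", "reverse", "obfuscate")


def xormask(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. An empty key changes nothing."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xorptrpos(data: bytes) -> bytes:
    """XOR each byte with its 1-based position; uint8_t storage truncates to 8 bits."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(data))


def reverse(data: bytes) -> bytes:
    """Reverse everything after byte 0 so the opcode/key-id byte stays in front.
    Packets of two bytes or fewer are left alone (assumed from the patch)."""
    if len(data) <= 2:
        return data
    return data[:1] + data[1:][::-1]


def scramble_out(data: bytes, method: str, key: bytes = b"") -> bytes:
    """Sending side. Assumed obfuscate order: xorptrpos, reverse, xorptrpos, xormask."""
    if method == "xormask":
        return xormask(data, key)
    if method == "xorptrpos":
        return xorptrpos(data)
    if method == "reverse":
        return reverse(data)
    if method == "obfuscate":
        return xormask(xorptrpos(reverse(xorptrpos(data))), key)
    raise ValueError(f"unknown scramble method {method!r}")


def scramble_in(data: bytes, method: str, key: bytes = b"") -> bytes:
    """Receiving side: the same steps in reverse order. Every step is an
    involution, so the three single-step modes decode with the encode function."""
    if method == "obfuscate":
        return xorptrpos(reverse(xorptrpos(xormask(data, key))))
    return scramble_out(data, method, key)


def recover_mask(scrambled: bytes, known_plain: bytes) -> bytes:
    """xormask is a repeating-key XOR: wherever the plaintext is known, one XOR
    returns the mask byte. Nothing cryptographic stands between an observer
    and the key, which is what makes this obfuscation rather than encryption."""
    return bytes(s ^ p for s, p in zip(scrambled, known_plain))


def round_trips(packet: bytes = SAMPLE_PACKET, key: bytes = SAMPLE_KEY) -> dict:
    """True for every mode when both ends agree on method and key."""
    return {m: scramble_in(scramble_out(packet, m, key), m, key) == packet for m in METHODS}


def mismatched_peers(packet: bytes = SAMPLE_PACKET, key: bytes = SAMPLE_KEY) -> bytes:
    """Client sends with obfuscate, server is configured only for xormask with
    the same key: the server decodes garbage, so both configs must match exactly."""
    return scramble_in(scramble_out(packet, "obfuscate", key), "xormask", key)


if __name__ == "__main__":
    print("round trips:", round_trips())
    print("mismatched peers still decode correctly:", mismatched_peers() == SAMPLE_PACKET)
    wire = scramble_out(SAMPLE_PACKET, "xormask", SAMPLE_KEY)
    # an observer who knows only the first six plaintext bytes gets the whole mask
    print("mask recovered from the known header:", recover_mask(wire, SAMPLE_PACKET[:6]))
```

Run it as a script to see the three results; the mask-recovery line is the one to keep in mind when deciding whether the patch buys you anything against a censor who already knows what OpenVPN headers look like.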

OpenBSD has a nice set of items describing pf fundamentals...

https://www.openbsd.org/faq/pf/

If you've ever used the Uncomplicated Firewall (ufw) on Debian (or Ubuntu), the concepts are very similar...
 
Be careful with the XOR patch - if you don't need it, don't use it, and if you do need it, you might consider using obfsproxy instead...

Tunnelblick, which is an OpenVPN client, has a good writeup on this topic - and kind of like the pfSense/OPNsense split, it's a tad bit political with regards to discussion...

https://tunnelblick.net/cOpenvpn_xorpatch.html
 
The clayface patch is only a little over 200 lines if I remember. What I mean is it wouldn't take much time to vet the code by one of you rock stars. I am aware of discussions of the buffer overflow reports in the past and that the majority of community has opinions against it. I hope somebody updates the patch so it works with 2.3.12+ otherwise it may be the end.
 
I'm not a crypto guy, and I'm smart enough to know better...

Tunnelblick is just pointing out some of the concerns - there are some issues within the patch itself that could be done better from a programmatic view, but since this part is pretty much persona non grata and not blessed by the OpenVPN team, it's not worth the effort to fix...

The gist of the concerns is that it can weaken security/privacy compared to other methods, and this is why the OpenVPN team actively discouraged it.
 
