OPENCONNECT PATH

Daniel Lenski dlenski at gmail.com
Mon Oct 5 13:09:20 EDT 2020


On Mon, Oct 5, 2020 at 1:03 AM Maksim Karamushko <max at lifetm.net> wrote:
> As I understand your script (thanks for your work) in the case of
> Anyconnect you using root / - runs POST and depending on the answer
> Anyconnect detects, will not the possibility of changing the path solve
> this question?

No. The part you are looking at (POST /) is only used to detect if the
server expects/requires a client certificate when connecting via the
default path.

Look at the subsequent lines of code
(https://github.com/dlenski/what-vpn/blob/master/what_vpn/sniffers.py#L115-L123),
which do the actual confirmation of AnyConnect/ocserv servers by
sending 'CONNECT /CSCOSSLC/tunnel'. That path cannot be changed,
because all known VPN client software uses it to initiate the VPN
tunnel (both Cisco AnyConnect and OpenConnect). And that is precisely
*why* I use it to detect the presence of these servers, because it
can't vary.

> "easy to detect VPN gateways running ocserv simply by TLS fingerprinting (since ocserv is one of the most common server applications that use GnuTLS)"
> What do you mean?

Tools such as https://github.com/WestpointLtd/tls_prober or
https://github.com/LeeBrotherston/tls-fingerprinting can detect which
particular TLS implementation a server is running. We know that ocserv
is based on GnuTLS, but very few other web services in the real world
are based on GnuTLS. Censors can use TLS fingerprints alone to detect
ocserv, and block connections to it. Notice that this does not involve
*any* knowledge of the application-layer protocol (HTTP) used by
ocserv; changing the authentication path is totally irrelevant to this
method of detection. The paper "The use of TLS in Censorship
Circumvention" (https://tlsfingerprint.io/) goes into a lot of detail
about how TLS fingerprinting works, and ideas about how to obscure a
server's TLS fingerprints.

---

The bottom line is that circumventing active probing is very
challenging and involves modifying a protocol to be less distinctive
at multiple layers. A sophisticated censorship system like the Great
Firewall of China uses not only active probing, but combines it with
passive data collection (packet timing, exclusivity of client
connections, etc.) to detect VPN servers.

Dan
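
As an added illustration of the passive TLS fingerprinting discussed above (not part of the original message, and not code from tls_prober, tls-fingerprinting or what-vpn): a JA3S-style fingerprint computed from a ServerHello alone, before any HTTP request or path is sent. The ServerHello bytes are constructed samples that do not represent ocserv or GnuTLS, and the function names are hypothetical.

```python
import hashlib
import struct

def build_server_hello(cipher, ext_types, version=0x0303):
    """Construct a minimal ServerHello record (sample data, empty extension bodies)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (struct.pack("!H", version) + bytes(32)      # legacy_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!HB", cipher, 0)             # cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def ja3s_string(record):
    """Return 'version,cipher,ext-ext-...' (decimal) from a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated or fragmented ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                # skip the 32-byte random
    pos += 1 + body[pos]                        # skip session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                    # cipher suite + compression method
    ext_types = []
    if pos < len(body):                         # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(ext_type)          # order is part of the fingerprint
            pos += 4 + ext_len
    return "%d,%d,%s" % (version, cipher, "-".join(map(str, ext_types)))

def ja3s(record):
    """MD5 of the fingerprint string, as in the JA3S convention."""
    return hashlib.md5(ja3s_string(record).encode()).hexdigest()

# Constructed samples: same cipher and extensions, different extension order.
SERVER_A = build_server_hello(0xC02F, [0xFF01, 0x000B, 0x0017])
SERVER_B = build_server_hello(0xC02F, [0x0017, 0xFF01, 0x000B])

if __name__ == "__main__":
    for name, rec in (("A", SERVER_A), ("B", SERVER_B)):
        print(name, ja3s_string(rec), ja3s(rec))
```

The two samples offer identical parameters yet hash differently because each TLS library emits its extensions in its own order, which is why an operator comparing their server against common web servers should look at this layer as well as the HTTP one.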


