Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

Token Hashing - OpenVPN user input

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)

Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Token Hashing - OpenVPN user input

Postby cryptomon » Sat Feb 24, 2018 6:02 pm

So I use an ASUS router and have the option to setup OpenVPN in it using Asuswrt-Merlin firmware.

Recently, ASUS updated their firmware (v384.3) to restrict the username and password to be 64 characters max each.

I notice that the hash is 128 char long. Is this always the case? If so, would it be a flying possibility for the hash to be input as two parts (as an optional choice) so that the first 64 char of the hash go into the username and the second 64 char go into the password. Could this be interpreted by the server authentication system? It would be one way around the firmware issue many people might have.

It has been suggested that I use the token without hashing it as a work around, but that might be a sad situation given the privacy benefit of hashing.

Any thoughts?

Alternatively, can anyone sing the praises for alternative firmware? I don't think OpenWRT is an option for me (a shame with its Linux base), but DD-WRT or Tomato Shibby are, I think. Do Cryptostorm/other gurus have a favourite router and open-source firmware arrangement for setting up VPN?

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Sun Feb 25, 2018 3:25 am

@OP

Unfortunately a SHA512 hash is going to be 128 characters long. The way OpenVPN authenticates is standard username/password so there's no real way to split them in the way you describe. Unfortunately the only way around it is to use the token in its unhashed state.

As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious. :)


0hgds

Re: Token Hashing - OpenVPN user input

Postby 0hgds » Sun Feb 25, 2018 10:01 pm

Initially they indicated a particular model's firmware was not affected by the KRACK vuln and no patches would be necessary.

For unexplained reasons, however, a recent update they released indicates a backtrack to their earlier assurances.

Also... their latest two firmware updates now restrict flashing of LEDE/OpenWrt or other 3rd-party firmwares.

Hope that this does not affect future custom Merlin builds?


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Mon Feb 26, 2018 2:06 pm

parityboy wrote:@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious. :)


This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?


Khariz
Posts: 162
Joined: Sun Jan 17, 2016 7:48 am

Re: Token Hashing - OpenVPN user input

Postby Khariz » Sun Mar 18, 2018 3:54 am

You can use the raw, un-hashed token, just FYI.


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Sun Mar 18, 2018 12:52 pm

So as a work around I have just downgraded back to the previous firmware version 380.69-2.

In the meantime I might give OPNsense a try once I've found suitable low power hardware for it. Open to suggestions here...

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Mon Mar 26, 2018 2:43 am

cryptomon wrote:
parityboy wrote:@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious. :)


This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?


Yes, it's an alternative to OpenWRT in that it is a router/firewall distribution. Yes, it can run on the same PC (which is what I do), which will have a lot more horsepower for encryption than a domestic router will.

You will need a bare minimum of two physical NICs:

- NIC 0 will serve as the WAN port for pfSense (this one will be "unconnected" on your host PC). This connects to your physical upstream router.
- NIC 1 will serve as the LAN port for pfSense (this one will be "connected" on your host PC so that traffic generated by the host PC will be routed through pfSense).
- The VM will be configured with two virtual network adapters, each bridged onto their respective physical adapters.
- Once you install pfSense onto the VM, you configure its LAN and WAN ports accordingly. The WAN port can have a static IP address or get one from your physical router via DHCP. The LAN port will have a DHCP server to dole out addresses to your PC and anything else connected to that second NIC - e.g. a network switch with other devices attached.

From here you can configure one or more client instances of OpenVPN to connect to different exit nodes, you can even group them for load balancing and failover. There's a guide in the HOWTO section. :)


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Mon Mar 26, 2018 9:05 am

parityboy wrote:Yes, it can run on the same PC (which is what I do), which will have a lot more horsepower for encryption than a domestic router will.


Appreciate the input. (I seem to find new things all the time ever since going down the CS route. A great learning experience.) I had to read it a few times to digest the content. I think I need a diagram to help see how the connection arrangement works. The PC appears to connect to the VM via a LAN as does one of the physical LAN port adapters?

I suppose on the down side your PC needs to be running to give network access to other networked devices. Great if your box is on 24h a day, but also too if you want to try without finding new hardware.

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.

It would still be nice to find some generic lower power hardware to install on for a long term 24h solution. That could then make a permanent retirement for any domestic hardware router and the associated firmware issues.

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Mon Mar 26, 2018 11:09 pm

@cryptomon

|----------|<->|NIC 0|<---->ISP connection point<---->Internet
|pfSense VM|
|----------|<->|NIC 1|<---->LAN<---->Host PC


My ASCII art isn't the greatest. :P

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.


What's your connection speed?

It would still be nice to find some generic lower power hardware to install on for a long term 24h solution. That could then make a permanent retirement for any domestic hardware router and the associated firmware issues.


The problem with this is that low power hardware does not support high speed encryption. Most low powered hardware will top out really quickly, especially with AES256 encryption.


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Tue Mar 27, 2018 7:09 am

parityboy wrote:What's your connection speed?


I know what you are thinking... but unfortunately nothing special, 100Mb is possible if you pay for it, but I just use the slowest speed. In reality I only get about 5-50% of that speed on a good day. Provider congestion/over subscription has a lot to do with it.

The problem with this is that low power hardware does not support high-speed encryption. Most low powered hardware will top out really quickly, especially with AES256 encryption.


Okay, but I have OpenVPN with the CS config installed on an ASUS RT-AC68U; isn't that already doing something like that?

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Wed Mar 28, 2018 7:59 pm

@cryptomon

Yep, it is. A friend of mine has a similar Asus router which was doing a similar job. He has a 38Mb/s connection and was getting ~5Mb/s out of the router. When he moved the VPN connection to his Mac Mini, his connection speed improved greatly, close to his line speed.

Domestic router hardware is pretty weak, to be honest.


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Thu Mar 29, 2018 7:40 am

parityboy wrote:@cryptomon
When he moved the VPN connection to his Mac Mini,...


That's an interesting observation. So I need to find some Linux friendly hardware like the Mac Mini that I can install this BSD firewall software onto, like pfSense or OPNsense. I'm sure the Mac works well for him, but I'm not a Mac person unfortunately.

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Fri Mar 30, 2018 3:27 pm

@cryptomon

Yeah, he uses that Mac Mini as a media centre/general purpose PC, so Tunnelblick is the go-to VPN software for that platform.


ebpf-ftw

Re: Token Hashing - OpenVPN user input

Postby ebpf-ftw » Tue Jun 05, 2018 12:52 am

Very late but it seems not to have been mentioned. I've not used Merlin but have used close variants, so ymmv, but I suspect this'll work.

Enable jffs
https://github.com/RMerl/asuswrt-merlin/wiki/Jffs

Log into your router with SSH (if unfamiliar, there are many guides), and create a text file on the jffs partition: first line your hashed token, second line a password.


cd jffs/
vi filename        # press i to enter insert mode
                   # type your hashed token on line 1, your password on line 2
                   # press Esc, then :wq, then Enter to save and quit
exit


Add the following line to your OpenVPN config, in the Advanced tab on the OpenVPN page via your browser:

auth-user-pass /jffs/filename

Start OpenVPN.

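An added example (not code from the forum, from cryptostorm or from Asuswrt-Merlin) tying the thread together: it hashes a token, checks which form survives the 64-character field limit the OP hit, and writes and reads back an OpenVPN auth-user-pass file in the two-line layout described above. It assumes plain SHA-512 hex over the raw token text (an assumption; use the provider's own hashing tool for the real value), and the sample token is constructed.

```python
import hashlib
import os
import stat
import tempfile

# Field limit the router firmware in this thread imposes on username/password.
ROUTER_FIELD_LIMIT = 64


def hash_token(token: str) -> str:
    """Hex SHA-512 of the token. Assumed scheme: plain SHA-512 over the raw
    token text. The hex digest is always 128 characters long."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


def fits_field(value: str, limit: int = ROUTER_FIELD_LIMIT) -> bool:
    """True if the credential would survive a length-limited input field."""
    return len(value) <= limit


def write_auth_file(path: str, username: str, password: str) -> None:
    """Write an OpenVPN auth-user-pass file: line 1 username, line 2 password.
    Created with mode 0600 so other local users cannot read the credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{username}\n{password}\n")
    os.chmod(path, 0o600)  # enforce even if the file already existed


def read_auth_file(path: str) -> tuple:
    """Parse the file the way OpenVPN does: first two lines, newlines stripped."""
    with open(path) as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        raise ValueError("auth-user-pass file needs a username and a password line")
    return lines[0], lines[1]


def demo() -> dict:
    token = "constructed-example-token-not-a-real-one"  # constructed sample value
    hashed = hash_token(token)
    path = os.path.join(tempfile.mkdtemp(), "up")  # mirrors the router's 'up' file name
    write_auth_file(path, hashed, "password-placeholder")
    user, _ = read_auth_file(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"hash_len": len(hashed),
            "raw_fits": fits_field(token),     # raw token fits the 64-char field
            "hash_fits": fits_field(hashed),   # 128-char hash does not
            "roundtrip": user == hashed,
            "group_other_bits": mode & 0o077}  # 0 means only the owner can read it


if __name__ == "__main__":
    print(demo())
```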

Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Wed Jun 06, 2018 7:02 pm

Thanks for the contribution. I'll give it a go next opportunity.

Although now I've discovered OPNsense and similar arrangements, I think this might be a better direction to go. I tried to set one up as a virtual machine as suggested by Parityboy above but failed trying to use QEMU and KVM rather than Virtualbox. Couldn't find enough information that I understood to get it working unfortunately. Haven't given up yet though. Hoping I'll figure it out. Probably easier doing it on a separate box ultimately.


ebpf*

Re: Token Hashing - OpenVPN user input

Postby ebpf* » Wed Jun 06, 2018 11:45 pm

No problem, and good luck with your virtual machine tinkerings :)

I find GUI tools like https://virt-manager.org/ make installing virtual machines really easy, and will let you use the GUI if that's your preference. There are plenty of distro-specific guides around for installing all the things to make it work via the command line.

The CLI is easy, too, for basic use, and is how I tend to interact with them once installed.

Show all installed machines and their state -

sudo virsh list --all


Start a given machine

sudo virsh start [machinename as shown by previous command]


To find out what ip it's on, where to point ssh -

ip n


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Thu Jun 07, 2018 6:53 am

I was actually trying to use VMM as you suggested but got lost on what should be bridged or otherwise for the NIC. The virsh command line is fine if it makes things more direct to configure. What are virbr0 and virbr0-nic, and how were they created when I installed OPNsense?
Trying to set up similar to parityboy's diagram but have just been a bit ignorant (despite days of reading) on what the NIC arrangement settings should be for the LAN NIC and host (host with internal connection to VM).

To elaborate I have (Host Linux box)
2 x ethernet nics enp4s0, enp5s0;
tun0 via openVPN;
OPNsense VM installed;
Direct ethernet connection to internet;
LAN PCs inc. host.

|OPNsense VM|
|-----------|<-bridge?->|Physical NIC 0|<->Ethernet to ISP connect<->Internet
|-----------|<-bridge?->|Physical NIC 1|<->LAN<->Switch<->Network PCs
|-----------|<-source mode?->|<->LAN<->Host PC

Not sure how tun0 is meant to be incorporated here so all LAN goes via VPN. Perhaps this is just an internal configuration in OPNsense?

(I realise this might not be the place to ask these advanced user issues and don't expect help, but this stuff is so interesting in Linux and closely related to a nice setup I can but ask)


ebpf*

Re: Token Hashing - OpenVPN user input

Postby ebpf* » Thu Jun 07, 2018 11:40 am

I recognise your approach; bewildered fascination. It's mine too :D

I've had a quick look at OPNsense, and see it's FreeBSD based. I have basically no experience with that OS, so will lead you astray if I try! In Linux you'd be messing around with iptables, but I think the BSDs use 'pf' - perhaps start reading on that. Enjoy! :)

Oh, and now I've read more posts - I also have an AC68U, and it does a lot better than 5Mb! When connected by cable it maxes out around 35-38Mb on my 40Mb (down) line. Mine is over-clocked, though. I've read some scare stories occasionally about doing that (and also that later models don't do it at all), but I've had no problems at all in 3+ years. If you go back to the router I'll share the steps, they're very simple.


ebpf*

Re: Token Hashing - OpenVPN user input

Postby ebpf* » Thu Jun 07, 2018 11:55 am

...actually, if your host is a Linux machine you'd not be using pf to redirect! You could SNAT/DNAT or MASQUERADE using iptables. (just dumping terms for you to look into :) )

I shouldn't post before having coffee :roll:


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Tue Oct 16, 2018 4:41 am

ebpf-ftw wrote:Very late but it seems not to have been mentioned.
....
auth-user-pass /jffs/filename

start openvpn.


Tried this without success. Substituting a file for GUI inputs doesn't seem an option. However, there may be a subtle method to achieve this I'm so far unaware of.

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Tue Oct 16, 2018 9:30 pm

@cryptomon

Could you try inspecting the HTML in something like Firefox's debugger? It may give you the ability to alter the HTML (i.e. remove the restriction on the input field) temporarily just so that you can input the hashed token.


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Wed Oct 17, 2018 3:47 am

parityboy wrote:Could you try inspecting the HTML


Yes, but the right-click "Inspect Element" already says maxlength="255", so I don't think that is the issue in the firmware code. I can paste the long string into the box but it won't stick.

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Wed Oct 17, 2018 6:37 pm

@cryptomon

It could be then that either the parsing code for the HTML page or the database which actually stores the username/password credentials has not been updated to reflect the update to the HTML page.

Having said that, it might be worth looking to see if the router actually stores the credentials in a file somewhere, rather than a database.


Topic Author
cryptomon
Posts: 24
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Thu Oct 18, 2018 7:04 am

parityboy wrote:see if the router actually stores the credentials in a file somewhere, rather than a database.


It does store the credentials in a file called the "up" file. Whilst I can write to this file using "vi" and have it save a long hash, it's not persistent.
The directory itself (/tmp/etc/openvpn/client1) and the file seem temporary and are created/written if the GUI is turned off/on. So it seems the code will read the screen, check it's within the 64-char length, if so write to file, if not revert to the previous setting. So I think the code is the issue and is by design, apparently, judging from previous comments.

df
Site Admin
Posts: 407
Joined: Thu Jan 01, 1970 5:00 am

Re: Token Hashing - OpenVPN user input

Postby df » Mon Oct 29, 2018 6:17 pm

@cryptomon
See the solution @ viewtopic.php?f=69&t=9271&p=18983#p18983

