Token Hashing - OpenVPN user input

[cryptomon]

So I use an ASUS router and have the option to setup OpenVPN in it using Asuswrt-Merlin firmware.

Recently, ASUS updated their firmware (v384.3) to restrict the username and password to be 64 characters max each.

I notice that the hash is 128 char long. Is this always the case? If so, would it be a flying possibility for the hash to be input as two parts (as an optional choice) so that the first 64 char of the hash go into the username and the second 64 char go into the password. Could this be interpreted by the server authentication system? It would be one way around the firmware issue many people might have.

It has been suggested that I use the token without hashing it as a work around, but that might be a sad situation given the privacy benefit of hashing.

Any thoughts?

Alternatively, can anyone sing the praises for alternative firmware? I don't think OpenWRT is an option for me (a shame with its linux base) , but DD-WRT or Tomato Shibby are I think. Do Cryptostorm/other gurus have a favourite router and opensource firmware arrangement for setting up VPN?

[parityboy]

@OP

Unfortunately a SHA512 hash is going to be 128 characters long. The way OpenVPN authenticates is standard username/password so there's no real way to split them in the way you describe. Unfortunately the only way around it is to use the token in its unhashed state.

As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious.

[0hgds]

initially they indicated a particular model's firmware was not affected by the KRACK vuln and no patches would be necessary.

For unexplained reasons, however, a recent update they released indicates a backtrack to their earlier assurances.

Also .. their latest two firmware updates now restrict flashing of LEDE/Openwrt or other 3rd-party firmwares.

Hope that this does not affect future custom Merlin builds ?

[cryptomon]

@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious.

This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?

[Khariz]

You can use the raw, un-hashed token, just FYI.

[cryptomon]

So as a work around I have just downgraded back to the previous firmware version 380.69-2.

In the mean time I might give OPNsense a try once I've found suitable low power hardware for it. Open to suggestions here...

[parityboy]

@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious.

This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?

Yes, it's an alternative to OpenWRT in that it is a router/firewall distribution. Yes it can run on the same PC (which is what I do) which will have a lot more horsepower for encryption than a domestic router will.

You will need a bare minimum of two physical NICs:

- NIC 0 will serve as the WAN port for pfSense (this one will be "unconnected" on your host PC). This connects to your physical upstream router.
- NIC 1 will serve as the LAN port for pfSense (this one will be "connected" on your host PC so that traffic generated by the host PC will be routed through pfSense).
- The VM will be configured with two virtual network adapters, each bridged onto their respective physical adapters.
- Once you install pfSense onto the VM, you configure its LAN and WAN ports accordingly. The WAN port can have a static IP address or get one from your physical router via DHCP. The LAN port will have a DHCP server to dole out addresses to your PC and anything else connected to that second NIC - e.g a network switch with other devices attached.

From here you can configure one or more client instances of OpenVPN to connect to different exit nodes, you can even group them for load balancing and failover. There's a guide in the HOWTO section.

[cryptomon]

Yes it can run on the same PC (which is what I do) which will have a lot more horsepower for encryption than a domestic router will.

Appreciate the input. (I seem to learn find new things all the time ever since going down the CS route. A great learning experience.) I had to read it a few times to digest the content. I think I need a diagram to help see how the connection arrangement works. The PC appears to connect to the VM via a LAN as does one of the physical LAN port adapters?

I suppose on the down side your PC needs to be running to give network access to other networked devices. Great if your box is on 24h a day, but also too if you want to try without finding new hardware.

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.

It would still be nice to find some generic lower power hardware to install on for a long term 24h solution. That could then make a permament retirement for any domestic hardware router and the associated firmware issues.

[parityboy]

@cryptomon

Code: Select all

|----------|<->|NIC 0|<---->ISP connection point<---->Internet
|pfSense VM|
|----------|<->|NIC 1|<---->LAN<---->Host PC

My ASCII art isn't the greatest.

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.

What's your connection speed?

It would still be nice to find some generic lower power hardware to install on for a long term 24h solution. That could then make a permament retirement for any domestic hardware router and the associated firmware issues.

The problem with this is that low power hardware does not support high speed encryption. Most low powered hardware will top out really quickly, especially with AES256 encryption.

[cryptomon]

What's your connection speed?

I know what you are thinking....but unfortunately nothing special, 100Mb is possible if you pay for it, but I just use the slowest speed. In reality I only get about 5-50% of that speed on a good day. Provider congestion/over subscription has a lot to do with it.

The problem with this is that low power hardware does not support high-speed encryption. Most low powered hardware will top out really quickly, especially with AES256 encryption.

Okay, but I have openvpn with CS config installed on an ASUS RT AC68U, is not that already doing something like that?

[parityboy]

@cryptomon

Yep it is. A friend of mine has a similar Asus router which was doing a similar job. He has a 38Mb/s connection and was getting ~5Mb/s out of the router. When he moved the VPN connection to his Mac Mini, his connection speed improved greatly, close to his line speed.

Domestic router hardware is pretty weak, to be honest.

[cryptomon]

@cryptomon
When he moved the VPN connection to his Mac Mini,...

That's an interesting observation. So I need to find some Linux friendly hardware like the Mac Mini that I can install this BSD firewall software onto like pfsense or OVPsense. I'm sure the Mac works well for him, but I'm not a Mac person unfortunately.

[parityboy]

@cryptomon

Yeah, he uses that Mac Mini as a media centre/general purpose PC, so Tunnelblick is the go to VPN software for that platform.

[ebpf-ftw]

Very late but it seems not to have been mentioned. I've not used used merlin but have used close variants, so ymmv, but I suspect this'll work.

Enable jffs
https://github.com/RMerl/asuswrt-merlin/wiki/Jffs

log into your router with ssh (if unfamiliar there are many guides),and create a text file on the jffs partition - first line your hashed token, 2nd a password.


cd jffs/
vi filename
press i
type your things
press esc, then :wq then enter
exit


add the following line to your openvpn config, in the advanced tab on the ovpn page via your browser

auth-user-pass /jffs/filename

start openvpn.

[cryptomon]

Thanks for the contribution. I'll give it a go next opportunity.

Although now I've discovered OPNsense and similar arrangements, I think this might be a better direction to go. I tried to set one up as a virtual machine as suggested by Parityboy above but failed trying to use QEMU and KVM rather than Virtualbox. Couldn't find enough information that I understood to get it working unfortunately. Haven't given up yet though. Hoping I'll figure it out. Probably easier doing it on a separate box ultimately.

[ebpf*]

No problem, and good luck with your virtual machine tinkerings

I find gui tools like https://virt-manager.org/ make installing virtual machines really easy, and will let you use the gui if that's your preference. There's plenty of distro-specific guides around for installing all the things to make it work via the command line.

cli is easy, too, for basic use, and is how I tend to interact with them once installed.

Show all installed machines and their state -

Code: Select all

sudo virsh list --all

Start a given machine

Code: Select all

sudo virsh start [machinename as shown by previous command]

To find out what ip it's on, where to point ssh -

Code: Select all

ip n

[cryptomon]

I was actually trying to use VMM as you suggested but got lost on what should be bridged or otherwise for the nic. Virsh cmd line is fine if it makes things more direct to configure. How and what were virtbr0 and virtbr0-nic created when I installed OPNsense?
Trying to set up similar to parityboy's diagram but have just been a bit ignorant (despite days of reading) on what the nic arrangement settings should be to LAN nic and host (Host with internal connection to VM).

To elaborate I have (Host Linux box)
2 x ethernet nics enp4s0, enp5s0;
tun0 via openVPN;
OPNsense VM installed;
Direct ethernet connection to internet;
LAN PCs inc. host.

|OPNsense VM|
|-----------|<-bridge?->|Physical NIC 0|<->Ethernet to ISP connect<->Internet
|-----------|<-bridge?->|Physical NIC 1|<->LAN<->Switch<>Network PCs
|-----------|<-source mode?->|<->LAN<->Host PC

Not sure how tun0 is meant to be incorporated here so all LAN goes via VPN. Perhaps this is just an internal configuration in OPNsense?

(I realise this might not be the place to ask these advanced user issues and don't expect help, but this stuff is so interesting in Linux and closely related to a nice setup I can but ask)

[ebpf*]

I recognise your approach; bewildered fascination. It's mine too

I've had a quick look at OPNSense, and see it's FreeBSD based. I have basically no experience with that OS, so will lead you astray if I try! In linux you'd be messing around with iptables, but I think the BSDs use 'pf' - perhaps start reading on that. Enjoy!

Oh, and now I've read more posts - I also have an AC68U, and it does a lot better than 5mb! When connected by cable it maxes out around 35-38Mb on my 40mb (down) line. Mine is over-clocked, though. I've read some scare stories occasionally about doing that (and also that later models don't do it at all), but I've had no problems at all in 3 years+. If you go back to the router I'll share the steps, they're very simple.

[ebpf*]

...actually, if your host is a linux machine you'd not be using pf to redirect! You could snat/dnat or MASQUERADE using iptables. (just dumping terms for you to look into )

I shouldn't post before having coffee

[cryptomon]

Very late but it seems not to have been mentioned.
....
auth-user-pass /jffs/filename

start openvpn.

Tried this without success. Substituting a file for GUI inputs doesn't seem an option. However, there may be a subtle method to achieve this I'm so far unaware of.

[parityboy]

@cryptomon

Could you try inspecting the HTML in something like Firefox's debugger? It may give you the ability to alter the HTML (i.e. remove the restriction on the input field) temporarily just so that you can input the hashed token.

[cryptomon]

Could you try inspecting the HTML

Yes, but the right click "Inspect Element" already says "maxlength"=255, so I don't think that is the issue in the firmware code. I can paste the long string into the box but it won't stick.

[parityboy]

@cryptomon

It could be then that either the parsing code for the HTML page or the database which actually stores the username/password credentials have not been updated to reflect the update to the HTML page.

Having said that, it might be worth looking to see if the router actually stores the credentials in a file somewhere, rather than a database.

[cryptomon]

see if the router actually stores the credentials in a file somewhere, rather than a database.

It does store the credentials in a file called the "up" file. Whilst I can write to this file using "vi" and have it save a long hash, it's not persistent.
The directory itself (/tmp/etc/openvpn/client1) and the file seem temporary and are created/written if the GUI is turned off/on. So it seems the code will read the screen, check it's 64 char length, if so write to file, if not revert to previous setting. So I think the code is the issue and is by design apparently judging from previous comments.

[df]

@cryptomon
See the solution @ viewtopic.php?f=69&t=9271&p=18983#p18983