
Token Hashing - OpenVPN user input

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)

Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Token Hashing - OpenVPN user input

Postby cryptomon » Sat Feb 24, 2018 6:02 pm

So I use an ASUS router and have the option to set up OpenVPN in it using Asuswrt-Merlin firmware.

Recently, ASUS updated their firmware (v384.3) to restrict the username and password to be 64 characters max each.

I notice that the hash is 128 char long. Is this always the case? If so, would it be a flying possibility for the hash to be input as two parts (as an optional choice) so that the first 64 char of the hash go into the username and the second 64 char go into the password. Could this be interpreted by the server authentication system? It would be one way around the firmware issue many people might have.

It has been suggested that I use the token without hashing it as a workaround, but that might be a sad situation given the privacy benefit of hashing.

Any thoughts?

Alternatively, can anyone sing the praises for alternative firmware? I don't think OpenWRT is an option for me (a shame, with its Linux base), but DD-WRT or Tomato Shibby are, I think. Do Cryptostorm/other gurus have a favourite router and open-source firmware arrangement for setting up VPN?

parityboy
Site Admin
Posts: 1203
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Sun Feb 25, 2018 3:25 am

@OP

Unfortunately a SHA512 hash is going to be 128 characters long. The way OpenVPN authenticates is standard username/password so there's no real way to split them in the way you describe. Unfortunately the only way around it is to use the token in its unhashed state.

As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT, but they are just for testing purposes, nothing serious. :)
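To make the length arithmetic behind this answer concrete, here is an added example (not code from cryptostorm or from anyone in this thread). It hashes a constructed dummy token with SHA-512, shows the digest is 128 hex characters, checks it against the 64-character field limit the original post reports for firmware 384.3, and simulates why splitting the digest across the username and password fields cannot satisfy a server that compares the whole digest in one field. The assumption that the hashed token is what goes in the username field, and the toy server-side comparison, are illustrative assumptions and not cryptostorm's actual authentication code.

```python
import hashlib
import secrets

# Field limit reported in the thread for the Asuswrt-Merlin 384.3 OpenVPN client UI.
FIELD_LIMIT = 64

# Constructed dummy token for illustration only; real tokens are issued by the provider.
EXAMPLE_TOKEN = "EXAMPLE-TOKEN-constructed-for-illustration"


def hash_token(token: str) -> str:
    """Return the lowercase hex SHA-512 digest of a token: always 128 hex characters."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


def fits_field(value: str, limit: int = FIELD_LIMIT) -> bool:
    """True if the value fits in an input field restricted to `limit` characters."""
    return len(value) <= limit


def credential_for_field(token: str, limit: int = FIELD_LIMIT) -> dict:
    """Pick the form of the credential that fits the field.

    Assumption (not stated in the thread): the hashed token goes in the username field.
    Prefers the hashed form for its privacy benefit; falls back to the raw token only
    when the digest does not fit. Raises if neither form fits.
    """
    digest = hash_token(token)
    if fits_field(digest, limit):
        return {"username": digest, "hashed": True, "length": len(digest)}
    if fits_field(token, limit):
        return {"username": token, "hashed": False, "length": len(token)}
    raise ValueError(f"neither hashed ({len(digest)}) nor raw ({len(token)}) token fits in {limit} chars")


def server_accepts(stored_digest: str, presented_username: str) -> bool:
    """Toy stand-in for a server that compares the full digest against the username field.

    Assumption for illustration only. Constant-time comparison so the toy does not leak
    how many leading characters matched.
    """
    return secrets.compare_digest(stored_digest, presented_username)


def split_login_works(token: str) -> bool:
    """Simulate the proposal of sending the first 64 chars as username and the last 64
    as password: neither half on its own equals the stored 128-char digest."""
    digest = hash_token(token)
    first_half, second_half = digest[:FIELD_LIMIT], digest[FIELD_LIMIT:]
    return server_accepts(digest, first_half) or server_accepts(digest, second_half)


if __name__ == "__main__":
    digest = hash_token(EXAMPLE_TOKEN)
    print(f"SHA-512 hex digest length: {len(digest)} (field limit {FIELD_LIMIT})")
    print("hashed form fits field:", fits_field(digest))
    print("split across two fields accepted:", split_login_works(EXAMPLE_TOKEN))
    choice = credential_for_field(EXAMPLE_TOKEN)
    print("usable form:", "hashed" if choice["hashed"] else "raw token", f"({choice['length']} chars)")
```

Running it shows the digest at 128 characters, the split attempt rejected, and the raw token as the only form that fits a 64-character field, which is exactly the trade-off the thread describes: a wider field (or a router-side hashing step) would be needed to keep the hashed form.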


0hgds

Re: Token Hashing - OpenVPN user input

Postby 0hgds » Sun Feb 25, 2018 10:01 pm

initially they indicated a particular model's firmware was not affected by the KRACK vuln and no patches would be necessary.

For unexplained reasons, however, a recent update they released indicates a backtrack to their earlier assurances.

Also .. their latest two firmware updates now restrict flashing of LEDE/Openwrt or other 3rd-party firmwares.

Hope that this does not affect future custom Merlin builds ?


Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Mon Feb 26, 2018 2:06 pm

parityboy wrote:@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT, but they are just for testing purposes, nothing serious. :)


This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: Token Hashing - OpenVPN user input

Postby Khariz » Sun Mar 18, 2018 3:54 am

You can use the raw, un-hashed token, just FYI.


Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Sun Mar 18, 2018 12:52 pm

So as a workaround I have just downgraded back to the previous firmware version 380.69-2.

In the meantime I might give OPNsense a try once I've found suitable low-power hardware for it. Open to suggestions here...

parityboy
Site Admin
Posts: 1203
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Mon Mar 26, 2018 2:43 am

cryptomon wrote:
parityboy wrote:@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple of instances running LEDE and OpenWRT, but they are just for testing purposes, nothing serious. :)


This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?


Yes, it's an alternative to OpenWRT in that it is a router/firewall distribution. Yes, it can run on the same PC (which is what I do), which will have a lot more horsepower for encryption than a domestic router will.

You will need a bare minimum of two physical NICs:

- NIC 0 will serve as the WAN port for pfSense (this one will be "unconnected" on your host PC). This connects to your physical upstream router.
- NIC 1 will serve as the LAN port for pfSense (this one will be "connected" on your host PC so that traffic generated by the host PC will be routed through pfSense).
- The VM will be configured with two virtual network adapters, each bridged onto their respective physical adapters.
- Once you install pfSense onto the VM, you configure its LAN and WAN ports accordingly. The WAN port can have a static IP address or get one from your physical router via DHCP. The LAN port will have a DHCP server to dole out addresses to your PC and anything else connected to that second NIC, e.g. a network switch with other devices attached.

From here you can configure one or more client instances of OpenVPN to connect to different exit nodes, you can even group them for load balancing and failover. There's a guide in the HOWTO section. :)


Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Mon Mar 26, 2018 9:05 am

parityboy wrote:Yes, it can run on the same PC (which is what I do), which will have a lot more horsepower for encryption than a domestic router will.


Appreciate the input. (I seem to find new things all the time ever since going down the CS route. A great learning experience.) I had to read it a few times to digest the content. I think I need a diagram to help see how the connection arrangement works. The PC appears to connect to the VM via a LAN, as does one of the physical LAN port adapters?

I suppose on the down side your PC needs to be running to give network access to other networked devices. Great if your box is on 24h a day, but also too if you want to try without finding new hardware.

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.

It would still be nice to find some generic lower-power hardware to install on for a long-term 24h solution. That could then make a permanent retirement for any domestic hardware router and the associated firmware issues.

parityboy
Site Admin
Posts: 1203
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Mon Mar 26, 2018 11:09 pm

@cryptomon

|----------|<->|NIC 0|<---->ISP connection point<---->Internet
|pfSense VM|
|----------|<->|NIC 1|<---->LAN<---->Host PC


My ASCII art isn't the greatest. :P

cryptomon wrote:Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.


What's your connection speed?

cryptomon wrote:It would still be nice to find some generic lower-power hardware to install on for a long-term 24h solution. That could then make a permanent retirement for any domestic hardware router and the associated firmware issues.


The problem with this is that low-power hardware does not support high-speed encryption. Most low-powered hardware will top out really quickly, especially with AES256 encryption.


Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Tue Mar 27, 2018 7:09 am

parityboy wrote:What's your connection speed?


I know what you are thinking....but unfortunately nothing special, 100Mb is possible if you pay for it, but I just use the slowest speed. In reality I only get about 5-50% of that speed on a good day. Provider congestion/over subscription has a lot to do with it.

parityboy wrote:The problem with this is that low-power hardware does not support high-speed encryption. Most low-powered hardware will top out really quickly, especially with AES256 encryption.


Okay, but I have OpenVPN with the CS config installed on an ASUS RT-AC68U; is that not already doing something like that?

parityboy
Site Admin
Posts: 1203
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Wed Mar 28, 2018 7:59 pm

@cryptomon

Yep, it is. A friend of mine has a similar Asus router which was doing a similar job. He has a 38Mb/s connection and was getting ~5Mb/s out of the router. When he moved the VPN connection to his Mac Mini, his connection speed improved greatly, close to his line speed.

Domestic router hardware is pretty weak, to be honest.


Topic Author
cryptomon
Posts: 13
Joined: Fri Feb 23, 2018 7:32 am

Re: Token Hashing - OpenVPN user input

Postby cryptomon » Thu Mar 29, 2018 7:40 am

parityboy wrote:@cryptomon
When he moved the VPN connection to his Mac Mini,...


That's an interesting observation. So I need to find some Linux-friendly hardware like the Mac Mini that I can install this BSD firewall software onto, like pfSense or OPNsense. I'm sure the Mac works well for him, but I'm not a Mac person unfortunately.

parityboy
Site Admin
Posts: 1203
Joined: Wed Feb 05, 2014 3:47 am

Re: Token Hashing - OpenVPN user input

Postby parityboy » Fri Mar 30, 2018 3:27 pm

@cryptomon

Yeah, he uses that Mac Mini as a media centre/general-purpose PC, so Tunnelblick is the go-to VPN software for that platform.

