Discussion in 'privacy technology' started by FanJ, Dec 29, 2019.

  1. FanJ

    FanJ Updates Team

    Feb 9, 2002
    There has been a previous thread started by @Baserk but I thought to start a new one for those interested.
    Maybe better to first read that previous thread. You can also search the forum for "OpenVPN-NL"; it has been mentioned a few times.

    OpenVPN-NL by Fox-IT

    To start, about the "why" and the "Differences between OpenVPN and OpenVPN-NL" you have to read:

    About the "Audience":
    "While OpenVPN-NL is targeted for use by Dutch governmental bodies, it is available for anybody who wants to use it. No registration is required for download or use. A low-volume mailing list is available and open to all users to be informed of updates and security issues."
    "OpenVPN-NL is available free of licence costs. One should be aware that deployment and maintenance of any product requires knowledge and manpower, neither of which is free. Neither NBV nor Fox-IT provides free support or consultancy on OpenVPN. The commitment of NBV and Fox-IT is essentially limited to keeping the product up to date, and providing the information which can be found on this site."

    There is a lot more there:


    The OpenVPN-NL lifecycle

  2. FanJ

    FanJ Updates Team

    Feb 9, 2002
  3. mirimir

    mirimir Registered Member

    Oct 1, 2011
    So is it backdoored?
  4. imdb

    imdb Registered Member

    Nov 2, 2011
    given that a gov't is involved in it, i don't see any reason why it wouldn't be. :ninja:
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    I tried very hard to grep the word "backdoor" :D from their modified version of the openvpn 2.4.7 source code and only found this:

    Opening that mbedtls/include/mbedtls/dhm.h shows the following:

    So it's just a warning from mbedtls (formerly PolarSSL) not to use DHM with your SSL connections and instead to use elliptic curve
    crypto stuff like ECDH.

    Problem is, mbedtls elliptic curve crypto is horrible compared to OpenSSL (scroll all the way down to "Supported Elliptic Curves":

    And if you look at the Fox-IT comparison of their version of openvpn and the vanilla version of openvpn, you see that
    they are actually worse in elliptic curve support (vanilla supports all; theirs only a small subset) and even the
    max bit strength of the insecure RSA stuff is worse than OpenSSL.
    So why did they choose the crypto library (mbedtls) with fewer options? o_O
    In particular, x25519 is missing (according to Wikipedia) from mbedtls.

    And why did they not just post their changes to upstream as a separate patch?

    I did a very quick diff -Naur openvpn-2.4.7 openvpn-nl/openvpn and most of the
    stuff I see is just removing autotools files (required when building from source on Unix/Linux machines),
    some cosmetic rebranding (putting Fox-IT here and there) and some documentation changes.
    (Source can be downloaded here if interested.)

    The real stuff is in openvpn-nl/openvpn/src/openvpn/allowed_crypto.h and openvpn-nl/openvpn/src/openvpn/allowed_crypto.c
    files which are rather short and just mainly remove most of the ciphers, which is their hardening.

    So the good news is, there probably is no backdoor there, but it is still strange that they wanted
    to use the lesser crypto library (mbedtls) of the two crypto libraries supported by openvpn.

    It's just vanilla openvpn with some weaker ciphers removed.

    But if you really want to build and try it yourself ....

    Building yourself
    Because they removed most of the default configure stuff, you have to go to the openvpn-nl/openvpn directory,
    have the autotools packages installed (dnf install automake autoconf on Fedora, apt-get install autoconf automake or something like that
    in the Debian clan...) and run autoreconf -fiv

    After that you can give the normal
    ./configure --disable-ofb-cfb && make && make DESTDIR=<some directory of your liking> install
    Last edited: Dec 29, 2019
  6. FanJ

    FanJ Updates Team

    Feb 9, 2002
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    Welcome :)

    I also just found this old conversation from the openvpn forum:

    So if there is any backdoor, then it would most likely be in the mbedtls (PolarSSL) folder
    from that openvpn-nl source package. That folder is not in the original openvpn-2.4.7 source package.


    Some of their marketing material from WikiLeaks:

    And this is interesting too
    Last edited: Dec 30, 2019
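
    The tree comparison from Stefan's two posts above (the quick diff -Naur between openvpn-2.4.7 and openvpn-nl/openvpn, and the point that the mbedtls folder exists only in the fork), written out as an added shell example. This is not code from the thread, from OpenVPN or from Fox-IT. It sorts the differences into three buckets so a reviewer can read the code that exists only in the fork first, instead of wading through removed build files and rebranding. It runs against two constructed sample trees with made-up contents; the names allowed_crypto.c, mbedtls/ and options.c in the sample are only stand-ins for what the posts mention, and the sample's layout is an assumption, not the real package layout.

```shell
#!/bin/sh
# Added example (not from the forum thread, OpenVPN or Fox-IT): automate the
# "diff -Naur vanilla fork" review step and bucket the result into
# only_in_vanilla / only_in_fork / modified, so new code in the fork stands out.
set -eu

# classify_trees VANILLA FORK
# Prints "CLASS PATH" lines, PATH relative to the tree root. Uses only POSIX
# diff and sort; LC_ALL=C pins the English "Only in"/"Files ... differ" text
# that is parsed below.
classify_trees() {
    vanilla=$1
    fork=$2
    # diff -qr exits 1 when the trees differ, which is the expected case.
    { LC_ALL=C diff -qr "$vanilla" "$fork" || true; } | while IFS= read -r line; do
        case $line in
            "Only in $vanilla: "*|"Only in $vanilla/"*)
                emit_only only_in_vanilla "$vanilla" "$line" ;;
            "Only in $fork: "*|"Only in $fork/"*)
                emit_only only_in_fork "$fork" "$line" ;;
            "Files "*" differ")
                # "Files VANILLA/x and FORK/x differ" -> x
                f=${line#Files }
                f=${f%% and *}
                printf 'modified %s\n' "${f#"$vanilla"/}" ;;
        esac
    done | sort
}

# emit_only CLASS ROOT LINE: turn "Only in ROOT/sub: name" into "CLASS sub/name".
emit_only() {
    dir=${3#Only in }
    dir=${dir%%: *}
    name=${3##*: }
    rel=${dir#"$2"}
    rel=${rel#/}
    printf '%s %s\n' "$1" "${rel:+$rel/}$name"
}

# count_class REPORT CLASS: number of report lines in that class (0 if none).
count_class() {
    grep -c "^$2 " "$1" || true
}

# make_sample_trees: constructed sample data, NOT the real 2.4.7 or
# openvpn-nl sources. Mirrors the shape the posts describe: build files
# present only upstream, a cipher allowlist and a bundled TLS library
# present only in the fork, one rebranded file, one identical file.
make_sample_trees() {
    base=$(mktemp -d)
    v=$base/vanilla
    f=$base/fork
    mkdir -p "$v/src/openvpn" "$f/src/openvpn" "$f/mbedtls/include"
    : > "$v/configure.ac"
    : > "$v/Makefile.am"
    printf 'static const char *allowed[] = { "AES-256-GCM" };\n' > "$f/src/openvpn/allowed_crypto.c"
    : > "$f/mbedtls/include/dhm.h"
    printf 'OpenVPN\n' > "$v/src/openvpn/options.c"
    printf 'OpenVPN-NL by Fox-IT\n' > "$f/src/openvpn/options.c"
    printf 'int main(void){return 0;}\n' > "$v/src/openvpn/openvpn.c"
    printf 'int main(void){return 0;}\n' > "$f/src/openvpn/openvpn.c"
    printf '%s\n' "$base"
}

BASE=$(make_sample_trees)
REPORT=$BASE/report.txt
classify_trees "$BASE/vanilla" "$BASE/fork" > "$REPORT"
cat "$REPORT"
```

    Against the real trees you would call classify_trees openvpn-2.4.7 openvpn-nl/openvpn, read the only_in_fork entries first (that is where an allowed_crypto.c or a bundled library shows up), and only then diff the modified files one by one, since most of those will be the rebranding the post describes.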