OpenVPN-NL

Discussion in 'privacy technology' started by FanJ, Dec 29, 2019.

  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    There has been a previous thread started by @Baserk, but I thought I'd start a new one for those interested.
    It may be better to first read that previous thread. You can also search the forum for "OpenVPN-NL"; it has been mentioned a few times.

    Site:
    OpenVPN-NL by Fox-IT
    https://openvpn.fox-it.com/index.html

    To start, about the "why" and the "Differences between OpenVPN and OpenVPN-NL" you have to read:
    https://openvpn.fox-it.com/about.html

    About the "Audience":
    "While OpenVPN-NL is targeted for use by Dutch governmental bodies, it is available for anybody who wants to use it. No registration is required for download or use. A low-volume mailing list is available and open to all users to be informed of updates and security issues."
    "OpenVPN-NL is available free of licence costs. One should be aware that deployment and maintenance of any product requires knowledge and manpower, neither of which is free. Neither NBV nor Fox-IT provides free support or consultancy on OpenVPN. The commitment of NBV and Fox-IT is essentially limited to keeping the product up to date, and providing the information which can be found on this site."

    There is a lot more there:

    Deployment
    https://openvpn.fox-it.com/deployment.html

    The OpenVPN-NL lifecycle
    https://openvpn.fox-it.com/lifecycle.html

    Software
    https://openvpn.fox-it.com/software.html
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    So is it backdoored?
     
  4. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    given that a gov't is involved in it, i don't see any reason why it wouldn't be. :ninja:
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    I tried very hard to grep for the word "backdoor" :D in their modified version of the openvpn 2.4.7 source code and only found this:
    https://www.orwell1984.today/foxit1.png

    Opening that mbedtls/include/mbedtls/dhm.h shows the following:

    https://www.orwell1984.today/foxit2.png

    So it's just a warning from mbedtls (formerly PolarSSL) not to use DHM with your SSL connections and to use elliptic curve crypto stuff like ECDH instead.

    Problem is, mbedtls elliptic curve crypto is horrible compared to OpenSSL (scroll all the way down to "Supported Elliptic Curves"):
    https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

    And if you look at the Fox-IT comparison of their version of openvpn and the vanilla version of openvpn, you see that they are actually worse in elliptic curve support (vanilla supports all; theirs only a small subset) and even the max bit strength of the insecure RSA stuff is worse than OpenSSL:

    https://www.orwell1984.today/foxit3.png
    So why did they choose the crypto library (mbedtls) with fewer options? o_O
    Especially x25519 is missing (according to Wikipedia) from mbedtls.

    And why did they not just post their changes to upstream as a separate patch?

    I did a very quick diff -Naur openvpn-2.4.7 openvpn-nl/openvpn and most of the stuff I see is just removing autotools files (required when building from source on Unix/Linux machines), some cosmetic rebranding (putting Fox-IT here and there) and some documentation changes.
    (The source can be downloaded here if interested: https://openvpn.fox-it.com/repos/source/)


    The real stuff is in the openvpn-nl/openvpn/src/openvpn/allowed_crypto.h and openvpn-nl/openvpn/src/openvpn/allowed_crypto.c files, which are rather short and mainly just remove most of the ciphers, which is their hardening.

    So the good news is, there probably is no backdoor there, but it is still strange why they wanted to use the lesser crypto library (mbedtls) of the two crypto libraries supported by openvpn?

    It's just vanilla openvpn with some weaker ciphers removed.

    But if you really want to build and try it yourself ....

    Building yourself
    Because they removed most of the default configure stuff, you have to go to the openvpn-nl/openvpn directory, have the autotools packages installed (dnf install automake autoconf on Fedora; apt-get install autoconf automake or something like that in Debian clans...) and run autoreconf -fiv

    After that you can give the normal
    ./configure --disable-ofb-cfb && make && make DESTDIR=<some directory of your liking> install
     
    Last edited: Dec 29, 2019
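The audit described in the post above (grep the fork for a keyword, diff it against the upstream release, set the autotools and rebranding noise aside so the substantive changes stand out) can be turned into a repeatable script. The following is an added example, not code from the post, from Fox-IT or from OpenVPN-NL. It goes one step further than a raw diff -Naur by separating files that differ only by product name from files with real code changes. The two source trees it runs on are a constructed miniature built in a temp directory so the script runs offline; the file names follow the post, but their contents, the list of autotools-generated paths and the rebranding strings are assumptions. The real inputs would be the unpacked openvpn-2.4.7 and openvpn-nl/openvpn directories.

```python
"""Triage a vendor fork against its upstream release (added example).

Reproduces the manual steps from the post as a repeatable script:
diff two source trees, set aside autotools and rebranding noise so the
substantive changes stand out, and grep the fork for a keyword.
The two trees below are constructed in a temp dir so it runs offline;
real inputs would be the unpacked openvpn-2.4.7 and openvpn-nl/openvpn.
"""
import re
import tempfile
from pathlib import Path

# Assumption: these paths are regenerated by autoreconf, so a fork that
# ships without them has dropped build output, not source.
AUTOTOOLS_NOISE = re.compile(
    r"(^|/)(configure|Makefile\.in|aclocal\.m4|config\.h\.in|compile|"
    r"depcomp|install-sh|missing|ltmain\.sh)$|(^|/)m4/"
)


def _normalise(text: str) -> str:
    """Undo the rebranding the post mentions (assumed strings) so a file
    that differs only by product name is not reported as a code change."""
    text = text.replace("OpenVPN-NL", "OpenVPN")
    return "\n".join(l.rstrip() for l in text.splitlines() if "Fox-IT" not in l)


def _files(root: Path) -> set:
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def triage(upstream: Path, fork: Path) -> dict:
    """Classify every path that differs between the two trees."""
    up, fk = _files(upstream), _files(fork)
    rep = {"build_noise": [], "removed": [], "added": [], "rebrand_only": [], "modified": []}
    for rel in sorted(up - fk):
        rep["build_noise" if AUTOTOOLS_NOISE.search(rel) else "removed"].append(rel)
    rep["added"] = sorted(fk - up)
    for rel in sorted(up & fk):
        a, b = (upstream / rel).read_bytes(), (fork / rel).read_bytes()
        if a == b:
            continue
        if AUTOTOOLS_NOISE.search(rel):
            rep["build_noise"].append(rel)
        elif _normalise(a.decode(errors="ignore")) == _normalise(b.decode(errors="ignore")):
            rep["rebrand_only"].append(rel)
        else:
            rep["modified"].append(rel)  # these are the diffs to read by hand
    return rep


def grep(root: Path, word: str) -> list:
    """Case-insensitive search; returns (relative path, line number, line)."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            for n, line in enumerate(p.read_text(errors="ignore").splitlines(), 1):
                if word.lower() in line.lower():
                    hits.append((p.relative_to(root).as_posix(), n, line.strip()))
    return hits


def make_fixture(base: Path):
    """Constructed miniature trees; names follow the post, contents are made up."""
    upstream = {
        "configure": "#!/bin/sh\n# generated by autoconf\n",
        "m4/ax_check.m4": "dnl constructed macro\n",
        "README": "OpenVPN -- a VPN daemon\n",
        "src/openvpn/crypto.c": "int cipher_ok(const char *c) { return 1; }\n",
        "src/openvpn/ssl.c": "/* unchanged in the fork */\n",
    }
    fork = {
        "README": "OpenVPN-NL -- a VPN daemon\nHardened by Fox-IT\n",
        "src/openvpn/crypto.c": "int cipher_ok(const char *c) { return allowed_cipher(c); }\n",
        "src/openvpn/ssl.c": "/* unchanged in the fork */\n",
        "src/openvpn/allowed_crypto.c": "int allowed_cipher(const char *c) { return 0; }\n",
        "include/mbedtls/dhm.h": "/* constructed stand-in for the mbedtls DHM warning:\n"
                                 " * a modulus of unknown origin can hide a backdoor, prefer ECDH */\n",
    }
    for name, tree in (("openvpn-2.4.7", upstream), ("openvpn-nl", fork)):
        for rel, text in tree.items():
            path = base / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return base / "openvpn-2.4.7", base / "openvpn-nl"


def demo() -> dict:
    """Run the triage and the keyword grep over the constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        up, fk = make_fixture(Path(tmp))
        return {"triage": triage(up, fk), "backdoor_hits": grep(fk, "backdoor")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed fixture the script reports the dropped configure script and m4 macro as build noise, the README as a rebrand-only change, crypto.c as the one modified file worth reading, and allowed_crypto.c plus the mbedtls header as additions; the keyword grep lands on the comment in the added header, exactly the kind of hit the post describes. On real trees the "modified" and "added" lists are what deserve a line-by-line read; a keyword grep alone proves nothing either way.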
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Welcome :)

    I also just found this old conversation from openvpn forum:
    https://forums.openvpn.net/viewtopic.php?t=10180

    So if there is any backdoor, then it would most likely be in the mbedtls (PolarSSL) folder of that openvpn-nl source package. That folder is not in the original openvpn-2.4.7 source package.

    EDIT:

    Some of their marketing material from WikiLeaks:
    https://wikileaks.org/spyfiles/document/page/4/#FOXIT

    EDIT2:
    And this is interesting too
    https://blog.puscii.nl/content/whats-wrong-kids-these-days
     
    Last edited: Dec 30, 2019