Mirror of https://github.com/OpenVPN/openvpn3.git, synced 2024-09-20 04:02:15 +02:00, at commit 9c0397ebd3.
to HTTP CONNECT but implemented over the OpenVPN protocol.

1. Client connects to relay server as if it were connecting to an
   ordinary OpenVPN server.

2. Client authenticates to relay server using its client certificate.

3. Client sends a PUSH_REQUEST message to relay server, which then
   replies with a RELAY message instead of PUSH_REPLY.

4. On receiving the RELAY message, the client attempts to reconnect
   using the existing transport socket. The server will proxy this new
   connection (at the transport layer) to a second server (chosen by
   the relay server) that is the target of the proxy.

5. The client must establish and authenticate a new session from
   scratch with the target server, only reusing the transport layer
   socket from the original connection to the relay server.

6. The relay acts as a man-in-the-middle only at the transport layer
   (like most proxies), i.e. it forwards the encrypted session between
   client and target server without decrypting or having the
   capability to decrypt the session.

7. The client is designed to protect against potentially untrusted or
   malicious relays:

   (a) The client never transmits the target server username/password
       credentials to the relay server.

   (b) The relay forwards the encrypted OpenVPN session between client
       and target server without having access to the session keys.

   (c) The client configuration has special directives for the relay
       server CA (<relay-extra-ca>) and the relay server tls-auth key
       (<relay-tls-auth>) to allow for separation of TLS/crypto
       configuration between relay and target servers.

   (d) The client will reject any PUSH_REPLY messages from the relay
       itself, to prevent the relay from trying to establish a tunnel
       directly with the client.

Example configuring a client for relay:

   # remote addresses point to the relay server
   remote ... 1194 udp
   remote ... 443 tcp

   # include all other directives for connecting
   # to the target server

   # enable relay mode
   relay-mode

   # constrain the relay server's cert type
   relay-ns-cert-type server

   # include extra CAs that validate the relay
   # server cert (optional).
   <relay-extra-ca>
   -----BEGIN CERTIFICATE-----
   . . .
   -----END CERTIFICATE-----
   </relay-extra-ca>

   # specify the TLS auth key for the relay server
   relay-key-direction 1
   <relay-tls-auth>
   -----BEGIN OpenVPN Static key V1-----
   . . .
   -----END OpenVPN Static key V1-----
   </relay-tls-auth>
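To make the two client-side protections above concrete, here is an added example in C++ (the project's language). It is not openvpn3 code: its option-merging rules (relay-extra-ca appended to ca, any other relay-X replacing X on the relay leg, username/password never offered on the relay leg) are assumptions chosen to match the description above, not the project's option loader, and the sample config, the hostname relay.example.net and the placeholder inline bodies are constructed. It parses a relay-mode config into separate relay-leg and target-leg TLS settings (rules 7a and 7c) and models the reply check that refuses a PUSH_REPLY while still talking to the relay (rule 7d).

```cpp
// Added example, not openvpn3 code: relay-leg vs target-leg TLS settings and
// the PUSH_REPLY-from-relay check. Merge rules are assumptions for illustration.
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// One parsed directive; body holds the contents of an inline <tag>...</tag> block.
struct Option { std::string name; std::vector<std::string> args; std::string body; };

// Minimal OpenVPN-style config parser: '#' comments, whitespace-separated
// directives, inline <tag>...</tag> blocks. Throws on an unterminated block.
std::vector<Option> parse_config(const std::string& text) {
    std::vector<Option> out;
    std::istringstream in(text);
    std::string line, tok;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        if (!(ls >> tok) || tok[0] == '#') continue;
        Option o;
        o.name = tok;
        if (tok.size() > 2 && tok[0] == '<' && tok[1] != '/' && tok.back() == '>') {
            o.name = tok.substr(1, tok.size() - 2);
            for (const std::string close = "</" + o.name + ">";; o.body += line + "\n") {
                if (!std::getline(in, line)) throw std::runtime_error("unterminated <" + o.name + ">");
                std::istringstream cs(line);
                if ((cs >> tok) && tok == close) break;
            }
        } else {
            while (ls >> tok) o.args.push_back(tok);
        }
        out.push_back(o);
    }
    return out;
}

static std::string value_of(const Option& o) {  // inline body if present, else joined args
    if (!o.body.empty()) return o.body;
    std::string v;
    for (const auto& a : o.args) v += (v.empty() ? "" : " ") + a;
    return v;
}

// Effective TLS/crypto settings for one leg, plus whether user/pass auth is offered on it.
struct LegConfig { std::map<std::string, std::string> tls; bool has_user_pass = false; };

// Assumed split (illustration, not the project's loader): the target leg uses the
// unprefixed TLS directives and ignores every relay-*; the relay leg starts from the
// same settings, then relay-extra-ca is appended to ca and any other relay-X replaces
// X. auth-user-pass is never carried to the relay leg (rule 7a above).
std::pair<LegConfig, LegConfig> split_legs(const std::vector<Option>& opts) {
    LegConfig relay, target;
    for (const auto& o : opts) {
        if (o.name == "ca" || o.name == "tls-auth" || o.name == "key-direction" || o.name == "ns-cert-type")
            relay.tls[o.name] = target.tls[o.name] = value_of(o);
        else if (o.name == "auth-user-pass")
            target.has_user_pass = true;
    }
    for (const auto& o : opts) {  // second pass so relay-* wins regardless of order
        if (o.name == "relay-extra-ca")
            relay.tls["ca"] += value_of(o);
        else if (o.name.compare(0, 6, "relay-") == 0 && o.name != "relay-mode")
            relay.tls[o.name.substr(6)] = value_of(o);
    }
    return {relay, target};
}
LegConfig relay_leg(const std::string& cfg)  { return split_legs(parse_config(cfg)).first; }
LegConfig target_leg(const std::string& cfg) { return split_legs(parse_config(cfg)).second; }

enum class Phase { Relay, Target };
enum class Action { ReconnectToTarget, AcceptPush, Reject };

// Reply to PUSH_REQUEST. On the relay leg only RELAY is accepted (it triggers the
// reconnect over the same socket); a PUSH_REPLY from the relay is refused (rule 7d).
Action handle_push_response(Phase phase, const std::string& msg) {
    const bool is_relay = msg.compare(0, 5, "RELAY") == 0;
    const bool is_push_reply = msg.compare(0, 10, "PUSH_REPLY") == 0;
    if (phase == Phase::Relay && is_relay) return Action::ReconnectToTarget;
    if (phase == Phase::Target && is_push_reply) return Action::AcceptPush;
    return Action::Reject;
}

// Constructed sample config in the layout shown above; inline bodies are placeholders.
const char* const kSampleConfig = R"(remote relay.example.net 1194 udp
auth-user-pass
relay-mode
relay-ns-cert-type server
<ca>
TARGET-CA-PEM
</ca>
<tls-auth>
TARGET-TLS-AUTH-KEY
</tls-auth>
<relay-extra-ca>
RELAY-CA-PEM
</relay-extra-ca>
<relay-tls-auth>
RELAY-TLS-AUTH-KEY
</relay-tls-auth>
)";

int main() {  // prints the relay leg's effective CA bundle and the PUSH_REPLY decision
    std::cout << relay_leg(kSampleConfig).tls.at("ca")
              << (handle_push_response(Phase::Relay, "PUSH_REPLY,ifconfig 10.8.0.2") == Action::Reject) << "\n";
}
```

The relay leg ends up trusting both the target CA and the relay-extra-ca material and using the relay-tls-auth key, while the target leg sees none of the relay-* directives and is the only leg on which auth-user-pass is offered; a PUSH_REPLY answered in the relay phase is refused regardless of its contents.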
Files in this directory:

   continuation.hpp
   merge.hpp
   sanitize.hpp
   servpush.hpp