OpenVPN – NTLM and that wretched proxy

This article is for anyone who has trouble getting OpenVPN to talk to a proxy that requires NTLM authentication.

At the time of writing the OpenVPN version is 2.1.3; later versions may not suffer from the same problem (ntlm.c has been reworked since, so check the code of your own release before porting this change).

Using NTLM authentication I noticed that the exchange breaks off right after the client sends its Type 1 message: the proxy does not bother to answer at all, neither with a refusal nor with the Type 2 challenge it should send back.

For more information on the NTLM message exchange see:

http://davenport.sourceforge.net/ntlm.html

Looking at the source code, the string the client sends to the proxy is the following:

TlRMTVNTUAABAAAAAgIAAA==

It is a constant defined in the file ntlm.c. Decoded, it is a 16-byte message: the NTLMSSP signature, message type 1 and the negotiate flags 0x00000202 (Negotiate OEM and Negotiate NTLM), and nothing else.

After a few tests with a network sniffer I noticed that other programs, Firefox for example, work perfectly with the proxy, so I wondered what the difference was. The Type 1 message sent by the browser is in fact substantially different:

TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

and the proxy seems to like it better. Decoded, it is 40 bytes: the same signature and message type, flags 0xA2088207 (Negotiate Unicode, Negotiate OEM, Request Target, Negotiate NTLM, Always Sign, Extended Session Security, Negotiate Version, 128-bit and 56-bit), empty domain and workstation fields, and a Version structure announcing Windows 5.1 build 2600. Which of these flags the proxy actually requires is not established here; the only visible symptom is the silence after the minimal message.

At this point I changed the source code in the only line that needed it:

const char *
ntlm_phase_1 (const struct http_proxy_info *p, struct gc_arena *gc)
{
  struct buffer out = alloc_buf_gc (96, gc);
  /* try a minimal NTLM handshake
   *
   * http://davenport.sourceforge.net/ntlm.html
   *
   * The original message contained only the NTLMSSP signature,
   * the NTLM message type,
   * and the minimal set of flags (Negotiate NTLM and Negotiate OEM).
   *
   * The replacement is the Type 1 message observed from Firefox: it also
   * advertises Unicode, Request Target, Always Sign, Extended Session
   * Security, 128/56-bit and a Version structure (Windows 5.1 build 2600).
   */
  // buf_printf (&out, "%s", "TlRMTVNTUAABAAAAAgIAAA==");
  buf_printf (&out, "%s", "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==");
  return (BSTR (&out));
}

After recompiling the executable, everything works correctly.

Two caveats before you copy this. The flags in a Type 1 message are only an offer: the proxy answers with a Type 2 carrying the flags it accepted, and the Type 3 that OpenVPN then builds has to be consistent with them, which this one-line change does not touch. And the NTLMv1 response that the ntlm method sends to an HTTP proxy is weak by today's standards (anyone who can observe the connection gets a challenge/response pair to attack the password offline), so prefer the ntlm2 method, which OpenVPN 2.1 also accepts as the auth-method argument of --http-proxy, whenever the proxy supports it.
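To see what actually differs between the two base64 strings above, here is an added example in Python (not part of the original post and not OpenVPN code) that parses both NTLM Type 1 messages into their fields and rebuilds the Firefox one from those fields. The field layout and flag names follow MS-NLMP and the davenport page linked above; the constants OPENVPN_213 and FIREFOX are just names for the two strings quoted in the post.

```python
"""Added example (not OpenVPN code): decode and build NTLM Type 1 (Negotiate)
messages so the two base64 strings from the post can be compared field by
field instead of being treated as opaque constants.

Layout (davenport.sourceforge.net/ntlm.html, MS-NLMP NEGOTIATE_MESSAGE):
   0  Signature          b"NTLMSSP\\0"
   8  MessageType        uint32 LE = 1
  12  NegotiateFlags     uint32 LE
  16  DomainNameFields   8 bytes, optional (len, maxlen, offset)
  24  WorkstationFields  8 bytes, optional
  32  Version            8 bytes, optional: major, minor, build (LE16),
                         3 reserved bytes, NTLMSSP revision (0x0F)
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\0"
NEGOTIATE = 1
NEGOTIATE_VERSION = 0x02000000

# Negotiate flag bits, named as in MS-NLMP section 2.2.2.5.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}


def flag_names(flags):
    """Names of the set bits, lowest bit first, plus hex for anything unlisted."""
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(FLAGS)
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def parse_type1(b64):
    """Decode a base64 Type 1 message into a dict; raise ValueError if it is not one."""
    msg = base64.b64decode(b64)
    if len(msg) < 16 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NEGOTIATE:
        raise ValueError("not a Type 1 message (type %d)" % msg_type)
    info = {"length": len(msg), "flags": flags,
            "flag_names": flag_names(flags), "version": None}
    if flags & NEGOTIATE_VERSION and len(msg) >= 40:
        major, minor, build, _r1, _r2, _r3, rev = struct.unpack_from("<BBH3BB", msg, 32)
        info["version"] = (major, minor, build, rev)
    return info


def build_type1(flags, version=None):
    """Encode a Type 1. With version=(major, minor, build) the message carries
    empty domain/workstation fields and a Version block (40 bytes); without it,
    the bare 16-byte form is produced."""
    msg = SIGNATURE + struct.pack("<II", NEGOTIATE, flags)
    if version is not None:
        major, minor, build = version
        msg += b"\0" * 16                                        # empty security buffers
        msg += struct.pack("<BBH3xB", major, minor, build, 0x0F)  # NTLMSSP_REVISION_W2K3
    return base64.b64encode(msg).decode("ascii")


# The two strings quoted in the post.
OPENVPN_213 = "TlRMTVNTUAABAAAAAgIAAA=="
FIREFOX = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

if __name__ == "__main__":
    for label, blob in (("openvpn 2.1.3", OPENVPN_213), ("firefox", FIREFOX)):
        info = parse_type1(blob)
        print("%-14s %2d bytes flags=0x%08x %s version=%s"
              % (label, info["length"], info["flags"],
                 " ".join(info["flag_names"]), info["version"]))
    # Rebuilding the browser's message from its fields reproduces the literal exactly.
    print("rebuilt == firefox:", build_type1(0xA2088207, version=(5, 1, 2600)) == FIREFOX)
```

Running it shows the minimal message carrying only NEGOTIATE_OEM and NEGOTIATE_NTLM in 16 bytes, while the browser's 40-byte message also offers Unicode, Request Target, Always Sign, Extended Session Security, 128/56-bit and a Version block claiming Windows 5.1 build 2600. If you want to find out which flag a particular proxy insists on, generate candidates with build_type1 instead of editing the base64 by hand, and keep in mind that the flags are an offer: the proxy's Type 2 reply says which ones it accepted, and the Type 3 the client sends has to honour that answer.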

Until next time.


14 Comments.

  1. Thank you! This change worked for me…

  2. Hi,

    do you have a patched file for v2.2.1?
    Because the problem is in v2.2.1 too.

  3. Did you try to apply this anyway? I think we should submit a request in order to permanently solve this issue.

  4. Hi,

    I spent a whole night building openvpn 2.2.1 with your patch…
    Now I have two problems.

    1) If I use Visual Studio 2010, I can build and run openvpn.exe, but it can't connect to my server because I always get the following:
    Thu Nov 10 14:02:05 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Nov 10 2011
    Thu Nov 10 14:02:05 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Nov 10 14:02:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Nov 10 14:02:05 2011 LZO compression initialized
    Thu Nov 10 14:02:05 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Thu Nov 10 14:02:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu Nov 10 14:02:05 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
    Thu Nov 10 14:02:05 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Nov 10 14:02:05 2011 Local Options hash (VER=V4): '69109d17'
    Thu Nov 10 14:02:05 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Thu Nov 10 14:02:05 2011 Attempting to establish TCP connection with xxx.xxx.xxx.xxx:8080 [nonblock]
    Thu Nov 10 14:02:05 2011 TCP: connect to xxx.xxx.xxx.xxx:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
    Thu Nov 10 14:02:10 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
    Thu Nov 10 14:02:10 2011 TCP: connect to yyy.yyy.yyy.yyy:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
    Thu Nov 10 14:02:15 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
    Thu Nov 10 14:02:15 2011 TCP: connect to xxx.xxx.xxx.xxx:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)
    Thu Nov 10 14:02:20 2011 RESOLVE: NOTE: proxy.xxxx.xxx resolves to 2 addresses
    Thu Nov 10 14:02:20 2011 TCP: connect to yyy.yyy.yyy.yyy:8080 failed, will try again in 5 seconds: Operation would block (WSAEWOULDBLOCK)

    2) If I build it with Visual Studio 2008 I can't run openvpn.exe; if I do, I only get a message box with this error:
    Runtime Error!
    Program: c:\Program Files\OpenVPN\bin\openvpn.exe
    R6034
    An application has made an attempt to load the C runtime library incorrectly.
    Please contact the application's support team for more information.

    I have tested it with many versions of the msvcr90.dll but nothing worked.

  5. Hi, are you sure you reach the proxy server? Do you have this issue with a non-patched version of openvpn?

  6. I just know that the two proxy IPs are correct and I think it can't connect (your 2.1.4 fixed exe can).
    I'm not a C++ developer, 98% of my business is .NET. I don't know why the VS2008 version can't even run.

  7. I'll try to apply the current patch to the latest software release if you like. Let me know.

  8. Yes please, that would be great!

  9. Did it work?

  10. I sent you an email with a new exe but you didn’t reply.

  11. Do you still work on that problem?
    Today I tested OpenVPN 2.3 Alpha 3 and I still have the same problem.

  12. The patch I made works for me but I'm unable to run more tests since I don't have the right environment. Have you tried my file?

  13. I tested your exe file but it doesn't work.

    The first thing was that libssl32.dll was missing (the original exe file doesn't need it).
    After copying the missing dll from my openssl folder to the openvpn bin folder your exe file could start, but it crashes very quickly (Windows just tells me that "openvpn.exe doesn't work anymore").

    Here is the logfile:

    OpenVPN 2.2.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 18 2011

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

    LZO compression initialized
