Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add openVPN analyzer #114

Merged
merged 6 commits into from
Apr 2, 2024
Merged

feat: add openVPN analyzer #114

merged 6 commits into from
Apr 2, 2024

Conversation

KujouRinka
Copy link
Contributor

添加了一个 OpenVPN 的 analyzer,我参考了下面一些东西:

据官方,OpenVPN 有 pre-shared secret 和 tls 两种模式,前者可以认为所有数据均为密文,难以分析指纹,但应该能够用 FETAnalyzer 识别出来,现在实现的 OpenVPN analyzer 用于识别 tls 模式

PropMap:

{
  "openvpn_tcp": {
    "rx_pkt_cnt": 0,
    "tx_pkt_cnt": 0
  },
  "openvpn_udp": {
    "rx_pkt_cnt": 0,
    "tx_pkt_cnt": 0
  }
}

rx_pkt_cnttx_pkt_cnt 分别为这条连接上被判断为可能是 OpenVPN 包收到/发送的数量,所以 block 规则可以这样写:

- name: block openvpn tcp
  action: block
  expr: openvpn_tcp.rx_pkt_cnt + openvpn_tcp.tx_pkt_cnt > 50

- name: block openvpn udp
  action: block
  expr: openvpn_udp.rx_pkt_cnt + openvpn_udp.tx_pkt_cnt > 50

包的数量越多,假阳性越低。假阳性的概率大致可以这样计算:3/32 * 2/32 * (6/32)^(rx_pkt_cnt + tx_pkt_cnt)

目前限制了最多判别 256 个包,依据是这样假阳性概率大致能达到要求,并且在正常网络活动的情况下,达到这个数量的包所需要的时间不会超过 10s

关于假阴性,TCP 有可靠的流,理论上不会有假阴性。但 UDP 可能在较差的网络环境下具有较高的假阴性,当 OpenVPN 的 P_CONTROL_HARD_RESET_CLIENT_*P_CONTROL_HARD_RESET_SERVER_* 这两个控制包,即 OpenVPN 握手阶段才会发送的包被丢包时就会出现假阴性的情况,目前代码里面没有引入 invalidCount 来解决,原因是考虑到可能会提高 UDP 的假阳性,需要的话也许后续可以加上(?)

@tobyxdd
Copy link
Collaborator

tobyxdd commented Mar 29, 2024

感谢!我这周末 review 下。能把 TCP 和 UDP 的逻辑合并到同一个 analyzer 吗?同一个 analyzer 是可以同时实现 TCP/UDP 的接口的,可以参考已有的 DNS analyzer

@tobyxdd
Copy link
Collaborator

tobyxdd commented Mar 29, 2024

对于用 psk 的情况,我在考虑让 FET analyzer 支持 UDP... 应该可以对付开了 tls-crypt 的 OpenVPN

@KujouRinka
Copy link
Contributor Author

现在把逻辑都合并到 analyzer/udp/openvpn.go 里面了,PropMap 是下面这样:

{
  "openvpn": {
    "rx_pkt_cnt": 0,
    "tx_pkt_cnt": 0
  }
}

@tobyxdd tobyxdd requested review from tobyxdd and haruue March 30, 2024 18:07
@tobyxdd tobyxdd self-assigned this Mar 30, 2024
@tobyxdd tobyxdd added the enhancement New feature or request label Mar 30, 2024
tobyxdd
tobyxdd approved these changes Mar 30, 2024
View reviewed changes
Copy link
Collaborator

@tobyxdd tobyxdd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I can confirm this works as expected

@tobyxdd tobyxdd merged commit ab28fc2 into apernet:master Apr 2, 2024
2 checks passed
@ghost
Copy link

ghost commented Apr 16, 2024

openvpn udp tls1.3 aes-256-gcm
1
也能分析出来吗?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haruue haruue haruue approved these changes

@tobyxdd tobyxdd tobyxdd approved these changes

Assignees

@tobyxdd tobyxdd

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KujouRinka @tobyxdd @haruue