[Openvpn-devel,0/2] proxy protocol v2 for port-share

Message ID 7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de

corubba Dec. 14, 2024, 11:18 p.m. UTC
Hello,

since v2.1 (released 2009) OpenVPN has the "port-share" feature, where
it listens on a TCP port (like 443) and forwards/proxies all incoming
non-OpenVPN connections (like HTTPS) to a different server/port
(hereafter called the "downstream server"). Because this terminates the
TCP connection and the downstream server does not see the actual client
IP, in v2.3 (released 2013) a "journal directory" feature was added
where OpenVPN writes temporary files for every forwarded connection
which the downstream server can use to determine the real client IP.
While this works okay, it has a few drawbacks:

1) Since this is a custom solution, you also need a custom integration
   in the downstream server software to consume the journal files.
2) It is relatively straightforward to use on the same host; getting it
   to work across hosts is more difficult, but not impossible.
3) Because it basically is a side channel, there is the potential for
   race conditions. For example, the journal file is written *after* the
   connection to the downstream server is opened, so it may not exist
   yet when the downstream server tries to access/read it.

The goal of this patch set is to add an additional mechanism for
transmitting the real client ip to the downstream server using the
PROXY protocol [0]. It was created by the fine people from HAProxy,
releasing the specification of protocol version 1 in 2010, followed by
version 2 in 2012. OpenVPN's port-share feature behaves like a "dumb
proxy", for which that protocol was designed. Compared to the "journal
directory" feature, it does not suffer from the above-mentioned
drawbacks:

1) Standardized protocol which is natively supported by a wide range of
   software, allowing plug-and-play deployment.
2) Easy to use on the same or across different hosts.
3) Uses in-band transmission, no side-channel required.

The first patch adds normalization of IPv4-mapped IPv6 addresses to
plain IPv4 addresses, which can be seen as a general improvement of the
"journal" feature. The second patch adds the PROXY protocol (version 2)
implementation.

The third patch extends the PROXY protocol implementation beyond what
is currently required. It is not meant to be merged as-is right now, but
only attached for completeness should these features ever be needed.

This patch set was not created out of necessity, but rather as an
exercise while playing around with the port-share feature. Feel free to
consider accepting this patch set without any pressure. I do believe it
has merit though, and it may be worth considering going as far as to
completely deprecate/replace the "journal directory" with it.


[0] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt


Best regards
--
Corubba
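To make the in-band mechanism described in the cover letter concrete, here is an added example (not code from the patch set or from OpenVPN) that builds and parses the binary PROXY protocol version 2 header a "dumb proxy" such as port-share would prepend to the forwarded TCP stream, and that collapses an IPv4-mapped IPv6 client address to plain IPv4 as the first patch does for the journal. The wire layout (12-byte signature, version/command byte, family/protocol byte, 16-bit body length, then source/destination addresses and ports) follows the linked HAProxy specification; all function and struct names (`pp2_addr`, `pp2_encode`, `pp2_parse`, `pp2_normalize_v4mapped`, `pp2_selftest`) and the sample addresses are this example's own.

```c
/* Added example: PROXY protocol v2 header encode/parse for a dumb TCP proxy.
 * Not OpenVPN's code; names are hypothetical, layout per proxy-protocol.txt. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed 12-byte signature that opens every v2 header. */
static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

enum { PP2_VERSION = 0x20, PP2_CMD_PROXY = 0x01,
       PP2_FAM_INET = 0x10, PP2_FAM_INET6 = 0x20, PP2_PROTO_STREAM = 0x01 };

struct pp2_addr {
    int local;                    /* 1 = LOCAL command: use the socket's own addresses */
    int is_v6;                    /* 0 = AF_INET (4-byte addrs), 1 = AF_INET6 (16-byte) */
    uint8_t src[16], dst[16];
    uint16_t src_port, dst_port;  /* host byte order */
};

/* Collapse ::ffff:a.b.c.d on both ends to plain IPv4 (both ends must share a
 * family in a PROXY header). Returns 1 if the address pair was normalized. */
static int pp2_normalize_v4mapped(struct pp2_addr *a) {
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (!a->is_v6) return 0;
    if (memcmp(a->src, prefix, 12) != 0 || memcmp(a->dst, prefix, 12) != 0) return 0;
    memmove(a->src, a->src + 12, 4);
    memmove(a->dst, a->dst + 12, 4);
    a->is_v6 = 0;
    return 1;
}

/* Proxy side: write a PROXY/STREAM header into out; returns its length, 0 if cap is too small. */
static size_t pp2_encode(const struct pp2_addr *a, uint8_t *out, size_t cap) {
    size_t alen = a->is_v6 ? 16 : 4;
    uint16_t body = (uint16_t)(2 * alen + 4);          /* src, dst, two ports */
    if (cap < 16 + body) return 0;
    memcpy(out, PP2_SIG, 12);
    out[12] = PP2_VERSION | PP2_CMD_PROXY;
    out[13] = (a->is_v6 ? PP2_FAM_INET6 : PP2_FAM_INET) | PP2_PROTO_STREAM;
    out[14] = (uint8_t)(body >> 8); out[15] = (uint8_t)(body & 0xff);
    uint8_t *p = out + 16;
    memcpy(p, a->src, alen); p += alen;
    memcpy(p, a->dst, alen); p += alen;
    p[0] = (uint8_t)(a->src_port >> 8); p[1] = (uint8_t)(a->src_port & 0xff);
    p[2] = (uint8_t)(a->dst_port >> 8); p[3] = (uint8_t)(a->dst_port & 0xff);
    return 16 + body;
}

/* Downstream side: returns header length consumed (>0), 0 if more bytes are
 * needed, -1 if the stream does not start with a valid v2 header. The payload
 * begins exactly at the returned offset; extra TLV bytes inside body are skipped. */
static long pp2_parse(const uint8_t *buf, size_t len, struct pp2_addr *a) {
    if (len < 16) return 0;
    if (memcmp(buf, PP2_SIG, 12) != 0) return -1;       /* e.g. plain HTTP */
    if ((buf[12] & 0xF0) != PP2_VERSION) return -1;
    uint16_t body = (uint16_t)((buf[14] << 8) | buf[15]);
    if (len < 16u + body) return 0;
    memset(a, 0, sizeof *a);
    if ((buf[12] & 0x0F) == 0x00) { a->local = 1; return 16 + body; }
    if ((buf[12] & 0x0F) != PP2_CMD_PROXY) return -1;
    if ((buf[13] & 0x0F) != PP2_PROTO_STREAM) return -1;
    size_t alen;
    switch (buf[13] & 0xF0) {
        case PP2_FAM_INET:  alen = 4;  a->is_v6 = 0; break;
        case PP2_FAM_INET6: alen = 16; a->is_v6 = 1; break;
        default: return -1;
    }
    if (body < 2 * alen + 4) return -1;                  /* truncated address block */
    const uint8_t *p = buf + 16;
    memcpy(a->src, p, alen); p += alen;
    memcpy(a->dst, p, alen); p += alen;
    a->src_port = (uint16_t)((p[0] << 8) | p[1]);
    a->dst_port = (uint16_t)((p[2] << 8) | p[3]);
    return 16 + body;
}

/* Round trip on a constructed sample; returns 0 on success, else the failed step. */
static int pp2_selftest(void) {
    struct pp2_addr in = { .is_v6 = 1, .src_port = 51234, .dst_port = 443 };
    static const uint8_t map[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    /* constructed: client ::ffff:203.0.113.7 -> listener ::ffff:192.0.2.10 */
    memcpy(in.src, map, 12); memcpy(in.src + 12, (uint8_t[]){203,0,113,7}, 4);
    memcpy(in.dst, map, 12); memcpy(in.dst + 12, (uint8_t[]){192,0,2,10}, 4);
    if (!pp2_normalize_v4mapped(&in) || in.is_v6 != 0) return 1;
    uint8_t wire[64]; struct pp2_addr out;
    size_t n = pp2_encode(&in, wire, sizeof wire);
    if (n != 28 || wire[12] != 0x21 || wire[13] != 0x11 || wire[15] != 12) return 2;
    if (pp2_parse(wire, 20, &out) != 0) return 3;        /* partial read: wait */
    if (pp2_parse(wire, n, &out) != (long)n) return 4;
    if (out.is_v6 || memcmp(out.src, in.src, 4) || memcmp(out.dst, in.dst, 4)) return 5;
    if (out.src_port != 51234 || out.dst_port != 443) return 6;
    wire[0] = 'G';                                       /* looks like "GET", not PROXY */
    if (pp2_parse(wire, n, &out) != -1) return 7;
    return 0;
}

int main(void) {
    int rc = pp2_selftest();
    printf("PROXY v2 self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The parser distinguishes "need more bytes" from "not a PROXY header" so a downstream server can read the header incrementally without misinterpreting an ordinary HTTP request as a malformed header. Because the header is just bytes at the start of the stream, the spec's receiver rule applies: a downstream server should only honour it on listeners that receive connections exclusively from the trusted proxy, otherwise any direct client could claim an arbitrary source address.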