From patchwork Sat Dec 14 23:18:14 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 18
Message-ID: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de>
Date: Sun, 15 Dec 2024 00:18:14 +0100
From: corubba
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] [PATCH 0/2] proxy protocol v2 for port-share

Hello,

since v2.1 (released 2009) OpenVPN has the "port-share" feature, where it listens on a TCP port (like 443) and forwards/proxies all incoming non-OpenVPN connections (like HTTPS) to a different server/port (hereafter called the "downstream server"). Because this terminates the TCP connection and the downstream server does not see the actual client IP, in v2.3 (released 2013) a "journal directory" feature was added where OpenVPN writes temporary files for every forwarded connection which the downstream server can use to determine the real client IP.
While this works okay, it has a few drawbacks:

1) Since this is a custom solution, you also need a custom integration in the downstream server software to consume the journal files.
2) It is relatively straightforward to use on the same host; getting it to work across hosts is more difficult, but not impossible.
3) Because it basically is a side channel, there is the potential for race conditions. For example, the journal file is written *after* the connection to the downstream server is opened, so it may not exist yet when the downstream server tries to access/read it.

The goal of this patch set is to add an additional mechanism for transmitting the real client IP to the downstream server using the PROXY protocol [0]. It was created by the fine people from HAProxy, who released the specification of protocol version 1 in 2010, followed by version 2 in 2012. OpenVPN's port-share feature behaves like a "dumb proxy", for which that protocol was designed. Compared to the "journal directory" feature, it does not suffer from the above-mentioned drawbacks:

1) Standardized protocol which is natively supported by a wide range of software, allowing plug-and-play deployment.
2) Easy to use on the same or across different hosts.
3) Uses in-band transmission; no side channel required.

The first patch adds normalization of IPv4-mapped IPv6 addresses to plain IPv4 addresses, which can be seen as a general improvement of the "journal" feature. The second patch adds the PROXY protocol (version 2) implementation. The third patch extends the PROXY protocol implementation beyond what is currently required. It is not meant to be merged as-is right now, but is only attached for completeness should these features ever be needed.

This patch set was not created out of necessity, but rather as an exercise while playing around with the port-share feature. Feel free to consider accepting this patch set without any pressure. I do believe it has merit though, and it may be worth considering going as far as to completely deprecate/replace the "journal directory" with it.

[0] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

Best regards
---
Corubba
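As an added illustration of what the cover letter describes (this is editor-supplied example code, not part of the submitted patches or of OpenVPN), the C below shows both ends of the in-band mechanism: the proxy side builds a PROXY protocol v2 header from the accepted connection's source and destination addresses, first collapsing IPv4-mapped IPv6 addresses (the first patch's normalization) so that an IPv4 client on a dual-stack listener is reported as TCP4, and the downstream side parses that header off the front of the stream before handing the rest to the application. The wire layout follows the HAProxy specification linked at [0]; the function names (`pp2_encode`, `pp2_decode`, `normalize_v4mapped`, `pp2_demo`) and the sample addresses are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* PROXY protocol v2 framing (HAProxy spec): 12-byte signature, version|command,
 * family|transport, then the big-endian length of the address block that follows. */
static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
#define PP2_FAM_TCP4 0x11   /* AF_INET  | STREAM */
#define PP2_FAM_TCP6 0x21   /* AF_INET6 | STREAM */

struct pp2_result {
    int family;                                   /* AF_INET, AF_INET6, or AF_UNSPEC for LOCAL */
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    uint16_t src_port, dst_port;                  /* host byte order */
    size_t consumed;                              /* header bytes that precede the real payload */
};

/* Collapse ::ffff:a.b.c.d (what a dual-stack listener reports for IPv4 clients)
 * into a plain AF_INET sockaddr, so the header says TCP4 rather than TCP6. */
static void normalize_v4mapped(struct sockaddr_storage *ss)
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    struct sockaddr_in s4;
    if (ss->ss_family != AF_INET6 || memcmp(s6->sin6_addr.s6_addr, prefix, 12) != 0) return;
    memset(&s4, 0, sizeof(s4));
    s4.sin_family = AF_INET;
    s4.sin_port = s6->sin6_port;                  /* ports stay in network byte order */
    memcpy(&s4.sin_addr, s6->sin6_addr.s6_addr + 12, 4);
    memset(ss, 0, sizeof(*ss));
    memcpy(ss, &s4, sizeof(s4));
}

/* Proxy side: the header written to the downstream socket before any payload.
 * Returns its length, or -1 when the address pair cannot be expressed. */
static int pp2_encode(const struct sockaddr_storage *src_in,
                      const struct sockaddr_storage *dst_in, uint8_t *out, size_t outlen)
{
    struct sockaddr_storage src = *src_in, dst = *dst_in;
    uint16_t alen;
    normalize_v4mapped(&src); normalize_v4mapped(&dst);
    if (src.ss_family != dst.ss_family || outlen < 16 + 36) return -1;
    memcpy(out, PP2_SIG, 12);
    out[12] = 0x21;                               /* version 2, command PROXY */
    if (src.ss_family == AF_INET) {
        const struct sockaddr_in *s = (const void *)&src, *d = (const void *)&dst;
        out[13] = PP2_FAM_TCP4; alen = 12;
        memcpy(out + 16, &s->sin_addr, 4);  memcpy(out + 20, &d->sin_addr, 4);
        memcpy(out + 24, &s->sin_port, 2);  memcpy(out + 26, &d->sin_port, 2);
    } else if (src.ss_family == AF_INET6) {
        const struct sockaddr_in6 *s = (const void *)&src, *d = (const void *)&dst;
        out[13] = PP2_FAM_TCP6; alen = 36;
        memcpy(out + 16, &s->sin6_addr, 16); memcpy(out + 32, &d->sin6_addr, 16);
        memcpy(out + 48, &s->sin6_port, 2);  memcpy(out + 50, &d->sin6_port, 2);
    } else return -1;                             /* AF_UNIX etc.: not handled here */
    out[14] = (uint8_t)(alen >> 8); out[15] = (uint8_t)alen;
    return 16 + alen;
}

/* Downstream side: parse the first bytes of an accepted connection. Returns 0 when a
 * complete header was parsed, 1 when more bytes are needed, and -1 when this is not
 * a PROXY v2 header (reject the connection rather than treat it as application data). */
static int pp2_decode(const uint8_t *buf, size_t len, struct pp2_result *r)
{
    uint16_t alen; size_t asz;
    if (len < 16) return memcmp(buf, PP2_SIG, len < 12 ? len : 12) == 0 ? 1 : -1;
    if (memcmp(buf, PP2_SIG, 12) != 0 || (buf[12] & 0xF0) != 0x20) return -1;
    alen = (uint16_t)((buf[14] << 8) | buf[15]);
    if (len < 16 + (size_t)alen) return 1;         /* short read: need more bytes */
    memset(r, 0, sizeof(*r));
    r->consumed = 16 + alen;                       /* any TLVs after the addresses are skipped */
    if ((buf[12] & 0x0F) == 0x00) { r->family = AF_UNSPEC; return 0; }   /* LOCAL: no client to report */
    if ((buf[12] & 0x0F) != 0x01) return -1;
    if (buf[13] == PP2_FAM_TCP4 && alen >= 12)      { r->family = AF_INET;  asz = 4;  }
    else if (buf[13] == PP2_FAM_TCP6 && alen >= 36) { r->family = AF_INET6; asz = 16; }
    else return -1;                                /* AF_UNIX or UNSPEC: not handled here */
    inet_ntop(r->family, buf + 16, r->src, sizeof(r->src));
    inet_ntop(r->family, buf + 16 + asz, r->dst, sizeof(r->dst));
    r->src_port = (uint16_t)((buf[16 + 2 * asz] << 8) | buf[17 + 2 * asz]);
    r->dst_port = (uint16_t)((buf[18 + 2 * asz] << 8) | buf[19 + 2 * asz]);
    return 0;
}

/* Constructed sample: client ::ffff:203.0.113.9:51234 reaching a dual-stack port-share
 * listener at ::ffff:198.51.100.1:443. Encodes into hdr, decodes into r, returns length. */
static int pp2_demo(uint8_t *hdr, size_t hdrlen, struct pp2_result *r)
{
    struct sockaddr_storage src = {0}, dst = {0};
    struct sockaddr_in6 a = {0};
    int n;
    a.sin6_family = AF_INET6; a.sin6_port = htons(51234);
    inet_pton(AF_INET6, "::ffff:203.0.113.9", &a.sin6_addr); memcpy(&src, &a, sizeof(a));
    a.sin6_port = htons(443);
    inet_pton(AF_INET6, "::ffff:198.51.100.1", &a.sin6_addr); memcpy(&dst, &a, sizeof(a));
    n = pp2_encode(&src, &dst, hdr, hdrlen);
    return (n > 0 && pp2_decode(hdr, (size_t)n, r) == 0) ? n : -1;
}
```

For the sample pair the encoder emits a 28-byte TCP4 header (16 bytes of framing plus 12 bytes of addresses and ports) even though the listener saw IPv6 sockaddrs, which is exactly the effect the first patch's normalization is after. Two operational points follow from the design: the downstream must only accept such a header on a listener that is reachable exclusively from the proxy (HAProxy's `accept-proxy` and nginx's `proxy_protocol` are per-listener switches for this reason), since on a socket exposed to arbitrary clients anyone can prepend a forged header and spoof their source address; and because the header and the first bytes of application data arrive on the same stream, the parser distinguishes "need more bytes" from "not a PROXY header" so a short initial read is retried instead of being rejected or passed through as payload.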