This work allows obfuscation of the OpenVPN header to make it harder for layer 7 inspection to identify such traffic, which may come with blocking or recording actions in certain territories of the world. This patch, in a nutshell, can increase privacy and range of communication for its users. The `scramble' option introduced hereby is off by default. The option's usage, history and controversy of the patch is explained in detail on the following wiki page: https://tunnelblick.net/cOpenvpn_xorpatch.html diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c --- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 +++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 @@ -811,7 +811,10 @@ status = link_socket_read(c->c2.link_socket, &c->c2.buf, - &c->c2.from); + &c->c2.from, + c->options.ce.xormethod, + c->options.ce.xormask, + c->options.ce.xormasklen); if (socket_connection_reset(c->c2.link_socket, status)) { @@ -1621,7 +1624,10 @@ /* Send packet */ size = link_socket_write(c->c2.link_socket, &c->c2.to_link, - to_addr); + to_addr, + c->options.ce.xormethod, + c->options.ce.xormask, + c->options.ce.xormasklen); /* Undo effect of prepend */ link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c --- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 +++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 @@ -821,6 +821,9 @@ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; o->proto_force = -1; + o->ce.xormethod = 0; + o->ce.xormask = "\0"; + o->ce.xormasklen = 0; o->occ = true; #ifdef ENABLE_MANAGEMENT o->management_log_history_cache = 250; @@ -973,6 +976,9 @@ setenv_str_i(es, "local_port", e->local_port, i); setenv_str_i(es, "remote", e->remote, i); setenv_str_i(es, "remote_port", e->remote_port, i); + setenv_int_i(es, "xormethod", e->xormethod, i); + setenv_str_i(es, "xormask", e->xormask, i); + setenv_int_i(es, "xormasklen", e->xormasklen, i); if (e->http_proxy_options) { @@ -1452,6 +1458,9 @@ SHOW_BOOL(bind_ipv6_only); SHOW_INT(connect_retry_seconds); SHOW_INT(connect_timeout); + SHOW_INT (xormethod); + SHOW_STR (xormask); + SHOW_INT (xormasklen); if (o->http_proxy_options) { @@ -6260,6 +6269,46 @@ } options->proto_force = proto_force; } + else if (streq (p[0], "scramble") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); + if (streq (p[1], "xormask") && p[2] && (!p[3])) + { + options->ce.xormethod = 1; + options->ce.xormask = p[2]; + options->ce.xormasklen = strlen(options->ce.xormask); + } + else if (streq (p[1], "xorptrpos") && (!p[2])) + { + options->ce.xormethod = 2; + options->ce.xormask = NULL; + options->ce.xormasklen = 0; + } + else if (streq (p[1], "reverse") && (!p[2])) + { + options->ce.xormethod = 3; + options->ce.xormask = NULL; + options->ce.xormasklen = 0; + } + else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) + { + options->ce.xormethod = 4; + options->ce.xormask = p[2]; + options->ce.xormasklen = strlen(options->ce.xormask); + } + else if (!p[2]) + { + msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); + options->ce.xormethod = 1; + options->ce.xormask = p[1]; + options->ce.xormasklen = strlen(options->ce.xormask); + } + else + { + msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); + goto err; + } + } else if (streq(p[0], "http-proxy") && p[1] && !p[5]) { struct http_proxy_options *ho; diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h --- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 +++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 @@ -99,6 +99,9 @@ int connect_retry_seconds; int connect_retry_seconds_max; int connect_timeout; + int xormethod; + const char *xormask; + int xormasklen; struct http_proxy_options *http_proxy_options; const char *socks_proxy_server; const char *socks_proxy_port; --- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400 +++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400 @@ -54,6 +54,56 @@ IPv6_TCP_HEADER_SIZE, }; +int buffer_mask(struct buffer *buf, const char *mask, int xormasklen) +{ + int i; + uint8_t *b; + if ( xormasklen > 0 ) { + for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { + *b = *b ^ mask[i % xormasklen]; + } + } + return BLEN (buf); +} + +int buffer_xorptrpos(struct buffer *buf) +{ + int i; + uint8_t *b; + for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { + *b = *b ^ i+1; + } + return BLEN (buf); +} + +int buffer_reverse(struct buffer *buf) +{ +/* This function has been rewritten for Tunnelblick. The buffer_reverse function at + * https://github.com/clayface/openvpn_xorpatch + * makes a copy of the buffer and it writes to the byte **after** the + * buffer contents, so if the buffer is full then it writes outside of the buffer. + * This rewritten version does neither. + * + * For interoperability, this rewritten version preserves the behavior of the original + * function: it does not modify the first character of the buffer. So it does not + * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. + * (Of course, the actual buffer contents are bytes, and not necessarily characters.) + */ + int len = BLEN(buf); + if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ + int i; + uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ + uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ + uint8_t tmp; + for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { + tmp = *b_start; + *b_start = *b_end; + *b_end = tmp; + } + } + return len; +} + /* * Convert sockflags/getaddr_flags into getaddr_flags */ diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h --- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 +++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 @@ -249,6 +249,10 @@ #endif }; +int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen); +int buffer_xorptrpos(struct buffer *buf); +int buffer_reverse(struct buffer *buf); + /* * Some Posix/Win32 differences. */ @@ -1049,30 +1053,56 @@ static inline int link_socket_read(struct link_socket *sock, struct buffer *buf, - struct link_socket_actual *from) + struct link_socket_actual *from, + int xormethod, + const char *xormask, + int xormasklen) { + int res; if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { - int res; #ifdef _WIN32 res = link_socket_read_udp_win32(sock, buf, from); #else res = link_socket_read_udp_posix(sock, buf, from); #endif - return res; } else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ { /* from address was returned by accept */ addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); - return link_socket_read_tcp(sock, buf); + res = link_socket_read_tcp(sock, buf); } else { ASSERT(0); return -1; /* NOTREACHED */ } + switch(xormethod) + { + case 0: + break; + case 1: + buffer_mask(buf,xormask,xormasklen); + break; + case 2: + buffer_xorptrpos(buf); + break; + case 3: + buffer_reverse(buf); + break; + case 4: + buffer_mask(buf,xormask,xormasklen); + buffer_xorptrpos(buf); + buffer_reverse(buf); + buffer_xorptrpos(buf); + break; + default: + ASSERT (0); + return -1; /* NOTREACHED */ + } + return res; } /* @@ -1163,8 +1193,34 @@ static inline int link_socket_write(struct link_socket *sock, struct buffer *buf, - struct link_socket_actual *to) + struct link_socket_actual *to, + int xormethod, + const char *xormask, + int xormasklen) { + switch(xormethod) + { + case 0: + break; + case 1: + buffer_mask(buf,xormask,xormasklen); + break; + case 2: + buffer_xorptrpos(buf); + break; + case 3: + buffer_reverse(buf); + break; + case 4: + buffer_xorptrpos(buf); + buffer_reverse(buf); + buffer_xorptrpos(buf); + buffer_mask(buf,xormask,xormasklen); + break; + default: + ASSERT (0); + return -1; /* NOTREACHED */ + } if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { return link_socket_write_udp(sock, buf, to);