├── ChangeLog.md ├── LICENSE ├── README.md ├── aws-connect.sh ├── extract.sh ├── openssl-v3.0.14-aws-000-revert-self-signed-cert-logic.patch ├── openvpn-aws.rb ├── openvpn-v2.4.9-aws.patch ├── openvpn-v2.5.1-aws.patch ├── openvpn-v2.6.12-aws.patch ├── server.go └── vpn.conf /ChangeLog.md: -------------------------------------------------------------------------------- 1 | ## 16.4.2004 2 | 3 | - Mention in the documentation that `remote` must be removed from the config 4 | - Update patch and readme to the latest version of the AWS patch 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Alex Samorukov 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # aws-vpn-client 2 | 3 | This is a PoC to connect to the AWS Client VPN with OSS OpenVPN using SAML 4 | authentication. Tested on macOS and Linux; it should also work on other POSIX systems with minor changes. 5 | 6 | See [my blog post](https://smallhacks.wordpress.com/2020/07/08/aws-client-vpn-internals/) for the implementation details. 7 | 8 | P.S. Recently [AWS released a Linux desktop client](https://aws.amazon.com/about-aws/whats-new/2021/06/aws-client-vpn-launches-desktop-client-for-linux/); however, it is currently available only for Ubuntu, uses Mono and is closed source. 9 | 10 | ## Content of the repository 11 | 12 | - [openvpn-v2.4.9-aws.patch](openvpn-v2.4.9-aws.patch) - patch required to build an 13 | AWS-compatible OpenVPN v2.4.9, based on the 14 | [AWS source code](https://amazon-source-code-downloads.s3.amazonaws.com/aws/clientvpn/osx-v1.2.5/openvpn-2.4.5-aws-2.tar.gz) (thanks to @heprotecbuthealsoattac for the link). The patch changes the TLS control-channel message format (32-bit instead of 16-bit string lengths plus a length prefix), so the patched binary is meant only for AWS Client VPN endpoints and is not expected to work with regular OpenVPN servers; the same applies to the v2.5.1 and v2.6.12 patches in this repository. 15 | - [server.go](server.go) - Go server that listens on http://127.0.0.1:35001 and saves 16 | the SAML POST data to `saml-response.txt`. It accepts a POST from any local process or browser page without checking origin or state, so start it only for the duration of the login and stop it afterwards. 17 | - [aws-connect.sh](aws-connect.sh) - bash wrapper to run OpenVPN. It runs OpenVPN a first time to get the SAML redirect and open the browser, and a second time (via sudo) with the actual SAML response 18 | 19 | ## How to use 20 | 21 | 1. Build the patched openvpn version and put it in the folder with the script 22 | 1. Start the HTTP server with `go run server.go` 23 | 1. Set VPN_HOST in [aws-connect.sh](aws-connect.sh) 24 | 1. Replace the CA section in the sample [vpn.conf](vpn.conf) with the one from your AWS configuration 25 | 1. Finally run `aws-connect.sh` to connect to AWS. 
26 | 27 | ### Additional Steps 28 | 29 | Inspect your ovpn config and remove the following lines if present 30 | - `auth-user-pass` (we dont want to show user prompt) 31 | - `auth-federate` (propietary AWS keyword) 32 | - `auth-retry interact` (do not retry on failures) 33 | - `remote` and `remote-random-hostname` (already handled in CLI and can cause conflicts with it) 34 | 35 | ## Todo 36 | 37 | Better integrate SAML HTTP server with a script or rewrite everything on golang 38 | -------------------------------------------------------------------------------- /aws-connect.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | # replace with your hostname 6 | VPN_HOST="cvpn-endpoint-.prod.clientvpn.us-east-1.amazonaws.com" 7 | # path to the patched openvpn 8 | OVPN_BIN="./openvpn" 9 | # path to the configuration file 10 | OVPN_CONF="vpn.conf" 11 | PORT=1194 12 | PROTO=udp 13 | 14 | wait_file() { 15 | local file="$1"; shift 16 | local wait_seconds="${1:-10}"; shift # 10 seconds as default timeout 17 | until test $((wait_seconds--)) -eq 0 -o -f "$file" ; do sleep 1; done 18 | ((++wait_seconds)) 19 | } 20 | 21 | # create random hostname prefix for the vpn gw 22 | RAND=$(openssl rand -hex 12) 23 | 24 | # resolv manually hostname to IP, as we have to keep persistent ip address 25 | SRV=$(dig a +short "${RAND}.${VPN_HOST}"|head -n1) 26 | 27 | # cleanup 28 | rm -f saml-response.txt 29 | 30 | echo "Getting SAML redirect URL from the AUTH_FAILED response (host: ${SRV}:${PORT})" 31 | OVPN_OUT=$($OVPN_BIN --config "${OVPN_CONF}" --verb 3 \ 32 | --proto "$PROTO" --remote "${SRV}" "${PORT}" \ 33 | --auth-user-pass <( printf "%s\n%s\n" "N/A" "ACS::35001" ) \ 34 | 2>&1 | grep AUTH_FAILED,CRV1) 35 | 36 | echo "Opening browser and wait for the response file..." 
37 | URL=$(echo "$OVPN_OUT" | grep -Eo 'https://.+') 38 | 39 | unameOut="$(uname -s)" 40 | case "${unameOut}" in 41 | Linux*) xdg-open "$URL";; 42 | Darwin*) open "$URL";; 43 | *) echo "Could not determine 'open' command for this OS"; exit 1;; 44 | esac 45 | 46 | wait_file "saml-response.txt" 30 || { 47 | echo "SAML Authentication time out" 48 | exit 1 49 | } 50 | 51 | # get SID from the reply 52 | VPN_SID=$(echo "$OVPN_OUT" | awk -F : '{print $7}') 53 | 54 | echo "Running OpenVPN with sudo. Enter password if requested" 55 | 56 | # Finally OpenVPN with a SAML response we got 57 | # Delete saml-response.txt after connect 58 | sudo bash -c "$OVPN_BIN --config "${OVPN_CONF}" \ 59 | --verb 3 --auth-nocache --inactive 3600 \ 60 | --proto "$PROTO" --remote $SRV $PORT \ 61 | --script-security 2 \ 62 | --route-up '/usr/bin/env rm saml-response.txt' \ 63 | --auth-user-pass <( printf \"%s\n%s\n\" \"N/A\" \"CRV1::${VPN_SID}::$(cat saml-response.txt)\" )" 64 | -------------------------------------------------------------------------------- /extract.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Set the version variable to the openvpn version you want to extract paches from 4 | # and run this script in an empty directory. 
5 | 6 | set -eu 7 | 8 | version=2.6.12 9 | 10 | mkdir "patches" 11 | curl -Of "https://amazon-source-code-downloads.s3.amazonaws.com/aws/clientvpn/openvpn-${version}-aws-1.tar.gz" 12 | mkdir "openvpn-$version-aws-1" 13 | tar xvzf "openvpn-$version-aws-1.tar.gz" -C "openvpn-$version-aws-1" 14 | git clone --depth 1 -b "v$version" "https://github.com/OpenVPN/openvpn" "openvpn-${version}" 15 | openssl_version="$( (source "openvpn-$version-aws-1/openssl/VERSION.dat" && echo "$MAJOR.$MINOR.$PATCH" ) )" 16 | for openssl_patch in "openvpn-$version-aws-1/openvpn/openssl-patches/"*; do 17 | cp "$openssl_patch" "patches/openssl-v${openssl_version}-aws-$(basename "$openssl_patch")" 18 | done 19 | pushd "openvpn-$version" 20 | cp -r "../openvpn-$version-aws-1/openvpn/src" ./ 21 | git diff --output="../patches/openvpn-v$version-aws.patch" 22 | popd 23 | echo "Patches extracted to patches/" 24 | -------------------------------------------------------------------------------- /openssl-v3.0.14-aws-000-revert-self-signed-cert-logic.patch: -------------------------------------------------------------------------------- 1 | diff --git a/openssl/crypto/x509/v3_purp.c b/openssl/crypto/x509/v3_purp.c 2 | index 6461189..b2bc410 100644 3 | --- a/openssl/crypto/x509/v3_purp.c 4 | +++ b/openssl/crypto/x509/v3_purp.c 5 | 
@@ -555,8 +555,7 @@ int ossl_x509v3_cache_extensions(X509 *x) 6 | if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) { 7 | x->ex_flags |= EXFLAG_SI; /* Cert is self-issued */ 8 | if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */ 9 | - /* .. and the signature alg matches the PUBKEY alg: */ 10 | - && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK) 11 | + && !ku_reject(x, KU_KEY_CERT_SIGN)) 12 | x->ex_flags |= EXFLAG_SS; /* indicate self-signed */ 13 | /* This is very related to ossl_x509_likely_issued(x, x) == X509_V_OK */ 14 | } 15 | -------------------------------------------------------------------------------- /openvpn-aws.rb: -------------------------------------------------------------------------------- 1 | class OpenvpnAws < Formula 2 | desc "SSL/TLS VPN implementing OSI layer 2 or 3 secure network extension" 3 | homepage "https://openvpn.net/community/" 4 | url "https://swupdate.openvpn.org/community/releases/openvpn-2.5.1.tar.xz" 5 | mirror "https://build.openvpn.net/downloads/releases/openvpn-2.5.1.tar.xz" 6 | sha256 "40930489c837c05f6153f38e1ebaec244431ef1a034e4846ff732d71d59ff194" 7 | license "GPL-2.0-only" => { with: "openvpn-openssl-exception" } 8 | 9 | livecheck do 10 | url "https://openvpn.net/community-downloads/" 11 | regex(/href=.*?openvpn[._-]v?(\d+(?:\.\d+)+)\.t/i) 12 | end 13 | 14 | patch do 15 | url "https://raw.githubusercontent.com/samm-git/aws-vpn-client/master/openvpn-v2.5.1-aws.patch" 16 | sha256 "21834d6dcc6e1ebc79426db9754a7f3f179d9eaa2ff04f27f5041d8a1dc23c1a" 17 | end 18 | 19 | depends_on "pkg-config" => :build 20 | depends_on "lz4" 21 | depends_on "lzo" 22 | 23 | depends_on "openssl@1.1" 24 | depends_on "pkcs11-helper" 25 | 26 | on_linux do 27 | depends_on "linux-pam" 28 | depends_on "net-tools" 29 | end 30 | 31 | def install 32 | system "./configure", "--disable-debug", 33 | "--disable-dependency-tracking", 34 | "--disable-silent-rules", 35 | "--with-crypto-library=openssl", 36 | 
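Review bot: The replacement condition on the `+` line changes which certificates receive EXFLAG_SS: a self-issued certificate with matching AKID/SKID is now flagged self-signed whenever keyUsage permits keyCertSign, and the removed requirement that its signature algorithm match its public-key algorithm no longer applies. This looks like a return to the pre-3.0 OpenSSL logic, but the patch file carries no rationale, so a reader cannot tell which certificate in the AWS CA bundle fails under `check_sig_alg_match()` or whether the relaxed check is still required against the OpenSSL actually linked. Add a header comment above the `diff --git` line describing the failing certificate and the OpenSSL versions affected, and state in the README whether this patch is needed at all when building against openssl@1.1 as the Homebrew formula in this repository does. `ossl_x509v3_cache_extensions` continues outside the hunk.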
"--enable-pkcs11", 37 | "--prefix=#{prefix}" 38 | inreplace "sample/sample-plugins/Makefile" do |s| 39 | s.gsub! HOMEBREW_LIBRARY/"Homebrew/shims/mac/super/pkg-config", 40 | Formula["pkg-config"].opt_bin/"pkg-config" 41 | s.gsub! HOMEBREW_LIBRARY/"Homebrew/shims/mac/super/sed", 42 | "/usr/bin/sed" 43 | end 44 | system "make", "install" 45 | 46 | inreplace "sample/sample-config-files/openvpn-startup.sh", 47 | "/etc/openvpn", "#{etc}/openvpn" 48 | 49 | (doc/"samples").install Dir["sample/sample-*"] 50 | (etc/"openvpn").install doc/"samples/sample-config-files/client.conf" 51 | (etc/"openvpn").install doc/"samples/sample-config-files/server.conf" 52 | 53 | # We don't use mbedtls, so this file is unnecessary & somewhat confusing. 54 | rm doc/"README.mbedtls" 55 | end 56 | 57 | def post_install 58 | (var/"run/openvpn").mkpath 59 | end 60 | 61 | plist_options startup: true 62 | 63 | def plist 64 | <<~EOS 65 | 66 | 67 | 68 | 69 | Label 70 | #{plist_name} 71 | ProgramArguments 72 | 73 | #{opt_sbin}/openvpn 74 | --config 75 | #{etc}/openvpn/openvpn.conf 76 | 77 | OnDemand 78 | 79 | RunAtLoad 80 | 81 | TimeOut 82 | 90 83 | WatchPaths 84 | 85 | #{etc}/openvpn 86 | 87 | WorkingDirectory 88 | #{etc}/openvpn 89 | 90 | 91 | EOS 92 | end 93 | 94 | test do 95 | system sbin/"openvpn", "--show-ciphers" 96 | end 97 | end 98 | -------------------------------------------------------------------------------- /openvpn-v2.4.9-aws.patch: -------------------------------------------------------------------------------- 1 | diff --git a/configure.ac b/configure.ac 2 | index 46900281..b48aad56 100644 3 | --- a/configure.ac 4 | +++ b/configure.ac 5 | 
@@ -1312,9 +1312,10 @@ if test "${enable_werror}" = "yes"; then 6 | CFLAGS="${CFLAGS} -Werror" 7 | fi 8 | 9 | -if test "${WIN32}" = "yes"; then 10 | - test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32]) 11 | -fi 12 | +# Disable the check, as it is only required when PKCS is enabled. 13 | +#if test "${WIN32}" = "yes"; then 14 | +# test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32]) 15 | +#fi 16 | 17 | if test "${enable_plugin_auth_pam}" = "yes"; then 18 | PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}" 19 | diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h 20 | index c510c005..d4712b11 100644 21 | --- a/src/openvpn/buffer.h 22 | +++ b/src/openvpn/buffer.h 23 | @@ -27,7 +27,7 @@ 24 | #include "basic.h" 25 | #include "error.h" 26 | 27 | -#define BUF_SIZE_MAX 1000000 28 | +#define BUF_SIZE_MAX 1 << 21 29 | 30 | /* 31 | * Define verify_align function, otherwise 32 | diff --git a/src/openvpn/common.h b/src/openvpn/common.h 33 | index 0f732008..02f61152 100644 34 | --- a/src/openvpn/common.h 35 | +++ b/src/openvpn/common.h 36 | @@ -77,7 +77,7 @@ typedef unsigned long ptr_type; 37 | * maximum size of a single TLS message (cleartext). 38 | * This parameter must be >= PUSH_BUNDLE_SIZE 39 | */ 40 | -#define TLS_CHANNEL_BUF_SIZE 2048 41 | +#define TLS_CHANNEL_BUF_SIZE 1 << 18 42 | 43 | /* 44 | * This parameter controls the maximum size of a bundle 45 | diff --git a/src/openvpn/error.h b/src/openvpn/error.h 46 | index eaedf172..782ba30c 100644 47 | --- a/src/openvpn/error.h 48 | +++ b/src/openvpn/error.h 49 | @@ -36,7 +36,10 @@ 50 | #ifdef ENABLE_PKCS11 51 | #define ERR_BUF_SIZE 8192 52 | #else 53 | -#define ERR_BUF_SIZE 1280 54 | +/* 55 | + * Increase the error buffer size to 256 KB. 56 | + */ 57 | +#define ERR_BUF_SIZE 1 << 18 58 | #endif 59 | 60 | struct gc_arena; 61 | diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c 62 | index 61d61ef2..136d4125 100644 63 | --- a/src/openvpn/manage.c 64 | +++ b/src/openvpn/manage.c 65 | 
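Review bot: `#define BUF_SIZE_MAX 1 << 21` on the `+` line of the buffer.h hunk is an unparenthesized shift, so any arithmetic use of the macro is re-associated: `BUF_SIZE_MAX - 1` expands to `1 << 21 - 1`, which is `1 << 20`, and an `X + 1` use doubles the value. The same pattern appears in the common.h (`TLS_CHANNEL_BUF_SIZE 1 << 18`) and error.h (`ERR_BUF_SIZE 1 << 18`) hunks of this patch; whether a current OpenVPN use site is affected cannot be confirmed from the hunks, but the fix is free. Write `#define BUF_SIZE_MAX (1 << 21)`, `#define TLS_CHANNEL_BUF_SIZE (1 << 18)` and `#define ERR_BUF_SIZE (1 << 18)`. If `ERR_BUF_SIZE` still sizes the local message arrays in error.c, as it historically did, a 256 KiB value is also worth checking against thread stack limits on the platforms the README lists.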
@@ -2159,7 +2159,7 @@ man_read(struct management *man) 66 | /* 67 | * read command line from socket 68 | */ 69 | - unsigned char buf[256]; 70 | + unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE]; 71 | int len = 0; 72 | 73 | #ifdef TARGET_ANDROID 74 | @@ -2499,7 +2499,7 @@ man_connection_init(struct management *man) 75 | * Allocate helper objects for command line input and 76 | * command output from/to the socket. 77 | */ 78 | - man->connection.in = command_line_new(1024); 79 | + man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE); 80 | man->connection.out = buffer_list_new(0); 81 | 82 | /* 83 | diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h 84 | index f286754b..709d271f 100644 85 | --- a/src/openvpn/manage.h 86 | +++ b/src/openvpn/manage.h 87 | @@ -37,6 +37,9 @@ 88 | #define MANAGEMENT_ECHO_BUFFER_SIZE 100 89 | #define MANAGEMENT_STATE_BUFFER_SIZE 100 90 | 91 | +#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE 92 | +#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE 93 | + 94 | /* 95 | * Management-interface-based deferred authentication 96 | */ 97 | diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h 98 | index 8a34f431..27852e81 100644 99 | --- a/src/openvpn/misc.h 100 | +++ b/src/openvpn/misc.h 101 | @@ -184,7 +184,10 @@ struct user_pass 102 | #ifdef ENABLE_PKCS11 103 | #define USER_PASS_LEN 4096 104 | #else 105 | -#define USER_PASS_LEN 128 106 | +/* 107 | + * Increase the username and password length size to 128KB. 108 | + */ 109 | +#define USER_PASS_LEN 1 << 17 110 | #endif 111 | char username[USER_PASS_LEN]; 112 | char password[USER_PASS_LEN]; 113 | diff --git a/src/openvpn/options.h b/src/openvpn/options.h 114 | index f3cafeaf..973aa066 100644 115 | --- a/src/openvpn/options.h 116 | +++ b/src/openvpn/options.h 117 | 
@@ -55,8 +55,8 @@ 118 | /* 119 | * Max size of options line and parameter. 120 | */ 121 | -#define OPTION_PARM_SIZE 256 122 | -#define OPTION_LINE_SIZE 256 123 | +#define OPTION_PARM_SIZE USER_PASS_LEN 124 | +#define OPTION_LINE_SIZE OPTION_PARM_SIZE 125 | 126 | extern const char title_string[]; 127 | 128 | diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c 129 | index cf668998..2473671e 100644 130 | --- a/src/openvpn/ssl.c 131 | +++ b/src/openvpn/ssl.c 132 | @@ -2157,7 +2157,7 @@ key_state_soft_reset(struct tls_session *session) 133 | static bool 134 | write_empty_string(struct buffer *buf) 135 | { 136 | - if (!buf_write_u16(buf, 0)) 137 | + if (!buf_write_u32(buf, 0)) 138 | { 139 | return false; 140 | } 141 | @@ -2172,7 +2172,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen) 142 | { 143 | return false; 144 | } 145 | - if (!buf_write_u16(buf, len)) 146 | + if (!buf_write_u32(buf, len)) 147 | { 148 | return false; 149 | } 150 | @@ -2475,6 +2475,10 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) 151 | } 152 | } 153 | 154 | + // Write key length in the first 4 octets of the buffer. 155 | + uint32_t length = BLEN(buf); 156 | + memcpy(buf->data, &length, sizeof(length)); 157 | + 158 | return true; 159 | 160 | error: 161 | -------------------------------------------------------------------------------- /openvpn-v2.5.1-aws.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h 2 | index 1722ffd5..640564bb 100644 3 | --- a/src/openvpn/buffer.h 4 | +++ b/src/openvpn/buffer.h 5 | @@ -27,7 +27,7 @@ 6 | #include "basic.h" 7 | #include "error.h" 8 | 9 | -#define BUF_SIZE_MAX 1000000 10 | +#define BUF_SIZE_MAX 1 << 21 11 | 12 | /* 13 | * Define verify_align function, otherwise 14 | diff --git a/src/openvpn/common.h b/src/openvpn/common.h 15 | index 623b3e0d..ce53f614 100644 16 | --- a/src/openvpn/common.h 17 | 
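Review bot: The added `memcpy(buf->data, &length, sizeof(length))` writes the message length in host byte order, whereas the rest of this message is emitted through `buf_write_u32()`, which is network order; on a big-endian host the encoding would differ from the little-endian macOS/Linux hosts the README targets, so either the endpoint expects host order (document it) or this should be `uint32_t length = htonl(BLEN(buf));`. It also overwrites whatever `key_method_2_write` placed in the first four octets — presumably the leading uint32 zero of the key-method-2 message, which should be confirmed and stated in the comment. Combined with the u16→u32 change in `write_string`/`write_empty_string`, this alters the control-channel wire format, so the patched client is not expected to interoperate with stock OpenVPN servers; a comment such as `/* AWS Client VPN protocol: 32-bit string lengths and a total-length prefix; incompatible with upstream servers */` at the top of the ssl.c hunk would save the next reader the archaeology. `key_method_2_write` begins outside the hunk.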
+++ b/src/openvpn/common.h 18 | @@ -75,7 +75,7 @@ typedef unsigned long ptr_type; 19 | * maximum size of a single TLS message (cleartext). 20 | * This parameter must be >= PUSH_BUNDLE_SIZE 21 | */ 22 | -#define TLS_CHANNEL_BUF_SIZE 2048 23 | +#define TLS_CHANNEL_BUF_SIZE 1 << 18 24 | 25 | /* 26 | * This parameter controls the maximum size of a bundle 27 | diff --git a/src/openvpn/error.h b/src/openvpn/error.h 28 | index eaedf172..782ba30c 100644 29 | --- a/src/openvpn/error.h 30 | +++ b/src/openvpn/error.h 31 | @@ -36,7 +36,10 @@ 32 | #ifdef ENABLE_PKCS11 33 | #define ERR_BUF_SIZE 8192 34 | #else 35 | -#define ERR_BUF_SIZE 1280 36 | +/* 37 | + * Increase the error buffer size to 256 KB. 38 | + */ 39 | +#define ERR_BUF_SIZE 1 << 18 40 | #endif 41 | 42 | struct gc_arena; 43 | diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c 44 | index d86b6a79..d979a441 100644 45 | --- a/src/openvpn/manage.c 46 | +++ b/src/openvpn/manage.c 47 | @@ -2240,7 +2240,7 @@ man_read(struct management *man) 48 | /* 49 | * read command line from socket 50 | */ 51 | - unsigned char buf[256]; 52 | + unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE]; 53 | int len = 0; 54 | 55 | #ifdef TARGET_ANDROID 56 | @@ -2580,7 +2580,7 @@ man_connection_init(struct management *man) 57 | * Allocate helper objects for command line input and 58 | * command output from/to the socket. 59 | */ 60 | - man->connection.in = command_line_new(1024); 61 | + man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE); 62 | man->connection.out = buffer_list_new(0); 63 | 64 | /* 65 | diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h 66 | index 881bfb14..3f12a82a 100644 67 | --- a/src/openvpn/manage.h 68 | +++ b/src/openvpn/manage.h 69 | 
@@ -37,6 +37,9 @@ 70 | #define MANAGEMENT_ECHO_BUFFER_SIZE 100 71 | #define MANAGEMENT_STATE_BUFFER_SIZE 100 72 | 73 | +#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE 74 | +#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE 75 | + 76 | /* 77 | * Management-interface-based deferred authentication 78 | */ 79 | diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h 80 | index e4342b0d..e3900b7d 100644 81 | --- a/src/openvpn/misc.h 82 | +++ b/src/openvpn/misc.h 83 | @@ -69,7 +69,10 @@ struct user_pass 84 | #ifdef ENABLE_PKCS11 85 | #define USER_PASS_LEN 4096 86 | #else 87 | -#define USER_PASS_LEN 128 88 | +/* 89 | + * Increase the username and password length size to 128KB. 90 | + */ 91 | +#define USER_PASS_LEN 1 << 17 92 | #endif 93 | char username[USER_PASS_LEN]; 94 | char password[USER_PASS_LEN]; 95 | diff --git a/src/openvpn/options.h b/src/openvpn/options.h 96 | index 877e9396..c385d135 100644 97 | --- a/src/openvpn/options.h 98 | +++ b/src/openvpn/options.h 99 | @@ -53,8 +53,8 @@ 100 | /* 101 | * Max size of options line and parameter. 102 | */ 103 | -#define OPTION_PARM_SIZE 256 104 | -#define OPTION_LINE_SIZE 256 105 | +#define OPTION_PARM_SIZE USER_PASS_LEN 106 | +#define OPTION_LINE_SIZE OPTION_PARM_SIZE 107 | 108 | extern const char title_string[]; 109 | 110 | diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c 111 | index d7494c2b..addb2769 100644 112 | --- a/src/openvpn/ssl.c 113 | +++ b/src/openvpn/ssl.c 114 | @@ -2110,7 +2110,7 @@ key_state_soft_reset(struct tls_session *session) 115 | static bool 116 | write_empty_string(struct buffer *buf) 117 | { 118 | - if (!buf_write_u16(buf, 0)) 119 | + if (!buf_write_u32(buf, 0)) 120 | { 121 | return false; 122 | } 123 | @@ -2125,7 +2125,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen) 124 | { 125 | return false; 126 | } 127 | - if (!buf_write_u16(buf, len)) 128 | + if (!buf_write_u32(buf, len)) 129 | { 130 | return false; 131 | } 132 | 
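Review bot: `USER_PASS_LEN 1 << 17` makes each of `username[USER_PASS_LEN]` and `password[USER_PASS_LEN]` 128 KiB, so `struct user_pass` grows to at least 256 KiB; wherever OpenVPN declares such a struct as a local variable, that becomes a large stack frame and a possible overflow on threads with small stacks — not verifiable from this hunk, but worth a comment. The shift is also unparenthesized, so `USER_PASS_LEN + 1` expands to `1 << 18`, and because this patch makes `OPTION_PARM_SIZE` and `OPTION_LINE_SIZE` aliases of it, any `OPTION_LINE_SIZE+1` array elsewhere silently doubles. Write `#define USER_PASS_LEN (1 << 17)` and replace the size-restating comment with the reason, presumably `/* AWS Client VPN: the SAML response is passed as the password (see aws-connect.sh) and is far larger than 128 bytes */`.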
@@ -2403,6 +2403,10 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) 133 | } 134 | } 135 | 136 | + // Write key length in the first 4 octets of the buffer. 137 | + uint32_t length = BLEN(buf); 138 | + memcpy(buf->data, &length, sizeof(length)); 139 | + 140 | return true; 141 | 142 | error: 143 | -------------------------------------------------------------------------------- /openvpn-v2.6.12-aws.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h 2 | index d988ef2..3760175 100644 3 | --- a/src/openvpn/buffer.h 4 | +++ b/src/openvpn/buffer.h 5 | @@ -27,7 +27,7 @@ 6 | #include "basic.h" 7 | #include "error.h" 8 | 9 | -#define BUF_SIZE_MAX 1000000 10 | +#define BUF_SIZE_MAX 1 << 21 11 | 12 | /* 13 | * Define verify_align function, otherwise 14 | diff --git a/src/openvpn/common.h b/src/openvpn/common.h 15 | index 3a84541..61ee72e 100644 16 | --- a/src/openvpn/common.h 17 | +++ b/src/openvpn/common.h 18 | @@ -66,7 +66,7 @@ typedef unsigned long ptr_type; 19 | * maximum size of a single TLS message (cleartext). 20 | * This parameter must be >= PUSH_BUNDLE_SIZE 21 | */ 22 | -#define TLS_CHANNEL_BUF_SIZE 2048 23 | +#define TLS_CHANNEL_BUF_SIZE 1 << 18 24 | 25 | /* TLS control buffer minimum size 26 | * 27 | diff --git a/src/openvpn/error.h b/src/openvpn/error.h 28 | index ab2872a..cb0c68e 100644 29 | --- a/src/openvpn/error.h 30 | +++ b/src/openvpn/error.h 31 | @@ -34,7 +34,10 @@ 32 | #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) 33 | #define ERR_BUF_SIZE 10240 34 | #else 35 | -#define ERR_BUF_SIZE 1280 36 | +/* 37 | + * Increase the error buffer size to 256 KB. 38 | + */ 39 | +#define ERR_BUF_SIZE 1 << 18 40 | #endif 41 | 42 | struct gc_arena; 43 | diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c 44 | index feb3227..cf2cf78 100644 45 | --- a/src/openvpn/manage.c 46 | +++ b/src/openvpn/manage.c 47 | 
@@ -2245,7 +2245,7 @@ man_read(struct management *man) 48 | /* 49 | * read command line from socket 50 | */ 51 | - unsigned char buf[256]; 52 | + unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE]; 53 | int len = 0; 54 | 55 | #ifdef TARGET_ANDROID 56 | @@ -2336,7 +2336,7 @@ man_read(struct management *man) 57 | static int 58 | man_write(struct management *man) 59 | { 60 | - const int size_hint = 1024; 61 | + const int size_hint = 8192; 62 | int sent = 0; 63 | const struct buffer *buf; 64 | 65 | @@ -2581,7 +2581,7 @@ man_connection_init(struct management *man) 66 | * Allocate helper objects for command line input and 67 | * command output from/to the socket. 68 | */ 69 | - man->connection.in = command_line_new(1024); 70 | + man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE); 71 | man->connection.out = buffer_list_new(); 72 | 73 | /* 74 | diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h 75 | index 1896510..7284f10 100644 76 | --- a/src/openvpn/manage.h 77 | +++ b/src/openvpn/manage.h 78 | @@ -55,9 +55,12 @@ 79 | #define MANAGEMENT_VERSION 5 80 | #define MANAGEMENT_N_PASSWORD_RETRIES 3 81 | #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 82 | -#define MANAGEMENT_ECHO_BUFFER_SIZE 100 83 | +#define MANAGEMENT_ECHO_BUFFER_SIZE 8192 84 | #define MANAGEMENT_STATE_BUFFER_SIZE 100 85 | 86 | +#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE 87 | +#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE 88 | + 89 | /* 90 | * Management-interface-based deferred authentication 91 | */ 92 | diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h 93 | index 0dc0883..39e8373 100644 94 | --- a/src/openvpn/misc.h 95 | +++ b/src/openvpn/misc.h 96 | 
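Review bot: `unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE]` in `man_read` is a stack array, and this patch defines that size as `OPTION_PARM_SIZE`, which it makes equal to `USER_PASS_LEN` (1 << 17), so the management read buffer grows from 256 bytes to 128 KiB of stack per call. The original `buf[256]` was a recv() chunk rather than a line limit — the line is accumulated in `man->connection.in`, which the third hunk already enlarges via `command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE)` — so the chunk could stay small or be heap-allocated without capping command length; confirm against the recv() call and `command_line_add` loop that follow in `man_read`, which lie outside the hunk. If the large single read is intended, say so: `/* sized so a SAML-length password arrives in one recv(); see USER_PASS_LEN */`.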
@@ -65,7 +65,10 @@ struct user_pass 97 | #ifdef ENABLE_PKCS11 98 | #define USER_PASS_LEN 4096 99 | #else 100 | -#define USER_PASS_LEN 128 101 | +/* 102 | + * Increase the username and password length size to 128KB. 103 | + */ 104 | +#define USER_PASS_LEN 1 << 17 105 | #endif 106 | /* Note that username and password are expected to be null-terminated */ 107 | char username[USER_PASS_LEN]; 108 | diff --git a/src/openvpn/options.h b/src/openvpn/options.h 109 | index e85d806..f53149f 100644 110 | --- a/src/openvpn/options.h 111 | +++ b/src/openvpn/options.h 112 | @@ -54,8 +54,8 @@ 113 | /* 114 | * Max size of options line and parameter. 115 | */ 116 | -#define OPTION_PARM_SIZE 256 117 | -#define OPTION_LINE_SIZE 256 118 | +#define OPTION_PARM_SIZE USER_PASS_LEN 119 | +#define OPTION_LINE_SIZE OPTION_PARM_SIZE 120 | 121 | extern const char title_string[]; 122 | 123 | diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c 124 | index e37ebc1..65eb90f 100644 125 | --- a/src/openvpn/ssl.c 126 | +++ b/src/openvpn/ssl.c 127 | @@ -1945,7 +1945,7 @@ tls_session_soft_reset(struct tls_multi *tls_multi) 128 | static bool 129 | write_empty_string(struct buffer *buf) 130 | { 131 | - if (!buf_write_u16(buf, 0)) 132 | + if (!buf_write_u32(buf, 0)) 133 | { 134 | return false; 135 | } 136 | @@ -1960,7 +1960,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen) 137 | { 138 | return false; 139 | } 140 | - if (!buf_write_u16(buf, len)) 141 | + if (!buf_write_u32(buf, len)) 142 | { 143 | return false; 144 | } 145 | 
@@ -2300,6 +2300,10 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi 146 | p2p_mode_ncp(multi, session); 147 | } 148 | 149 | + // Write key length in the first 4 octets of the buffer. 150 | + uint32_t length = BLEN(buf); 151 | + memcpy(buf->data, &length, sizeof(length)); 152 | + 153 | return true; 154 | 155 | error: 156 | -------------------------------------------------------------------------------- /server.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "log" 7 | "net/http" 8 | "net/url" 9 | ) 10 | 11 | func main() { 12 | http.HandleFunc("/", SAMLServer) 13 | log.Printf("Starting HTTP server at 127.0.0.1:35001") 14 | http.ListenAndServe("127.0.0.1:35001", nil) 15 | } 16 | 17 | func SAMLServer(w http.ResponseWriter, r *http.Request) { 18 | switch r.Method { 19 | case "POST": 20 | if err := r.ParseForm(); err != nil { 21 | fmt.Fprintf(w, "ParseForm() err: %v", err) 22 | return 23 | } 24 | SAMLResponse := r.FormValue("SAMLResponse") 25 | if len(SAMLResponse) == 0 { 26 | log.Printf("SAMLResponse field is empty or not exists") 27 | return 28 | } 29 | ioutil.WriteFile("saml-response.txt", []byte(url.QueryEscape(SAMLResponse)), 0600) 30 | fmt.Fprintf(w, "Got SAMLResponse field, it is now safe to close this window\n") 31 | log.Printf("Got SAMLResponse field and saved it to the saml-response.txt file") 32 | return 33 | default: 34 | fmt.Fprintf(w, "Error: POST method expected, %s recieved", r.Method) 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /vpn.conf: -------------------------------------------------------------------------------- 1 | # this is sample configuration. 
2 | # replace with one from AWS VPN 3 | client 4 | dev tun 5 | proto tcp 6 | nobind 7 | persist-key 8 | persist-tun 9 | remote-cert-tls server 10 | cipher AES-256-GCM 11 | 12 | FIXME ADD YOUR CA CHAIN HERE 13 | 14 | 15 | auth-nocache 16 | reneg-sec 0 17 | --------------------------------------------------------------------------------