Bug 200215

Summary: security/openvpn: Add option to enable Tunnelblick XOR patch
Product: Ports & Packages
Reporter: Franco Fichtner <franco>
Component: Individual Port(s)
Assignee: Matthias Andree <mandree>
Status: Closed FIXED
Severity: Affects Only Me
CC: garga, koobs, mandree
Priority: ---
Keywords: easy, patch, patch-ready
Version: Latest
Flags: bugzilla: maintainer-feedback? (mandree)
Hardware: Any
OS: Any
Attachments:
Description | Flags
option + patch as flat diff against head | none
option + patch as git diff | none
portlint output | none
poudriere build log | none
option + annotated patch as git diff | none
option + annotated patch as git diff | koobs: maintainer-approval? (mandree)

Description Franco Fichtner 2015-05-15 06:25:21 UTC
Created attachment 156792 [details]
option + patch as flat diff against head

via: https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch
Comment 1 Franco Fichtner 2015-06-01 08:38:52 UTC
Created attachment 157330 [details]
option + patch as git diff
Comment 2 Franco Fichtner 2015-06-01 08:39:09 UTC
Created attachment 157331 [details]
portlint output
Comment 3 Franco Fichtner 2015-06-01 08:39:29 UTC
Created attachment 157332 [details]
poudriere build log
Comment 4 Matthias Andree freebsd_committer freebsd_triage 2015-06-10 19:18:36 UTC
Comment on attachment 157330 [details]
option + patch as git diff

This is hard to judge for me without further context.
What is the patch supposed to do?
Comment 5 Franco Fichtner 2015-06-10 19:54:09 UTC
The history and controversy of the patch are explained in detail on the following wiki page: https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch

The patch obfuscates the OpenVPN header to make it harder for layer 7 inspection to identify such traffic, which may come with blocking or recording actions in certain territories of the world.  This patch, in a nutshell, increases privacy and range of communication for some users.

The patch made its way into OPNsense's ports; I am providing this PR in order to enable FreeBSD to pull in an off-by-default option of this patch.


Thanks,
Franco
Comment 6 Franco Fichtner 2015-06-28 08:55:28 UTC
Any new thoughts on this?
Comment 7 Matthias Andree freebsd_committer freebsd_triage 2015-07-02 05:39:31 UTC
What does upstream say?

If at all, this could be an experimental patch, disabled by default.
Comment 8 Franco Fichtner 2015-07-08 09:42:23 UTC
Citing the wiki page provided says upstream won't have this, but multiple OpenVPN clients including Tunnelblick have this patch included.  It is *not* a default option.

I can mark it as experimental if you want.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-02 08:37:30 UTC
I would suggest adding at least a comment above the TXP_EXTRA_PATCHES line providing references/URLs to the Tunnelblick wiki. That way there is information that users can use to make an informed decision.

Franco, if you could update your patch accordingly that would be great.

Resetting timeout for MAINTAINER feedback.
Comment 10 Matthias Andree freebsd_committer freebsd_triage 2015-10-13 07:29:28 UTC
Franco, can you add a note with URL references to the Tunnelblick Wiki to the patch?
Comment 11 Franco Fichtner 2015-10-13 07:39:57 UTC
Matthias, sure thing.  Where do you want the note to appear exactly?
Comment 12 Matthias Andree freebsd_committer freebsd_triage 2015-10-13 08:04:14 UTC
Franco, please see comment #9 by Kubilay Kocak.
Comment 13 Franco Fichtner 2015-10-13 08:08:51 UTC
Ah, got it, thanks. Patch tonight. :)
Comment 14 Franco Fichtner 2015-10-14 06:07:34 UTC
Created attachment 162012 [details]
option + annotated patch as git diff
Comment 15 Franco Fichtner 2015-10-14 06:10:19 UTC
Annotated the patch with a description and the latest wiki URL. Reworded it slightly to make sure that this remains opt-in even when compiled into OpenVPN.  :)
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-14 06:17:19 UTC
@franco, no further testing required for the updated version?
Comment 17 Franco Fichtner 2015-10-14 06:38:00 UTC
We've shipped this particular version in OPNsense in August:

https://forum.opnsense.org/index.php?topic=1247

I don't know of any problems.

https://forum.opnsense.org/index.php?topic=398.0

Cheers mate :)
Comment 18 Franco Fichtner 2015-10-21 06:38:08 UTC
Created attachment 162270 [details]
option + annotated patch as git diff

New diff to adapt to current HEAD
Comment 19 Kubilay Kocak freebsd_committer freebsd_triage 2015-10-21 06:41:21 UTC
Comment on attachment 162270 [details]
option + annotated patch as git diff

Thanks Franco!
Comment 20 Franco Fichtner 2015-11-20 07:34:09 UTC
Anything missing here? Please let me know. :)
Comment 21 commit-hook freebsd_committer freebsd_triage 2015-11-20 18:41:29 UTC
A commit references this bug:

Author: mandree
Date: Fri Nov 20 18:41:16 UTC 2015
New revision: 402095
URL: https://svnweb.freebsd.org/changeset/ports/402095

Log:
  Add optional extra patch for Tunnelblick obfuscation.

  Adds a --scramble method to the executable but not documentation.
  Requires careful review of implications before enabling, and has not
  been accepted upstream.  https://tunnelblick.net/cOpenvpn_xorpatch.html

  PR:		200215
  Submitted by:	Franco Fichtner

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
  head/security/openvpn/pkg-help
Comment 22 Franco Fichtner 2015-11-20 18:47:49 UTC
Thank you, Matthias! Closing ticket. :)