This content originally appeared on DEV Community 👩💻👨💻 and was authored by Axel Navarro
Caution! This is a developer horror story 👻, Halloween 2022 comes with a nightmare for those who use a VPN. OpenSSL released the version 3.0.7 as the latest stable, if you compare that we're talking about a jump from 1.1.1 to 3.0.7 we can think that any already deprecated protocol was removed to guarantee the security of our systems! And, it happened.
Arch Linux, with its philosophy of using the latest stable release of everything, applied the OpenSSL v3 on Saturday morning November 5.
Surprise! You can't use the BF-CBC cipher on OpenVPN anymore, because it was removed from OpenSSL itself; OpenVPN plans to remove it on 2.7 but we're currently in 2.5.8 at the moment.
Downgrading the openssl package is a possible solution but not the best. Should I move my development environment to a virtual machine? 🙀 Change to an old Ubuntu version? Not for me. Here is when the hero 🦸 of this story appears to save us, and its name is Docker 🐳.
The solution
The containers can use the same network of the host, this avoids the container being network isolated, and the VPN tunnel is shared with our host system.
Creating the image
For this example I'll use a simple ovpn file, but with a few tweaks I'm sure this will work for you too.
FROM ubuntu:jammy
RUN apt update && \
apt install -y openvpn && \
rm -rf /var/lib/apt/lists/*
COPY profile.ovpn /etc/openvpn/client/
CMD ["openvpn", "/etc/openvpn/client/profile.ovpn"]
We based our image on Ubuntu 22.04 LTS (Jammy Jellyfish), just install the openvpn package and copy your OpenVPN configuration file inside. Maybe you need a .p12, .key, or .crt files just to copy them too.
Build the image with the following command:
docker build -t openvpn .
Starting the container
Now, we can run the container!
docker run --name vpn --cap-add=NET_ADMIN --network=host --device /dev/net/tun -it openvpn
The container needs the Linux kernel capability of network administration to create a VPN tunnel with the --cap-add=NET_ADMIN argument. Also --device /dev/net/tun gives access to the tunnel device of the host.
⚠️ Don't give kernel capabilities or access to devices if you don't trust the publisher.
Once started, the container could ask for your credentials (username and password) to establish the VPN connection and it's done! 🎉
Conclusion
Some changes can't be applied in enterprise environments without analyzing all possible scenarios, and the change of this cipher could take some time. That's where Docker could help us to continue using old software in a controlled way for specific tasks without compromising the security of our system.
I hope you don't get scared with this story, but Super-Docker saves the day, one more time. Tell me in the comments if this helped you, or if you found another solution.
This content originally appeared on DEV Community 👩💻👨💻 and was authored by Axel Navarro
Axel Navarro | Sciencx (2022-11-14T12:33:19+00:00) Connecting through OpenVPN with deprecated ciphers, using Docker. Retrieved from https://www.scien.cx/2022/11/14/connecting-through-openvpn-with-deprecated-ciphers-using-docker/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.