# POC现场：使用内置OpenVPN特征，策略无命中

| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-544 | 2022-07-01T14:14:33.000+0800 | 刘学利 | 已关闭 |


---

POC演示现场，使用OpenVPN内置特征进行阻断，业主的OpenVPN正常访问，策略无命中日志
附件是对应的pcap包 以及 业主OpenVPN的配置文件**liuxueli** commented on *2022-07-04T14:00:10.767+0800*:

* 增加识别方式，参照：https://github.com/ntop/nDPI/blob/dev/src/lib/protocols/openvpn.c



---

**zhangzhihan** commented on *2022-07-11T17:52:39.101+0800*:

[~liuxueli] POC现场更新 app_proto_identify-2.1.2 ，更新后openvpn依然无法拦截 [^openvpn_udp.pcap]  [^openvpn_udp_pure.pcap] 



---

**liuxueli** commented on *2022-07-11T19:06:06.313+0800*:

* 新提供的数据包，读包能识别出openvpn，请确认openvpn的相关策略是否正确。[~zhangzhihan]



---

**gitlab** commented on *2022-07-12T17:39:45.343+0800*:

[刘学利|https://git.mesalab.cn/liuxueli] mentioned this issue in [a commit|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/commit/af0c34f77af99db374f9572ef86c114cf1f7c2e5] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-22.07-firewall-v3|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-22.07-firewall-v3]:{quote}更新app_proto_identify、app_sketch_local，修复:{quote}



---

**gitlab** commented on *2022-07-12T17:40:21.416+0800*:

[刘学利|https://git.mesalab.cn/liuxueli] mentioned this issue in [a merge request|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/merge_requests/838] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-22.07-firewall-v3|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-22.07-firewall-v3]:{quote}更新app_proto_identify、app_sketch_local，修复:{quote}



---

**gitlab** commented on *2022-07-12T17:40:24.284+0800*:

[刘学利|https://git.mesalab.cn/liuxueli] mentioned this issue in [a commit|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/commit/43c09861448d71fd590a4b96ee9080d024b7c179] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-22.07-firewall-v3|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-22.07-firewall-v3]:{quote}更新app_proto_identify、app_sketch_local，修复:{quote}



---

**liuxueli** commented on *2022-07-12T18:18:12.622+0800*:

* 2022/0712 查看现场日志，发现加载配置报错，报错如下：
 ** 
{code:java}
Tue Jul 12 16:25:58 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:26:29 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:26:29 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:27:00 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:27:00 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:27:31 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:27:31 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:28:22 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:28:22 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:29:13 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:29:13 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5
Tue Jul 12 16:29:50 2022, INFO, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Initiate full udpate from instance_version 0 to 38.
Tue Jul 12 16:29:50 2022, FATAL, ./tsglog/maat/tsg_maat.log, MAAT_REDIS_MONITOR(2167), Invalid Redis Key List type 5 {code}

 * 重启SAPP正常加载配置后，OPENVPN有阻断效果。



---

**gitlab** commented on *2022-07-12T22:24:44.441+0800*:

[付明卫|https://git.mesalab.cn/fumingwei] mentioned this issue in [a commit|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/commit/724fa577188613a8b94a1bbc4dac62348dd14ffe] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-22.07-firewall-v3|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-22.07-firewall-v3]:{quote}更新app_proto_identify、app_sketch_local，修复:{quote}



---

**gitlab** commented on *2022-07-12T22:26:21.781+0800*:

[付明卫|https://git.mesalab.cn/fumingwei] mentioned this issue in [a merge request|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/merge_requests/839] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [dev-22.07|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/dev-22.07]:{quote}2022/7/12{quote}



---



## Attachments

**29253/MMH_JP_CMP.ovpn**

---

**29533/openvpn_udp_pure.pcap**

---

**29532/openvpn_udp.pcap**

---

**29255/OpenVPN+tcpdump_mesa捕包.pcap**

---

**29254/OpenVPN+客户端捕包.cap**

---

**29267/OpenVPN+客户端捕包-1.cap**

---