HirbodBehnam / Shadowsocks-Cloak-Installer

A one-key script to setup Cloak plugin with Shadowsocks on your server
GNU General Public License v3.0

connection problem to ovpn behind cloak #28

Closed A2116 closed 4 years ago

A2116 commented 4 years ago

When I want to connect to ovpn behind cloak, it prompts me in the client:

```
time="2020-07-22T05:52:35+04:30" level=error msg="Failed to prepare connection to remote: EOF"
```

On the server it prompts:

```
INFO[0058] failed to read anything after connection is established: read tcp YYY.YYY.YYY.YYY:8443->XXX.XXX.XXX.XXX:65289: i/o timeout remoteAddr="XXX.XXX.XXX.XXX:65289"
```

HirbodBehnam commented 4 years ago

Hello

  1. Is the openvpn using UDP?
  2. Does shadowsocks work with cloak?

A2116 commented 4 years ago

OpenVPN uses TCP; I want to test UDP after success with TCP. Yes. Does it have any incompatibility or conflict between these two?

HirbodBehnam commented 4 years ago

Also make sure that you have correctly configured the server and client using this guide: https://github.com/cbeuw/Cloak/wiki/Underlying-proxy-configuration-guides#openvpn

A2116 commented 4 years ago

Yes, I configured them from that doc.

HirbodBehnam commented 4 years ago

No, I think that there is no incompatibility. TBH, I've never tested openvpn with cloak. I will try it out later to see if the problem is with the script, or with cloak itself.

A2116 commented 4 years ago

Can it be because of the cloak problem in Iran?

HirbodBehnam commented 4 years ago

I'm not sure, because you said that shadowsocks is working, and your error messages are different from #24.

A2116 commented 4 years ago

No, I did not say shadowsocks is working; I said shadowsocks is installed. As I am new to shadowsocks, I don't know whether it's not working because of my wrong config or because of censorship, but openvpn works fine without cloak.

HirbodBehnam commented 4 years ago

Oh! My bad, sorry. The config that the script gives you must work. If not, it might be because of the Iran censorship. If you want to check, you can use nc to set up a TCP server on your server and a TCP client on your own machine, then use cloak to connect them. (I can explain the details later if you want to test this.) If you think this is because of censorship, please close this issue and refer to #24.

A2116 commented 4 years ago

I tested ovpn, but this time with cloak and without shadowsocks; again it prompts like before. I should note that mtproto is working on my DSL connection, so I think it's not because of a fake-tls problem, but please explain to me the process of testing cloak separately using nc.

A2116 commented 4 years ago

How can I increase the timeout? It seems all errors are because of i/o timeout.

HirbodBehnam commented 4 years ago

  1. I don't think it is a timeout problem, because the default timeout is 5 minutes. You can change it in /etc/cloak/ckserver.json.
  2. I think this behavior is somehow like whitelister. The client received the End of File (that the connection must close) while the server timed out because no data was received. So I'm going to close this issue as a duplicate of #24. If you think this is a problem with the script, please tell me to re-open the issue.
  3. I will write the nc tutorial later after I fix the bug you have reported earlier.

A2116 commented 4 years ago

OK, I'll wait for the nc tutorial.

HirbodBehnam commented 4 years ago

Here is the small tutorial: https://github.com/HirbodBehnam/Shadowsocks-Cloak-Installer/wiki/Test-The-Cloak-With-NetCat

A2116 commented 4 years ago

I built a test VM on my PC and installed OpenVPN and cloak on it. I tested OpenVPN directly and it works fine; also, I tested cloak using NC and it works fine too, but with the same setup for NC and a different proxy rule it does not connect behind cloak. On the server side, I added `local 127.0.0.1` to the server config file and restarted the OpenVPN service; on the client side, I changed the target from 192.168.2.124 to 127.0.0.1. Also, I stopped the ck-server service and ran it manually to see its log.

Below is the server-side log:

```
INFO[0084] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
INFO[0084] Session closed UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="Failed to connect to proxy server" sessionID=1279337380
INFO[0084] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
INFO[0096] New session UID="arxn/uSbVkeg+eD6xgwI7Q==" sessionID=3716463871
INFO[0120] Session closed UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="a connection has dropped unexpectedly" sessionID=3716463871
INFO[0120] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60022" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60023" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60025" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60024" sessionId=3936174049
```

And this is the client-side log:

```
time="2020-07-22T23:27:11+04:30" level=info msg="Starting standalone mode"
time="2020-07-22T23:27:11+04:30" level=info msg="Listening on TCP 127.0.0.1:48443 for cloakovpnlocal client"
time="2020-07-22T23:27:15+04:30" level=info msg="Attempting to start a new session"
```

Below is the server config file:

```
local 127.0.0.1
port 48443
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.2.110"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_rdQZnfuKyj3kmvUB.crt
key server_rdQZnfuKyj3kmvUB.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
```

Below is the client config file:

```
client
proto tcp-client
remote 127.0.0.1 48443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_rdQZnfuKyj3kmvUB name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
```

Below is the ckserver.json file:

```json
{
  "ProxyBook": {
    "cloakovpnlocal": ["tcp", "127.0.0.1:48443"],
    "panel": ["tcp", "127.0.0.1:0"],
    "nclocal": ["tcp", "127.0.0.1:12345"]
  },
  "BypassUID": [
    "ZU3pfZUc6OQ+vvZ0gEmA4A==",
    "arxn/uSbVkeg+eD6xgwI7Q=="
  ],
  "BindAddr": [":8443"],
  "RedirAddr": "204.79.197.200",
  "PrivateKey": "+GooAh1+lfmjTz4ppuCFmPDkdI8xSeS/skwwh7hr3lQ=",
  "AdminUID": "8mSgMtBc6hKuyuoIgcJrVg==",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}
```

Below is the cloakovpnlocal.json file:

```json
{
  "ProxyMethod": "cloakovpnlocal",
  "EncryptionMethod": "aes-gcm",
  "UID": "arxn/uSbVkeg+eD6xgwI7Q==",
  "PublicKey": "ZSprHBRoo6RlkTKQ7UxswLF5yxrHUU4SF78vTTppiFY=",
  "ServerName": "204.79.197.200",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300
}
```

What is the problem and what should I do?

A2116 commented 4 years ago

Besides the Iran censorship, there is an incompatibility between cloak and OpenVPN. I installed cloak and it enables firewalld; then I added the TCP and UDP ports for OpenVPN to firewalld. OpenVPN can connect, but web browsing is impossible. I think it's a problem with nameservers when cloak runs on the server: even if the client connects to OpenVPN directly, there is a problem with the DNS service that doesn't allow web surfing. I think the system can't resolve web addresses to IPs, so web surfing becomes impossible, and I don't know why or what I should do.

HirbodBehnam commented 4 years ago

OK, now something caught my eye. If you read here you will see that the proxy method is 12 bytes. However, your proxy method is 14 bytes. I suggest that you change your proxy name and try again. Also, later I will add a limiter to the script to limit the proxy name to 12 characters. Also, I tested my script to see if the new rules are added to the server config, and I haven't actually tested to see if you are able to connect through them or not! I will test that too. I don't know if your openvpn config is correct or not because 1. I'm a noob and 2. I haven't worked with openvpn a lot. To ask more about openvpn, it is a good idea to continue this thread here.

Update: I have tested nc myself and it is working. However, I realized that I cannot use uppercase characters in my proxyMethod. I will add a warning about this in my script.
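
The 12-byte limit explains the `proxyMethod=cloakovpnloc` warnings in the server log above: the 14-character name is cut to 12 bytes on the wire and no longer matches any ProxyBook key. The following pre-deployment lint is an added example written for this thread, not code from the installer or from Cloak; the sample configs are constructed to mirror the ones posted, and the uppercase check only encodes the observation reported in the comment above.

```python
import json

# Cloak carries the ProxyMethod name in a fixed 12-byte field of its
# handshake, so a longer name cannot match any ProxyBook entry and the
# server logs "invalid proxy method" with a truncated name.
PROXY_METHOD_MAX_BYTES = 12

# Constructed samples mirroring the configs posted in this issue.
CKSERVER_JSON = '{"ProxyBook": {"cloakovpnlocal": ["tcp", "127.0.0.1:48443"], "nclocal": ["tcp", "127.0.0.1:12345"]}, "BindAddr": [":8443"]}'
CKCLIENT_JSON = '{"ProxyMethod": "cloakovpnlocal", "EncryptionMethod": "aes-gcm", "NumConn": 4}'
OPENVPN_SERVER_CONF = "local 127.0.0.1\nport 48443\nproto tcp\ndev tun\n"


def openvpn_listen_addr(server_conf):
    """Return the host:port OpenVPN binds to; without 'local' it binds all interfaces."""
    host, port = "0.0.0.0", "1194"  # OpenVPN defaults
    for line in server_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "local":
            host = parts[1]
        elif len(parts) >= 2 and parts[0] == "port":
            port = parts[1]
    return f"{host}:{port}"


def lint_cloak_configs(server_json, client_json, openvpn_conf):
    """Return a list of findings; an empty list means the three configs agree."""
    server, client = json.loads(server_json), json.loads(client_json)
    findings = []
    book = server.get("ProxyBook", {})
    for name, (_proto, target) in book.items():
        n = len(name.encode("utf-8"))
        if n > PROXY_METHOD_MAX_BYTES:
            findings.append(f"ProxyBook key {name!r} is {n} bytes; Cloak allows {PROXY_METHOD_MAX_BYTES}")
        if name != name.lower():
            findings.append(f"ProxyBook key {name!r} has uppercase characters (reported as not working in this thread)")
    method = client.get("ProxyMethod", "")
    if method not in book:
        findings.append(f"client ProxyMethod {method!r} has no ProxyBook entry on the server")
    else:
        target = book[method][1]
        listen = openvpn_listen_addr(openvpn_conf)
        host, port = listen.split(":")
        # The ProxyBook target must reach the OpenVPN listener; 0.0.0.0 accepts any host.
        if target.split(":")[1] != port or (host != "0.0.0.0" and target != listen):
            findings.append(f"ProxyBook target {target} does not match OpenVPN listener {listen}")
    return findings


if __name__ == "__main__":
    for finding in lint_cloak_configs(CKSERVER_JSON, CKCLIENT_JSON, OPENVPN_SERVER_CONF):
        print("WARN:", finding)
```

Running it against the posted configs reports only the 14-byte name; renaming the method on both sides clears the finding.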

A2116 commented 4 years ago

By decreasing the proxy method length, the problem on the local server is solved, but on OVH it still has the problem, which perhaps is because of datacenter network limitations, because it works fine on another server.

A2116 commented 4 years ago

The problem between OpenVPN and cloak is the firewall method: the angristan script for OpenVPN uses iptables, and your script for cloak uses firewalld. By restarting OpenVPN-iptables.service, which adds the VPN forwarding and routing rules, the problem is solved. The funny thing is that I should restart it twice, because every time at the first restart it exits with an error. But if we want a fully automated server that does its job after boot without any manual command, we should add the service restart to the startup script.