MichaIng / DietPi

Lightweight justice for your single-board computer!
https://dietpi.com/
GNU General Public License v2.0
4.88k stars 497 forks source link

DietPi-VPN | Unable to enter private key decryption password #6788

Open dnielso5 opened 11 months ago

dnielso5 commented 11 months ago

Creating a bug report/issue

Required Information

Additional Information (if applicable)

Steps to reproduce

1) generate openvpn.ovpn from server at my house 2) open dietpi-vpn, use custom service, load up my openvpn.ovpn file 3) enter username and password 4) click "apply" 5) when it asks for private key password but before you can type in the password it tries to connect to the server.

7e67f802e20eecf227635681c0c388d82a9ed89a

Expected behaviour

After clicking apply i should have the option to type in the private key password

Actual behaviour

-see SS above

Extra details

MichaIng commented 11 months ago

Got it, so you are not (only) authenticating at your provider via username and password but (also) via encrypted private key. I never saw this case with OpenVPN, but makes sense that it is supported. Interesting that OpenVPN is able to pass the decryption prompt through the systemd service via this systemd-tty-ask-password-agent tool, while the process runs in background without any STDIN.

We need to detect this agent prompt and then wait for it. Sadly it seems to not hold the systemctl start dietpi-vpn, despite that it is type notify, i.e. OpenVPN sends a signal once it has finished startup, but this signal seems to be sent before the key password was entered.

Can you try the following:

  1. Exit dietpi-vpn when you run into this timeout.
  2. From console, start it manually: G_EXEC systemctl restart dietpi-vpn
  3. Verify that you see [ OK ] systemctl restart dietpi-vpn, so this step has successfully finished before the password prompt appears.
  4. And that shortly after the above OK message, you get the input prompt.
  5. On a second SSH session, that this shows a PID as output: pgrep -f systemd-tty-ask-password-agent
  6. That you can actually enter the key passphrase there.
  7. And that after doing so the VPN connection is actually established.
dnielso5 commented 11 months ago

Sorry i was busy the last week. at the moment i switched to wire guard as openVPN capped me at 3MB/s and wireguard gives me 13MB/s.

If you give me a day or two i can test for you.

dnielso5 commented 11 months ago

Can you try the following:

1. Exit `dietpi-vpn` when you run into this timeout.

2. From console, start it manually: `G_EXEC systemctl restart dietpi-vpn`

3. Verify that you see `[  OK  ] systemctl restart dietpi-vpn`, so this step has successfully finished before the password prompt appears.

4. And that shortly after the above OK message, you get the input prompt.

5. On a second SSH session, that this shows a PID as output: `pgrep -f systemd-tty-ask-password-agent`

6. That you can actually enter the key passphrase there.

7. And that after doing so the VPN connection is actually established.

Ok, so i got to step 5 and got a PID of 33535, what am i supposed to do on step 6? redoing G_EXEC systemctl restart dietpi-vpn or opening dietpi-vpn still does the same thing.

MichaIng commented 11 months ago

Ok, so i got to step 5 and got a PID of 33535, what am i supposed to do on step 6? redoing G_EXEC systemctl restart dietpi-vpn or opening dietpi-vpn still does the same thing.

Is there no password prompt in the screen/session where you can G_EXEC systemctl restart dietpi-vpn? As systemd-tty-ask-password-agent was running in step 5, the prompt should have appeared.

dnielso5 commented 11 months ago

When i do G_EXEC systemctl restart dietpi-vpn i do get the [ OK ] systemctl restart dietpi-vpn but then it does the same

Broadcast message from root@DietPi (Mon 2023-12-11 10:37:27 PST):

Password entry required for 'Enter Private Key Password:' (PID 33535).
Please enter password with the systemd-tty-ask-password-agent tool.

after the message comes up i can type, but when i do it gives me -bash: MyPassword: command not found

MichaIng commented 11 months ago

Okay so the systemd-tty-ask-password-agent has its STDOUT attached to the console, but not its STDIN, so you see the prompt but cannot enter a password. This must be coming from a config with is not meant to be run via systemd service.

Re-reading your original post, are you trying to connect to your own OpenVPN server, or is this a public provide? If it's your own, how did you create the ovpn config, and does it contain a line askpass?

Reading the man page, this line is to prompt for a password in case the private is encrypted. But this cannot work when starting OpenVPN via service, but only when you start it from console manually (as you did and succeeded). It is possible to add a password file with the askpass option. Could you try that in case this option is present? Create a file with only the password as content. And then change the askpass line to askpass /path/to/passwordfile and systemctl restart dietpi-vpn.

But having a file with the plain text password the decrypt the private key sort of breaks the security benefit of encrypting the key. So if you did manually create the ovpn config for your own OpenVPN server, you should be able to recreate it with unencrypted key.

But what we could do when a custom config is used:

dnielso5 commented 11 months ago

Yes this is my own openVPN server. I used piVPN to create the .opvn file.

This is the file that is generated, i dont see the "askpass" line

client
dev tun
proto udp
remote HomeIP address 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name laptop_0cab89b0-12bc-4e0e-a18f-6691f7e91620 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>
MichaIng commented 10 months ago

I just learned that PiVPN asks you whether you want to encrypt the config/key. Please recreate the config without this encryption. It would be possible to add support for such to dietpi-vpn, but it means that you have a dedicated plain text password file: Everyone who can read the OpenVPN config (which should be root only), can also read this password file, and hence can easily decrypt the key. So this has no benefit.

Generally: This kind of systemd-tty-ask-password-agent password input works only when STDIN (the keyboard) is connected to the OpenVPN process, which is not the case when it runs as service.

dnielso5 commented 10 months ago

doing "pivpn -a nopass" i can create an .opvn config file and connect using the dietpi-vpn page. An oddity is that when you select "custom" in the vpn config page you are forced to enter a username/password even though its not being used.

image

image

image

image

It might be helpful to add a checkbox, or another question after selecting "custom" that allows the bypass of the username/password requirement.

MichaIng commented 10 months ago

Or we could do it like in DietPi-DDNS: Allow entering the value 0 if not user/pass is required. But good that it seems to be ignored when dummy entries are set. Is it possible to enable user/password authentication in PiVPN?

To be true: When designing DietPi-VPN, we had public VPN providers in mind, which all use user/password authentication and no encrypted private keys. But good good to start supporting these things as well.

dnielso5 commented 10 months ago

Is it possible to enable user/password authentication in PiVPN?

No, when you create a "user" its not actually a user but a client name that's associated with the unique certs that the server uses to track info: image

you are supposed to make a new client for each device you want to use, if you used the same config file on multiple devices at the same time it "should" cause errors, but i have not tested.

MichaIng commented 10 months ago

Okay, generally it is possible to add this via auth-user-pass-verify OpenVPN config key, but it is indeed weaker or redundant when you use individual keys, and in case even encrypt them. The public provider configs have a (shared) tls-auth key, but no user authentication key. I guess it is just simpler to tell users their name and password, instead of a multi-line key, which needs to be stored into or besides and linked in the OVPN config.