NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

Pasting PSK Missing newline OVPN P2P #6103

Closed francio87 closed 4 years ago

francio87 commented 4 years ago

Creating a new OVPN Server Tunnel (P2P) via Cockpit and pasting a PSK generated elsewhere, the configuration gets applied but the tunnel won't start unless you add a newline at the end of the key.

NethServer: static public IP
Other side (rt): dynamic public IP

The other side (rt) generates the PSK; for an easy connection NS will be the server side, since it has a static public IP.

Steps to reproduce

Expected behavior

OVPN Server Tunnel start

Actual behavior

The VPN gets created in the GUI, but the logs report:

ERROR: Endtag </secret> missing

Checking the config file ([root@fw ~]# cat /etc/openvpn/s2svpn.conf):

71eb912d45372bced1e126de16981583
8401bb7dac74278dda3ceef63fa2f679
-----END OpenVPN Static key V1-----</secret>

The </secret> end tag is on the same line as the PSK; adding a few newlines lets the tunnel come up without issue.

Components

nethserver-vpn-ui-1.2.10-1.ns7.noarch
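The failure described in this report comes down to how OpenVPN terminates an inline key block: the close tag has to begin a line of its own, so a pasted key with no trailing newline glues "-----END OpenVPN Static key V1-----" and "</secret>" together and the block never closes. The following Python is an added example, not code from nethserver-vpn-ui or from OpenVPN: it renders the <secret> block the naive way and the normalized way, and checks both with a toy line-based reader that models OpenVPN's end-tag matching as I understand it. The function names, the reader and the shortened sample key are assumptions made for illustration.

```python
"""Reproduce the "Endtag </secret> missing" failure and the fix.

OpenVPN reads an inline <secret> block line by line and only closes it
when a line begins with the close tag "</secret>". When the pasted PSK
has no trailing newline, a naive template writes
"-----END OpenVPN Static key V1-----</secret>" on ONE line, the tag is
never matched and the key block runs to end of file.

Added example, not code from nethserver-vpn-ui or OpenVPN: the function
names, the toy reader and the sample key below are assumptions made for
illustration.
"""
from typing import List, Optional

BEGIN_MARK = "-----BEGIN OpenVPN Static key V1-----"
END_MARK = "-----END OpenVPN Static key V1-----"

# Constructed sample: a real static key has 16 lines of 32 hex characters,
# two are enough to show the problem. Note the missing trailing "\n",
# which is what a paste into a GUI text field typically produces.
SAMPLE_KEY_NO_NEWLINE = "\n".join([
    "#",
    "# 2048 bit OpenVPN static key",
    "#",
    BEGIN_MARK,
    "71eb912d45372bced1e126de16981583",
    "8401bb7dac74278dda3ceef63fa2f679",
    END_MARK,
])


def render_secret_naive(psk: str) -> str:
    """Buggy rendering: embed the pasted text verbatim."""
    return "<secret>\n" + psk + "</secret>\n"


def normalize_psk(psk: str) -> str:
    """Canonicalize a pasted static key before embedding it.

    Converts CRLF/CR to LF (Windows clipboards), strips surrounding
    whitespace, guarantees exactly one trailing newline and rejects a
    block without both markers so a truncated paste fails at submit
    time rather than at tunnel start.
    """
    lines = psk.replace("\r\n", "\n").replace("\r", "\n").strip().split("\n")
    lines = [line.rstrip() for line in lines]
    if BEGIN_MARK not in lines or lines[-1] != END_MARK:
        raise ValueError("not a complete OpenVPN static key V1 block")
    return "\n".join(lines) + "\n"


def render_secret_fixed(psk: str) -> str:
    """Fixed rendering: the close tag always lands on its own line."""
    return "<secret>\n" + normalize_psk(psk) + "</secret>\n"


def parse_inline_block(config: str, tag: str) -> List[str]:
    """Toy model of OpenVPN's inline-file reader (assumption).

    Leading whitespace is skipped and a line must *start* with the close
    tag to end the block. Returns the body lines, or raises ValueError
    with OpenVPN's wording when the tag never appears on its own line.
    """
    open_tag, close_tag = f"<{tag}>", f"</{tag}>"
    body: List[str] = []
    inside = False
    for line in config.split("\n"):
        stripped = line.strip()
        if not inside:
            inside = stripped == open_tag
            continue
        if stripped.startswith(close_tag):
            return body
        body.append(stripped)
    raise ValueError(f"Endtag {close_tag} missing")


def secret_block_error(config: str) -> Optional[str]:
    """Return the reader's error text for a rendered config, or None if it parses."""
    try:
        parse_inline_block(config, "secret")
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    broken = render_secret_naive(SAMPLE_KEY_NO_NEWLINE)
    fixed = render_secret_fixed(SAMPLE_KEY_NO_NEWLINE)
    print("naive template:", secret_block_error(broken))
    print("fixed template:", secret_block_error(fixed))
```

Normalizing at submit time (rather than only appending a newline) also rejects a paste that lost its END marker, which would otherwise surface only as the same "Endtag missing" error at the next tunnel start.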

nethbot commented 4 years ago

in 7.7.1908/testing:

gsanchietti commented 4 years ago

Test case 1

Test case 2

Test case 3

Test case 4

francio87 commented 4 years ago
[root@rt01 ~]# rpm -qa |grep vpn
nethserver-vpn-ui-1.2.10-1.1.gc3c4aa0.ns7.noarch
nethserver-openvpn-1.9.2-1.ns7.noarch
openvpn-2.4.8-1.el7.x86_64

Test Case 1: OK

Fri Apr  3 08:33:18 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr  3 08:33:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:33:18 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:33:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-case-1
Fri Apr  3 08:33:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:33:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:33:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:33:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:33:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:33:18 2020 TUN/TAP device tuntest-case-1 opened
Fri Apr  3 08:33:18 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:33:18 2020 /sbin/ip link set dev tuntest-case-1 up mtu 1500
Fri Apr  3 08:33:18 2020 /sbin/ip addr add dev tuntest-case-1 local 10.212.156.1 peer 10.212.156.2
Fri Apr  3 08:33:18 2020 /sbin/ip route add 192.168.44.0/24 via 10.212.156.2
Fri Apr  3 08:33:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Apr  3 08:33:18 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  3 08:33:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1204
Fri Apr  3 08:33:18 2020 UDPv4 link remote: [AF_UNSPEC]
Fri Apr  3 08:33:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-case-1
Fri Apr  3 08:33:23 2020 MANAGEMENT: CMD 'status 3'

Test Case 2 : OK

Fri Apr  3 08:40:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:40:18 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:40:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c-2
Fri Apr  3 08:40:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:18 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:18 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:18 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:18 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:18 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:18 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:18 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:18 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:18 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:18 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:18 2020 Restart pause, 5 second(s)
Fri Apr  3 08:40:23 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:23 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:23 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:23 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:23 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:23 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:23 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:23 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:23 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:23 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:23 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:23 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:23 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:23 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:23 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:23 2020 Restart pause, 5 second(s)
Fri Apr  3 08:40:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c-2
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr  3 08:40:23 2020 MANAGEMENT: Client disconnected
Fri Apr  3 08:40:28 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:28 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:28 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:28 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:28 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:28 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:28 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:28 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:28 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:28 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:28 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:28 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:28 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:28 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:28 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:28 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:28 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:28 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:28 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:28 2020 Restart pause, 5 second(s)
Fri Apr  3 08:40:33 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:33 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:33 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:33 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:33 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:33 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:33 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:33 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:33 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:33 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:33 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:33 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:33 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:33 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:33 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:33 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:33 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:33 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:33 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:33 2020 Restart pause, 5 second(s)

Test Case 3: OK

Fri Apr  3 08:50:06 2020 WARNING: file '/var/lib/nethserver/certs/clients/test-c3-c.pem' is group or others accessible
Fri Apr  3 08:50:06 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:50:06 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:50:06 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c3-c
Fri Apr  3 08:50:06 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr  3 08:50:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]8.8.8.8:12342
Fri Apr  3 08:50:06 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  3 08:50:06 2020 UDP link local: (not bound)
Fri Apr  3 08:50:06 2020 UDP link remote: [AF_INET]8.8.8.8:12342
Fri Apr  3 08:50:12 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c3-c
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr  3 08:50:12 2020 MANAGEMENT: Client disconnected

Test Case 4: OK. Can confirm: even when pasting a PSK or cert without a newline at the end, NS adds it by itself; if I edit the VPN tunnel/client, the newline at the end of the PSK/cert is auto-added.

nethbot commented 4 years ago

in 7.7.1908/updates: