OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

MacOS 3.10.3 build paired with privileged agent no longer connects #344

Closed savely-krasovsky closed 2 weeks ago

savely-krasovsky commented 3 weeks ago

Service logs:

POST unix://[/var/run/appagent.sock]/tun-setup : 400 Bad Request
route_gateway_error: GDG: problem writing to routing socket: -1 errno: 3 msg: No such process

Agent logs:

Thu Nov  7 18:22:02.803 2024 HTTP request received from LOCAL
HTTP Request
method=POST
uri=/tun-setup
version=1/1
[0] Host=/var/run/appagent.sock
[1] Content-Type=application/json
[2] Content-Length=2849
[3] Connection=keep-alive
[4] Accept=*/*

Thu Nov  7 18:22:02.803 2024 Watchdog already set for pid 91257, won't set for pid 91257
Thu Nov  7 18:22:02.818 2024 INSTANCE STOP : E_SUCCESS : Succeeded

I guess it relates to these commits: https://github.com/OpenVPN/openvpn3/commit/053600556abf483dde30d37800f8750df3a2fc03 https://github.com/OpenVPN/openvpn3/commit/09697ef80b8790cda8a5bd8a989659f0c586a4bd

@lstipakov, as the commit author, do you have any ideas?

schwabe commented 3 weeks ago

Please include the full client log as well so we have an idea what is happening.

savely-krasovsky commented 3 weeks ago

@schwabe full connection log:

```
OpenVPN core 3.10.3 mac arm64 64-bit
Frame=512/2112/512 mssfix-ctrl=1250
NOTE: This configuration contains options that were not used:
Unused options, probably specified multiple times in the configuration file
0 [dev] [tun]
Contacting 777.777.777.777:1194 via UDP
UnixCommandAgent: transmitting bypass route to /var/run/appagent.sock
{
  "host" : "777.777.777.777",
  "ipv6" : false,
  "pid" : 91257
}
Connecting to [777.777.777.777]:1194 (777.777.777.777) via UDP
Tunnel Options:V4,dev-type tun,link-mtu 1469,tun-mtu 1400,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
Creds: Username/Password
Sending Peer Info:
IV_VER=3.10.3
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2974
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_SSL=OpenSSL 3.2.0 23 Nov 2023
IV_HWADDR=a0:78:17:9b:52:a8

VERIFY OK: depth=2, /C=DE/O=DOMAIN.com/OU=DOMAIN.com Internal Certificate Authority/CN=Example Root CA 1, signature: RSA-SHA512
VERIFY OK: depth=1, /C=DE/O=DOMAIN.com/OU=DOMAIN.com Internal Certificate Authority/CN=Example TLS CA, signature: RSA-SHA512
VERIFY OK: depth=0, /C=DE/ST=Berlin/L=Berlin/O=INTERNET LLC/CN=domain.com, signature: RSA-SHA512
SSL Handshake: peer certificate: CN=domain.com, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
Session is ACTIVE
Sending PUSH_REQUEST to server...
Options continuation...
OPTIONS:
0 [dhcp-option] [PROXY_AUTO_CONFIG_URL] [http://wpad]
1 [ping-restart] [60]
2 [dhcp-option] [DNS] [777.777.777.777]
3 [dhcp-option] [ADAPTER_DOMAIN_SUFFIX] [domain.com]
4 [dhcp-option] [DOMAIN] [domain.com]
5 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
6 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
7 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
8 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
9 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
10 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
11 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
12 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
13 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
14 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
15 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
16 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
17 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
18 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
19 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
20 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
21 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
22 [dhcp-option] [DOMAIN-SEARCH] [domain.com]
23 [dhcp-option] [DOMAIN-SEARCH] [OZON]
24 [block-outside-dns]
25 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
26 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
27 [push-continuation] [2]
28 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
29 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
30 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
31 [route] [777.777.777.777] [777.777.777.777] [net_gateway]
32 [route] [777.777.777.777] [777.777.777.777] [vpn_gateway]
33 [route-gateway] [777.777.777.777]
34 [topology] [subnet]
35 [ping] [10]
36 [ping-restart] [30]
37 [ifconfig] [777.777.777.777] [777.777.777.777]
38 [peer-id] [1]
39 [cipher] [AES-256-GCM]
40 [push-continuation] [1]
PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: none
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 1
TunPersist: short-term connection scope
TunPersist: new tun context
CAPTURED OPTIONS:
Session Name: 777.777.777.777
Layer: OSI_LAYER_3
MTU: 1400
Remote Address: 777.777.777.777
Tunnel Addresses:
  777.777.777.777/25 -> 777.777.777.777
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv4: no
Block IPv6: no
Block local DNS: yes
Add Routes:
  777.777.777.777/8
Exclude Routes:
  777.777.777.777/32
  777.777.777.777/24
  777.777.777.777/24
  777.777.777.777/24
  777.777.777.777/24
  777.777.777.777/24
DNS Servers:
  777.777.777.777
Search Domains:
  DOMAIN.com
Adapter Domain Suffix: DOMAIN.com
Proxy Auto Config URL: http://wpad
SetupClient: transmitting tun setup list to /var/run/appagent.sock
{
  "config" : {
    "iface_name" : "",
    "layer" : "OSI_LAYER_3",
    "tun_prefix" : false
  },
  "pid" : 91257,
  "tun" : {
    "adapter_domain_suffix" : "domain.com",
    "add_routes" : [
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 8
      }
    ],
    "block_ipv6" : false,
    "block_outside_dns" : true,
    "dns_options" : {
      "servers" : {}
    },
    "dns_servers" : [
      {
        "address" : "777.777.777.777",
        "ipv6" : false
      }
    ],
    "exclude_routes" : [
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 32
      },
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      },
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      },
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      },
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      },
      {
        "address" : "777.777.777.777",
        "gateway" : "",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      }
    ],
    "layer" : 3,
    "mtu" : 1400,
    "proxy_auto_config_url" : {
      "url" : "http://wpad"
    },
    "remote_address" : {
      "address" : "777.777.777.777",
      "ipv6" : false
    },
    "reroute_gw" : {
      "flags" : 256,
      "ipv4" : false,
      "ipv6" : false
    },
    "route_metric_default" : -1,
    "search_domains" : [
      {
        "domain" : "DOMAIN.com"
      }
    ],
    "session_name" : "777.777.777.777",
    "tunnel_address_index_ipv4" : 0,
    "tunnel_address_index_ipv6" : -1,
    "tunnel_addresses" : [
      {
        "address" : "777.777.777.777",
        "gateway" : "777.777.777.777",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 25
      }
    ]
  }
}
POST unix://[/var/run/appagent.sock]/tun-setup : 400 Bad Request
route_gateway_error: GDG: problem writing to routing socket: -1 errno: 3 msg: No such process
Client exception in transport_recv: tun_exception: not connected
```

savely-krasovsky commented 3 weeks ago

Just to clarify: Windows build based on 3.10.3 works perfectly.

schwabe commented 3 weeks ago

Unfortunately you made that log useless by replacing all the network and routing information. Debugging a routing issue when all the routing information has been replaced by nonsense information is not useful.

lstipakov commented 3 weeks ago

The change is mac-specific so we don't expect Windows to break :) But thanks for reporting it. It would be nice if you could provide a reproducible example. If you want, feel free to send details in private to me or Arne.

lstipakov commented 3 weeks ago

@savely-krasovsky We're looking into it, but so far I was not able to reproduce this. It seems that it happens when looking for the default gateway for exclude routes, namely in these lines in mac/client/tunsetup.hpp:

```cpp
// get default gateways
MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_zero())};
MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_zero())};
```

Are you able to step into it under a debugger and check which line causes the issue?

savely-krasovsky commented 3 weeks ago

@lstipakov I could probably try to implement a basic C++ client and run it with our config, but it will require some time. I cannot step into native code since we are using Go with SWIG.

lstipakov commented 3 weeks ago

The library already includes a test command-line client, see the "mac-debug" CMake preset and the "ovpcli" target.

lstipakov commented 3 weeks ago

Do you have a default route on that machine?

lstipakov commented 3 weeks ago

We managed to reproduce it with a limited IPv4 network (without IPv6) and also without a default gateway in IPv4.
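The failure mode described in the two comments above (the default-gateway lookup for exclude routes fails with ESRCH on a host that has no IPv4 default route and no IPv6, and that single failure aborts the whole tun setup) modelled as an added example that is not code from the openvpn3 project or from anyone in this thread. `RouteTable`, `rtm_get_default`, `tun_setup` and all route values are constructed stand-ins; the tolerant branch is an assumed mitigation for illustration, not the project's actual fix.

```cpp
#include <cerrno>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for the host routing table as seen through RTM_GET on a
// PF_ROUTE socket: a family with no default route answers the lookup with
// ESRCH, the "errno: 3 msg: No such process" in the report.
struct RouteTable {
    std::optional<std::string> v4_default;
    std::optional<std::string> v6_default;
};

// Mimics write(2) on the routing socket: 0 on success, -1 with errno set on failure.
static int rtm_get_default(const RouteTable &rt, bool ipv6, std::string &gw) {
    const auto &entry = ipv6 ? rt.v6_default : rt.v4_default;
    if (!entry) { errno = ESRCH; return -1; }
    gw = *entry;
    return 0;
}
struct ExcludeRoute { std::string prefix; bool ipv6; };
struct TunSetupResult { std::vector<std::string> applied, skipped; };

// Both default gateways are looked up before any route is installed. With `strict`
// a failed lookup aborts the whole tun setup (what the 3.10.3 log shows); otherwise
// the family is recorded as having no gateway and only the exclude routes that would
// need it are skipped (assumed mitigation, not the project's actual patch).
TunSetupResult tun_setup(const RouteTable &rt, const std::vector<ExcludeRoute> &excl,
                         const std::vector<std::string> &add, const std::string &vpn_gw,
                         bool strict) {
    std::optional<std::string> gw4, gw6;
    for (bool v6 : {false, true}) {
        std::string gw;
        if (rtm_get_default(rt, v6, gw) == 0)
            (v6 ? gw6 : gw4) = gw;
        else if (strict)
            throw std::runtime_error("route_gateway_error: GDG: problem writing to routing socket: -1 errno: " + std::to_string(errno));
    }
    TunSetupResult res;
    for (const auto &r : excl) {
        const auto &gw = r.ipv6 ? gw6 : gw4;
        if (gw) res.applied.push_back(r.prefix + " via " + *gw);
        else res.skipped.push_back(r.prefix);  // nothing to bypass through; leave it to the tunnel
    }
    for (const auto &p : add)  // add_routes go through the VPN gateway and never need the host's
        res.applied.push_back(p + " via " + vpn_gw);
    return res;
}
```

With an empty `RouteTable` the strict path throws the same `route_gateway_error` text the agent returned as a 400, while the tolerant path still installs the tunnel routes and reports which exclude routes it could not honour.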

savely-krasovsky commented 3 weeks ago

Oh, that's cool! Probably that's the case. We don't use IPv6 or a default gateway. Our case is pretty basic in my opinion. We use OpenVPN in a split tunnel configuration so workers can access the internet and internal resources without switching.

lstipakov commented 3 weeks ago

The fix should be in this branch. After some testing and code review it should be pushed to our main repo.

savely-krasovsky commented 3 weeks ago

I will cherry-pick and test it, thanks!

savely-krasovsky commented 3 weeks ago

So it connects and at first glance everything works. But we will do complete regression testing and return with feedback later.

savely-krasovsky commented 3 weeks ago

We didn't notice any regressions; the app works as previously. We will wait for a proper release. Thanks for the help @lstipakov, @schwabe!

lstipakov commented 2 weeks ago

Fixed in https://github.com/OpenVPN/openvpn3/releases/tag/release%2F3.10.4