StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

vpn not connecting under linux #1493

Open covici opened 5 years ago

covici commented 5 years ago

Expected behavior:

vpn should connect to remote server and I should be able to ping and get dns

Actual Behavior:

vpn does not connect, ping and dns do not work

Steps to Reproduce:

1. install OpenVPN under Gentoo linux
2. run OpenVPN with my configuration file

[ contents of streisand-diagnostics.md here ]

Ansible Information

Streisand Information

Enabled Roles

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider:
Operating System of target host:
Operating System of client:
Version of Ansible, using ansible --version :
Output from git rev-parse HEAD in your Streisand directory :

When I tried to use the config file, it complained of a bad comp option, lz4. I then commented it out in the config and ran it again, and I got the log file below.

covici commented 5 years ago

I can't seem to attach OpenVPN.log, so here it is.

Wed Dec 5 15:03:03 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 10 2018
Wed Dec 5 15:03:03 2018 library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Wed Dec 5 15:03:03 2018 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 5 15:03:03 2018 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 5 15:03:03 2018 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Dec 5 15:03:03 2018 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Dec 5 15:03:03 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]45.56.99.38:636
Wed Dec 5 15:03:03 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Dec 5 15:03:03 2018 Attempting to establish TCP connection with [AF_INET]45.56.99.38:636 [nonblock]
Wed Dec 5 15:03:04 2018 TCP connection established with [AF_INET]45.56.99.38:636
Wed Dec 5 15:03:04 2018 TCP_CLIENT link local: (not bound)
Wed Dec 5 15:03:04 2018 TCP_CLIENT link remote: [AF_INET]45.56.99.38:636
Wed Dec 5 15:03:04 2018 TLS: Initial packet from [AF_INET]45.56.99.38:636, sid=103d69f3 10371a5a
Wed Dec 5 15:03:04 2018 VERIFY OK: depth=1, C=US, ST=California, L=Beverly Hills, O=ACME CORPORATION, OU=Anvil Department, CN=ca-certificate
Wed Dec 5 15:03:04 2018 VERIFY KU OK
Wed Dec 5 15:03:04 2018 Validating certificate extended key usage
Wed Dec 5 15:03:04 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 5 15:03:04 2018 VERIFY EKU OK
Wed Dec 5 15:03:04 2018 VERIFY X509NAME OK: C=US, ST=California, L=Beverly Hills, O=ACME CORPORATION, OU=Anvil Department, CN=ribbon-walnut-humble
Wed Dec 5 15:03:04 2018 VERIFY OK: depth=0, C=US, ST=California, L=Beverly Hills, O=ACME CORPORATION, OU=Anvil Department, CN=ribbon-walnut-humble
Wed Dec 5 15:03:04 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
Wed Dec 5 15:03:04 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Wed Dec 5 15:03:04 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Dec 5 15:03:04 2018 [ribbon-walnut-humble] Peer Connection Initiated with [AF_INET]45.56.99.38:636
Wed Dec 5 15:03:05 2018 SENT CONTROL [ribbon-walnut-humble]: 'PUSH_REQUEST' (status=1)
Wed Dec 5 15:03:05 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1,block-outside-dns,route 10.8.0.0 255.255.255.0,topology net30,ping 1800,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Dec 5 15:03:05 2018 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.6)
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: route options modified
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: peer-id set
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: adjusting link_mtu to 1626
Wed Dec 5 15:03:05 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Dec 5 15:03:05 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Dec 5 15:03:05 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 5 15:03:05 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 5 15:03:05 2018 ROUTE_GATEWAY 70.109.53.1/255.255.255.0 IFACE=eth2 HWADDR=00:1b:21:c6:d1:3c
Wed Dec 5 15:03:05 2018 TUN/TAP device tun0 opened
Wed Dec 5 15:03:05 2018 TUN/TAP TX queue length set to 100
Wed Dec 5 15:03:05 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Dec 5 15:03:05 2018 /bin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Wed Dec 5 15:03:05 2018 /bin/route add -net 45.56.99.38 netmask 255.255.255.255 gw 70.109.53.1
Wed Dec 5 15:03:05 2018 /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Dec 5 15:03:05 2018 /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Dec 5 15:03:05 2018 /bin/route add -net 45.56.99.38 netmask 255.255.255.255 gw 70.109.53.1 SIOCADDRT: File exists
Wed Dec 5 15:03:05 2018 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Dec 5 15:03:05 2018 /bin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Wed Dec 5 15:03:05 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Dec 5 15:03:05 2018 Initialization Sequence Completed
Wed Dec 5 15:05:45 2018 event_wait : Interrupted system call (code=4)
Wed Dec 5 15:05:45 2018 /bin/route del -net 10.8.0.0 netmask 255.255.255.0
Wed Dec 5 15:05:45 2018 /bin/route del -net 45.56.99.38 netmask 255.255.255.255
Wed Dec 5 15:05:45 2018 /bin/route del -net 0.0.0.0 netmask 128.0.0.0
Wed Dec 5 15:05:45 2018 /bin/route del -net 128.0.0.0 netmask 128.0.0.0
Wed Dec 5 15:05:45 2018 Closing TUN/TAP interface
Wed Dec 5 15:05:45 2018 /bin/ifconfig tun0 0.0.0.0
Wed Dec 5 15:05:45 2018 SIGTERM[hard,] received, process exiting

genewitch commented 5 years ago

When you emerge openvpn, do USE="lz4" emerge -avN net-vpn/openvpn. You can store that permanently in /etc/portage/, in the package.use file or folder, depending on which you have on your system.

covici commented 5 years ago

Thanks, that will fix the lz4, but then why does it not actually work? Does the log tell you anything?

mbenitog commented 5 years ago

Hi, I'm having the exact same issue as you, but in two Raspberry Pi Debian based distros (DietPi and Raspbian). My log looks pretty similar to yours. Same errors. I think the issue is here:

Wed Dec 5 15:03:05 2018 /bin/route add -net 45.56.99.38 netmask 255.255.255.255 gw 70.109.53.1 SIOCADDRT: File exists
Wed Dec 5 15:03:05 2018 ERROR: Linux route add command failed: external program exited with error status: 7
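The log covici posted and the route error mbenitog points at both carry more signal than "it does not work": the version banner lists the features the binary was built with (no [LZ4], which is why 'compress lz4' was rejected), the server's PUSH_REPLY contains block-outside-dns (a Windows-only option that a 2.4 Linux client logs an Options error for and skips), a pushed DNS server is only installed on Linux by an up/down script, and the host route to the server is added twice so the second add fails with SIOCADDRT: File exists. The script below is an added example for this thread, not Streisand's or OpenVPN's own code: it walks a client log plus the client config and reports those conditions. The log lines are an abridged copy of the one above; the config fragment, including 'compress lz4', is a hypothetical reconstruction since the reporter's file is not in the thread.

```python
"""Triage an OpenVPN 2.4 client log against its config (added example, not project code)."""
import re

# Constructed input: abridged from the log posted in this issue.
SAMPLE_LOG = """\
Wed Dec 5 15:03:03 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 10 2018
Wed Dec 5 15:03:04 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Wed Dec 5 15:03:05 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1,block-outside-dns,route 10.8.0.0 255.255.255.0,topology net30,ping 1800,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Dec 5 15:03:05 2018 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.6)
Wed Dec 5 15:03:05 2018 /bin/route add -net 45.56.99.38 netmask 255.255.255.255 gw 70.109.53.1
Wed Dec 5 15:03:05 2018 /bin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Dec 5 15:03:05 2018 /bin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Dec 5 15:03:05 2018 /bin/route add -net 45.56.99.38 netmask 255.255.255.255 gw 70.109.53.1 SIOCADDRT: File exists
Wed Dec 5 15:03:05 2018 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Dec 5 15:03:05 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Dec 5 15:03:05 2018 Initialization Sequence Completed
"""
# Hypothetical client config fragment; the reporter's real file is not in the thread.
SAMPLE_CONFIG = "client\nremote 45.56.99.38 636 tcp\ncompress lz4\n"

FEATURE_RE = re.compile(r"\[([^\]]+)\]")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
REJECTED_RE = re.compile(r"Unrecognized option .* in \[PUSH-OPTIONS\]:\d+: (\S+)")
ROUTE_ADD_RE = re.compile(r"/bin/route add -net (\S+) netmask (\S+) gw (\S+)(.*)$")
COMP_MISMATCH_RE = re.compile(r"WARNING: '(comp-lzo|compress)' is present in remote config but missing in local config")
WINDOWS_ONLY_PUSH = {"block-outside-dns"}  # meaningful only to the Windows client in 2.4


def build_features(log):
    """Bracketed feature tags from the version banner, e.g. {'LZO', 'AEAD', ...}."""
    for line in log.splitlines():
        if " OpenVPN 2." in line and " built on " in line:
            return set(FEATURE_RE.findall(line))
    return set()


def pushed_options(log):
    """Options the server pushed in PUSH_REPLY, in order."""
    m = PUSH_RE.search(log)
    return m.group(1).split(",") if m else []


def config_compression(config):
    """Compression the client config requests ('lz4', 'lz4-v2', 'lzo', 'stub') or None."""
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "compress":
            return parts[1] if len(parts) > 1 else "stub"
        if parts[0] == "comp-lzo":
            return "lzo"
    return None


def triage(log, config):
    """Return a list of (category, message) findings for the log/config pair."""
    findings = []
    features = build_features(log)
    comp = config_compression(config)
    if comp in ("lz4", "lz4-v2") and "LZ4" not in features:
        findings.append(("compression", f"config requests 'compress {comp}' but the binary lists "
                         f"{sorted(features)} and no LZ4; rebuild with LZ4 or change the option"))
    for m in COMP_MISMATCH_RE.finditer(log):
        findings.append(("compression", f"server uses '{m.group(1)}' but the local config does not; "
                         "a framing mismatch commonly passes the handshake and then drops data"))
    rejected = set(REJECTED_RE.findall(log))
    for opt in pushed_options(log):
        name = opt.split()[0]
        if name in rejected:
            why = " (Windows-only option)" if name in WINDOWS_ONLY_PUSH else ""
            findings.append(("push", f"client rejected pushed '{name}'{why}; other options still imported"))
        elif name == "dhcp-option" and "DNS" in opt:
            findings.append(("dns", f"pushed '{opt}' is applied on Linux only by an up/down script "
                             "(e.g. update-resolv-conf); without one no resolver is installed"))
    seen = set()  # (dest, mask) pairs already added; a repeat is what produces 'File exists'
    for line in log.splitlines():
        m = ROUTE_ADD_RE.search(line)
        if m:
            dest, mask, gw, tail = m.groups()
            if (dest, mask) in seen:
                findings.append(("route", f"route {dest}/{mask} via {gw} added twice; "
                                 f"second add reported '{tail.strip() or 'no error'}'"))
            seen.add((dest, mask))
        elif "ERROR: Linux route add command failed" in line:
            findings.append(("route", "a route add failed; check for a pre-existing host route "
                             "to the server before OpenVPN starts"))
    if "use the auth-nocache option" in log:
        findings.append(("hardening", "credentials are cached in memory; add 'auth-nocache' to the client config"))
    if "Initialization Sequence Completed" in log:
        findings.append(("status", "TLS and interface setup completed; connected-but-no-traffic "
                         "points at routes, DNS or compression, not the handshake"))
    return findings


if __name__ == "__main__":
    for cat, msg in triage(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"[{cat}] {msg}")
```

Run it against a real client log and the matching .ovpn; on this sample it reports two compression findings, the rejected block-outside-dns push, the un-applied DNS push, the duplicate host route, the route-add error, the auth-nocache warning, and that initialization completed. The duplicate host route is the one to chase for mbenitog's Raspberry Pi case too: it is the same /32 to the server added twice, not a TLS or crypto problem.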