StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

[Resolved] Error establishing the CSTP channel [OpenConnect-GUI] . #1546

Open akha666 opened 5 years ago

akha666 commented 5 years ago

Hello, I've got an issue with OpenConnect after Streisand was deployed with DigitalOcean:

Error establishing the CSTP channel
Disconnected

I disabled "acct = pam" in /etc/ocserv/ocserv.conf; now the OpenConnect-GUI can connect to the server.


the-darkvoid commented 5 years ago

With this change, only the main streisand username / password is required to connect. Where did the certificate authentication go?

Edit: Looks like when using OpenConnect through Shimo, Shimo just refuses to do certificate authentication against Streisand ocserv, even when configured to do so. And because of the "acct = pam" line in the configuration file, user/password authentication fails by default.

JonathanLehner commented 5 years ago

How to log into the Digital Ocean droplet to change the conf file? Since the droplet was created by ansible.

akha666 commented 5 years ago

> How to log into the Digital Ocean droplet to change the conf file? Since the droplet was created by ansible.

Follow this link https://www.digitalocean.com/docs/droplets/how-to/connect-with-ssh/ and use your generated private key for Streisand. The default user name is root.

zee-shany commented 5 years ago

Hello,

I'm still unable to connect via openconnect after commenting out this line: "acct=pam". Can someone please assist? Thanks in advance.

EDIT: After rebooting the server, I was able to connect.

dol commented 5 years ago

I had the same issue. Commenting out 'acct=pam' in /etc/ocserv/ocserv.conf solved the problem. sudo systemctl restart ocserv instead of a reboot was enough. My client was openconnect on an Ubuntu 18.04 box.

stonedreamforest commented 4 years ago

> I had the same issue. Commenting out 'acct=pam' in /etc/ocserv/ocserv.conf solved the problem. sudo systemctl restart ocserv instead of a reboot was enough. My client was openconnect on a Ubuntu 18.04 box.

+1

matteoipri commented 4 years ago

Thank you @akha666, this solved the issue for me as well. I tried to connect from a PC running Arch Linux and I was not able to connect either via the command line or with the NetworkManager openconnect plug-in.

From the ocserv manual I understand that the setting acct = pam is useful when the openconnect user is a local user on the server. Streisand does not create a streisand user in /etc/passwd, at least on my installation.

> With this change, only the main streisand username / password is required to connect. Where did the certificate authentication go?

@the-darkvoid Where are the instructions for certificate authentication you mentioned? In the Streisand Gateway pages I only see user and password for openconnect...

matteoipri commented 4 years ago

I just skipped the first part of documentation! My bad! I found the certificates and I can confirm that connection does work with certificates and acct = pam commented.
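
The workaround reported in this thread, written as a repeatable script. This is an added example, not part of the thread or of Streisand's code; the function names and the sample config are constructed for illustration. It also lists the `auth` / `enable-auth` lines that stay active, so you can see which authentication methods remain in force after the change.

```shell
#!/bin/sh
# Added example (not Streisand's code). Function names are hypothetical.

# Matches an active (uncommented) PAM accounting line; spacing and quotes may vary.
ACCT_RE='^[[:space:]]*acct[[:space:]]*=[[:space:]]*"?pam'

# Comment out an active "acct = pam" line, keeping the original as <file>.bak.
# Returns 0 if the file was changed, 1 if there was nothing to change.
disable_pam_acct() {
    conf=$1
    grep -Eq "$ACCT_RE" "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 2
    sed -E 's/^([[:space:]]*acct[[:space:]]*=[[:space:]]*"?pam.*)$/#\1/' \
        "$conf.bak" > "$conf"
}

# Print the authentication directives that are still active in the config.
active_auth() {
    grep -E '^[[:space:]]*(enable-)?auth[[:space:]]*=' "$1"
}

# Demo on a constructed config (sample values, not a real Streisand file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth = "certificate"
enable-auth = "plain[passwd=/path/to/ocpasswd]"
acct = "pam"
EOF
disable_pam_acct "$demo" && echo "acct = pam commented out"
echo "Still active:"
active_auth "$demo"
rm -f "$demo" "$demo.bak"

# On the server, as root:
#   disable_pam_acct /etc/ocserv/ocserv.conf && systemctl restart ocserv
```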