StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

OpenVPN doesn't work on Ubuntu 14.04 #463

Closed ibayer closed 7 years ago

ibayer commented 7 years ago

The setup of streisand on DigitalOcean worked very well. Thanks for this great project!

The only issue I currently have is that I can't connect from a 14.04 ubuntu installation to streisand (reproducible on multiple machines) while connecting from a 16.04 ubuntu machine works just fine.

I suspect that is caused by a fairly old openvpn version on 14.04. Any idea how to fix this?

This is output from ubuntu 16.04 (everything works)

openvpn --version
OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

This is output from ubuntu 14.04 (vpn can't connect)

openvpn --version
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

14.04

xxx@xxxx$  sudo openvpn xxx-direct.ovpn
[sudo] password for xxx:
Options error: Unrecognized option or missing parameter(s) in 46.101.221.58-direct.ovpn:13: tls-version-min (2.3.2)
Use --help for more information.

14.04 after commenting out tls-version-min (2.3.2)

xxx@xxx$  sudo openvpn xxx-direct.ovpn
Sun Dec 25 13:15:11 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sun Dec 25 13:15:11 2016 Control Channel Authentication: tls-auth using INLINE static key file
Sun Dec 25 13:15:11 2016 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 25 13:15:11 2016 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Dec 25 13:15:11 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sun Dec 25 13:15:11 2016 Attempting to establish TCP connection with [AF_INET]46.101.221.58:636 [nonblock]
Sun Dec 25 13:15:12 2016 TCP connection established with [AF_INET]46.101.221.58:636
Sun Dec 25 13:15:12 2016 TCPv4_CLIENT link local: [undef]
Sun Dec 25 13:15:12 2016 TCPv4_CLIENT link remote: [AF_INET]46.101.221.58:636
alimakki commented 7 years ago

I'm assuming that the Ubuntu 14.04 machine is a client machine, and the 16.04 is the server. Yes, the 14.04 OpenVPN installation will need to be upgraded.

There are several ways that you can do this:

  1. Compile and install OpenVPN from source.

    • Visit https://openvpn.net/index.php/download/community-downloads.html
    • Download the source archive, for example wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.14.tar.gz
    • expand the archive tar -xzvf openvpn-2.3.14.tar.gz then change directory, cd openvpn-2.3.14
    • configure, make and make install: ./configure then make then sudo make install
    • try running openvpn --version, you should be seeing the latest build number
  2. Add the OpenVPN deb repository to your client machine, purge OpenVPN and re-install from the repo.

    • I'll point you to OpenVPN's instructions for doing so: OpenVPN Software Repo
    • For your client machine (14.04, after importing GPG keys), your line should look like the following: $ echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
    • After adding the repo, you'll want to remove your installation's OpenVPN version, update the apt cache, then re-install, as such:
      • sudo apt-get remove openvpn
      • sudo apt update
      • sudo apt install openvpn

I hope that helps answer your questions.

Good luck :)

ibayer commented 7 years ago

> I'm assuming that the Ubuntu 14.04 machine is a client machine, and the 16.04 is the server. Yes, the 14.04 OpenVPN's installation will need to be upgraded.

Yes

@alimakki Thanks for your fast and comprehensive answer. Maybe this should be added to the doc. It took me quite a while to understand why the openvpn connection failed on ubuntu 14.04. I first thought that the streisand deployment didn't work.

Would it be possible to make streisand compatible with older openvpn versions (like the one from 14.04)? The openvpn upgrade isn't difficult for me but will cause problems for the people I wanted to give access to my streisand deployment.

alimakki commented 7 years ago

I can definitely work on adding some extra documentation to highlight OpenVPN version incompatibilities.

> Would it be possible to make streisand compatible with older openvpn versions (like the one from 14.04)? The openvpn upgrade isn't difficult for me but will cause problems for the people I wanted to give access to my streisand deployment.

This might be a bit tricky. To make Streisand's OpenVPN compatible with older versions effectively means either configuring it with parameters older clients would accept or downgrading the server's (read Streisand's) version of OpenVPN, which in my opinion are both detrimental to security.

ibayer commented 7 years ago

> I can definitely work on adding some extra documentation to highlight OpenVPN version incompatibilities.

Great, I'm sure this will save quite a few people from trouble. I know many people who are still running ubuntu 14.04 (with an old openvpn version).

> means either configuring it with parameters older clients would accept

Can this be done on the client side? This would allow to provide two configurations (one less secure).

> or downgrading the server's (read Streisand's) version of OpenVPN, which in my opinion are both detrimental to security.

I completely agree with your position to force users to upgrade openvpn if the compatibility issues can only be fixed server side, and would therefore affect all users.

alimakki commented 7 years ago

> Can this be done on the client side? This would allow to provide two configurations (one less secure).

If you haven't upgraded your client side openvpn installation yet, you could experiment; open the .ovpn file, and comment out the line:

tls-version-min 1.2, as such: #tls-version-min 1.2

and attempt to reconnect.
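
The client-side check below is an added example written for this thread; it is not Streisand's code and not part of alimakki's answer. It parses a client profile (.ovpn) the way OpenVPN reads it (one directive per line, `#`/`;` comments, inline `<ca>…</ca>` blocks skipped), reads the client version from the first line of `openvpn --version`, and reports which directives that client will reject, which is the condition behind the "Unrecognized option … tls-version-min (2.3.2)" error in the opening comment. It is meant both as the post-upgrade verification step for the procedure above (run it with the new `openvpn --version` output) and as the safer alternative to commenting out `tls-version-min`, since removing that line silently drops the TLS floor instead of surfacing the mismatch. The version floors in `MIN_VERSION` are assumptions: the thread only establishes that 2.3.2 rejects `tls-version-min` and 2.3.10 accepts it; the 2.3.3 and 2.4.0 values are taken from the OpenVPN changelogs and the sample profile and hostname are constructed.

```python
"""Flag .ovpn directives that a given OpenVPN client version does not accept.

Added example for this issue thread (not Streisand's own code). It diagnoses the
client/profile mismatch before connecting rather than by stripping lines.
"""
import re

# Earliest OpenVPN release that understands each directive.
# ASSUMPTION: values come from the OpenVPN changelogs, not from this thread;
# the thread itself only shows 2.3.2 rejecting and 2.3.10 accepting tls-version-min.
MIN_VERSION = {
    "tls-version-min": (2, 3, 3),
    "tls-version-max": (2, 3, 4),
    "tls-crypt": (2, 4, 0),
    "ncp-ciphers": (2, 4, 0),
}

# Constructed client profile, laid out like a Streisand "direct" profile.
# The hostname is a placeholder and the certificate body is not a real key.
SAMPLE_PROFILE = """\
# constructed client profile (not from the project)
client
dev tun
proto tcp
remote vpn.example.invalid 636
tls-client
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
key-direction 1
"""

# Constructed from the first line of the 14.04 "openvpn --version" output in the thread.
VERSION_OUTPUT_14_04 = (
    "OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] "
    "[eurephia] [MH] [IPv6] built on Dec  1 2014\n"
)


def parse_version(version_output):
    """Return (major, minor, patch) from 'openvpn --version' output."""
    m = re.search(r"OpenVPN (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no OpenVPN version string found")
    return tuple(int(x) for x in m.groups())


def parse_profile(text):
    """Yield (line_number, directive, args) for each directive line.

    Comments and blank lines are skipped; the contents of inline blocks such as
    <ca>...</ca> and <tls-auth>...</tls-auth> are skipped because OpenVPN treats
    them as data, not as directives.
    """
    directives = []
    in_block = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if in_block is not None:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((lineno, parts[0], parts[1:]))
    return directives


def unsupported_directives(profile_text, client_version):
    """Return [(line_number, directive, required_version)] the client will reject."""
    hits = []
    for lineno, directive, _args in parse_profile(profile_text):
        required = MIN_VERSION.get(directive)
        if required is not None and client_version < required:
            hits.append((lineno, directive, required))
    return hits


def report(profile_text, version_output):
    """Human-readable lines, mirroring OpenVPN's own 'file:line: option' style."""
    version = parse_version(version_output)
    fmt = lambda v: ".".join(str(x) for x in v)  # noqa: E731
    return [
        "line %d: %s needs OpenVPN %s or newer, client is %s"
        % (lineno, directive, fmt(required), fmt(version))
        for lineno, directive, required in unsupported_directives(profile_text, version)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_PROFILE, VERSION_OUTPUT_14_04):
        print(line)
```

Run it with a real profile by reading the .ovpn into `report()` together with the output of `openvpn --version` on the client; an empty result means the client accepts every directive the server-generated profile relies on, which is the check to make after the upgrade before handing the profile to other people.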

ibayer commented 7 years ago

Doesn't help (you can see the resulting output in my opening comment). Well, it solves the first problem but also creates another.

cpu commented 7 years ago

I believe this issue is sufficiently stale as to be unactionable. Please open a new issue providing the information requested by the issue template if you still have this problem with a fresh Streisand server deployed using the latest code from master. Thanks!