StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn
Other
23.21k stars 1.99k forks source link

AnyConnect Android app asks for username/password #847

Open sammoth opened 7 years ago

sammoth commented 7 years ago

I have followed the Android instructions on the OpenConnect page on Streisand. After step 21 (Tap Connect on the group selection screen), the app prompts me for a username/password and won't connect if I enter nothing. Have I done something wrong?

Thanks

cpu commented 7 years ago

@alimakki @jlund Have either of you used AnyConnect on Android (or otherwise) recently?

alimakki commented 7 years ago

@cpu Recently when I tested the revert to 0.11.7, seemed to work fine on my end. Looking back setting up AnyConnect is a somewhat involved processes and its easy to overlook a step which I have done several times.

OP may also need to spin up a new instance in case the version of ocserv installed is 0.11.8

sammoth commented 7 years ago

I'm using a fresh install and it's definitely the right version:

# ocserv --version
ocserv 0.11.7

I reset the app and ran through the steps again carefully and got the same, so I definitely think it is not working as expected.

This isn't important to me as I have OpenVPN running now instead.

alimakki commented 7 years ago

@sammoth seems odd. In any case I'll give it another go tomorrow.

HougeLangley commented 7 years ago

Same issue happen in my phone. I used linux client configure user name and password connect success.

alimakki commented 7 years ago

Very odd. I was testing today and it appears to be working on my end.

jrodrigosm commented 7 years ago

Hi, I just installed AnyConnect on my Android phone today, and I'm having the same issue when starting the AnyConnect VPN: I'm being prompted for user/password.

The streisand server was installed last week, so it's quite recent.

I don't really know what to do, but if you give me some pointers I'm willing to help. I can even (privately) share my server credentials (I will spin up a new one afterwards).

I'm running version 4.0.09030 of AnyConnect, on Android 7.1.1.

alimakki commented 7 years ago

@jrodrigosm can you let me know the result of git rev-parse HEAD on your streisand directory?

nopdotcom commented 7 years ago

I feel your pain.

smartselectimage_2017-08-07-16-34-41 copy 4

(This is not exactly a stock Samsung 6.0 ROM, so I’ll try this in the simulator later.)

This is a deployment against 9cc77832 in nopdotcom/streisand, which is a null diff to jlund/streisand 24841095.

jrodrigosm commented 7 years ago

Running git rev-parse HEAD on my local copy of the streisand repo gives f2bd962f3541b370fca5d1ca5a0ac06ac4399030

dcava commented 7 years ago

Same issue here on new install with stock Pixel android - username is asked.

Works fine from Mac openconnect client (albeit with certificate errors - hostname mismatch).

Any new changes in the Anyconnect app recently?

alimakki commented 7 years ago

@dcava There has been (on iOS), which has been updated to use the latest VPN framework. Legacy AnyConnect works as intended.

Edit: Didn't notice you mentioned pixel. My Android device is running 6.0 but I can't seem to be able to reproduce the issue on my end :(

nopdotcom commented 7 years ago

If you’re seeing this problem, it would be interesting to see if it existed on a second (temporary) server deployed from the same source tree to the same place.

cpu commented 7 years ago

As of yet no one has been able to identify the root cause of this but @nopdotcom has documented a workaround in master as of today.

dcava commented 7 years ago

@nopdotcom Can confirm same issue on a gcloud deployment and vultr deployment on new servers.

Confirm the workaround using "streisand" and the ocserv password from the config works.

Looking through the AnyConnect logs, the only things I can see are:

No profile available for host X
certAuthHasFailed
Certificate authentication requested from gateway, no valid certs found in users cert store.

Message type prompt sent to user: Please enter your password

But not really sure how significant....

alimakki commented 7 years ago

There's an alternative OpenConnect app on the play store that should be more cooperative; it seemed to work fine during my testing with the additional benefit of being able to configure the client to use PFS.

or2me commented 6 years ago

first,

ocpasswd -c /etc/ocserv/ocpasswd MY_name

set a new user with a simple password

then

/etc/init.d/ocserv restart

so you can login with a shorter username/password now .