StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Problem with the default OpenVPN / SSLDroid configuration #891

Closed dispose256 closed 7 years ago

dispose256 commented 7 years ago

Expected behavior: Connecting to the Streisand server via OpenVPN tunneled through SSLDroid will work.

Actual Behavior: Connection initiates but fails repeatedly reporting MTU size mismatch errors and cypher mismatch error (local vs remote). Connections keep resetting and restarting without completing.

Steps to Reproduce:

  1. Follow steps to use OpenVPN/SSLDroid per the streisand server instructions (to the letter).
  2. Attempt to connect and bang... the problem happens.

Additional Details: The connection without SSLDroid using OpenVPN direct configuration works perfectly without any issues. It looks like the default profiles for OpenVPN / Stunnel are mismatched in some way.

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider: Digital Ocean
Operating System of target host: Default server as set up by streisand script (Ubuntu)
Operating System of client: Android 7.0
Version of Ansible, using ansible --version :
Output from git rev-parse HEAD in your Streisand directory :

dispose256 commented 7 years ago

I also tried it from a Windows computer; attached are the log files (partial) from the connection attempt for OpenVPN and STUNNEL. Again, the direct OpenVPN config works.

Thu Aug 17 19:31:22 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Thu Aug 17 19:31:22 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Aug 17 19:31:22 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Thu Aug 17 19:31:22 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Thu Aug 17 19:31:22 2017 Need hold release from management interface, waiting...
Thu Aug 17 19:31:23 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Thu Aug 17 19:31:23 2017 MANAGEMENT: CMD 'state on'
Thu Aug 17 19:31:23 2017 MANAGEMENT: CMD 'log all on'
Thu Aug 17 19:31:23 2017 MANAGEMENT: CMD 'echo all on'
Thu Aug 17 19:31:23 2017 MANAGEMENT: CMD 'hold off'
Thu Aug 17 19:31:23 2017 MANAGEMENT: CMD 'hold release'
Thu Aug 17 19:31:23 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 17 19:31:23 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Aug 17 19:31:23 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:41194
Thu Aug 17 19:31:23 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Aug 17 19:31:23 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:41194 [nonblock]
Thu Aug 17 19:31:23 2017 MANAGEMENT: >STATE:1503012683,TCP_CONNECT,,,,,,
Thu Aug 17 19:31:23 2017 TCP connection established with [AF_INET]127.0.0.1:41194
Thu Aug 17 19:31:23 2017 TCP_CLIENT link local: (not bound)
Thu Aug 17 19:31:23 2017 TCP_CLIENT link remote: [AF_INET]127.0.0.1:41194
Thu Aug 17 19:31:23 2017 MANAGEMENT: >STATE:1503012683,WAIT,,,,,,

2017.08.17 19:30:55 LOG5[main]: stunnel 5.42 on x86-pc-msvc-1500 platform
2017.08.17 19:30:55 LOG5[main]: Compiled/running with OpenSSL 1.0.2l-fips 25 May 2017
2017.08.17 19:30:55 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2017.08.17 19:30:55 LOG5[main]: Reading configuration from file stunnel.conf
2017.08.17 19:30:55 LOG5[main]: UTF-8 byte order mark not detected
2017.08.17 19:30:55 LOG5[main]: FIPS mode disabled
2017.08.17 19:30:55 LOG4[main]: Service [stunnel] needs authentication to prevent MITM attacks
2017.08.17 19:30:55 LOG5[main]: Configuration successful
2017.08.17 19:31:23 LOG5[0]: Service [stunnel] accepted connection from 127.0.0.1:58673
2017.08.17 19:31:23 LOG5[0]: s_connect: connected 178.62.251.191:993
2017.08.17 19:31:23 LOG5[0]: Service [stunnel] connected remote server from 127.0.0.1:58674

cpu commented 7 years ago

Hi @dispose256, Please fill out the issue template as completely as possible:

> Version of Ansible, using ansible --version :
> Output from git rev-parse HEAD in your Streisand directory :

> I also tried it from a Windows computer, attached are the log files (partial) from the connection attempt for OpenVPN and STUNNEL, again the direct OpenVPN config works

To clarify: OpenVPN on Windows works? Only if you use the Direct OpenVPN profile or others?

> Connection initiates but fails repeatedly reporting MTU size mismatch errors and cypher mismatch error (local vs remote). Connections keep resetting and restarting without completing.

Can you provide a screenshot or copy of the error produced?

alimakki commented 7 years ago

Hi @dispose256,

I have tried to replicate your scenario; however, it seems to be working on my end (w/ Android 6). After you have configured SSLDroid, did you start the SSLDroid service prior to connecting to the stunnel configured profile?

[Image: screenshot_20170820-183741]

alimakki commented 7 years ago

Closing this issue as there have been no replies.