haugene / vpn-configs-contrib

A collection of configs for various VPN providers
GNU General Public License v3.0

Ghostpath certificate has been updated #91

Closed brossow closed 11 months ago

brossow commented 2 years ago

Do you have the latest provider files?

Have you tested the provider files?

Can you create a PR for this config?

Provider details

Ghostpath has updated their certificate and as a result I'm getting this error in the log when I try to open Transmission: "OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed." I've tested using the custom provider option and it's working fine for me now, but I don't have the resources at the moment to create a PR and thought I should at least report it. Would someone be able to update the certificate file for this provider? You can find all of the latest Ghostpath configs, any of which contains the new certificate, here: https://ghostpath.com/servers. Thanks in advance!

Anything else?

No response

ovizii commented 1 year ago

Does anyone have a current status on GHOSTPATH? Is it currently working in this container?

brossow commented 1 year ago

GP isn't working for me at all. I have a ticket open with them as of yesterday and will report my findings. It appears their certificate doesn't meet current OpenSSL requirements by default, and if you edit the OVPN file to work around that so the original warning is ignored, then it says the certificate is expired. Not my area of expertise by a long shot, but I can post logs here if it would help the devs, but my gut feeling is that it's a GP problem to solve.

ovizii commented 1 year ago

I came to the same conclusion that it's not me, it's not this container image but rather GP itself after having a look at the logs.

ovizii commented 1 year ago

I got a reply from Ghostpath staff sending me a new .ovpn file and as far as I can tell the only new addition is this line:

tls-cipher "DEFAULT:@SECLEVEL=0"

which tells my client to bypass the SSL verification which makes no sense to me.

brossow commented 1 year ago

That's weird, because when I opened my ticket with them, I explicitly told them I'd already tried that (wouldn't surprise me if that's where they got the idea to suggest it to you) and while it bypasses the security warning, it then refuses to complete the connection. They haven't even replied to me. They just need to update their certificate, for Pete's sake. 😡

ovizii commented 1 year ago

Here is the config they supplied to me, there's nothing secret in here that I can spot, so I am sharing it here.

# host/port of vpn server
remote iad4.gpvpn.com 8080

# file containing username and password
#auth-user-pass openvpn.userpass
# ... or prompt for authentication
auth-user-pass

# equivalent to pull, tls-client
client

tls-cipher "DEFAULT:@SECLEVEL=0"

# redirect all outgoing traffic to the vpn gateway
redirect-gateway

# verify the server certificate for authenticity
remote-cert-tls server

#cipher
cipher AES-256-CBC

proto udp
dev tun
nobind

<ca>
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
</ca>
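
An added example, not part of the thread and not code from this repository: a small linter that parses an OpenVPN client config like the one quoted above and reports the settings that affect how the server certificate is checked. The sample config, its host name and the certificate placeholder are constructed; `parse_ovpn` and `audit` are hypothetical names.

```python
import re
# Constructed sample modelled on the config quoted in the thread; the host
# name and certificate body are placeholders, not values from the page.
SAMPLE_OVPN = """\
remote vpn.example.invalid 8080
client
tls-cipher "DEFAULT:@SECLEVEL=0"
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})

def parse_ovpn(text):
    """Return (directives, inline_blocks) parsed from client config text."""
    directives, blocks, tag, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                  # inside <tag> ... </tag>
            if line == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            tag = m.group(1)
        elif line and line[0] not in "#;":       # skip blanks and comments
            name, _, arg = line.partition(" ")
            directives.append((name, arg.strip()))
    return directives, blocks

def audit(text):
    """List findings about settings that weaken server authentication."""
    directives, blocks = parse_ovpn(text)
    findings = []
    for arg in (a for n, a in directives if n == "tls-cipher"):
        if arg != arg.translate(CURLY):          # quotes mangled by copy/paste
            findings.append("tls-cipher uses curly quotes; retype with plain quotes")
        # Level 0 turns off OpenSSL's minimum-strength checks on keys,
        # signature digests and ciphers.
        if re.search(r"@SECLEVEL=0\b", arg):
            findings.append("tls-cipher sets OpenSSL security level 0")
    if ("remote-cert-tls", "server") not in directives:
        findings.append("remote-cert-tls server is missing")
    if "BEGIN CERTIFICATE" not in blocks.get("ca", ""):
        findings.append("no inline <ca> certificate found")
    return findings
```

The linter does not parse the certificate itself; the expiry date and signature algorithm of the extracted `<ca>` block can be read with `openssl x509 -noout -enddate -text`.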

ovizii commented 1 year ago

Does anyone have a workaround? Do I need to get a new VPN provider? Any suggestions?