kota65535 / github-openvpn-connect-action

GitHub Action for connecting to OpenVPN server.
MIT License

VPN with TLS Cert with Private Key Password #57

Open s-nt-s opened 7 months ago

s-nt-s commented 7 months ago

Hello

This is my config.ovpn:

client
dev tun
proto tcp
remote ********** **********
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4 name
cipher AES-256-CBC
data-ciphers-fallback 'AES-256-CBC'
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
**********
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
**********
-----END OpenVPN Static key V1-----
</tls-crypt>

And it is how I manually connect to it:

$ sudo openvpn --config ./config.ovpn --askpass --up-restart --persist-key --persist-tun

2023-11-26 12:34:22 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-11-26 12:34:22 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ****************************************************************
2023-11-26 12:34:33 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:33 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:33 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:33 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:33 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.69:443
2023-11-26 12:34:33 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-11-26 12:34:33 Attempting to establish TCP connection with [AF_INET]192.168.1.69:443 [nonblock]
2023-11-26 12:34:34 TCP connection established with [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 TCP_CLIENT link local: (not bound)
2023-11-26 12:34:34 TCP_CLIENT link remote: [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 TLS: Initial packet from [AF_INET]192.168.1.69:443, sid=1ae92fa2 9b782996
2023-11-26 12:34:34 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-11-26 12:34:34 VERIFY KU OK
2023-11-26 12:34:34 Validating certificate extended key usage
2023-11-26 12:34:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-11-26 12:34:34 VERIFY EKU OK
2023-11-26 12:34:34 VERIFY X509NAME OK: CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:34 VERIFY OK: depth=0, CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:34 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2023-11-26 12:34:34 [bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4] Peer Connection Initiated with [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.17.231.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.17.231.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-11-26 12:34:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.5)
2023-11-26 12:34:34 OPTIONS IMPORT: timers and/or timeouts modified
2023-11-26 12:34:34 OPTIONS IMPORT: --ifconfig/up options modified
2023-11-26 12:34:34 OPTIONS IMPORT: route options modified
2023-11-26 12:34:34 OPTIONS IMPORT: route-related options modified
2023-11-26 12:34:34 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-11-26 12:34:34 OPTIONS IMPORT: peer-id set
2023-11-26 12:34:34 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-11-26 12:34:34 OPTIONS IMPORT: data channel crypto options modified
2023-11-26 12:34:34 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-11-26 12:34:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:34 net_route_v4_best_gw query: dst 0.0.0.0
2023-11-26 12:34:34 net_route_v4_best_gw result: via 192.168.1.1 dev wlp4s0
2023-11-26 12:34:34 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp4s0 HWADDR=e4:b3:18:d2:f4:33
2023-11-26 12:34:34 TUN/TAP device tun0 opened
2023-11-26 12:34:34 net_iface_mtu_set: mtu 1500 for tun0
2023-11-26 12:34:34 net_iface_up: set tun0 up
2023-11-26 12:34:34 net_addr_v4_add: 10.17.231.4/24 dev tun0
2023-11-26 12:34:34 net_route_v4_add: 192.168.1.69/32 via 192.168.1.1 dev wlp4s0 table 0 metric -1
2023-11-26 12:34:34 net_route_v4_add: 0.0.0.0/1 via 10.17.231.1 dev [NULL] table 0 metric -1
2023-11-26 12:34:34 net_route_v4_add: 128.0.0.0/1 via 10.17.231.1 dev [NULL] table 0 metric -1
2023-11-26 12:34:34 Initialization Sequence Completed
2023-11-26 12:34:34 Connection reset, restarting [-1]
2023-11-26 12:34:34 SIGUSR1[soft,connection-reset] received, process restarting
2023-11-26 12:34:34 Restart pause, 5 second(s)
2023-11-26 12:34:39 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:39 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:39 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:39 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:39 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-11-26 12:34:39 Attempting to establish TCP connection with [AF_INET]192.168.1.69:443 [nonblock]
2023-11-26 12:34:39 TCP connection established with [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 TCP_CLIENT link local: (not bound)
2023-11-26 12:34:39 TCP_CLIENT link remote: [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 TLS: Initial packet from [AF_INET]192.168.1.69:443, sid=e1ef43b9 e900a3da
2023-11-26 12:34:39 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-11-26 12:34:39 VERIFY KU OK
2023-11-26 12:34:39 Validating certificate extended key usage
2023-11-26 12:34:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-11-26 12:34:39 VERIFY EKU OK
2023-11-26 12:34:39 VERIFY X509NAME OK: CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:39 VERIFY OK: depth=0, CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:39 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2023-11-26 12:34:39 [bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4] Peer Connection Initiated with [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.17.231.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.17.231.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-11-26 12:34:39 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.5)
2023-11-26 12:34:39 OPTIONS IMPORT: timers and/or timeouts modified
2023-11-26 12:34:39 OPTIONS IMPORT: --ifconfig/up options modified
2023-11-26 12:34:39 OPTIONS IMPORT: route options modified
2023-11-26 12:34:39 OPTIONS IMPORT: route-related options modified
2023-11-26 12:34:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-11-26 12:34:39 OPTIONS IMPORT: peer-id set
2023-11-26 12:34:39 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-11-26 12:34:39 OPTIONS IMPORT: data channel crypto options modified
2023-11-26 12:34:39 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-11-26 12:34:39 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:39 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:39 Preserving previous TUN/TAP instance: tun0
2023-11-26 12:34:39 Initialization Sequence Completed

But when I use kota65535/github-openvpn-connect-action in order to connect from a GitHub Action it always fails:

running command: sudo openvpn --config ./client.ovpn --daemon --log openvpn.log --writepid openvpn.pid

2023-11-25 23:59:55 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-11-25 23:59:55 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Error: VPN connection failed.
kota65535 commented 7 months ago

I've never used a private key with a passphrase, but I think we cannot use them because GitHub Action runner does not have TTY and we have no chance to type the passphrase. cf. https://github.com/actions/runner/issues/241

s-nt-s commented 7 months ago

You can append in client.ovpn a line like askpass pass.txt where pass.txt is a file that contains the password.

Morriz commented 4 months ago

I see the action makes this modification:

auth-user-pass up.txt

does that mean it now is supported @kota65535 ?

Morriz commented 4 months ago

I still can't use it and I DO use a passphrase for my key. Let me try without...

Morriz commented 4 months ago

I created a new issue for this: #63. Feel free to mark it as dupe if you think it is...

anxo-outeiral commented 3 months ago

Same issue here as @s-nt-s, and the same `client.ovpn` file.

> You can append in client.ovpn a line like askpass pass.txt where pass.txt is a file that contains the password.

This works for me too, but it's not really secure saving the password in plain text.
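
The `askpass <file>` workaround above, wired up the way a pipeline step would do it, as an added example that is not code from the action or from anyone in this thread. It assumes the passphrase arrives in the environment variable `VPN_KEY_PASSPHRASE` (for example from a GitHub Actions secret) and that the client config is `./client.ovpn` as in the thread; the file is created with mode 0600 and removed right after OpenVPN has read it, which addresses the plain-text concern as far as the runner allows.

```bash
#!/usr/bin/env bash
# Added example, not part of kota65535/github-openvpn-connect-action.
# Assumption: VPN_KEY_PASSPHRASE holds the key passphrase (e.g. a GitHub secret).
set -eu

# Return 0 when the inline <key> is a PKCS#8 encrypted key, i.e. the case in
# which OpenVPN would prompt "Enter Private Key Password" on a TTY.
key_is_encrypted() {
  grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Write the passphrase to a file readable only by the current user. The
# umask is set in a subshell so the file is 0600 from creation, with no
# window in which it is world-readable.
write_passphrase_file() {
  local dest="$1"
  [ -n "${VPN_KEY_PASSPHRASE:-}" ] || { echo "VPN_KEY_PASSPHRASE is unset" >&2; return 1; }
  ( umask 077 && printf '%s\n' "$VPN_KEY_PASSPHRASE" > "$dest" )
}

# Append "askpass <file>" so OpenVPN reads the passphrase without a TTY.
# Idempotent, and a no-op when the key is not encrypted.
add_askpass() {
  local cfg="$1" pass_file="$2"
  key_is_encrypted "$cfg" || return 0
  grep -q '^askpass ' "$cfg" || printf 'askpass %s\n' "$pass_file" >> "$cfg"
}

# Remove the passphrase file once openvpn --daemon has returned (the key is
# loaded before it forks into the background). Keep persist-key in the
# config, as the manual command in this thread does, so a soft restart
# does not try to re-read the key.
remove_passphrase_file() {
  rm -f -- "$1"
}

# Usage in a pipeline step (commented out so the functions can be sourced):
# write_passphrase_file ./pass.txt
# add_askpass ./client.ovpn ./pass.txt
# sudo openvpn --config ./client.ovpn --daemon --log openvpn.log --writepid openvpn.pid
# remove_passphrase_file ./pass.txt
```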

Morriz commented 3 months ago

@anxo-outeiral that is not an issue when it is injected in a container in a GitHub pipeline just for that run, where nobody can get to it...

Anyway, I forked this repo and made it accept all the configuration needed imo: https://github.com/Morriz/github-openvpn-connect-action

anxo-outeiral commented 3 months ago

> @anxo-outeiral that is not an issue when it is injected in a container in a GitHub pipeline just for that run, where nobody can get to it...
>
> Anyway, I forked this repo and made it accept all the configuration needed imo: https://github.com/Morriz/github-openvpn-connect-action

Thanks @Morriz . I'll check it!