notthebee / ansible-easy-vpn

An Ansible playbook that sets up a Wireguard server with ad blocking, DNS-over-HTTPS, and a WebUI with 2FA

DNS Feature not yet working (pyOpenSSL issue) #113

Closed sw25481 closed 1 year ago

sw25481 commented 1 year ago

Describe the issue

Everything worked well but the DNS role did not execute correctly in the playbook (see bottom for SSL error).

The result was a Wireguard client configuration which included a DNS server set to 10.8.2.2 and what seemed at first to be no internet connectivity. In fact, only DNS resolution does not work. Pings are fine.

Changing the wireguard config for the client to use DNS = 1.1.1.1 worked round it

Logs (if applicable)

Docker container is not running

    $ docker container ls
    CONTAINER ID   IMAGE                       COMMAND                  CREATED       STATUS                   PORTS                                        NAMES
    e28882b9c105   weejewel/wg-easy:7          "docker-entrypoint.s…"   2 hours ago   Up 15 minutes            0.0.0.0:51820->51820/udp, 51821/tcp          wg-easy
    a96465423d3d   bunkerity/bunkerweb:1.4.2   "/opt/bunkerweb/help…"   2 hours ago   Up 15 minutes (healthy)  80/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   bunkerweb
    94657a75d429   authelia/authelia:4.36      "/app/entrypoint.sh …"   2 hours ago   Up 15 minutes (healthy)  9091/tcp                                     authelia
    f60eb562b9d3   redis:alpine                "docker-entrypoint.s…"   2 hours ago   Up 15 minutes            6379/tcp

Re-running the role as root is not working

    ~/ansible-easy-vpn# ansible-galaxy install -r requirements.yml
    Starting galaxy role install process
    [WARNING]: - chriswayg.msmtp-mailer (master) is already installed - use --force to change version to unspecified
    Starting galaxy collection install process
    Nothing to do. All requested collections are already installed. If you want to reinstall them, consider using --force.
    ~/ansible-easy-vpn# client_loop: send disconnect: Connection reset

    ~/ansible-easy-vpn# ansible localhost -m include_role -a name=dns
    Vault password:

    PLAY [Ansible Ad-Hoc] *****

    TASK [include_role : dns] *****

    TASK [dns : Build the adguard-unbound Docker image] ***
    An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
    fatal: [localhost]: FAILED! => changed=false
      module_stderr: |-
        Traceback (most recent call last):
          File "/root/.ansible/tmp/ansible-tmp-1672669866.3675923-2523-134598830121521/AnsiballZ_docker_image.py", line 107, in <module>
            _ansiballz_main()
          File "/root/.ansible/tmp/ansible-tmp-1672669866.3675923-2523-134598830121521/AnsiballZ_docker_image.py", line 99, in _ansiballz_main
            invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
          File "/root/.ansible/tmp/ansible-tmp-1672669866.3675923-2523-134598830121521/AnsiballZ_docker_image.py", line 47, in invoke_module
            runpy.run_module(mod_name='ansible_collections.community.docker.plugins.modules.docker_image', init_globals=dict(_module_fqn='ansible_collections.community.docker.plugins.modules.docker_image', _modlib_path=modlib_path),
          File "/usr/lib/python3.8/runpy.py", line 207, in run_module
            return _run_module_code(code, init_globals, run_name, mod_spec)
          File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
            _run_code(code, mod_globals, init_globals,
          File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
            exec(code, run_globals)
          File "/tmp/ansible_community.docker.docker_image_payload_6n16rffv/ansible_community.docker.docker_image_payload.zip/ansible_collections/community/docker/plugins/modules/docker_image.py", line 342, in <module>
          File "<frozen importlib._bootstrap>", line 991, in _find_and_load
          File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
          File "<frozen importlib._bootstrap>", line 655, in _load_unlocked
          File "<frozen importlib._bootstrap>", line 618, in _load_backward_compatible
          File "<frozen zipimport>", line 259, in load_module
          File "/tmp/ansible_community.docker.docker_image_payload_6n16rffv/ansible_community.docker.docker_image_payload.zip/ansible_collections/community/docker/plugins/module_utils/common_api.py", line 23, in <module>
          File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in <module>
            from urllib3.contrib import pyopenssl
          File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
            import OpenSSL.SSL
          File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
            from OpenSSL import crypto, SSL
          File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
            class X509StoreFlags(object):
          File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
            CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
        AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
      module_stdout: ''
      msg: |-
        MODULE FAILURE
        See stdout/stderr for the exact error
      rc: 1

    PLAY RECAP ****
    localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Environment:

Running the full playbook fails on the docker task

    TASK [docker : Install Docker Module for Python] **
    fatal: [localhost]: FAILED! => changed=false
      cmd:

    PLAY RECAP ****
    localhost : ok=22 changed=2 unreachable=0 failed=1 skipped=2 rescued=0 ignored=0

I fixed this by following the advice from https://github.com/pyca/pyopenssl/issues/1143 and https://askubuntu.com/questions/1428181/module-lib-has-no-attribute-x509-v-flag-cb-issuer-check/1433089#1433089

Download latest from https://pypi.org/project/pyOpenSSL/#files

Then install with

    python3 -m easy_install pyOpenSSL-23.0.0-py3-none-any.whl

Now the playbooks run

notthebee commented 1 year ago

What OS are you running this on?

sw25481 commented 1 year ago

    # uname -a
    Linux racknerd-xxxxx 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

    # cat /etc/lsb-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"

Spoke too soon, the container still does not run - looking into that next.

    $ docker container ls -a
    CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS                  PORTS                                        NAMES
    6ca24bd8f3c5   adguard-unbound-doh         "/opt/entrypoint.sh"     13 minutes ago   Created                                                              adguard-unbound-doh
    e28882b9c105   weejewel/wg-easy:7          "docker-entrypoint.s…"   4 hours ago      Up 9 minutes            0.0.0.0:51820->51820/udp, 51821/tcp          wg-easy
    a96465423d3d   bunkerity/bunkerweb:1.4.2   "/opt/bunkerweb/help…"   4 hours ago      Up 9 minutes (healthy)  80/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   bunkerweb
    94657a75d429   authelia/authelia:4.36      "/app/entrypoint.sh …"   4 hours ago      Up 9 minutes (healthy)  9091/tcp                                     authelia
    f60eb562b9d3   redis:alpine                "docker-entrypoint.s…"   4 hours ago      Up 9 minutes            6379/tcp                                     redis

notthebee commented 1 year ago

Thank you, will investigate further 👍

notthebee commented 1 year ago

10.8.2.2 being the DNS server in the Wireguard config is intentional, since this is the IP address of the Adguard container. Wireguard forwards all the DNS requests to the container, and then the Adguard takes care of the actual DNS resolution.

That being said, I couldn't reproduce the issue with the DNS resolution. After connecting to the Wireguard server (Ubuntu 20.04), I was able to access the Internet and the DNS requests showed up in the AdGuard's WebUI

I did, however, encounter the pyOpenSSL error. It seems to be related to this bug in pyOpenSSL: https://github.com/pyca/pyopenssl/issues/1143

For now, I've pinned the cryptography and pyOpenSSL packages to older versions, and the X509_V_FLAG_CB_ISSUER_CHECK error seems to be gone.

Also, in your second log, the container does seem to be running:

    $ docker container ls -a
    CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS                  PORTS                                        NAMES
    6ca24bd8f3c5   adguard-unbound-doh         "/opt/entrypoint.sh"     13 minutes ago   Created                                                              adguard-unbound-doh   <<< this one
    e28882b9c105   weejewel/wg-easy:7          "docker-entrypoint.s…"   4 hours ago      Up 9 minutes            0.0.0.0:51820->51820/udp, 51821/tcp          wg-easy
    a96465423d3d   bunkerity/bunkerweb:1.4.2   "/opt/bunkerweb/help…"   4 hours ago      Up 9 minutes (healthy)  80/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   bunkerweb
    94657a75d429   authelia/authelia:4.36      "/app/entrypoint.sh …"   4 hours ago      Up 9 minutes (healthy)  9091/tcp                                     authelia
    f60eb562b9d3   redis:alpine                "docker-entrypoint.s…"   4 hours ago      Up 9 minutes            6379/tcp                                     redis

Let me know if the issue persists for you.

sw25481 commented 1 year ago

Thank you for taking a look. I see the merged PR

I'll initiate a full rebuild and see if I encounter it again

sw25481 commented 1 year ago

Did a reinstall of the VM. Ran through the install from scratch. No failed roles in the playbooks, no nasty errors.

Same problem

The issue is this

    root@racknerd-xxxxx:~/ansible-easy-vpn/roles/dns/tasks# grep 10 /root/ansible-easy-vpn/roles/dns/tasks/main.yml
    ipv4_address: 10.8.2.2

This IP is being used by authelia

Changing it to 10.8.2.6 fixes it (lets the container start, and DNS now works if you change your client to point DNS to 10.8.2.6); however, Wireguard still gives out 10.8.2.2 as the DNS server to new clients.

sw25481 commented 1 year ago

That is fixed by updating /root/ansible-easy-vpn/roles/wireguard/tasks/main.yml to

    {%- set wg_dns = "10.8.2.6" -%}

and re-running the playbook

Or perhaps I have gone about this wrong and you actually wanted Authelia to run on 10.8.2.6

notthebee commented 1 year ago

Good catch!

This happens because a static IP address is only set for the DNS container, but not for Authelia, Wireguard or Bunkerweb. So what happens is the Authelia role runs before the DNS role, and automatically gets assigned the first available IP in the pool (18.0.2.2)

I've set static IP addresses for other containers as well in 5fcf3c4 so this shouldn't happen anymore.
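The root cause above is worth having as a repeatable check: a network where only one container pins `ipv4_address` works or fails depending purely on start order. The script below is an added example, not code from this thread or from the ansible-easy-vpn playbook. It models Docker's address assignment on a user-defined network and reports the collision. Its assumptions are labelled in the code: the subnet is 10.8.2.0/24 with the gateway on .1 (the playbook's actual subnet is not shown in the thread), an unpinned container gets the lowest free address in start order, and the service list and the "after" addresses are constructed for illustration, not the values chosen in commit 5fcf3c4.

```python
"""Model how a Docker user-defined network hands out addresses, to catch the
collision described in this thread: one service pins ipv4_address while the
others take whatever the pool gives them, in whatever order they start.

Assumptions (not taken from the playbook): the network is 10.8.2.0/24 with the
gateway on the first host address, and Docker's IPAM gives an unpinned
container the lowest address that is still free, in container start order.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    ipv4_address: Optional[str] = None  # set => static, like the dns role's ipv4_address:


@dataclass
class Plan:
    assigned: Dict[str, str] = field(default_factory=dict)               # service -> address
    conflicts: List[Tuple[str, str, str]] = field(default_factory=list)  # (service, address, holder)


def plan_addresses(subnet: str, services: List[Service]) -> Plan:
    """Simulate address assignment for services in their start order."""
    net = IPv4Network(subnet)
    hosts = list(net.hosts())
    in_use: Dict[IPv4Address, str] = {hosts[0]: "gateway"}  # assumption: gateway is .1
    plan = Plan()
    for svc in services:
        if svc.ipv4_address is not None:
            wanted = IPv4Address(svc.ipv4_address)
            if wanted not in net:
                raise ValueError(f"{svc.name}: {wanted} is outside {net}")
            if wanted in in_use:
                # The failure from the thread: the pinned address was already
                # handed out dynamically, so this container cannot start.
                plan.conflicts.append((svc.name, str(wanted), in_use[wanted]))
                continue
            addr = wanted
        else:
            addr = next(h for h in hosts if h not in in_use)
        in_use[addr] = svc.name
        plan.assigned[svc.name] = str(addr)
    return plan


def unpinned_services(services: List[Service]) -> List[str]:
    """Lint rule: if any service on the network pins an address, all of them
    should, otherwise start order decides whether the pinned one can come up."""
    if not any(s.ipv4_address for s in services):
        return []
    return [s.name for s in services if s.ipv4_address is None]


# Constructed start order: Authelia before the DNS container, as the thread describes.
BEFORE = [
    Service("authelia"),
    Service("redis"),
    Service("wg-easy"),
    Service("bunkerweb"),
    Service("adguard-unbound-doh", "10.8.2.2"),
]

# Constructed fix: every service pinned. These addresses are illustrative,
# not the ones the project chose in 5fcf3c4.
AFTER = [
    Service("authelia", "10.8.2.3"),
    Service("redis", "10.8.2.4"),
    Service("wg-easy", "10.8.2.5"),
    Service("bunkerweb", "10.8.2.6"),
    Service("adguard-unbound-doh", "10.8.2.2"),
]

if __name__ == "__main__":
    for label, services in (("before", BEFORE), ("after", AFTER)):
        plan = plan_addresses("10.8.2.0/24", services)
        print(label, plan.assigned, "conflicts:", plan.conflicts,
              "unpinned:", unpinned_services(services))
```

Running it prints the "before" plan with authelia on 10.8.2.2 and adguard-unbound-doh listed as a conflict against authelia, and the "after" plan with no conflicts and no unpinned services. The lint in `unpinned_services` is the cheap preventive check: if any container on the network needs a fixed address, pin all of them so the result no longer depends on which role happens to run first.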

notthebee commented 1 year ago

The issue was (hopefully) solved in 5fcf3c4. Feel free to re-open if you're still experiencing it.