passepartoutvpn / tunnelkit

VPN client library for Apple platforms.
GNU General Public License v3.0

Disconnects when traffic starts #261

Closed Jdgmx closed 2 years ago

Jdgmx commented 2 years ago

Summary

This is a continuation of issue #260. The connection to the VPN is established, but as soon as traffic starts it gets disconnected.

This happens with the demo app in tunnelkit.

Steps to reproduce

The OVPN configuration file looks like this:

remote redacted 1194
client
proto udp
remote-cert-tls server
verb 2
dev tun0
cipher AES-256-CBC
auth SHA256
comp-lzo
sndbuf 524288
rcvbuf 524288
redirect-gateway def1

plus the keys & certificates.

What is the current bug behavior?

As mentioned in the previous bug, I get the following interesting stuff in my local console:

debug MyVPN com.apple.CFBundle Bundle: CFBundle 0x7fcba231f3f0 </System/Library/Frameworks/CoreFoundation.framework> (framework, loaded), key: TunnelKitOpenVPN, value: TunnelKitOpenVPN, table: Error, localizationName: (null), result: TunnelKitOpenVPN
debug nesessionmanager com.apple.networkextension NESMVPNSession[Primary Tunnel:MyVPN MTD:0B3D3E6F-8B62-4736-BB7C-7E8021ABD79F:(null)]: Received a info fetch request with type "extended status" from MyVPN[6420]
default MyVPN com.apple.networkextension Last disconnect error changed from "The operation couldn’t be completed. (TunnelKitOpenVPN error 303.)" to "none"

But I get this in the server log:

Jun 22 19:31:11 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:63133 SENT CONTROL [redacted_email@address]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.5 255.255.0.0' (status=1)
Jun 22 19:31:18 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:63133 Bad LZO decompression header byte: 69
Jun 22 19:31:21 hub-pri openvpn-vtun0[13108]: message repeated 7 times: [ redacted_email@address/73.206.0.1:63133 Bad LZO decompression header byte: 69]
Jun 22 19:33:12 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:63133 [redacted_email@address] Inactivity timeout (--ping-restart), restarting
Jun 22 19:33:12 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:63133 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jun 22 19:33:33 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 TLS: Initial packet from [AF_INET]73.206.0.1:49630, sid=e1abba81 65e485d8
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 VERIFY OK: depth=1, CN=Easy-RSA CA
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 VERIFY OK: depth=0, CN=redacted_email@address
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1570'
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: 73.206.0.1:49630 [redacted_email@address] Peer Connection Initiated with [AF_INET]73.206.0.1:49630
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 OPTIONS IMPORT: reading client specific options from: /opt/vyatta/etc/openvpn/ccd/vtun0/redacted_email@address
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 MULTI: Learn: 10.8.0.5 -> redacted_email@address/73.206.0.1:49630
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 MULTI: primary virtual IP for redacted_email@address/73.206.0.1:49630: 10.8.0.5
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 PUSH: Received control message: 'PUSH_REQUEST'
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 send_push_reply(): safe_cap=940
Jun 22 19:33:34 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 SENT CONTROL [redacted_email@address]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.5 255.255.0.0' (status=1)
Jun 22 19:33:40 hub-pri openvpn-vtun0[13108]: redacted_email@address/73.206.0.1:49630 SIGTERM[soft,remote-exit] received, client-instance exiting
Jun 22 19:33:42 hub-pri openvpn-vtun0[13108]: event_wait : Interrupted system call (code=4)
Jun 22 19:33:42 hub-pri openvpn-vtun0[13108]: Closing TUN/TAP interface
Jun 22 19:33:42 hub-pri openvpn-vtun0[13108]: /sbin/ip addr del dev vtun0 10.8.0.1/16
Jun 22 19:33:42 hub-pri openvpn-vtun0[13108]: SIGTERM[hard,] received, process exiting

Of interest IMO are the messages "Bad LZO decompression header byte: 69", "SIGTERM[soft,remote-exit] received, client-instance exiting" and "SIGTERM[hard,] received, process exiting". In other words, the server is crashing.

If I use the same OVPN config file in the official OpenVPN client everything works correctly.

Server configuration looks like this:

encryption 'aes256'
firewall in ipv6-name 'ipv6-IN'
firewall in name 'VPN-IN'
hash 'sha512'
local-port '1194'
mode 'server'
openvpn-option 'txqueuelen 1000'
openvpn-option 'sndbuf 524288'
openvpn-option 'rcvbuf 524288'
openvpn-option 'fragment 0'
openvpn-option 'mssfix 0'
openvpn-option 'cipher AES-256-CBC'
openvpn-option 'auth SHA256'
openvpn-option 'tls-version-min 1.2'
openvpn-option 'comp-lzo'
persistent-tunnel
protocol 'udp'
server client redacted_email@address ip '10.8.0.5'
server subnet '10.8.0.0/16'
tls ca-cert-file '/config/auth/ca.crt'
tls cert-file '/config/auth/server.crt'
tls dh-file '/config/auth/dh2048.pem'
tls key-file '/config/auth/server.key'
use-lzo-compression

What is the expected correct behavior?

Connects and lets traffic flow through the tunnel.

Jdgmx commented 2 years ago

Now that I'm thinking about it, I modified the Demo app in tunnelkit to read an OVPN file, and I'm using the same code in my test app to read it, so that's the thing in common. My code to do it looks like this:

import Foundation
import TunnelKitManager   // NetworkExtensionVPN, NetworkExtensionExtra
import TunnelKitOpenVPN   // OpenVPN.ConfigurationParser, OpenVPN.ProviderConfiguration

// Properties assumed on the enclosing type, as in the demo app:
//   vpn: NetworkExtensionVPN              the manager driving the tunnel
//   tunnelIdentifier: String              bundle id of the tunnel Network Extension
//   appGroup: String                      app group shared with the extension
//   cfg: OpenVPN.ProviderConfiguration?   last configuration handed to the extension

// where ovpnCfg is the URL to the config file
func connectWithOVPN(conf ovpnCfg: URL) async
{
   do {
      // Parse the .ovpn file; the result also carries any warning the parser produced.
      let parsed = try OpenVPN.ConfigurationParser.parsed(fromURL: ovpnCfg)
      let ovpnConf = parsed.configuration // OpenVPN.Configuration
      // Round-trip through the builder (the place to override individual options).
      let builder = ovpnConf.builder()
      let customConfiguration = builder.build()
      cfg = OpenVPN.ProviderConfiguration("TunnelKit.OpenVPN",
                                          appGroup: appGroup,
                                          configuration: customConfiguration)
      // Hand the configuration to the tunnel extension and (re)start it.
      try await vpn.reconnect(tunnelIdentifier,
                              configuration: cfg!, // needs to be NetworkExtensionConfiguration
                              extra: NetworkExtensionExtra(),
                              after: .seconds(2))
   } catch {
      print("**** The error is \(error.localizedDescription)")
   }
}

Is it correct?

Jdgmx commented 2 years ago

Found my error: Remember to include the package TunnelKitLZO in both the main application AND in the tunnel Network Extension.
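A worked illustration, added here as an example and not part of the issue thread or of TunnelKit's code, tying the server's "Bad LZO decompression header byte: 69" lines in the issue body to the fix in the last comment. When both peers have negotiated comp-lzo, OpenVPN expects every data-channel payload to begin with one framing byte: 0x66 for an LZO-compressed payload, 0xFA for one sent as-is (the values in OpenVPN's lzo.h). A client whose tunnel extension has no LZO support sends bare IP packets instead, so the server reads the first byte of an IPv4 header (0x45, decimal 69, i.e. version 4 with a 5-word IHL) as the framing byte, logs exactly that number and drops the packet. The script below reproduces the server's decision on a constructed IPv4 packet, shows the correctly framed form, and counts the dropped packets from syslog lines modelled on the quoted log, including the "message repeated N times" folding. The packet bytes and log lines are constructed for the example; `user` stands in for the redacted client name.

```python
import re
from collections import Counter

# OpenVPN "comp-lzo" framing (values from OpenVPN's lzo.h): one byte precedes
# every data-channel payload once the peers have negotiated LZO compression.
LZO_COMPRESS_BYTE = 0x66  # payload is LZO-compressed
NO_COMPRESS_BYTE = 0xFA   # payload is a literal, sent uncompressed


def classify_lzo_frame(payload: bytes) -> str:
    """Mirror what an OpenVPN peer with comp-lzo enabled does with a decrypted payload."""
    if not payload:
        return "empty"
    header = payload[0]
    if header == LZO_COMPRESS_BYTE:
        return "compressed"
    if header == NO_COMPRESS_BYTE:
        return "literal"
    # OpenVPN logs the offending byte in decimal and drops the packet.
    return f"Bad LZO decompression header byte: {header}"


def frame_uncompressed(ip_packet: bytes) -> bytes:
    """Apply comp-lzo framing without compressing: the minimum a compression-aware client must do."""
    return bytes([NO_COMPRESS_BYTE]) + ip_packet


def describe_header_byte(header: int) -> str:
    """Guess what an unexpected framing byte really was; 0x4? / 0x6? are IP version nibbles."""
    if header >> 4 == 4:
        return (f"IPv4 header (version 4, IHL {header & 0x0F}): "
                "peer sent a raw packet with no comp-lzo framing")
    if header >> 4 == 6:
        return "IPv6 header: peer sent a raw packet with no comp-lzo framing"
    return "unknown"


# Constructed sample: a 20-byte IPv4 header, 10.8.0.5 -> 10.8.0.1, UDP, checksum left zero.
SAMPLE_IPV4 = bytes.fromhex("4500001400004000401100000a0800050a080001")

# Constructed syslog lines modelled on the server log quoted in the issue.
SAMPLE_SERVER_LOG = [
    "Jun 22 19:31:18 hub-pri openvpn-vtun0[13108]: user/73.206.0.1:63133 "
    "Bad LZO decompression header byte: 69",
    "Jun 22 19:31:21 hub-pri openvpn-vtun0[13108]: message repeated 7 times: "
    "[ user/73.206.0.1:63133 Bad LZO decompression header byte: 69]",
    "Jun 22 19:33:12 hub-pri openvpn-vtun0[13108]: user/73.206.0.1:63133 [user] "
    "Inactivity timeout (--ping-restart), restarting",
]

BAD_HEADER_RE = re.compile(r"Bad LZO decompression header byte: (\d+)")
REPEAT_RE = re.compile(r"message repeated (\d+) times: \[(.*)\]")


def count_bad_lzo_headers(log_lines) -> dict:
    """Count dropped packets per framing byte, expanding syslog's 'message repeated N times' folding."""
    counts = Counter()
    for line in log_lines:
        times = 1
        folded = REPEAT_RE.search(line)
        if folded:
            times = int(folded.group(1))
            line = folded.group(2)
        bad = BAD_HEADER_RE.search(line)
        if bad:
            counts[int(bad.group(1))] += times
    return dict(counts)


if __name__ == "__main__":
    print(classify_lzo_frame(SAMPLE_IPV4))                      # what the unframed client triggers
    print(classify_lzo_frame(frame_uncompressed(SAMPLE_IPV4)))  # what a correctly framed packet yields
    for header, n in count_bad_lzo_headers(SAMPLE_SERVER_LOG).items():
        print(f"{n} packets with header byte {header} (0x{header:02x}): "
              f"{describe_header_byte(header)}")
```

The practical check this gives you: if an OpenVPN server logs a bad LZO header byte whose high nibble is 4 or 6, the client is encrypting and authenticating correctly (the packets passed the HMAC and cipher stages) but is not applying the compression framing both sides agreed on, which is exactly what a tunnel extension built without the LZO module does. Either add the module to the extension, as the last comment does, or drop comp-lzo on both ends.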