search

schwabe / ics-openvpn

OpenVPN for Android
3.35k stars 1.2k forks source link

Segmentation fault when start vpn via binary file #1582

Closed tonhathuy closed 1 year ago

tonhathuy commented 1 year ago

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version 7.1.2
  2. Custom ROM
  3. Device: my custom
  4. Version of the app self-built 0.7.41
  5. Architecture x86_64

    Description of the issue

    I'm tried to start vpn via openvpn core ( compiled binary ) . I used below command but Segmentation fault error occurred. I tried running the ovpn file with your application, it works perfectly fine. Please tell me if I am missing a step or is it not possible to launch the vpn. LD_LIBRARY_PATH=/data/app/de.blinkt.openvpn-1/lib/x86_64/ ./cache/c_pie_openvpn.x86_64 --config /assets/client.ovpn

    Log (if applicable)

WARNING: linker: /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.x86_64: unsupported flags DT_FLAGS_1=0x8000001
2023-02-20 03:39:11 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-02-20 03:39:11 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.40-0-g28cb5982] x86_64 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 15 2023
2023-02-20 03:39:11 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-02-20 03:39:11 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-02-20 03:39:11 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-02-20 03:39:11 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-02-20 03:39:11 TCP/UDP: Preserving recently used remote address: [AF_INET]54.69.183.138:1194
2023-02-20 03:39:11 Socket Buffers: R=[212992->200000] S=[212992->200000]
Segmentation fault

Logcat :

02-20 03:41:21.460 31271 31271 W linker  : /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.x86_64: unsupported flags DT_FLAGS_1=0x8000001
--------- beginning of crash
02-20 03:41:21.475 31271 31271 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x428 in tid 31271 (c_pie_openvpn.x)
02-20 03:41:21.475  1257  1257 W         : debuggerd: handling request: pid=31271 uid=0 gid=0 tid=31271
02-20 03:41:21.530 31272 31272 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-20 03:41:21.531 31272 31272 F DEBUG   : Build fingerprint: ':7.1.2/NJH47B/ubuntu02080234:userdebug/dev-keys'
02-20 03:41:21.531 31272 31272 F DEBUG   : Revision: '0'
02-20 03:41:21.531 31272 31272 F DEBUG   : ABI: 'x86_64'
02-20 03:41:21.531 31272 31272 F DEBUG   : pid: 31271, tid: 31271, name: c_pie_openvpn.x  >>> ./cache/c_pie_openvpn.x86_64 <<<
02-20 03:41:21.531 31272 31272 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x428
02-20 03:41:21.531 31272 31272 F DEBUG   :     rax 000072517a08af98  rbx 0000000000000003  rcx 0000000000000022  rdx 0000725179400000
02-20 03:41:21.531 31272 31272 F DEBUG   :     rsi 00007ffe8bdd70d4  rdi 0000000000000000
02-20 03:41:21.531 31272 31272 F DEBUG   :     r8  fffffffffffffff0  r9  000072517a22ab40  r10 0000000000000000  r11 0000000000000246
02-20 03:41:21.531 31272 31272 F DEBUG   :     r12 000072517a08afb8  r13 0000000000000004  r14 0000000000000000  r15 00007251794eb000
02-20 03:41:21.531 31272 31272 F DEBUG   :     cs  0000000000000033  ss  000000000000002b
02-20 03:41:21.531 31272 31272 F DEBUG   :     rip 0000725179da18d4  rbp 0000000000000003  rsp 00007ffe8bdd61f0  eflags 0000000000010297
02-20 03:41:21.532 31272 31272 F DEBUG   : 
02-20 03:41:21.532 31272 31272 F DEBUG   : backtrace:
02-20 03:41:21.532 31272 31272 F DEBUG   :     #00 pc 000000000027d8d4  /data/app/de.blinkt.openvpn-1/lib/x86_64/libopenvpn.so
02-20 03:41:21.532 31272 31272 F DEBUG   :     #01 pc 000000000027ea3e  /data/app/de.blinkt.openvpn-1/lib/x86_64/libopenvpn.so (link_socket_init_phase2+2206)
02-20 03:41:21.532 31272 31272 F DEBUG   :     #02 pc 000000000023d336  /data/app/de.blinkt.openvpn-1/lib/x86_64/libopenvpn.so (init_instance+6374)
02-20 03:41:21.532 31272 31272 F DEBUG   :     #03 pc 000000000023ba0f  /data/app/de.blinkt.openvpn-1/lib/x86_64/libopenvpn.so (init_instance_handle_signals+31)
02-20 03:41:21.532 31272 31272 F DEBUG   :     #04 pc 00000000002556b0  /data/app/de.blinkt.openvpn-1/lib/x86_64/libopenvpn.so (main+624)
02-20 03:41:21.532 31272 31272 F DEBUG   :     #05 pc 000000000001c994  /system/lib64/libc.so (__libc_init+84)
02-20 03:41:21.532 31272 31272 F DEBUG   :     #06 pc 00000000000005b7  /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.x86_64
02-20 03:41:21.532 31272 31272 F DEBUG   :     #07 pc 000000000000057d  /data/data/de.blinkt.openvpn/cache/c_pie_openvpn.x86_64
schwabe commented 1 year ago

While it should probably not segfault, the binary while not work without the management interface from the app. It needs the management interface + app to do all the privileged operations. If you want to run OpenVPN standalone you need to compile it with Linux as target and not Android

tonhathuy commented 1 year ago

Thanks for the response, I wonder what you mean i need to compile a version of OpenVPN with linux then run it on android using the above command. Second, where can I find OpenVPN standalone, I have seen this issue but the link doesn't exist anymore.

schwabe commented 1 year ago

My binaries use TARGET_ANDROID instead of the normal TARGET_LINUX in OpenVPN. I meant that it needs to be compiled as a normal Linux target and not as the special Android target.

schwabe commented 1 year ago

Patch to fix the segfault: https://patchwork.openvpn.net/project/openvpn2/patch/20230220131424.1749736-1-arne@rfc2549.org/

tonhathuy commented 1 year ago

Hi @schwabe Thank you for patch to fix segfault, but I've got a problem: I tried rebuild your app and replace #define TARGET_ANDROID with #define TARGET_LINUX in config.h file. I found that there were quite a lot of errors inside the tun file during build in Android studio , so I cloned the openVPN repo to android and built from here , it seems that inside android lacks many other tools like gcc , build-essential package to build on this.

Log in Android studio:

ld: error: undefined symbol: net_addr_v4_del
>>> referenced by tun.c:1632 (/home/huy/Downloads/OVPN/ics-openvpn/main/src/main/cpp/openvpn/src/openvpn/tun.c:1632)
>>>               CMakeFiles/openvpn.dir/openvpn/src/openvpn/tun.c.o:(undo_ifconfig_ipv4)

ld: error: undefined symbol: net_addr_v6_del

Update: Yeah I built OpenVPN on termux ( I installed the necessary build tools through pkg ) . And it seems to be working and I guess I have to tweak a few places to make it work properly log : 

WARNING: linker: /data/data/com.termux/files/home/openvpn-2.6.0/src/openvpn/openvpn: unsupported flags DT_FLAGS_1=0x8000001
2023-02-22 10:51:48 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-02-22 10:51:48 OpenVPN 2.6.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-02-22 10:51:48 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-02-22 10:51:48 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2023-02-22 10:51:48 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-02-22 10:51:48 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-02-22 10:51:48 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.90.211:1194
2023-02-22 10:51:48 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-02-22 10:51:48 UDPv4 link local: (not bound)
2023-02-22 10:51:48 UDPv4 link remote: [AF_INET]XX.XXX.90.211:1194
2023-02-22 10:51:48 TLS: Initial packet from [AF_INET]XX.XXX.90.211:1194, sid=80d57a5e ae80c587
2023-02-22 10:51:48 net_route_v4_best_gw query: dst 0.0.0.0
2023-02-22 10:51:48 net_route_v4_best_gw result: via 0.0.0.0 dev 
2023-02-22 10:51:49 VERIFY OK: depth=1, CN=OpenVPN CA
2023-02-22 10:51:49 VERIFY OK: nsCertType=SERVER
2023-02-22 10:51:49 VERIFY OK: depth=0, CN=OpenVPN Server
2023-02-22 10:51:49 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-02-22 10:51:49 [OpenVPN Server] Peer Connection Initiated with [AF_INET]XX.XXX.90.211:1194
2023-02-22 10:51:49 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-02-22 10:51:49 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-02-22 10:51:50 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2023-02-22 10:51:50 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 172.27.232.1,route 172.27.224.0 255.255.240.0,route 172.28.224.0 255.255.240.0,route 172.31.0.0 255.255.0.0,block-ipv6,ifconfig 172.27.233.58 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
2023-02-22 10:51:50 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.6.0)
2023-02-22 10:51:50 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.6.0)
2023-02-22 10:51:50 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.6.0)
2023-02-22 10:51:50 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2023-02-22 10:51:50 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2023-02-22 10:51:50 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2023-02-22 10:51:50 OPTIONS IMPORT: timers and/or timeouts modified
2023-02-22 10:51:50 OPTIONS IMPORT: explicit notify parm(s) modified
2023-02-22 10:51:50 OPTIONS IMPORT: compression parms modified
2023-02-22 10:51:50 OPTIONS IMPORT: --ifconfig/up options modified
2023-02-22 10:51:50 OPTIONS IMPORT: route options modified
2023-02-22 10:51:50 OPTIONS IMPORT: route-related options modified
2023-02-22 10:51:50 OPTIONS IMPORT: peer-id set
2023-02-22 10:51:50 OPTIONS IMPORT: data channel crypto options modified
2023-02-22 10:51:50 net_route_v4_best_gw query: dst 0.0.0.0
2023-02-22 10:51:50 net_route_v4_best_gw result: via 0.0.0.0 dev 
2023-02-22 10:51:50 ROUTE_GATEWAY 0.0.0.0
2023-02-22 10:51:50 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
2023-02-22 10:51:50 Exiting due to fatal error
schwabe commented 1 year ago

The undefined errors are there since the android version does not compile things like networking_sitnl.c as those files are not needed for the Android version. You will have to modify the CmakeLists.txt to include them.

As for the error of /dev/net/tun. Yes. that is expected. Android is not a normal Linux and things work different there. I think at least older Android version still had /dev/tun . But Android's routing/forward is configured COMPLETLY different from a typical Linux system so be prepared that OpenVPN'x route and ifconfig commands wreak havoc.