twitchyliquid64 / subnet

Simple, auditable & elegant VPN, built with TLS mutual authentication and TUN.
MIT License

ON MAC, the client is not stable #11

Closed luckypoem closed 5 years ago

luckypoem commented 6 years ago

Hi. After I run: sudo subnet -gw 182.168.69.1 -network 182.168.69.4/24 -cert client.certPEM -key client.keyPEM -ca ca.certPEM server-ip

it shows:

2018/02/27 16:50:53 Created iface utun1
2018/02/27 16:50:54 Remote presented certificate 8947204077936876025 with time bounds (2018-02-27 06:47:34 +0000 UTC-2018-08-27 05:47:34 +0000 UTC). Verification error for certificate:
2018/02/27 16:50:54 IP of utun1 set to 182.168.69.4, localNetMask 255.255.255.0
2018/02/27 16:50:54 Default gateway is 192.168.1.1 on en0
2018/02/27 16:50:54 Traffic to my-vps-ip now routed via 192.168.1.1 on en0)

There are such words above: "Verification error for certificate: "

In China, when I open Firefox, sometimes I can't visit some blogspot.com sites. Why? Is it because of "Verification error for certificate: "? How to fix it? Thanks.

twitchyliquid64 commented 6 years ago

Hi,

If the client shows Verification error for certificate: <nil>, that means that verification of the remote certificate was successful (no error). The client connection is working correctly.

Are you sure blogspot was online at the time?

If you check your IP in firefox (using https://www.whatismyip.com or similar), are you on your home IP or your VPS IP? That is what matters.

luckypoem commented 5 years ago

Hi.

bogon:subnet brite$ sudo subnet -gw 182.168.69.1 -network 182.168.69.4/24 -cert client.certPEM -key client.keyPEM -ca ca.certPEM my-vps-ip
2018/09/23 12:29:53 Created iface utun1
2018/09/23 12:29:56 Remote presented certificate 2087385896096648852 with time bounds (2018-03-21 04:56:31 +0000 UTC-2018-09-21 04:56:31 +0000 UTC). Verification error for certificate: Certificate expired or used too soon
2018/09/23 12:29:56 subnet.NewClient() err: Certificate expired or used too soon
bogon:subnet brite$

How to fix "Certificate expired or used too soon"? Thanks a lot.

luckypoem commented 5 years ago

I checked the commands:

subnet --mode init-server-certs --cert server.certPEM --key server.keyPEM --ca ca.certPEM --ca_key ca.keyPEM

subnet --mode server --key server.keyPEM --cert server.certPEM --ca ca.certPEM --network 182.168.69.1/24

Both commands don't specify the expiry date of the certificates, so why did I encounter the hint "Certificate expired"?

twitchyliquid64 commented 5 years ago

Looking at the code that generates the certificate: https://github.com/twitchyliquid64/subnet/blob/master/subnet/cert/gen.go#L81

It appears I accidentally put the expiry silently at 6 months. I think this applies to both the CA cert and the server cert.

Sorry about this, my mistake. If both the CA cert and the server cert are expired, you will need to generate them both again.

I'm going to change this to 1 year, and make a print message to indicate the expiry.

luckypoem commented 5 years ago

Hi. Still not working. I removed subnet from /root/go/gopath/bin/, and reinstalled subnet with the command: go get -u -v github.com/twitchyliquid64/subnet in /root/go/gopath/.

On the Linux VPS, I removed all the cert and key files, and re-ran: subnet --mode init-server-certs --cert server.certPEM --key server.keyPEM --ca ca.certPEM --ca_key ca.keyPEM

and: subnet --mode make-client-cert --ca ca.certPEM --ca_key ca.keyPEM client.certPEM client.keyPEM

Then I removed ca.certPEM, client.certPEM, client.keyPEM from my Mac, and re-downloaded ca.certPEM, client.certPEM, client.keyPEM from the VPS to my Mac.

Then:

bogon:subnet yuming$ sudo subnet -gw 182.168.69.1 -network 182.168.69.4/24 -cert client.certPEM -key client.keyPEM -ca ca.certPEM my-vps-ip
2018/09/25 06:42:02 Created iface utun1
2018/09/25 06:42:10 Remote presented certificate 8109303859703935876 with time bounds (2018-09-25 10:22:32 +0000 UTC-2019-09-25 10:22:32 +0000 UTC). Verification error for certificate: Certificate expired or used too soon
2018/09/25 06:42:10 subnet.NewClient() err: Certificate expired or used too soon
bogon:subnet brite$

How to fix it?

twitchyliquid64 commented 5 years ago

Are your clocks correct on both systems?

luckypoem commented 5 years ago

Hello. Now it's OK, my Mac's clock wasn't correct.
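The two failures in this thread (a CA silently issued with a 6-month lifetime, and a client clock sitting behind the certificate's NotBefore) both surface as the same "expired or used too soon" error. The added example below is not subnet's own code (subnet's generator is in subnet/cert/gen.go and is not reproduced here); it builds a self-signed CA with an explicit validity window and verifies it against a simulated clock, so both cases can be reproduced offline. The helper names makeCA and checkAt are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a self-signed CA certificate whose validity window starts at
// notBefore and lasts validFor. Constructed for this example only.
func makeCA(notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAt verifies cert (trusting it as its own root) at the given clock
// instead of time.Now(), so a skewed client clock can be simulated.
// Returns "ok", "expired" or "too-soon".
func checkAt(cert *x509.Certificate, clock time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: clock})
	var invalid x509.CertificateInvalidError
	// Go reports both "not yet valid" and "expired" under the Expired reason.
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		if clock.Before(cert.NotBefore) {
			return "too-soon"
		}
		return "expired"
	}
	if err != nil {
		return fmt.Sprintf("error: %v", err)
	}
	return "ok"
}
```

A client whose clock reads 06:42 UTC while the server issued the certificate at 10:22 UTC the same day falls into the "too-soon" branch, which is exactly the second failure reported above.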

luckypoem commented 5 years ago

Now it's not OK again. I ran the client command, and it shows: ... Traffic to my-vps-ip now routed via 192.168.1.1 on en0

I also ran: networksetup -setdnsservers "Wi-Fi" "Empty" && networksetup -setdnsservers "Wi-Fi" 8.8.8.8

But I just can't open any website in Chrome. At the bottom left corner of the Chrome window, there is a hint: resolving host...

It always shows "resolving host...", but I just can't open any website in Chrome. Why? How to fix it?

twitchyliquid64 commented 5 years ago

Next time it happens try to ping your VPS IP, and try pinging 8.8.8.8 & google.com.

If VPS works but not the others, IP forwarding is not working on your VPS (remember the command to enable it).

If VPS & 8.8.8.8 work but not google.com, your DNS resolver is not working.

If none work, there is something wrong with your connection or subnet.

luckypoem commented 5 years ago

I see, I restarted the VPS but forgot to run "iptables -t nat -A POSTROUTING -j MASQUERADE". Now it's OK.