ultrahorizon / UH-VPN-Docs

Documentation, bug tracker and feature request system for UH VPN
https://docs.uh-vpn.com

BUG: Tunnel Borked #2

Closed marina8888 closed 5 years ago

marina8888 commented 5 years ago

Cannot reconnect to network without disconnecting from UH Enterprise first.

To Reproduce

  1. Connect to UH Enterprise, fast server.
  2. Browse internet normally (on Chrome?) for approx 1 hour. The error will repeat every hour (approx.) of browsing.

Expected behavior

Internet becomes no longer accessible until you disconnect from UH Enterprise, showing a page "your connection was interrupted". Once you are disconnected, the internet is accessible again and it is possible to reconnect to UH Enterprise.

  1. The Error will repeat after another (approx) hour of browsing while connected to UH Enterprise.

Screenshots

(Four screenshots attached: 2019-09-30 at 23:46:45, 23:47:01, 23:47:15 and 23:47:27.)

Web Console (please complete the following information):

Additional context

Error witnessed by James Webb at 10.15-10.25 p.m. 30/09/2019. Video not attachable but emailed directly.

Thank you, Marina

jwsi commented 5 years ago

Ok so this looks like a potential reachability issue (which should be picked up and fixed in iOS testing) and can be caused by a WAN failure (which I noticed when macOS WiFi icon flashed). Essentially, if WAN fails, the VPN should reconnect and bind to a new available address and port pair. If this process does not happen, the tunnel will remain unresponsive.

On the other hand, since this seems to be repetitive (once every hour), it could instead link to a renegotiation issue. Data channel encryption keys are changed every hour and this renegotiation process could be failing. I will search for any exception in the logs for you at this time and report any feedback here.

marina8888 commented 5 years ago

Just spoke to Irena and she said BT hub disconnects briefly every hour or so anyway… please feel free to assume that disconnection itself is not linked to the UH Enterprise - apologies if I misled you.

Marina

On 1 Oct 2019, at 00:18, James Webb notifications@github.com wrote:

Ok so this looks like a potential reachability issue (which should be picked up and fixed in iOS testing) and can be caused by a WAN failure (which I noticed when macOS WiFi icon flashed). Essentially, if WAN fails, the VPN should reconnect and bind to a new available address and port pair. If this process does not happen, the tunnel will remain unresponsive.

On the other hand, since this seems to be repetitive (once every hour), it could instead link to a renegotiation issue. Data channel encryption keys are changed every hour and this renegotiation process could be failing. I will search for any exception in the logs for you at this time and report any feedback here.

jwsi commented 5 years ago

No this is actually an issue with renegotiation. Logs are showing many issues with decrypting using the obfuscation keys and then complaining about TLS keys being out of sync => reneg failed.

@AnthonyWharton for reference server side:

TLS Error: tls-crypt unwrapping failed
tls-crypt unwrap error: bad packet ID (may be a replay): [ #8 / time = (1569877927) Mon Sep 30 22:12:07 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

TLS Error: local/remote TLS keys are out of sync

Think this might be a macOS client issue...
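A log triage sketch for the pattern described in the comment above, added here as an example and not code from the UH VPN project or from anyone in this thread. It flags each "keys out of sync" error that follows a tls-crypt unwrap failure and checks whether those bursts recur at the hourly key-change interval. The timestamp prefix, the 30-second pairing window, the 120-second tolerance and all function names are assumptions.

```python
import re
from datetime import datetime

# Message fragments copied from the server log quoted in the thread.
KINDS = {"unwrap": "tls-crypt unwrap",  # matches both tls-crypt lines
         "out_of_sync": "local/remote TLS keys are out of sync"}
# Assumption: each line starts with OpenVPN's ctime-style timestamp.
STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")

def parse(lines):
    """Return [(datetime, kind)] for lines matching a known failure message."""
    events = []
    for line in lines:
        m = STAMP.match(line.strip())
        if not m:
            continue  # unknown prefix format
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        events += [(when, k) for k, needle in KINDS.items() if needle in m.group(2)]
    return events

def failed_renegotiations(events, window=30):
    """Times where 'out of sync' follows an unwrap failure within `window` seconds."""
    hits, last_unwrap = [], None
    for when, kind in events:  # log order is assumed chronological
        if kind == "unwrap":
            last_unwrap = when
        elif last_unwrap and (when - last_unwrap).total_seconds() <= window:
            hits.append(when)
            last_unwrap = None  # count each burst once
    return hits

def is_periodic(times, interval=3600, tolerance=120):
    """True if every gap between hits is near a whole multiple of `interval`."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return bool(gaps) and all(round(g / interval) >= 1 and
        abs(g - round(g / interval) * interval) <= tolerance for g in gaps)

# Constructed sample; only the message texts come from the thread.
SAMPLE = """\
Mon Sep 30 21:12:05 2019 TLS Error: tls-crypt unwrapping failed
Mon Sep 30 21:12:06 2019 TLS Error: local/remote TLS keys are out of sync
Mon Sep 30 22:12:07 2019 tls-crypt unwrap error: bad packet ID (may be a replay): [ #8 / time = (1569877927) Mon Sep 30 22:12:07 2019 ]
Mon Sep 30 22:12:09 2019 TLS Error: local/remote TLS keys are out of sync
Mon Sep 30 22:40:00 2019 Initialization Sequence Completed
Mon Sep 30 23:12:10 2019 TLS Error: tls-crypt unwrapping failed
Mon Sep 30 23:12:11 2019 TLS Error: local/remote TLS keys are out of sync
""".splitlines()

print(is_periodic(failed_renegotiations(parse(SAMPLE))))
```

Bursts spaced at the key-change interval point toward renegotiation; irregular spacing points back toward the reachability explanation raised earlier in the thread.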

jwsi commented 5 years ago

This has now been fixed. UH Enterprise clients now control the key renegotiation time instead of the server which presented issues. Each client now defines: