DTLS handshake failed: Error in the push function. #122

ukaleq opened 4 years ago

ukaleq commented 4 years ago

As mentioned in the subject: Debian Stretch / openconnect 7.08-1 / network-manager-openconnect 1.2.4-1 run on the host, and I would like to establish a tunnel with openconnect to an ocserv docker image freshly deployed on a VPS.

The procedure on the host is below. How can I use both TCP and, especially, UDP?

~$ openconnect https://*.*.*.*:4443
POST https://*.*.*.*:4443/                                     
Connected to *.*.*.*:4443                     
SSL negotiation with *.*.*.*                                     
Server certificate verify failed: signer not found

Certificate from VPN server "*.*.*.* failed verification.              
Reason: signer not found          
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:***********
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on *.*.*.*
XML POST enabled                                  
Please enter your username.                          
Username: ****
POST https://*.*.*.*:4443/auth                                                                  
Please enter your password.                                         
POST https://*.*.*.*:4443/auth                   
Got CONNECT response: HTTP/1.1 200 CONNECTED                         
CSTP connected. DPD 90, Keepalive 32400                                                             
Connected as, using SSL + lz4                                                               
DTLS handshake failed: Error in the push function.                
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)         
DTLS handshake failed: Error in the push function.  
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)                        
SSL read error: The TLS connection was non-properly terminated.; reconnecting.
SSL negotiation with *.*.*.*                     
Server certificate verify failed: signer not found                       
Connected to HTTPS on *.*.*.*                                       
Got CONNECT response: HTTP/1.1 200 CONNECTED                                              
CSTP connected. DPD 90, Keepalive 32400                                                
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)

On the VPS, a netstat check showed UDP was not established. Testing UDP port 4443 showed it could not be reached from the public internet. Iptables accepts everything from anywhere, no doubt about it.

~$ netstat -uanp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0    *                           -
udp6       0      0 :::4443                 :::*

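
A note on what "testing UDP port 4443 could not be reached" can and cannot tell you. Unlike TCP, a UDP probe gets no handshake: the only positive signal is an application-layer reply, a closed port shows up as an ICMP port-unreachable (surfaced as ECONNREFUSED on a connected UDP socket), and silence is ambiguous because a firewall dropping the datagram looks identical to a bound service that ignores unsolicited data. A DTLS server such as ocserv belongs to the second group: it discards anything that is not a valid DTLS ClientHello, so a generic probe against its port reports "no reply" even when the port is open and working. The script below is an added example, not code from this issue or from ocserv/openconnect; every endpoint it talks to is a constructed listener on 127.0.0.1 with an ephemeral port, so it runs offline.

```python
"""Classify the outcome of a UDP probe: 'open', 'closed' or 'no-reply'.

Added example (not from the issue, ocserv or openconnect). All responders
are constructed on 127.0.0.1 so the three outcomes can be reproduced locally.
"""
import socket
import threading


def probe_udp(host: str, port: int, payload: bytes = b"probe", timeout: float = 1.0) -> str:
    """Send one datagram and wait for a reply.

    Returns 'open' (a reply arrived), 'closed' (ICMP port unreachable, which the
    kernel reports as ECONNREFUSED on a connected UDP socket) or 'no-reply'
    (timed out: either filtered on the path or the service stays silent).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() so that ICMP errors for this 5-tuple are delivered to recv()
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(2048)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-reply"


def start_responder(reply: bool):
    """Bind a constructed UDP listener on an ephemeral loopback port.

    reply=True echoes every datagram (a service that answers); reply=False
    swallows them (a bound port that never answers, like a DTLS server fed
    a non-DTLS payload). Returns (port, stop_function).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, addr = srv.recvfrom(2048)
            except socket.timeout:
                continue
            if reply:
                srv.sendto(data, addr)
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join()

    return port, stop_fn


def unbound_port() -> int:
    """Pick a loopback UDP port that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Run the three cases and return their classifications by name."""
    results = {}
    port, stop = start_responder(reply=True)
    results["echo"] = probe_udp("127.0.0.1", port)
    stop()
    port, stop = start_responder(reply=False)
    results["silent"] = probe_udp("127.0.0.1", port)
    stop()
    results["unbound"] = probe_udp("127.0.0.1", unbound_port())
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

The "silent" case is the one that matters for this issue: openconnect's hint "(Is a firewall preventing you from sending UDP packets?)" is its reading of exactly that outcome, and a port-scanner style check against 4443 cannot distinguish a provider-side UDP block from a healthy ocserv that simply ignored the probe. The only conclusive test is the DTLS handshake itself (openconnect with its verbose output on the client, and ocserv's own log on the server).
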
ukaleq commented 4 years ago

BTW, it is definitely a clean machine; I just added one line, "accept udp 4443".

~$ sudo iptables -L                   
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4443

Chain FORWARD (policy DROP)                      
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere    
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)                                  
target     prot opt source               destination         

Chain DOCKER (1 references)                                                              
target     prot opt source               destination  
ACCEPT     tcp  --  anywhere              tcp dpt:https
ACCEPT     udp  --  anywhere              udp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)       
target     prot opt source               destination                      
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
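
Two things in this listing are easy to misread. First, `iptables -L` prints only the filter table; the DNAT that maps the published host port to the container lives in the nat table (`iptables -t nat -L -n`) and is not shown here. Second, because that DNAT runs in PREROUTING, a datagram to host port 4443 already carries the container's port when it hits FORWARD and the DOCKER chain, which is why the DOCKER chain lists `udp dpt:443` rather than 4443; the hand-added INPUT rule for `udp dpt:4443` is only consulted for traffic that was not rewritten. The parser below is an added example, not code from this issue or from Docker; it walks the jump chains of a filter-table listing and reports which UDP destination ports are accepted from INPUT and from FORWARD. The sample is the listing from this issue, copied with the duplicated FORWARD header dropped, and the function names are my own.

```python
"""Walk an `iptables -L` (filter table) listing and list the UDP destination
ports accepted from a built-in chain, following jumps into user chains.

Added example (not from the issue or from Docker). SAMPLE_LISTING is the
output pasted in the issue above, minus the duplicated FORWARD header.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4443

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere              tcp dpt:https
ACCEPT     udp  --  anywhere              udp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
"""

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
DPORT = re.compile(r"\b(?:udp|tcp) dpt:(\S+)")


@dataclass
class Rule:
    target: str          # ACCEPT, DROP, RETURN, or the name of a user chain
    prot: str            # udp, tcp, all
    dport: str | None    # destination port (or service name) if the rule has one
    raw: str


@dataclass
class Chain:
    name: str
    policy: str | None   # built-in chains have a policy; user chains do not
    rules: list = field(default_factory=list)


def parse_iptables(text: str) -> dict[str, Chain]:
    """Parse `iptables -L` text into a name -> Chain mapping."""
    chains: dict[str, Chain] = {}
    current: Chain | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target"):
            continue  # column header or text before the first chain
        parts = line.split()
        if len(parts) < 2:
            continue
        dm = DPORT.search(line)
        current.rules.append(Rule(parts[0], parts[1], dm.group(1) if dm else None, line))
    return chains


def accepted_udp(chains: dict[str, Chain], start: str, path: tuple = ()) -> list:
    """Return [(chain_path, dport)] for every ACCEPT reachable from `start`
    that can match UDP; dport is '*' for rules without a port match.
    Jumps into user chains are followed; DROP/RETURN end nothing here because
    iptables evaluates rules in order and this walk only collects candidates.
    """
    out = []
    here = path + (start,)
    for r in chains[start].rules:
        if r.prot not in ("udp", "all"):
            continue
        if r.target == "ACCEPT":
            out.append((here, r.dport or "*"))
        elif r.target in chains:
            out.extend(accepted_udp(chains, r.target, here))
    return out


if __name__ == "__main__":
    parsed = parse_iptables(SAMPLE_LISTING)
    for chain in ("INPUT", "FORWARD"):
        for chain_path, port in accepted_udp(parsed, chain):
            print(" -> ".join(chain_path), "accepts udp dport", port)
```

Run against the listing it reports `INPUT accepts udp dport 4443` and `FORWARD -> DOCKER accepts udp dport 443` (plus the interface-scoped `ACCEPT all` rules Docker adds for bridge traffic, whose `-i`/`-o` qualifiers `iptables -L` hides; `iptables -L -n -v` shows them). So the host filter already admits the DNAT'd flow to the container, and the sensible next places to look are the nat table for the 4443 to 443/udp mapping, ocserv's own log for whether a DTLS ClientHello ever arrives, and any firewall the VPS provider applies in front of the host, which no `iptables` listing on the host will show.
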