vpnhood / VpnHood

Undetectable Fast Portable VPN
GNU Lesser General Public License v2.1

Users Unable to Reconnect After Server Update from Version 454 to 500 #550

Closed AmirHosseinCV closed 4 months ago

AmirHosseinCV commented 4 months ago

There is an issue with one of my servers where, after updating it from version 454 to 500 (or 515), users with client version 506 can no longer reconnect to the server (client version 454 works fine). They are able to connect initially when they insert the token, but upon trying to reconnect, they fail. Clearing the app data (which provides a new client ID) allows them to connect again, but only for one session.

I have another server with a nearly identical setup that does not exhibit this problem after the update.

Server appsettings.json:

{
  "FileAccessManager": {
    "ServerTokenUrl": "https://example.com/server-token/xy.wokuzhenaexo.net",
    "IsValidHostName": false,
    "TcpEndPoints": [ "0.0.0.0:443", "[::]:443" ],
    "DnsServers": [ "1.1.1.1", "1.0.0.1"],
    "SslCertificatesPassword": null,
    "NetFilter": {
        "BlockIpV6": true
    }
  },
  "IsDiagnoseMode": false
}

Example Token File:

{
  "v":4,
  "name":"S07-Star",
  "sid":null,
  "tid":"de451a9f-c759-xxxx-xxxx-xxxxxxx",
  "iat":"2024-05-21T19:45:39.9533989Z",
  "sec":"G0s6O/xtK7NDWUMcoElmog==",
  "ad":false,
  "ser":{
    "ct":"2024-05-21T22:56:05Z",
    "hname":"xy.wokuzhenaexo.net",
    "hport":443,
    "isv":false,
    "sec":"w95t+8kyeCRN6477KWO4nA==",
    "ch":"sgDAim7WlClxn3UPRuBJIC/OGmk=",
    "url":"https://example.com/server-token/xy.wokuzhenaexo.net",
    "ep":["x.x.x.x:443"]
  }
}

Update

Every server that has a fake domain has this issue. It doesn't show an error or anything; it shows an active connection, but nothing works.

trudyhood commented 4 months ago

This issue may occur if you have disabled auto-updates, as the server may miss the gradual migration. Some old tokens might be on your server because the server pushes the latest token to the client. The server has pushed the recent token to the client since 462.

What is your latest server version? Can you give me a token that does not work after first initializing the connection? trudy@vpnhood.com

AmirHosseinCV commented 4 months ago

I'm using Docker. You are right, when I updated the server, it didn't update the tokens to the new version, so I wrote a custom script to do so. Here is what I used:

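from datetime import datetime

# Assumption: server_secs is filled in elsewhere in the script and maps each
# server hostname to that server's secret (the "sec" value under "ser").
server_secs = {}

def convert_vpn_config(old_config):
    # Tokens that are already in the v4 layout are returned unchanged.
    if old_config['v'] == 4:
        return old_config
    new_config = {
        "v": 4,
        "name": old_config.get("name"),
        "sid": None,
        "tid": old_config.get("tid"),
        "iat": datetime.utcnow().isoformat() + "Z",
        "sec": old_config.get("sec"),
        "ad": False,
        # Server-specific fields move under "ser" in the v4 layout.
        "ser": {
            "ct": datetime.utcnow().isoformat() + "Z",
            "hname": old_config.get("hname"),
            "hport": old_config.get("hport"),
            "isv": old_config.get("isv"),
            "sec": server_secs.get(old_config.get("hname")),
            "url": f"https://vh.api.amircv.ir/server-tokens/{old_config.get('hname')}",
            "ep": old_config.get("ep")
        }
    }
    # The certificate hash is copied only when the host name is not valid.
    if not old_config.get("isv"):
        new_config["ser"]["ch"] = old_config.get("ch")
    return new_config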

And to convert files:

from datetime import datetime

def convert_vpn_config(old_config):
    # Stored files wrap the token together with the usage limits;
    # files whose token is already v4 are returned unchanged.
    if old_config['Token']['v'] == 4:
        return old_config
    new_config = {
        "ExpirationTime": old_config.get("ExpirationTime"),
        "MaxClientCount": old_config.get("MaxClientCount"),
        "MaxTraffic": old_config.get("MaxTraffic"),
        "Token": {
            "v": 4,
            "name": old_config["Token"].get("name"),
            "sid": None,
            "tid": old_config["Token"].get("tid"),
            "iat": datetime.utcnow().isoformat() + "Z",
            "sec": old_config["Token"].get("sec"),
            "ad": False,
            "ser": None
        }
    }
    return new_config

I'll send you an example token.

AmirHosseinCV commented 4 months ago

I should mention that using the same method, everything works fine on servers with valid domains. However, on servers with fake domains, even generating a completely new token results in the same issue. (server version: 500)

trudyhood commented 4 months ago

I can connect to your server using the token you provided multiple times. Please verify that it works with our most recent version. Also, ensure that your client is up to date. If the latest pre-release client doesn't work, please inform me. https://github.com/vpnhood/VpnHood/releases/tag/v4.5.518-prerelease

AmirHosseinCV commented 4 months ago

Thank you for your time. After gathering more information from my users, it appears that the issue occurs only when they are using client version 500 or above (e.g., 4.5.518) and "with certain internet providers".

trudyhood commented 4 months ago

OK. Let me know if you find a token that doesn't work on the latest version.

Make sure to keep your servers and clients up to date to perform continuous migration. Too old a version of the client or server may face compatibility issues after 3 months. We continuously develop VpnHood and do not support long-term backward compatibility.

AmirHosseinCV commented 4 months ago

Thank you for the advice, I'll keep it in mind.

AmirHosseinCV commented 4 months ago

I discovered the issue: my server's public endpoint differs from the one shown when I run "VpnHoodServer print token-id". This is due to using a load balancer. Some users can only access the server through the load balancer and not the direct IP. As you mentioned, the server pushes new tokens to the clients with the direct IP, not the load balancer's IP. I had to either stop pushing tokens or set the load balancer's IP as the endpoint. So, I finally fixed the issue by setting up the value of PublicEndPoints in appsettings.json.
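
Added example, not part of the original thread or of VpnHood's code: a check an operator could run on a token the server hands out, comparing its `ser.ep` list with the endpoints clients are supposed to use (here, the load balancer). The function names, addresses and sample token are constructed for illustration; only the `ser`/`ep` field names come from the token shown earlier in the thread.

```python
import ipaddress
import json

def parse_endpoint(text):
    """Parse 'a.b.c.d:port' or '[v6]:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"not an ip:port endpoint: {text!r}")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def audit_token_endpoints(token, public_endpoints):
    """List entries of token['ser']['ep'] that are not intended public endpoints."""
    allowed = {parse_endpoint(e) for e in public_endpoints}
    ser = token.get("ser") or {}  # "ser" may be null in stored tokens
    findings = []
    for raw in ser.get("ep") or []:
        try:
            endpoint = parse_endpoint(raw)
        except ValueError:
            findings.append((raw, "unparseable"))
            continue
        if endpoint not in allowed:
            findings.append((raw, "not a public endpoint"))
    return findings

# Constructed sample: a token whose endpoint list mixes the server's direct
# addresses with the load balancer address (documentation-range IPs).
PUSHED_TOKEN = json.loads("""
{
  "v": 4,
  "name": "constructed-sample",
  "ser": {
    "hname": "vpn.example.net",
    "hport": 443,
    "isv": false,
    "ep": ["203.0.113.10:443", "198.51.100.7:443", "[2001:db8::10]:443"]
  }
}
""")
PUBLIC_ENDPOINTS = ["198.51.100.7:443"]  # constructed: the load balancer

if __name__ == "__main__":
    for raw, reason in audit_token_endpoints(PUSHED_TOKEN, PUBLIC_ENDPOINTS):
        print(f"{raw}: {reason}")
```

Any finding means a client that accepts this token may try an address it cannot reach, which matches the reconnect failure described in this thread.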

trudyhood commented 4 months ago

You can also set ReplyAccessKey to false in ServerConfiguration. I have updated the document: https://github.com/vpnhood/VpnHood/wiki/VpnHood-Server-Configuration

trudyhood commented 4 months ago

Setting PublicEndPoints can be the better option.

AmirHosseinCV commented 4 months ago

> You can also set ReplyAccessKey to false in ServerConfiguration. I have updated the document: https://github.com/vpnhood/VpnHood/wiki/VpnHood-Server-Configuration

That's great! I'll take a look. I appreciate how patiently you address issues in this open-source project. Best of luck!