
Pasting PSK Missing newline OVPN P2P #6103

Closed
francio87 opened this issue Mar 31, 2020 · 4 comments
Labels
bug A defect of the software verified All test cases were verified successfully

Comments

@francio87
Member

Creating a new OVPN Server Tunnel (P2P) via Cockpit and pasting the PSK generated elsewhere, the configuration gets applied but the tunnel won't start if you don't add a newline at the end of the key.

NethServer: static public IP
Other side rt: dynamic public IP

The other side rt generates the PSK; for an easy connection NS will be the server side, since it has a static public IP.

Steps to reproduce

  • Create a New OVPN Server Tunnel (P2P)
  • Fill in all relevant data
  • Paste PSK Key without adding a final newline

Expected behavior

OVPN Server Tunnel start

Actual behavior

The VPN gets created on the GUI, but the logs report:

ERROR: Endtag </secret> missing

Checking the cfg file with [root@fw ~]# cat /etc/openvpn/s2svpn.conf:

71eb912d45372bced1e126de16981583
8401bb7dac74278dda3ceef63fa2f679
-----END OpenVPN Static key V1-----</secret>

The </secret> ending tag is on the same line as the PSK; adding a few newlines allows the tunnel to come up without issue.

Components

nethserver-vpn-ui-1.2.10-1.ns7.noarch

@francio87 francio87 added the bug A defect of the software label Mar 31, 2020
gsanchietti added a commit to NethServer/nethserver-vpn-ui that referenced this issue Apr 1, 2020
OpenVPN is a little bit picky about configuration file syntax.
If a psk, or a certificate, doesn't contain a new line, the generated
configuration file is invalid.

This commit backports a fix already in place inside NethGUI.

See NethGUI code: https://github.com/NethServer/nethserver-openvpn/blob/master/root/usr/share/nethesis/NethServer/Module/OpenVpnTunnels/Servers/Modify.php#L197

NethServer/dev#6103
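An added example (not code from nethserver-vpn-ui or NethGUI) showing in Python why a pasted key without a trailing newline breaks the generated file and how forcing the newline, as the backported fix does, avoids it. The helper names are hypothetical, the key lines are constructed, and the checker mimics OpenVPN's line-oriented rule that an inline block only closes on a line that begins with `</tag>`.

```python
import re

# Constructed sample: a static key pasted from a browser, with no final newline.
PASTED_PSK = (
    "-----BEGIN OpenVPN Static key V1-----\n"
    "0123456789abcdef0123456789abcdef\n"
    "fedcba9876543210fedcba9876543210\n"
    "-----END OpenVPN Static key V1-----"
)

INLINE_START = re.compile(r"^<([A-Za-z0-9_-]+)>\s*$")


def render_inline(tag, pasted):
    """Bug-for-bug rendering: the pasted text is dropped between the tags as-is,
    so without a trailing newline the close tag lands on the key's last line."""
    return f"<{tag}>\n{pasted}</{tag}>\n"


def render_inline_fixed(tag, pasted):
    """Fixed rendering: normalise CRLF, drop trailing blanks, force one newline.
    Works for <secret>, <cert> and <key> alike (the commit mentions both kinds)."""
    body = pasted.replace("\r\n", "\n").rstrip() + "\n"
    return f"<{tag}>\n{body}</{tag}>\n"


def build_config(pasted_psk, fixed):
    """Minimal P2P server config around the inline secret (hypothetical helper)."""
    render = render_inline_fixed if fixed else render_inline
    return "dev tun\nifconfig 10.0.0.1 10.0.0.2\n" + render("secret", pasted_psk)


def find_missing_endtags(config_text):
    """Walk the file the way OpenVPN's line parser does: a '<tag>' line opens an
    inline block and only a line starting with '</tag>' closes it. Returns the
    OpenVPN-style error strings for blocks that never close."""
    errors, open_tag = [], None
    for line in config_text.splitlines():
        if open_tag is None:
            m = INLINE_START.match(line)
            if m:
                open_tag = m.group(1)
        elif line.startswith(f"</{open_tag}>"):
            open_tag = None
    if open_tag is not None:
        errors.append(f"ERROR: Endtag </{open_tag}> missing")
    return errors


if __name__ == "__main__":
    print(find_missing_endtags(build_config(PASTED_PSK, fixed=False)))
    print(find_missing_endtags(build_config(PASTED_PSK, fixed=True)))
```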
@nethbot
Member

nethbot commented Apr 1, 2020

in 7.7.1908/testing:

@gsanchietti
Member

gsanchietti commented Apr 1, 2020

Test case 1

  • Create a tunnel server and set P2P mode
  • Do not modify the PSK
  • Check the created tunnel starts correctly

Test case 2

  • Create a tunnel client using PSK
  • Paste the PSK
  • Check the created tunnel starts correctly

Test case 3

  • Create a tunnel client using certificates
  • Paste certificate and private key
  • Check the created tunnel starts correctly

Test case 4

  • Check the bug is not reproducible

@gsanchietti gsanchietti added the testing Packages are available from testing repositories label Apr 1, 2020
@francio87
Member Author

[root@rt01 ~]# rpm -qa |grep vpn
nethserver-vpn-ui-1.2.10-1.1.gc3c4aa0.ns7.noarch
nethserver-openvpn-1.9.2-1.ns7.noarch
openvpn-2.4.8-1.el7.x86_64

Test Case 1: OK

Fri Apr  3 08:33:18 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Apr  3 08:33:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:33:18 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:33:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-case-1
Fri Apr  3 08:33:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:33:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:33:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:33:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:33:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:33:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:33:18 2020 TUN/TAP device tuntest-case-1 opened
Fri Apr  3 08:33:18 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:33:18 2020 /sbin/ip link set dev tuntest-case-1 up mtu 1500
Fri Apr  3 08:33:18 2020 /sbin/ip addr add dev tuntest-case-1 local 10.212.156.1 peer 10.212.156.2
Fri Apr  3 08:33:18 2020 /sbin/ip route add 192.168.44.0/24 via 10.212.156.2
Fri Apr  3 08:33:18 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Apr  3 08:33:18 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  3 08:33:18 2020 UDPv4 link local (bound): [AF_INET][undef]:1204
Fri Apr  3 08:33:18 2020 UDPv4 link remote: [AF_UNSPEC]
Fri Apr  3 08:33:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-case-1
Fri Apr  3 08:33:23 2020 MANAGEMENT: CMD 'status 3'

Test Case 2: OK

Fri Apr  3 08:40:18 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:40:18 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:40:18 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c-2
Fri Apr  3 08:40:18 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:18 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:18 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:18 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:18 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:18 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:18 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:18 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:18 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:18 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:18 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:18 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:18 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:18 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:18 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:18 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:18 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:18 2020 Restart pause, 5 second(s)
Fri Apr  3 08:40:23 2020 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:23 2020 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:23 2020 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr  3 08:40:23 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Apr  3 08:40:23 2020 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr  3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:23 2020 ROUTE_GATEWAY 192.168.179.1/255.255.255.0 IFACE=eth0 HWADDR=6a:01:b5:a0:6f:dd
Fri Apr  3 08:40:23 2020 TUN/TAP device tuntest-c-2 opened
Fri Apr  3 08:40:23 2020 TUN/TAP TX queue length set to 100
Fri Apr  3 08:40:23 2020 /sbin/ip link set dev tuntest-c-2 up mtu 1500
Fri Apr  3 08:40:23 2020 /sbin/ip addr add dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:23 2020 /sbin/ip route add 192.168.165.0/24 via 10.23.221.2
Fri Apr  3 08:40:23 2020 RESOLVE: Cannot resolve host address: vpn.fake.net:2313 (Name or service not known)
Fri Apr  3 08:40:23 2020 Could not determine IPv4/IPv6 protocol
Fri Apr  3 08:40:23 2020 /sbin/ip route del 192.168.165.0/24
Fri Apr  3 08:40:23 2020 Closing TUN/TAP interface
Fri Apr  3 08:40:23 2020 /sbin/ip addr del dev tuntest-c-2 local 10.23.221.1 peer 10.23.221.2
Fri Apr  3 08:40:23 2020 SIGUSR1[soft,init_instance] received, process restarting
Fri Apr  3 08:40:23 2020 Restart pause, 5 second(s)
Fri Apr  3 08:40:23 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c-2
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:40:23 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr  3 08:40:23 2020 MANAGEMENT: Client disconnected

Test Case 3: OK

Fri Apr  3 08:50:06 2020 WARNING: file '/var/lib/nethserver/certs/clients/test-c3-c.pem' is group or others accessible
Fri Apr  3 08:50:06 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
Fri Apr  3 08:50:06 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  3 08:50:06 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/n2n-test-c3-c
Fri Apr  3 08:50:06 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Apr  3 08:50:06 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]8.8.8.8:12342
Fri Apr  3 08:50:06 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  3 08:50:06 2020 UDP link local: (not bound)
Fri Apr  3 08:50:06 2020 UDP link remote: [AF_INET]8.8.8.8:12342
Fri Apr  3 08:50:12 2020 MANAGEMENT: Client connected from /var/spool/openvpn/n2n-test-c3-c
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: CMD 'state'
Fri Apr  3 08:50:12 2020 MANAGEMENT: TCP recv error: Connection reset by peer
Fri Apr  3 08:50:12 2020 MANAGEMENT: Client disconnected

Test Case 4: OK
Can confirm: even when pasting a PSK or cert without a newline at the end of it, NS adds it by itself; if I edit the VPN tunnel/client, the newline at the end of the PSK / cert is auto-added.

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Apr 3, 2020
@nethbot
Member

nethbot commented Apr 3, 2020

in 7.7.1908/updates:
