Algo VPN stops connecting after a day - An unexpected error occurred. #1178
Comments
Update: phone profile stops working, too. Let me know if there's any other data to provide. I'd just go back to DigitalOcean and try there but I just topped up my balance on Vultr and hoping it won't go to waste. |
Check to see that all of the block lists in your config are formatted like the two examples they give you. I had this exact issue happen and it ended up being because one of the block lists I added in the config used a different formatting. |
Which config and block lists are you referring to? Could you clarify for me, please? |
Any custom ad_blocklists you may have added to config.cfg (https://github.com/trailofbits/algo/blob/master/config.cfg) |
I didn't add any custom ad blocklists; the only change I made to config.cfg was adding the username. edit: so it only contains the default blocklists, which seem to follow the same format, but the spaces between destination IP and host seem to differ. One list seems to use two spaces instead of just one, and another list seems to use a tab as the separator instead of a space. This could possibly be causing the issue (although I never had to change anything here before and it has worked fine until now). I'm going to test using only one list that follows the basic format with one space as a separator. Will report back in a few days to see if it fixes the issue. |
Same issue here. Deployed on DigitalOcean. iPhone will go out first. Other devices may work a bit longer. A reboot (or even a forced power cycle) of the server will temporarily fix it. Nothing other than usernames changed in config.cfg. |
@fourtotheside Are you also seeing a dialog box that says "An unexpected error occurred", and is it on both macOS and iOS? The next time this happens try running |
@davidemyers Thank you for the quick reply. The answers are:
A thousand thanks for your help. |
I've never seen that iOS error message before but I pretty much always use Connect On Demand, so maybe that's why. The message in the log is an error that's been reported before but no one has figured out what causes it or how to avoid it (see #963). My thought is that it's a bug in strongSwan. |
@davidemyers I was just reading that with interest. I'll stick with |
This seems to have everyone, including the strongSwan maintainers, mystified. Any reason not to prophylactically restart strongSwan (i.e. via `cron`) until we know what the hell is going on?
… On Nov 1, 2018, at 9:50 PM, TC1977 ***@***.***> wrote:
@xmijo I had that error twice, ever, on iOS. It would happen in the middle of the "Connecting.../Disconnecting..." loops that are well described in #963. Further comments on those loops are there.
|
@fourtotheside I think that's not a crazy idea at all. |
@xmijo @davidemyers I just had "VPN Connection: An unexpected error occurred" show up as a pop-up dialog on my iPhone this evening. As @fourtotheside describes, it was while I was attempting to connect manually, after disabling the "Connect on demand" option. Interestingly, although I was unable to connect to the VPN, either on-demand or manually, it cleared on its own a few minutes later (after leaving McDonald's), and I could connect just fine. And reviewing the logs on the server, I don't see any "unable to install policy, reqid xxx already exists". This was in the setting of going to McDonald's and trying to check in so my mobile order could go through. Just in case anyone wants to keep track. 😀 |
I'm having a similar issue, seeing the same screenshot as @xmijo posted. This started happening to me immediately after the Mac booted after the upgrade. The on-demand connection attempted to take place, but there seems to be some kind of loop. I had to stop that, and tried to connect manually, but this error occurred: "VPN Connection: An unexpected error occurred". This is on Mojave Version 10.14. I have an Android phone configured with WireGuard and there were no issues there. I've looked at some relevant issues such as #963, but this appears to be a sporadic problem, although apparently more common since the original issue was made (May 23), which was just re-opened 22 hours ago. I've tried So we'll see how things go I guess 😄 probably will try to play around with it tomorrow |
I've come up with a "bandage" for this issue that some of you might want to try. It doesn't solve the problem, it just restarts strongSwan immediately whenever the suspect error message is seen in the log. This needs more testing (and more documentation) but I thought it might relieve some of the frustration people are having. Perform the following steps on your VPN server as Create the file:
Run: Create the file:
Run: Create the file:
Run: Test with: EDIT: Changed |
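As an added illustration of the watch-the-log-and-restart approach described above (this is not the script from this thread, nor Algo's own IPsec log watcher), here is a POSIX shell watcher that restarts strongSwan when the suspect charon message appears in the journal. The unit name `strongswan`, the `journalctl -u` invocation, the cooldown, and the sample log lines are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not the log watcher from this thread or from Algo itself:
# restart strongSwan when charon logs the "unable to install policy ... reqid"
# message discussed in #963. Assumptions: the systemd unit is called
# "strongswan" (adjust UNIT if yours differs) and journalctl is available.
# Must run as root (or via sudo) because it calls systemctl restart.

UNIT="${UNIT:-strongswan}"
# Regex for the suspect charon message; the wording follows the thread and
# strongSwan's kernel-netlink plugin, anchored loosely on purpose.
PATTERN='unable to install policy.*reqid'
COOLDOWN="${COOLDOWN:-60}"   # seconds to ignore further matches after a restart

# is_reqid_collision LINE -> exit 0 if LINE is the suspect message, else 1.
is_reqid_collision() {
    printf '%s\n' "$1" | grep -Eq "$PATTERN"
}

# count_reqid_collisions < LOG -> prints how many lines of LOG match.
# Useful for checking the pattern against a saved log before going live.
count_reqid_collisions() {
    n=0
    while IFS= read -r line; do
        if is_reqid_collision "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

restart_strongswan() {
    logger -t ipsec-watch "reqid collision seen, restarting $UNIT"
    systemctl restart "$UNIT"
}

# watch_journal: follow only new journal lines for the unit and act on matches.
# The cooldown keeps a burst of identical messages (one per client retry)
# from triggering a restart per line.
watch_journal() {
    journalctl -f -n 0 -o cat -u "$UNIT" | while IFS= read -r line; do
        if is_reqid_collision "$line"; then
            restart_strongswan
            sleep "$COOLDOWN"
        fi
    done
}

# Constructed sample log (not from a real server) for a dry run of the matcher.
SAMPLE_LOG='charon: 12[IKE] IKE_SA ikev2-pubkey[3] established between 10.19.48.1[vpn]...10.0.0.5[user]
charon: 08[KNL] unable to install policy 10.19.49.2/32 === 0.0.0.0/0 out (mark 0/0x00000000) for reqid 7, the same policy for reqid 3 exists
charon: 08[KNL] unable to install policy 10.19.49.2/32 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 7, the same policy for reqid 3 exists
charon: 09[CFG] loaded certificate "C=US, O=10.19.48.1, CN=10.19.48.1" from ...'

case "${1:-}" in
    --watch) watch_journal ;;
    --dry-run) printf 'matches in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_reqid_collisions)" ;;
esac
```

Run it with `--dry-run` first to confirm the pattern matches your own saved log lines, then run it with `--watch` under a systemd service or from a root shell.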
I will test this as soon as my much cruder hourly cron restart fails. One way or another, this kind of logic would seem to make sense at least until this mysterious bug in strongSwan is resolved. If this tests out, think about a pull request. |
Dunno if there's a way to merge this discussion with that in #963, and no way to tell if it's even the same problem behind both, but the solution @davidemyers posted should work for that as well. |
In my case, |
@SmoothJelly456 Have you rebooted your Mac since the upgrade? I find that sometimes things aren't quite right after a big upgrade and that a reboot can help. |
After upgrading to Mojave, my Mac failed to connect with the same "an unexpected error occurred" dialog box. After rebooting, it connected to the VPN just fine. I don't find anything interesting in the logs, just looks like a typical login. I guess the problem is on the Mojave side?
|
So I just found something weird. If I'm connected to the VPN with one account on the machine (my admin account), that VPN connection stays open, but if I switch accounts (without logging out) the other account isn't logged in. Then if I try to connect, I reliably get the "An unexpected error occurred" dialog box. However! When I check "dnsleaktest.com", or some other website that gives my IP address, it shows my VPN server's IP and not my local IP - indicating that I am in fact connected to the VPN, even though macOS doesn't seem to recognize this. I have |
I'd appreciate feedback on whether my suggested changes above help avoid reconnection loops. Restarting IPsec thus forcing all clients to reconnect is a little heavy handed, but reconnection loops are frustrating. If my instructions above are too tedious, I've created a fork of Algo that includes the changes for testing. Get a copy of Algo by running:
Then deploy a new Algo VPN in the usual way. EDIT: Due to lack of feedback I'm no longer maintaining this fork. |
I tried the solution with @davidemyers How long have you been running the branch? I am a little tired of running |
Yes. This sounds stupid, because it isn't mentioned in the strongswan.org docs, but you shouldn't use
Or as @davidemyers wrote in his script above,
I just went on a trip with four devices, and using edit: As @davidemyers mentioned, it's a bug with systemd, not Upstart. Either way, doesn't sound like it's getting fixed anytime soon. |
@naveensrinivasan I've been running the log monitoring script on existing VPN servers since before my first post about it. My problem is I don't get reconnection problems very often, so to test it I have to fake the log message. If anyone has been trying my suggested change you might not notice if it works correctly. Actually, that's the whole idea. To see if it has been triggered search your server logs for the @TC1977 Ubuntu no longer uses Upstart, but that bug you linked to says the problem occurs with systemd as well. Also I think Jack has been working towards adding a |
@davidemyers Changed the above. Also, I know Jack is working on a WG-only option, but what I'm waiting for are iOS/macOS clients, built-in like IKEv2, so users can just set "Connect on Demand" and have it work reliably. Or, someone figures out how to fix the strongSwan implementation. |
Wireguard "Connect on Demand" would indeed be fantastic |
I've rebooted at least a few times now since the upgrade but the issue is still prevalent, I've been (unfortunately) using a separate VPN on my Mac since the Mojave upgrade now. |
I'm getting this on Mojave OS X. I've been running Algo on my server since this morning; then, after about 12 hours or so, it started giving me this error. To be specific, it was fine at work on my wifi. I went home, tried it out and it was working as well. A few hours later, I tried to manually connect to the VPN and it just couldn't. Just wondering, does manually disabling ON DEMAND cause problems? And what can I do to fix this? @davidemyers Can you please help! |
@ahmadelrouby Did you deploy your Algo server from my branch mentioned above which contains a potential mitigation for this issue? |
@davidemyers I'm doing it now. I also have another question. On DigitalOcean, algo doesn't seem to work unless I manually disable the firewall and flush all iptables rules. I'm pretty sure that this shouldn't be the case, but I don't understand why it doesn't work. All I do is create a new droplet on DO and run the commands for the localhost installation, but it never works unless I disable the firewall. |
@davidemyers and just to elaborate, do you think that the absence of the firewall might be the reason the server fails to connect after some time? |
@davidemyers Alright, so I just did a fresh install of everything from the branch you mentioned above and I tried to connect now, but with no luck. Check this out:
Algo running on: Ubuntu 18.04.1 LTS (Virtualized: kvm) |
Rather than a localhost install, try letting Algo set up the server for you. This is the best way to use Algo. Algo will install its own firewall rules that will not coexist properly with any rules that are present before it is run. And just to be clear, you cannot use Algo to configure a given system as a VPN server more than once. (Edited to further clarify the last point.) |
Also, based on some developments in another issue, perhaps avoid using the Ad Blocking option for the time being. |
@davidemyers Just did exactly what you said. I used the server install on DigitalOcean and after installing it, I used the mobileconfig file to add the profile on Mac OS X. It gave me the exact same error "The VPN server did not respond". Also, here's the log of what happened:
Algo running on: Mac OS X 10.14.1
TASK [vpn : Generate the openssl server configs] ************************************************************************************************************************** TASK [vpn : Build the CA pair] ******************************************************************************************************************************************** TASK [vpn : Copy the CA certificate] ************************************************************************************************************************************** TASK [vpn : Generate the serial number] *********************************************************************************************************************************** TASK [vpn : Build the server pair] **************************************************************************************************************************************** TASK [vpn : Build the client's pair] ************************************************************************************************************************************** TASK [vpn : Create links for the private keys] **************************************************************************************************************************** TASK [vpn : Build openssh public keys] ************************************************************************************************************************************ TASK [vpn : Build the client's p12] *************************************************************************************************************************************** TASK [vpn : Copy the p12 certificates] ************************************************************************************************************************************ TASK [vpn : Get active users] ********************************************************************************************************************************************* TASK [vpn : Copy the keys to the strongswan directory] 
******************************************************************************************************************** TASK [vpn : Register p12 PayloadContent] ********************************************************************************************************************************** TASK [vpn : Set facts for mobileconfigs] ********************************************************************************************************************************** TASK [vpn : Build the mobileconfigs] ************************************************************************************************************************************** TASK [vpn : Build the client ipsec config file] *************************************************************************************************************************** TASK [vpn : Build the client ipsec secret file] *************************************************************************************************************************** TASK [vpn : Restrict permissions for the local private directories] ******************************************************************************************************* TASK [vpn : strongSwan started] ******************************************************************************************************************************************* RUNNING HANDLER [dns_adblocking : restart apparmor] *********************************************************************************************************************** RUNNING HANDLER [vpn : restart strongswan] ******************************************************************************************************************************** RUNNING HANDLER [vpn : daemon-reload] ************************************************************************************************************************************* RUNNING HANDLER [vpn : restart iptables] 
********************************************************************************************************************************** RUNNING HANDLER [vpn : restart rsyslogd] ********************************************************************************************************************************** TASK [Delete the CA key] ************************************************************************************************************************************************** TASK [Dump the configuration] ********************************************************************************************************************************************* |
@ahmadelrouby Thank you for redeploying per my suggestions, but I'm stumped as to why you can't connect. I just deployed a new server with settings similar to yours and could connect immediately from Mojave. Maybe reboot your Mac?
BTW, I think all Apple device users will want to use Connect On Demand for Wi-Fi or their devices will just disconnect themselves on their own after a while. |
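To show what the Connect On Demand setting mentioned in the comment above actually looks like, here is the shape of the on-demand rules inside the VPN payload of an Apple configuration profile (.mobileconfig). This is an added illustration, not the Algo project's own template and not the profile from this thread; it goes a little beyond the comment by also covering cellular, and the surrounding VPN payload keys (server address, identifiers, UUIDs) are omitted as placeholders.

```xml
<!-- Added example: on-demand fragment of a VPN payload dict in a .mobileconfig.
     Other required payload keys (PayloadType, PayloadUUID, server address, IKEv2 settings)
     are omitted here; the VPN profile would carry them as usual. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Rules are evaluated in order; the first match wins.
         Bring the tunnel up whenever the device joins any Wi-Fi network. -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
    </dict>
    <!-- Same on cellular, so a device that roams off Wi-Fi is not left with the tunnel down. -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
    </dict>
</array>
```

With these rules the system re-establishes the tunnel itself after the device drops it, instead of leaving it disconnected until the user notices. A `Disconnect` rule placed first with an `SSIDMatch` array can exempt a trusted home or office network; whether that is wanted is a policy decision for the person deploying the profile.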
@davidemyers Okay so I tried the VPN server again when I went to work and it works! Do you think something at home is causing the problem? At home I tried using my wifi and a hotspot from my mobile. Both at home don't work. At work both wifi and cellular hotspot work... I really can't figure out what's the problem, and is there any way I can figure out where the problem is? Whether it's with my computer, network or server? |
Just wanted to follow up on this; after re-installing a brand new version of the latest Algo main branch on a new VPS, I am no longer seeing the issues on macOS Mojave that I had mentioned with regard to the "unexpected error" -- previously I could not even connect to the Algo VPN without getting this error. Will report back in a few days on whether I have encountered the error or not. |
Hey, I am having the same issues with the latest macOS and latest Algo. The only fix I've found is a hard reboot of my Digital Ocean droplet. |
I'm having the same issue once in a while on ALL my devices. Most frequently it happens on iOS. macOS is more resistant to that kind of stuff. For iOS reboot helps in most cases. |
With the WireGuard app for iOS working well and the WireGuard app for macOS on the way, we can soon put these annoying IPsec issues behind us. |
@here I'd dig on this matter for myself, but my experience lies beyond this area, unfortunately |
The WireGuard app for iOS listed above works flawlessly for me, and it looks like an official macOS app is coming soon as well. |
WireGuard for macOS is now available in the Mac App Store. Here's the announcement. It looks like it requires Mojave. |
Started to use WireGuard on all my devices and ended up with the MUCH worse overall result. I've got a feeling that every few seconds everything just hangs, e.g. no network communication happening. Impossible to browse or use any other application that sends or receives data. Tested on 2 macOS Mojave 10.14.2 and 4 iOS 12.1.4. That's a disaster. 😩 |
@zx2c4 , sorry for the long response, been travelling. Attached log: |
Algo VPN stops working after a day on macOS Mojave using Vultr as the VPS.
Everything works fine after installing the .mobileconfig and it will work for a day or so. But then later when trying to connect it will just disconnect and a pop-up box appears saying VPN Connection: An unexpected error occurred. This has happened twice now and running ./algo to set up the VPS again fixes it. Note that this behavior does not include my iPhone, where the VPN will still work fine.
Steps to reproduce the behavior:
Expected behavior
That it will connect to the Algo VPN.
I'd include the full log but I'm not sure how to retrieve it now. If it is needed I will run ./algo again and set up the VPS instance and then also paste the log here.