Adding VPN results in password loss #46

Open
NeoTheThird opened this Issue May 28, 2017 · 11 comments

Owner

NeoTheThird commented May 28, 2017

If you add a VPN (OpenVPN) account in the settings interface and try to connect with that account, an error pops up: "The VPN connection '176.126.237.217' failed because there were no valid VPN secrets." If you then enter the VPN settings, the password field is empty.
No errors were seen in logcat.

Connecting with the same credentials and certificates packed in an ovpn file on the command line, a valid connection will be established.

root@ubuntu-phablet:/home/phablet/Documents# openvpn ./vpnbook-euro1-tcp80.ovpn
Wed Mar 1 14:39:10 2017 OpenVPN 2.3.2 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Apr 13 2015
Enter Auth Username:vpnbook
Enter Auth Password: xxxxxx
Wed Mar 1 14:39:19 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Mar 1 14:39:19 2017 NOTE: --fast-io is disabled since we are not using UDP
Wed Mar 1 14:39:19 2017 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 1 14:39:19 2017 Attempting to establish TCP connection with [AF_INET]176.126.237.217:80 [nonblock]
Wed Mar 1 14:39:20 2017 TCP connection established with [AF_INET]176.126.237.217:80
Wed Mar 1 14:39:20 2017 TCPv4_CLIENT link local: [undef]
Wed Mar 1 14:39:20 2017 TCPv4_CLIENT link remote: [AF_INET]176.126.237.217:80
Wed Mar 1 14:39:20 2017 TLS: Initial packet from [AF_INET]176.126.237.217:80, sid=6cbd8f00 75a1c86e
Wed Mar 1 14:39:20 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 1 14:39:22 2017 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Wed Mar 1 14:39:22 2017 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Wed Mar 1 14:39:28 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Mar 1 14:39:28 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 1 14:39:28 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Mar 1 14:39:28 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 1 14:39:28 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 1 14:39:28 2017 [vpnbook.com] Peer Connection Initiated with [AF_INET]176.126.237.217:80
Wed Mar 1 14:39:30 2017 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
Wed Mar 1 14:39:30 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 124.23.73.41,dhcp-option DNS 8.8.8.8,route 10.12.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.12.0.10 10.12.0.9'
Wed Mar 1 14:39:30 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Mar 1 14:39:30 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 1 14:39:30 2017 OPTIONS IMPORT: route options modified
Wed Mar 1 14:39:30 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Mar 1 14:39:30 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:0a:de:ad:be:ef
Wed Mar 1 14:39:30 2017 TUN/TAP device tun3 opened
Wed Mar 1 14:39:30 2017 TUN/TAP TX queue length set to 100
Wed Mar 1 14:39:30 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Mar 1 14:39:30 2017 /sbin/ip link set dev tun3 up mtu 1500
Wed Mar 1 14:39:30 2017 /sbin/ip addr add dev tun3 local 10.12.0.10 peer 10.12.0.9
Wed Mar 1 14:39:32 2017 /sbin/ip route add 176.126.237.217/32 via 192.168.1.1
Wed Mar 1 14:39:32 2017 /sbin/ip route add 0.0.0.0/1 via 10.12.0.9
Wed Mar 1 14:39:32 2017 /sbin/ip route add 128.0.0.0/1 via 10.12.0.9
Wed Mar 1 14:39:32 2017 /sbin/ip route add 10.12.0.1/32 via 10.12.0.9
Wed Mar 1 14:39:32 2017 Initialization Sequence Completed

The VPN config files are stored in the /etc/NetworkManager/system-connections directory.
If I edit the VPN config like this:

password-flags=0

And add the following:

[vpn-secrets]
password=YourPassword

Now restart network manager by:

service network-manager restart

The connection could be established by shifting the key in the networking-manager GUI.
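An added example, not part of the original report or the project's code: a small audit of NetworkManager keyfiles for the two states discussed above, a VPN password that is not stored in the file and the workaround's plaintext `[vpn-secrets]` entry. The function name `audit_keyfile` and both sample keyfiles are constructed for illustration; the flag values follow NetworkManager's secret flags (0 = stored by NetworkManager, 1 = agent-owned, 2 = not saved, 4 = not required).

```python
import configparser
import pathlib
import stat

def audit_keyfile(text, mode=0o600):
    """Return findings for one keyfile's contents and permission bits."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "vpn":
        return []
    vpn = dict(cp["vpn"]) if cp.has_section("vpn") else {}
    secrets = dict(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else {}
    if vpn.get("connection-type") not in ("password", "password-tls"):
        return []  # no username/password authentication configured
    flags = int(vpn.get("password-flags", "0"))
    findings = []
    if "password" in secrets:
        findings.append("plaintext password on disk")
        if stat.S_IMODE(mode) & 0o077:
            findings.append("keyfile accessible to group/other")
    elif flags == 0:
        findings.append("password-flags=0 but no [vpn-secrets] password")
    elif not flags & 4:  # 4 = not required; 1 = agent-owned, 2 = not saved
        findings.append(
            "password-flags=%d: password must come from a secret agent" % flags)
    return findings

# Constructed sample keyfiles (not taken from the issue).
AGENT_OWNED = """[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
username=alice
password-flags=1
"""
WORKAROUND = (AGENT_OWNED.replace("password-flags=1", "password-flags=0")
              + "\n[vpn-secrets]\npassword=YourPassword\n")

if __name__ == "__main__":
    # Needs root: the keyfiles are expected to be root-owned with mode 0600.
    for p in sorted(pathlib.Path("/etc/NetworkManager/system-connections").glob("*")):
        for finding in audit_keyfile(p.read_text(), p.stat().st_mode):
            print(p.name, "->", finding)
```

With `password-flags=0` the password sits in clear text in the keyfile, so the file's ownership and mode are the only protection for it.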

ernesst commented May 31, 2017

It's not related to a device, it happens on mako and hammerhead also.

Owner

Flohack74 commented Jun 5, 2017

I just created a configuration with a client certificate with password for hammerhead and this works. Does it mean the password for the certificate is not accepted? Can we get server logs? I have:

Jun  5 11:55:46 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 TLS: Initial packet from [AF_INET]80.110.115.214:26657, sid=5060ae98 dbba4960
Jun  5 11:55:46 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 VERIFY OK: depth=1, C=AT, L=Vienna, O=bin.org.in, CN=bin.org.in CA, name=vpnserver, emailAddress=flori@bin.org.in
Jun  5 11:55:46 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 VERIFY OK: depth=0, C=AT, L=Vienna, O=bin.org.in, CN=knecht, name=vpnserver, emailAddress=flori@bin.org.in
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: 80.110.115.214:26657 [knecht] Peer Connection Initiated with [AF_INET]80.110.115.214:26657
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: MULTI: new connection by client 'knecht' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: MULTI: Learn: 10.8.0.6 -> knecht/80.110.115.214:26657
Jun  5 11:55:47 rooty ovpn-vpnserver[4427]: MULTI: primary virtual IP for knecht/80.110.115.214:26657: 10.8.0.6
Jun  5 11:55:49 rooty ovpn-vpnserver[4427]: knecht/80.110.115.214:26657 PUSH: Received control message: 'PUSH_REQUEST'
Jun  5 11:55:49 rooty ovpn-vpnserver[4427]: knecht/80.110.115.214:26657 send_push_reply(): safe_cap=940
Jun  5 11:55:49 rooty ovpn-vpnserver[4427]: knecht/80.110.115.214:26657 SENT CONTROL [knecht]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Owner

Flohack74 commented Jun 5, 2017

Note that the phone assumes SHA1 signature, but maybe on the server there is SHA256 set. You can't choose this from the current GUI on the phone.

ernesst commented Jun 22, 2017

There is an app allowing more options.

com.ubuntu.developer.pete-woods.vpn-editor_0.3.1_all.zip

Once the file is edited correctly in the terminal, opening the GUI config. breaks it again.

Pete Woods' app used to work with earlier Ubuntu Touch releases: [https://askubuntu.com/questions/754878/how-to-setup-openvpn-provided-with-ota10-on-ubuntu-touch]

However, it has stopped working since Ubuntu Touch OTA-14. It has been documented elsewhere before [https://bugs.launchpad.net/canonical-devices-system-image/+bug/1651458]

Does anyone know if this problem has been resolved with UBports OTA-1? Would it be worth getting a Nexus 5 to get back VPN functionality without having to use the terminal?

ernesst commented Sep 18, 2017

Can you confirm that with the last devel the connection to VPN doesn't work anymore, even with the trick mentioned above?

For my case, it was working fine up to mid august on the hammerhead devel.

weoieoeo commented Sep 29, 2017

Oh, it works! I did not follow the advice from NeoTheThird correctly. If I do and edit the VPN config file after creating it with Pete Woods' VPN app, everything works fine. Thank you!

ernesst commented Oct 3, 2017

I wiped all my configs, redid the setup and it works.

Owner

Flohack74 commented Dec 25, 2017

So can I close this?

Owner

NeoTheThird commented Dec 26, 2017

Have I been hit over the head? I can't for the love of me remember filing this report...

@ernesst Did you use the workaround from above or just set it up from the GUI?

@Flohack74 I would keep this open until investigation is done and we can be sure that you can just easily set up a vpn using just the gui in the settings.

ernesst commented Dec 26, 2017

Depends on the security setup of the VPN.
With my own VPN, set up with PiVPN, I'm using a key + password. It works.

Using ProtonVPN, for instance, which requires a login and password, the problem is still present.
