Probs with new configs in Ubuntu

Topic Author
MOQ888
Posts: 34
Joined: Sun Apr 02, 2017 6:31 pm

Postby MOQ888 » Sat Oct 20, 2018 4:14 pm

Hi guys, I've been trying to set up the new configs as per the instructions but having no luck. Ubuntu 1604, OpenVPN 2.4.6

Tried the import into Network Manager and all RSA configs imported OK but can't connect (times out).

Tried the Terminal method to launch ECC and can't connect.

Tried using the script to bulk import the configs and get these terminal errors

Error: failed to import 'Balancer_UDP.ovpn': configuration error: unsupported blob/xml element (line 120).

I can still connect using my old configs in NM but would like to get updated.

Any clues would be greatly appreciated as always.

parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Postby parityboy » Sun Oct 21, 2018 11:05 pm

@OP

Can you collect and post some logs so we can see what Network Manager is doing? I suspect it's related to TLS handshaking, but I'd like to be sure. :)


Postby MOQ888 » Mon Oct 22, 2018 3:47 pm

Tks PB, syslog attached
Attachments
syslog-20181022.txt
(7.87 KiB) Downloaded 59 times

Postby parityboy » Mon Oct 22, 2018 5:23 pm

@OP

Code:

Oct 22 21:40:28 e8100i7 NetworkManager[1163]: nm-openvpn-Message: openvpn[7095]: send SIGTERM
Oct 22 21:40:28 e8100i7 nm-openvpn[7095]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 22 21:40:28 e8100i7 nm-openvpn[7095]: TLS Error: TLS handshake failed
Oct 22 21:40:28 e8100i7 nm-openvpn[7095]: SIGTERM[hard,tls-error] received, process exiting


Yep, TLS handshake error. If you open one of the configurations in a text editor, you'll see this at the bottom:

Code:

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
5de9814eb021477ce3b58638031072c5
b20f34a9f3c417bc95df950ae37bdbf4
12aa255734184171a9c46f8251cf9207
6c1d352ddcd7c71a411d7872d8d50090
b06fd70801dda425cd4ee474a81d2367
a372a22db2baeee2ef7ac1c4a9dd4867
32bd978244db2ae2dbfcb5ab3b8669bc
9c35e0a48e298109e9acff687d5698db
7a864247b38e036187cfdf81feefc388
411767b66891056abef9ffc6a2464428
e0ccbf8130536473a71b10263c7dafdb
160da61d4402be6a10d47c9fe08e57dd
121c6b7d2e6d767c1a18dc0aa6567d56
26e020308ed197b5bfc7374b3d135085
31afcf87e1ae90ec20ee072100daf478
5aaa3bce8db5d6eabef2495752c849b6
-----END OpenVPN Static key V1-----
</tls-auth>


I believe this part is needed to connect to the new RSA instances, but Network Manager doesn't import this section. Try this:

- Cut this section out (not including the <tls-auth> tags)
- Save it into a text file
- Go to your VPN connection entry, then to Advanced-->TLS Settings. There should be a part which allows you to import a TLS key.
- Import the key file there, then try connecting. I think "key direction" should be zero.

Report back and let us know how you fare (and always watch the logs!). :D
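
Added example, not part of parityboy's post or cryptostorm's code: one way to script the cut-and-save steps above, pulling the inline `<tls-auth>` key out of a config into its own file and returning any `key-direction` directive the config carries so the value entered in Network Manager can be matched to it. The sample config, its placeholder key, the host name and the `key-direction 1` line are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample: 16 lines of placeholder hex, not a real key.
FAKE_KEY = "\n".join(
    ["-----BEGIN OpenVPN Static key V1-----"]
    + ["0123456789abcdef0123456789abcdef"] * 16
    + ["-----END OpenVPN Static key V1-----"]
)
SAMPLE_OVPN = (
    "client\ndev tun\nproto udp\nremote vpn.example.invalid 443\n"
    "key-direction 1\n"
    "<tls-auth>\n" + FAKE_KEY + "\n</tls-auth>\n"
)

def extract_inline(config_text, tag):
    """Return the text between <tag> and </tag> (tags excluded), or None."""
    t = re.escape(tag)
    m = re.search(rf"^<{t}>\s*\n(.*?)\n</{t}>\s*$", config_text, re.DOTALL | re.MULTILINE)
    return m.group(1).strip() if m else None

def is_static_key(body):
    """Check the layout shown in the post: BEGIN/END markers around 16 lines of 32 hex chars."""
    lines = body.splitlines()
    return (len(lines) == 18
            and lines[0] == "-----BEGIN OpenVPN Static key V1-----"
            and lines[-1] == "-----END OpenVPN Static key V1-----"
            and all(re.fullmatch(r"[0-9a-fA-F]{32}", ln) for ln in lines[1:-1]))

def key_direction(config_text):
    """Return the key-direction value set in the config, or None if it has none."""
    m = re.search(r"^key-direction\s+(\d)\s*$", config_text, re.MULTILINE)
    return m.group(1) if m else None

def save_tls_auth_key(config_text, out_path):
    """Write the inline tls-auth key to out_path and return the config's key-direction."""
    body = extract_inline(config_text, "tls-auth")
    if body is None or not is_static_key(body):
        raise ValueError("no well-formed inline <tls-auth> static key in this config")
    # A newly created key file gets mode 0600: it is a shared secret.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body + "\n")
    return key_direction(config_text)

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "tls-auth.key")
    print(path, "key-direction:", save_tls_auth_key(SAMPLE_OVPN, path))
```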


Postby MOQ888 » Tue Oct 23, 2018 2:02 pm

Thanks for your input PB. As suggested I created a TLS.txt file and pasted the key, pointed Additional TLS info to the file but still no joy.

Thought I'd try adding one from scratch (Seattle) with the same key but same.

Attachment 20181023-1 was for the existing Washington connection, 20181023-2 was for the Seattle connection.

Is this a problem with all Ubuntu NM versions, even 18.04?
Attachments
syslog-20181023-2.txt
(3.99 KiB) Downloaded 58 times
syslog-20181023-1.txt
(4.61 KiB) Downloaded 58 times

Postby parityboy » Wed Oct 24, 2018 6:04 pm

@OP

I'm going to have to dig into this. I'm running KDE Neon (now based on 18.04 LTS but mine is still running a 16.04 LTS base) and I suspect it has a newer Network Manager that accommodates this. Mine looks like this.

Image

df
Site Admin
Posts: 407
Joined: Thu Jan 01, 1970 5:00 am

Postby df » Fri Oct 26, 2018 1:01 am

MOQ888 wrote: Error: failed to import 'Balancer_UDP.ovpn': configuration error: unsupported blob/xml element (line 120).


That usually means you downloaded the HTML version of the config from Github and not the raw version.
I.e., don't save the config from https://github.com/cryptostorm/cryptost ... r_UDP.ovpn
the file you want is:
https://raw.githubusercontent.com/crypt ... r_UDP.ovpn
or you could just grab them from our website @ https://cryptostorm.is/configs/ since the configs there don't have an HTML version.

Oh I just checked, for the ECC configs <tls-crypt> starts on line 120.
Network Manager doesn't support this feature yet, you would need to use Terminal.

Another problem is that 208.91.112.55 IP you're connecting to. That's not in the Washington DC list of IPs:
plus the old instance IPs 198.7.58.245 & 198.7.58.246

I'm not sure when that "Preserving recently used remote address" code kicks in, but maybe a reboot will make it stop?
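
Added example, not part of df's post or cryptostorm's tooling: a pre-flight check for the two config problems named above (an HTML page saved instead of the raw file, a `<tls-crypt>` block Network Manager cannot import), plus a comparison of the remote address in an OpenVPN log line with the addresses the node is expected to resolve to. The configs and the expected addresses (documentation range 192.0.2.0/24) are constructed; the log line is the one quoted in this thread.

```python
import re

# Per the post above: Network Manager cannot import this inline block.
NM_UNSUPPORTED = {"tls-crypt"}

# Constructed samples.
HTML_DOWNLOAD = "<!DOCTYPE html>\n<html><head><title>Balancer_UDP.ovpn</title></head></html>\n"
ECC_CONFIG = ("client\ndev tun\nremote vpn.example.invalid 443\n"
              "<tls-crypt>\n(placeholder key)\n</tls-crypt>\n")
EXPECTED_IPS = {"192.0.2.10", "192.0.2.11"}  # stand-in for the node's DNS answers
# Log line as quoted in the thread.
LOG = ("Oct 28 12:28:41 e8100i7 nm-openvpn[26737]: TCP/UDP: Preserving recently "
       "used remote address: [AF_INET]208.91.112.55:443\n")

def preflight(config_text):
    """Return the problems that would stop a Network Manager import of this file."""
    head = config_text.lstrip()[:512].lower()
    if head.startswith("<!doctype html") or "<html" in head:
        return ["file is an HTML page, not a raw .ovpn"]
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.fullmatch(r"<([a-z][a-z0-9-]*)>", line.strip())
        if m and m.group(1) in NM_UNSUPPORTED:
            problems.append(f"line {lineno}: <{m.group(1)}> block needs the terminal client")
    return problems

def unexpected_remotes(log_text, expected_ips):
    """Return remote IPs seen in openvpn log lines that are not in expected_ips."""
    seen = re.findall(r"\[AF_INET\](\d{1,3}(?:\.\d{1,3}){3}):\d+", log_text)
    return sorted(set(seen) - set(expected_ips))

if __name__ == "__main__":
    print(preflight(HTML_DOWNLOAD))
    print(preflight(ECC_CONFIG))
    print(unexpected_remotes(LOG, EXPECTED_IPS))
```

An address outside the expected set means something between the client and the resolver answered for the node's name, so the name resolution path is the next thing to check.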


Postby MOQ888 » Fri Oct 26, 2018 4:56 am

df wrote: That usually means you downloaded the HTML version of the config from Github and not the raw version.

or you could just grab them from our website @ https://cryptostorm.is/configs/ since the configs there don't have an HTML version.


That's the weird thing, I had originally downloaded both config.zip from https://cryptostorm.is/configs/ and unpacked them into separate folders.

I'll delete the RSA ones, download the RSA config.zip again and have another go.


Postby MOQ888 » Fri Oct 26, 2018 4:01 pm

Ok, I deleted all the previous config folders, downloaded the config.zip from the RSA folder above.

I updated openssl to 1.1.1

Created US-WashingtonDC_UDP in NM and fails again, syslog attached.

Curiously, in the syslog nm-openvpn[4374] reports library version as OpenSSL 1.0.2g despite me confirming at the terminal that openssl version reports 1.1.1

Luckily my old NM connections are still working, but it'd be nice to work out what's going wrong with this install.
Attachments
syslog-20181026-1.txt
(4.04 KiB) Downloaded 29 times


Postby MOQ888 » Fri Oct 26, 2018 4:24 pm

tried using ECC configs from Terminal, no joy either

Same openssl library version 1.0.2g.

Should I try installing OpenVPN 2.4.6 again, maybe it'll pull in the correct openssl library now that it's 1.1.1 ... ?
Attachments
syslog-20181026-2.txt
(6.67 KiB) Downloaded 31 times


Postby MOQ888 » Sat Oct 27, 2018 7:07 am

went from bad to worse ...

I uninstalled OpenVPN and reinstalled, then any attempt to connect to the old CS servers clobbered NM. Rebooting was fine, default network still allowed me to access through my LAN, but couldn't use CS at all.

Removed/Purged OpenVPN 2.4.6 and got the system back to OpenVPN 2.3.10 & OpenSSL 1.0.2g, what comes with 16.04, but same despite several reboots. Once I reinstalled network-manager-openvpn-gnome the system seems (mostly) OK and I can still connect to CS using the old connections.

Going to leave this install as is and run up another machine with 18.04 or CentOS and start testing them with the new configs.

Tks to both PB & df for their input.


SOLVED (kind of)

Postby MOQ888 » Sat Oct 27, 2018 12:34 pm

Ran up a fresh install of Ubuntu 18.04 on a spare disk, after following the NM instructions for RSA configs, and CS WORKS!

Now just have to reinstate the old drive, backup files and upgrade from 16.04, but this fresh install works perfectly.

Ubuntu repository default versions OpenVPN 2.4.4, OpenSSL 1.1.0g.


Postby MOQ888 » Sat Oct 27, 2018 1:55 pm

df wrote: Another problem is that 208.91.112.55 IP you're connecting to. That's not in the Washington DC list of IPs:


That confused me for a while, I had no idea why it was doing that. Then I was having problems with CS on the temp 18.04 install after a reboot and an nslookup on one of my domain hosts (that has no IP) threw up this same IP address.

Turns out it's my Fortigate web-filtering, that IP is Fortinet's redirect page. For whatever reason the Fortigate was filtering out traffic on the new CS connections but not on the old ones, and redirecting to that IP.

Solved this by adding a new rule for the IP address of this machine so it has no filtering, and now it connects.

Happy days approaching, much faster than I had expected ...


Postby MOQ888 » Sun Oct 28, 2018 6:34 am

grumble ...

Took ages to upgrade from 16.04 to 18.04, of course as soon as I left the machine overnight prompts appeared.

There seems to be some weirdness left over from 16.04 install, despite re-importing all the RSA configs just like I did on the test install, they still fail due to wanting to look at that Fortigate IP, yet the old configs still work.

Oct 28 12:28:41 e8100i7 nm-openvpn[26737]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.91.112.55:443

I might blow this install away and start fresh, see what happens - I'll reinstall the test disk and make sure first.


Postby MOQ888 » Sun Oct 28, 2018 2:36 pm

Ubuntu 18.04 reinstalled fresh, all working as it should.

Suspect the problem was something lingering in the 16.04 install.

Postby parityboy » Sun Oct 28, 2018 7:21 pm

@MOQ888

Glad you got it working. :D Now we just need Network Manager to support the ECC instances. :)


Postby MOQ888 » Tue Oct 30, 2018 12:25 pm

"working" ... sort of. Started having the same issues with the fresh 18.04 install, SO frustrating!

Turns out the problem all along is that the domain hosts for the new CS servers are all classified by Fortinet as "newly observed domains". Removing this rule in the DNS filter finally allowed me to connect.

Of course this has nothing to do with CS. I'll put through a request to Fortinet to remove those domains/hosts from that category, or find out how long they retain them before auto-removal so I can reinstate that rule in the router.

Now I have to get my head around GNOME3 and the mess that network manager seems to be. I can connect to CS through Settings but if I use VPN under NM and choose "ON" for a connection the slider doesn't move so one would assume nothing has happened. In fact the CS connection has been established (ON in Settings), NM fails to show it.

And because NM doesn't think the VPN connected the VPN icon fails to show.

Worse still, the LAN icon doesn't show unless I manually go to Settings and click the LAN. Could be that NM is confused because I have two LAN profiles, my primary LAN which is set to connect automatically, and a secondary 4G Hotspot which I use when I need stuff faster.

I would have thought 6mths after release 18.04 might be less buggy. More fool me ...


Postby MOQ888 » Tue Oct 30, 2018 12:40 pm

Seem to have repaired the weirdness of NM by removing the LAN profile for the 4G hotspot. Despite me setting explicitly the primary LAN as auto-connect, seems that 18.04 or NM didn't really understand that.

I did set up this install using the 4G hotspot as my primary LAN is so slow. Could be that it was expecting to see the 4G profile despite the auto-connect setting for the primary LAN.

Anyway, NM seems to be happier now. LAN icon and VPN icon both appear and I'm able to connect to CS using the RSA profiles in NM ... AT LAST!

Hopefully this is the end of this mess for me.

Postby parityboy » Tue Oct 30, 2018 12:41 pm

@MOQ888

Hmmm...I have KDE Neon badgering me to update it to its new 18.04 LTS base, but I'm now wondering whether it's worth it. Having said that, my VPN is handled by a router so I wouldn't need Network Manager for VPN duty. :)


Postby MOQ888 » Tue Oct 30, 2018 1:57 pm

If your VPN connections originate in the router I doubt if you'll experience the problems I've been having.

I've downloaded Kubuntu 18.04 ISO just now. I think I'll prefer KDE as I was used to using it way back in Solaris days (if my memory serves me correctly).

I got used to Unity but I don't think I would get used to Gnome. I did try it on CentOS and a few other *nix flavours and always gravitated back to Ubuntu/Unity.


Postby MOQ888 » Tue Oct 30, 2018 4:53 pm

kubuntu up and running, CS working well - HOORAY!



Postby MOQ888 » Fri Nov 02, 2018 2:08 pm

Quite enjoying KDE in Kubuntu, its network manager is so much better - it remembers recent connections and moves them to the top of the very long CS list, just brilliant since my preferred connection is Washington DC, which is always at the very bottom of Ubuntu's Gnome NM.

I know, it's just a scroll down ... but still, how clever to put recently used connections up the top? DOH!

And many thanks to both PB and DF for their input in helping me track down the problem, as well as the CS team for delivering both a fantastic service and superb support.

