wknapik / vpnfailsafe

IP leak prevention for OpenVPN

Error log - Fatal error up script - vpnfailsafe.sh:104

heroselohim opened this issue · comments

Hi, this script seems to be what I was looking for, but I have some issues on my Linux Mint - OpenVPN.
At the end of the log you will find an error with the iptables command.

All dependencies referred to in the PACKAGE were installed & updated.
If I could supply any other information, just ask.

Thanks in advance for your work!!

Log

Sun Oct 16 14:11:22 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Oct 16 14:11:22 2016 WARNING: file '/etc/openvpn/userauth.txt' is group or others accessible
Sun Oct 16 14:11:22 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Oct 16 14:11:22 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Oct 16 14:11:22 2016 UDPv4 link local: [undef]
Sun Oct 16 14:11:22 2016 UDPv4 link remote: [AF_INET]99.99.99.99:53
Sun Oct 16 14:11:22 2016 TLS: Initial packet from [AF_INET]99.99.99.99:53, sid=03dc4848 6d1e7f00
Sun Oct 16 14:11:22 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 16 14:11:22 2016 VERIFY OK: depth=1, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sun Oct 16 14:11:22 2016 VERIFY OK: nsCertType=SERVER
Sun Oct 16 14:11:22 2016 Validating certificate key usage
Sun Oct 16 14:11:22 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Oct 16 14:11:22 2016 VERIFY KU OK
Sun Oct 16 14:11:22 2016 Validating certificate extended key usage
Sun Oct 16 14:11:22 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 16 14:11:22 2016 VERIFY EKU OK
Sun Oct 16 14:11:22 2016 VERIFY OK: depth=0, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Sun Oct 16 14:11:26 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1585'
Sun Oct 16 14:11:26 2016 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Oct 16 14:11:26 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 14:11:26 2016 Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 14:11:26 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 14:11:26 2016 Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 14:11:26 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 16 14:11:26 2016 [server] Peer Connection Initiated with [AF_INET]99.99.99.99:53
Sun Oct 16 14:11:28 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 16 14:11:29 2016 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 111.22.33.1,redirect-gateway def1,block-outside-dns,route-gateway 111.22.33.1,topology subnet,ping 10,ping-restart 160,ifconfig 111.22.33.114 255.255.255.0'
Sun Oct 16 14:11:29 2016 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.3.2)
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: route options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: route-related options modified
Sun Oct 16 14:11:29 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 16 14:11:29 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:c2:06:39
Sun Oct 16 14:11:29 2016 TUN/TAP device tun0 opened
Sun Oct 16 14:11:29 2016 TUN/TAP TX queue length set to 100
Sun Oct 16 14:11:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 16 14:11:29 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Oct 16 14:11:29 2016 /sbin/ip addr add dev tun0 111.22.33.114/24 broadcast 111.22.33.255
Sun Oct 16 14:11:29 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1586 111.22.33.114 255.255.255.0 init
iptables v1.4.21: unknown protocol "tcp-client" specified
Try iptables -h' or 'iptables --help' for more information. /etc/openvpn/vpnfailsafe.sh:104:iptables -A "VPNFAILSAFE_$*" -p "${!proto}" -"$sd" "$remote" --"$sd"port "${!port}" ` returned 2
Sun Oct 16 14:11:30 2016 WARNING: Failed running command (--up/--down): external program exited with error status: 2
Sun Oct 16 14:11:30 2016 Exiting due to fatal error

OpenVPN Config

# This is just an example client config. vpnfailsafe should work with most
# configurations using `dev tun'.
client
dev tun
proto udp
# Static IP of the VPN server
remote 111.22.333.44 1194
cipher AES-256-CBC
# Omitting route-noexec, or even using `redirect-gateway def1', should make no
# practical difference, but this is cleaner.
route-noexec
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/auth.txt
ns-cert-type server
cipher AES-256-CBC
auth SHA384
server-poll-timeout 3
comp-lzo
verb 3
remote-cert-tls server
ping-restart 60
script-security 2
up /etc/openvpn/vpnfailsafe.sh
down /etc/openvpn/vpnfailsafe.sh
<ca>
-----BEGIN CERTIFICATE-----
yyy
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
zzz
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<connection>
remote br.sss.com
port 53
proto udp
explicit-exit-notify 1
</connection>
<connection>
remote br.sss.com
port 443
proto tcp
</connection>

Hi. Just pushed a fix. Please re-test.

I've never used tcp with OpenVPN and assumed they'd be calling it... "tcp" - my mistake. They're calling it "tcp-client", or "tcp-server", despite the existence of "--client" and "--server" options...

PS. OpenVPN documentation advises against using tcp (http://sites.inka.de/sites/bigred/devel/tcp-tcp.html) - something to consider.
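The naming mismatch described in the reply above, worked through as an added example (this is not vpnfailsafe's own code): OpenVPN exports the connection protocol to its --up script as `tcp-client`, `tcp-server` or `udp` (later releases also have address-family-suffixed forms such as `udp4` or `tcp6-client`), while `iptables -p` only understands `tcp` and `udp`, which is what produced the `unknown protocol "tcp-client"` error in the first log. The chain names, the `-j ACCEPT` target (not visible in the truncated log line) and the 203.0.113.10 address are all constructed for the example; the real script resolves the hostname itself.

```shell
#!/bin/sh
# Added example (not vpnfailsafe's own code): map the protocol name OpenVPN
# hands to an --up script in $proto onto the name iptables -p accepts.

# iptables_proto NAME -> prints "tcp" or "udp"; returns 1 for anything else
iptables_proto() {
    case "$1" in
        udp|udp4|udp6)
            echo udp ;;
        tcp|tcp4|tcp6|tcp-client|tcp-server|tcp4-client|tcp4-server|tcp6-client|tcp6-server)
            echo tcp ;;
        *)
            echo "iptables_proto: unsupported protocol '$1'" >&2
            return 1 ;;
    esac
}

# build_rule CHAIN SD PROTO REMOTE PORT -> prints the iptables command that the
# failing line was trying to run, without executing it (no root needed).
# SD is "d" for the outbound rule (-d REMOTE --dport PORT) or "s" for the
# inbound one (-s REMOTE --sport PORT), mirroring the -"$sd"/--"$sd"port idiom
# in the logged line. The -j ACCEPT target is an assumption: the truncated log
# line does not show what follows the port argument.
build_rule() {
    chain=$1 sd=$2 remote=$4 port=$5
    proto=$(iptables_proto "$3") || return 1
    printf 'iptables -A %s -p %s -%s %s --%sport %s -j ACCEPT\n' \
        "$chain" "$proto" "$sd" "$remote" "$sd" "$port"
}

# Stand-alone run: the two <connection> blocks from the config above (udp/53
# and tcp/443 to the same host), with a constructed address and chain names.
build_rule VPNFAILSAFE_OUTPUT d udp        203.0.113.10 53
build_rule VPNFAILSAFE_INPUT  s tcp-client 203.0.113.10 443
```

The explicit allow-list in the `case` is deliberate: an unexpected value (a future OpenVPN spelling, or a typo in the config) makes the script fail loudly instead of silently installing a rule for the wrong protocol, which for a kill switch is the safer failure.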

Thanks for the help. I'll be seeing different options soon and give better feedback. Most of this about VPNs is new to me, so I won't be of great assistance.

I just expected to connect as usual with OpenVPN and, if the connection drops, to avoid transfer leaks. Almost all scripts and solutions around the internet fail at some point, and some of them are really hard to implement for my current nix knowledge.

Just replaced the code and this is the log:

Sun Oct 16 20:01:54 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Oct 16 20:01:54 2016 WARNING: file '/etc/openvpn/userauth.txt' is group or others accessible
Sun Oct 16 20:01:54 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Oct 16 20:01:54 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Oct 16 20:01:54 2016 UDPv4 link local: [undef]
Sun Oct 16 20:01:54 2016 UDPv4 link remote: [AF_INET]123.22.33.44:53
Sun Oct 16 20:01:54 2016 TLS: Initial packet from [AF_INET]123.22.33.44:53, sid=631edd56 a043cf1e
Sun Oct 16 20:01:54 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 16 20:01:54 2016 VERIFY OK: depth=1, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sun Oct 16 20:01:54 2016 VERIFY OK: nsCertType=SERVER
Sun Oct 16 20:01:54 2016 Validating certificate key usage
Sun Oct 16 20:01:54 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Oct 16 20:01:54 2016 VERIFY KU OK
Sun Oct 16 20:01:54 2016 Validating certificate extended key usage
Sun Oct 16 20:01:54 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 16 20:01:54 2016 VERIFY EKU OK
Sun Oct 16 20:01:54 2016 VERIFY OK: depth=0, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Sun Oct 16 20:01:58 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1585'
Sun Oct 16 20:01:58 2016 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Oct 16 20:01:58 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 20:01:58 2016 Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 20:01:58 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Oct 16 20:01:58 2016 Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Sun Oct 16 20:01:58 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Oct 16 20:01:58 2016 [server] Peer Connection Initiated with [AF_INET]123.22.33.44:53
Sun Oct 16 20:02:01 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 16 20:02:02 2016 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 111.22.3.3,redirect-gateway def1,block-outside-dns,route-gateway 111.22.3.3,topology subnet,ping 10,ping-restart 160,ifconfig 111.22.3.316 255.255.255.0'
Sun Oct 16 20:02:02 2016 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.3.2)
Sun Oct 16 20:02:02 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 16 20:02:02 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 16 20:02:02 2016 OPTIONS IMPORT: route options modified
Sun Oct 16 20:02:02 2016 OPTIONS IMPORT: route-related options modified
Sun Oct 16 20:02:02 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 16 20:02:02 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:c2:06:39
Sun Oct 16 20:02:02 2016 TUN/TAP device tun0 opened
Sun Oct 16 20:02:02 2016 TUN/TAP TX queue length set to 100
Sun Oct 16 20:02:02 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 16 20:02:02 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Oct 16 20:02:02 2016 /sbin/ip addr add dev tun0 111.22.3.316/24 broadcast 172.28.1.255
Sun Oct 16 20:02:02 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1586 111.22.3.316 255.255.255.0 init
Sun Oct 16 20:02:02 2016 WARNING: Failed running command (--up/--down): could not execute external program
Sun Oct 16 20:02:02 2016 Exiting due to fatal error

Is the script executable after the update? Are all the dependencies installed? Are you running openvpn as root? Are the dependencies in your $PATH?

If none of the answers lead you to a fix, please add "set -x" in the second line of the script and post the output somewhere, along with the full config.

Also, you're using a 2013 version of OpenVPN. If updating is an option, that would be a good idea. And the warnings about MTU and LZO logged by OpenVPN may or may not be relevant.

Good news 👍

The VPN is working with the script. And I think your script is running as expected (no error output at least and routes added).

I don't know how to test a drop with OpenVPN for testing, but it should work while the OpenVPN program is open, I think.

To your questions:

  1. Yes, it's executable after the update.
  2. All dependencies referenced on PACKAGE were installed & updated from the start.
  3. Yes, it is run as root always.
  4. I'll be checking the $PATH in detail for every lib installed.
  5. I've fixed two issues; after I fixed some stuff on my VPN, the script is running as expected right now.
  6. LZO disabled and working fine. Seems my VPN server is not using it.
  7. I'll be checking what is going on with MTU.
  8. OpenVPN Version: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014

Thanks for your help!!

VPN CONNECT LOG

Mon Oct 17 11:06:35 2016 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Mon Oct 17 11:06:35 2016 WARNING: file '/etc/openvpn/auth.txt' is group or others accessible
Mon Oct 17 11:06:35 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Oct 17 11:06:35 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Oct 17 11:06:35 2016 UDPv4 link local: [undef]
Mon Oct 17 11:06:35 2016 UDPv4 link remote: [AF_INET]111.22.3.3:53
Mon Oct 17 11:06:35 2016 TLS: Initial packet from [AF_INET]111.22.3.3:53, sid=16421282 bac6eac2
Mon Oct 17 11:06:35 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Oct 17 11:06:35 2016 VERIFY OK: depth=1, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Oct 17 11:06:35 2016 VERIFY OK: nsCertType=SERVER
Mon Oct 17 11:06:35 2016 VERIFY OK: depth=0, C=SE, ST=QQ, L=FrootTown, O=FrootOrg, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Mon Oct 17 11:06:39 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Oct 17 11:06:39 2016 Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Mon Oct 17 11:06:39 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Oct 17 11:06:39 2016 Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Mon Oct 17 11:06:39 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Oct 17 11:06:39 2016 [server] Peer Connection Initiated with [AF_INET]111.22.3.3:53
Mon Oct 17 11:06:41 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 17 11:06:42 2016 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 66.66.6.1,redirect-gateway def1,block-outside-dns,route-gateway 66.66.6.1,topology subnet,ping 10,ping-restart 160,ifconfig 66.66.6.130 255.255.255.0'
Mon Oct 17 11:06:42 2016 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.3.2)
Mon Oct 17 11:06:42 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 17 11:06:42 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 17 11:06:42 2016 OPTIONS IMPORT: route options modified
Mon Oct 17 11:06:42 2016 OPTIONS IMPORT: route-related options modified
Mon Oct 17 11:06:42 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 17 11:06:42 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:c2:06:39
Mon Oct 17 11:06:42 2016 TUN/TAP device tun0 opened
Mon Oct 17 11:06:42 2016 TUN/TAP TX queue length set to 100
Mon Oct 17 11:06:42 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Oct 17 11:06:42 2016 /sbin/ip link set dev tun0 up mtu 1500
Mon Oct 17 11:06:42 2016 /sbin/ip addr add dev tun0 66.66.6.130/24 broadcast 66.66.6.255
Mon Oct 17 11:06:42 2016 /etc/openvpn/vpnfailsafe.sh tun0 1500 1585 66.66.6.130 255.255.255.0 init
Mon Oct 17 11:06:42 2016 /sbin/ip route add 111.22.3.3/32 via 10.0.2.2
Mon Oct 17 11:06:42 2016 /sbin/ip route add 0.0.0.0/1 via 66.66.6.1
Mon Oct 17 11:06:42 2016 /sbin/ip route add 128.0.0.0/1 via 66.66.6.1
Mon Oct 17 11:06:42 2016 Initialization Sequence Completed

Great!

What did you change in your config to get it working?

As for testing - you can test the effectiveness of the script while the vpn connection is up by visiting https://ipleak.net/ or some other similar service. As for when the vpn connection goes down - just kill OpenVPN (using your init script, or just using the kill command) and see if you can resolve any hostnames, or connect to anything on the internet by IP. If not - everything is working as expected.

Thanks for the report.
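The live test described above (kill OpenVPN, then try to resolve a name or connect by IP) is the authoritative check. As an added example that is not part of vpnfailsafe, the script below lets you reason about the same question offline: it is a tiny first-match evaluator over an OUTPUT chain written in `iptables -S` syntax, so you can see which packets a kill-switch ruleset lets out once `tun0` is gone and everything falls back to `eth0`. The ruleset is constructed from what the logs above show (VPN server 111.22.3.3 reached over udp/53 on eth0, tunnel traffic on tun0, LAN 10.0.2.0/24); it is not the ruleset vpnfailsafe actually installs, and the evaluator only models `-o`, `-d`, `-p` and `--dport`.

```shell
#!/bin/sh
# Added example (not vpnfailsafe's own code): offline, first-match model of an
# iptables OUTPUT chain, used to check what a kill switch lets out of the box.

# Constructed ruleset in `iptables -S OUTPUT` syntax, modelled on the logs above.
RULES='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -d 111.22.3.3/32 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -d 10.0.2.0/24 -j ACCEPT'

# verdict OUT_IFACE DST_IP PROTO DPORT -> prints the target of the first
# matching -A rule, or the -P policy when nothing matches.
verdict() {
    printf '%s\n' "$RULES" | awk -v oif="$1" -v dst="$2" -v proto="$3" -v dport="$4" '
    # dotted quad -> integer (fits comfortably in awk doubles)
    function ip2n(s,   a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # true when ip lies inside cidr ("a.b.c.d" or "a.b.c.d/len")
    function incidr(ip, cidr,   p, len, div) {
        p = index(cidr, "/"); len = p ? substr(cidr, p + 1) : 32
        if (p) cidr = substr(cidr, 1, p - 1)
        div = 2 ^ (32 - len)
        return int(ip2n(ip) / div) == int(ip2n(cidr) / div)
    }
    BEGIN { policy = "ACCEPT" }
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
        ok = 1
        for (i = 3; i < NF; i += 2) {
            if      ($i == "-o"      && $(i + 1) != oif)            ok = 0
            else if ($i == "-d"      && !incidr(dst, $(i + 1)))     ok = 0
            else if ($i == "-p"      && $(i + 1) != proto)          ok = 0
            else if ($i == "--dport" && $(i + 1) != dport)          ok = 0
        }
        if (ok) { print $NF; found = 1; exit }   # target follows -j
    }
    END { if (!found) print policy }'
}

# Stand-alone run: the same packets while the tunnel is up (tun0) and after
# OpenVPN has been killed (only eth0 left). Addresses are constructed.
for pkt in "tun0 8.8.8.8 udp 53" \
           "eth0 8.8.8.8 udp 53" \
           "eth0 203.0.113.10 tcp 443" \
           "eth0 111.22.3.3 udp 53" \
           "eth0 10.0.2.2 tcp 22"; do
    set -- $pkt
    printf '%-28s -> %s\n' "$pkt" "$(verdict "$@")"
done
```

With the tunnel down, the only packets that leave eth0 are the ones to the VPN server's own port and to the LAN, so a DNS query to 8.8.8.8 or a TLS connection to any public address is dropped, which is exactly the observable the live test looks for. The same model makes the usual mistakes visible: a rule such as `-A OUTPUT -p udp --dport 53 -j ACCEPT` without `-o tun0` would turn the first eth0 line into ACCEPT, a DNS leak the route table alone would never reveal.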