A trick to single ovpn in 1.12.0?

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

A trick to single ovpn in 1.12.0?

Post by rseiler »

Disclaimer: I'm just now testing OpenVPN in anything later than 1.10 (1.12 is a clean install though), so I'm 95% sure this is something I'm doing, but I couldn't find anything about it.

I set up 1.12 VPN as so:
https://i.imgur.com/mEJb4Pa.png

And the client config is standard (+vpn_gateway).

Testing from Win10 with the latest portable OpenVPN client using "Credentials & Config Files (Multiple)," it connects fine.

But Single ovpn (not that that's critical to have, but I'm curious) instead doesn't get very far at all:
Tue Dec 24 15:49:22 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Dec 24 15:49:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Dec 24 15:49:22 2019 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Tue Dec 24 15:49:22 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 24 15:49:22 2019 Need hold release from management interface, waiting...
Tue Dec 24 15:49:22 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'state on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'log all on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'echo all on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'hold off'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'hold release'
Tue Dec 24 15:49:23 2019 MANAGEMENT: Client disconnected
Tue Dec 24 15:49:23 2019 File '[[INLINE]]' does not have OpenVPN Static Key format. Using free-form passphrase file is not supported anymore.: Unknown error (errno=-2146893799)
Tue Dec 24 15:49:23 2019 Exiting due to fatal error
For context, this is a snippet of how the log should pick up after "MANAGEMENT: CMD 'hold release'":
Tue Dec 24 15:43:56 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 24 15:43:56 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 24 15:43:56 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]myiphere:11940
Tue Dec 24 15:43:56 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 24 15:43:56 2019 UDP link local: (not bound)
Tue Dec 24 15:43:56 2019 UDP link remote: [AF_INET]myiphere:11940
Tue Dec 24 15:43:56 2019 MANAGEMENT: >STATE:1577220236,WAIT,,,,,,
Tue Dec 24 15:43:56 2019 MANAGEMENT: >STATE:1577220236,AUTH,,,,,,
Thanks

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: A trick to single ovpn in 1.12.0?

Post by Lantis »

Will investigate, thanks. The format requirements may have changed.
It still works fine on Android.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: A trick to single ovpn in 1.12.0?

Post by Lantis »

Working fine for me.

Can you inspect your .ovpn config file for completeness? Someone else complained that their router was cutting off the end of the config file but I've never seen it happen on my own device.

You should have something like

client
remote          xxxxxxxxxx 1194
dev             tun
proto           udp
status          current_status
resolv-retry    infinite
remote-cert-tls server
topology        subnet
verb            3

cipher          AES-256-CBC


nobind
persist-key
persist-tun
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
CERT HERE
-----END CERTIFICATE-----
</ca>
<cert>
CERT DATA HERE
-----BEGIN CERTIFICATE-----
CERT HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PKEY HERE
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HEX KEY HERE
-----END OpenVPN Static key V1-----
</tls-auth>
You might find that your tls-auth section at the end is not fully compiled if I had to guess...

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: A trick to single ovpn in 1.12.0?

Post by rseiler »

Based on what you posted, it looks to be all there. I downloaded it again (since it's not zipped, there might have been some kind of corruption, I guess), but it's exactly the same file.

Now here's where we enter the Twilight Zone. The error seems concerned about the static key (and then a passphrase, though I have no idea what a passphrase is in this context), so I compared the static key in the ovpn with ta.key.

One line is missing in the ovpn version (the 5th line of the key). If I paste in that line, it works. I tried creating a second user, and the line is still missing from the ovpn version.

This would make some kind of sense if at least you saw the same thing. It would be even weirder, given that it works for you, if you do have the missing line.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: A trick to single ovpn in 1.12.0?

Post by Lantis »

I don't have the missing line. This is the same as another user reported, but I don't find this issue locally.
Let me think of a code change which might fix it and get back to you. I think the write buffers aren't getting flushed properly and I've seen code in other areas which handles this. It may apply here also.

If you're willing (understand if not), can you please PM me the last 2 lines of the full key? Just in case it is something specific about the makeup of the final lines which is causing a cutoff.

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: A trick to single ovpn in 1.12.0?

Post by rseiler »

Is it the same thing though? In my case, I'm talking about a line going missing about a third of the way through the static key block. That's very different than the last line or two being truncated, which I think is easier to explain than something going missing elsewhere.

I'll PM you.

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: A trick to single ovpn in 1.12.0?

Post by ispyisail »

With 1.12.0 using the OpenVPN community download client version I get the same error
Tue Dec 24 15:49:23 2019 File '[[INLINE]]' does not have OpenVPN Static Key format. Using free-form passphrase file is not supported anymore
But it connects and works

From memory I didn't get the error on the end.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: A trick to single ovpn in 1.12.0?

Post by Lantis »

Ok, I've found the error, and thank you for sending me the snippets of your key. I wouldn't have found it without that.

You can modify line 41 in /www/utility/openvpn_download_credentials.sh from

sed -i '/^ca\|^cert\|^key\|^tls-auth/d' /tmp/vpn.ac.tmp.ovpn
to

sed -i '/^ca\s\|^cert\s\|^key\s\|^tls-auth\s/d' /tmp/vpn.ac.tmp.ovpn
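
Why the first pattern drops a key line while the second does not, as an added example that is not part of the thread or of Gargoyle's script: both filters are run over a profile and the surviving static-key lines are counted. The sample profile and its key bytes are constructed, the function names are hypothetical, and it assumes GNU or BusyBox sed (for `\|` and `\s`) and a static key body of 16 lines of 32 hex characters.

```shell
#!/bin/sh
# Constructed sample: file-reference directives the export should remove, plus
# an inline <tls-auth> block whose 5th hex line happens to start with "ca".
make_sample() {
cat <<'EOF'
client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
EOF
  i=0
  while [ "$i" -lt 16 ]; do
    case "$i" in
      4) echo "ca0123456789abcdef0123456789abcd" ;;  # hex, but begins with "ca"
      *) echo "0123456789abcdef0123456789abcdef" ;;
    esac
    i=$((i + 1))
  done
cat <<'EOF'
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Pattern from the post before the fix: matches any line that merely begins
# with the letters, including hex or base64 key material.
strip_old()   { sed '/^ca\|^cert\|^key\|^tls-auth/d'; }
# Pattern from the fix: the keyword must be followed by whitespace.
strip_fixed() { sed '/^ca\s\|^cert\s\|^key\s\|^tls-auth\s/d'; }

# Count lines inside the static-key armor that are exactly 32 hex characters.
key_lines() {
  awk '/-----BEGIN OpenVPN Static key V1-----/ {in_key = 1; next}
       /-----END OpenVPN Static key V1-----/   {in_key = 0}
       in_key && /^[0-9a-fA-F]+$/ && length($0) == 32 {n++}
       END {print n + 0}'
}

# Count file-reference directives still present (grep exits 1 on zero matches).
directives_left() { grep -c -E '^(ca|cert|key|tls-auth)[[:space:]]' || true; }

echo "old pattern:   $(make_sample | strip_old   | key_lines) of 16 key lines survive"
echo "fixed pattern: $(make_sample | strip_fixed | key_lines) of 16 key lines survive"
echo "directives left after fix: $(make_sample | strip_fixed | directives_left)"
```

Piping a generated .ovpn through `key_lines` before handing it to a client gives a quick completeness check for the inline static key.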

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: A trick to single ovpn in 1.12.0?

Post by rseiler »

Thanks, that works.

sed has such brutal syntax that I'm not even sure it can be considered an "error."

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: A trick to single ovpn in 1.12.0?

Post by Lantis »

Ahh, I'm sure a less cowboy-ish coder than myself would have considered that keys could begin with any of those letter combinations and done a better job. ;)

Alas, I am what we are all stuck with. :)