
A trick to single ovpn in 1.12.0?

Posted: Tue Dec 24, 2019 5:05 pm
by rseiler
Disclaimer: I'm just now testing OpenVPN in anything later than 1.10 (1.12 is a clean install though), so I'm 95% sure this is something I'm doing, but I couldn't find anything about it.

I set up 1.12 VPN like so:
https://i.imgur.com/mEJb4Pa.png

And the client config is standard (+vpn_gateway).

Testing from Win10 with the latest portable OpenVPN client using "Credentials & Config Files (Multiple)," it connects fine.

But Single ovpn (not that that's critical to have, but I'm curious) instead doesn't get very far at all:
Tue Dec 24 15:49:22 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Dec 24 15:49:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Dec 24 15:49:22 2019 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Tue Dec 24 15:49:22 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 24 15:49:22 2019 Need hold release from management interface, waiting...
Tue Dec 24 15:49:22 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'state on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'log all on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'echo all on'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'hold off'
Tue Dec 24 15:49:23 2019 MANAGEMENT: CMD 'hold release'
Tue Dec 24 15:49:23 2019 MANAGEMENT: Client disconnected
Tue Dec 24 15:49:23 2019 File '[[INLINE]]' does not have OpenVPN Static Key format. Using free-form passphrase file is not supported anymore.: Unknown error (errno=-2146893799)
Tue Dec 24 15:49:23 2019 Exiting due to fatal error

For context, this is a snippet of how the log should pick up after "MANAGEMENT: CMD 'hold release'":
Tue Dec 24 15:43:56 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 24 15:43:56 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 24 15:43:56 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]myiphere:11940
Tue Dec 24 15:43:56 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 24 15:43:56 2019 UDP link local: (not bound)
Tue Dec 24 15:43:56 2019 UDP link remote: [AF_INET]myiphere:11940
Tue Dec 24 15:43:56 2019 MANAGEMENT: >STATE:1577220236,WAIT,,,,,,
Tue Dec 24 15:43:56 2019 MANAGEMENT: >STATE:1577220236,AUTH,,,,,,

Thanks

Re: A trick to single ovpn in 1.12.0?

Posted: Tue Dec 24, 2019 6:56 pm
by Lantis
Will investigate thanks. The format requirements may have changed.
It still works fine on Android.

Re: A trick to single ovpn in 1.12.0?

Posted: Wed Dec 25, 2019 9:02 pm
by Lantis
Working fine for me.

Can you inspect your .ovpn config file for completeness? Someone else complained that their router was cutting off the end of the config file, but I've never seen it happen on my own device.

You should have something like

client
remote          xxxxxxxxxx 1194
dev             tun
proto           udp
status          current_status
resolv-retry    infinite
remote-cert-tls server
topology        subnet
verb            3

cipher          AES-256-CBC


nobind
persist-key
persist-tun
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
CERT HERE
-----END CERTIFICATE-----
</ca>
<cert>
CERT DATA HERE
-----BEGIN CERTIFICATE-----
CERT HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PKEY HERE
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HEX KEY HERE
-----END OpenVPN Static key V1-----
</tls-auth>

You might find that your tls-auth section at the end is not fully compiled, if I had to guess...

Re: A trick to single ovpn in 1.12.0?

Posted: Wed Dec 25, 2019 10:04 pm
by rseiler
Based on what you posted, it looks to be all there. I downloaded it again (since it's not zipped, there might have been some kind of corruption, I guess), but it's exactly the same file.

Now here's where we enter the Twilight Zone. The error seems concerned about the static key (and then a passphrase, though I have no idea what a passphrase is in this context), so I compared the static key in the ovpn with ta.key.

One line is missing in the ovpn version (the 5th line of the key). If I paste in that line, it works. I tried creating a second user, and the line is still missing from the ovpn version.

This would make some kind of sense if at least you saw the same thing. It would be even weirder, given that it works for you, if you do have the missing line.

Re: A trick to single ovpn in 1.12.0?

Posted: Wed Dec 25, 2019 11:02 pm
by Lantis
I don't have the missing line. This is the same as another user reported, but I don't find this issue locally.
Let me think of a code change which might fix it and get back to you. I think the write buffers aren't getting flushed properly and I've seen code in other areas which handles this. It may apply here also.

If you're willing (understand if not), can you please PM me the last 2 lines of the full key? Just in case it is something specific about the makeup of the final lines which is causing a cutoff.

Re: A trick to single ovpn in 1.12.0?

Posted: Wed Dec 25, 2019 11:09 pm
by rseiler
Is it the same thing though? In my case, I'm talking about a line going missing about a third of the way through the static key block. That's very different than the last line or two being truncated, which I think is easier to explain than something going missing elsewhere.

I'll PM you.

Re: A trick to single ovpn in 1.12.0?

Posted: Wed Dec 25, 2019 11:46 pm
by ispyisail
With 1.12.0 using openVPN community download client version I get the same error
Tue Dec 24 15:49:23 2019 File '[[INLINE]]' does not have OpenVPN Static Key format. Using free-form passphrase file is not supported anymore
But it connects and works

From memory I didn't get the error on the end.

Re: A trick to single ovpn in 1.12.0?

Posted: Fri Dec 27, 2019 1:22 am
by Lantis
OK, I've found the error, and thank you for sending me the snippets of your key. I wouldn't have found it without that.

You can modify line 41 in /www/utility/openvpn_download_credentials.sh from

sed -i '/^ca\|^cert\|^key\|^tls-auth/d' /tmp/vpn.ac.tmp.ovpn
to

sed -i '/^ca\s\|^cert\s\|^key\s\|^tls-auth\s/d' /tmp/vpn.ac.tmp.ovpn
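
The effect of the two patterns above on a config with an inline static key, as an added example that is not part of the original post or of the Gargoyle script. The sample config and hex are constructed, the function names are hypothetical, and it assumes the filter runs over a file that already contains the inline block.

```shell
#!/bin/sh
# Constructed sample config: file-reference directives followed by an inline
# static key. The hex is made up; line 5 is built to start with "ca".
sample_config() {
  printf '%s\n' 'client' 'ca ca.crt' 'cert client.crt' 'key client.key' \
    'tls-auth ta.key 1' '<tls-auth>' '-----BEGIN OpenVPN Static key V1-----'
  i=1
  while [ "$i" -le 16 ]; do
    if [ "$i" -eq 5 ]; then
      echo 'ca9b8a7d6e5f40312233445566778899'
    else
      printf '%02x1e2d3c4b5a69788796a5b4c3d2e1f0\n' "$i"
    fi
    i=$((i + 1))
  done
  printf '%s\n' '-----END OpenVPN Static key V1-----' '</tls-auth>'
}

# Original pattern from the post: matches any line that starts with these letters.
filter_old() { sed '/^ca\|^cert\|^key\|^tls-auth/d'; }
# Corrected pattern from the post: the keyword must be followed by whitespace.
filter_new() { sed '/^ca\s\|^cert\s\|^key\s\|^tls-auth\s/d'; }

# Count well-formed key lines (32 hex characters) inside the static key block.
key_line_count() {
  sed -n '/^-----BEGIN OpenVPN Static key V1-----/,/^-----END OpenVPN Static key V1-----/p' |
    grep -c -E '^[0-9a-fA-F]{32}$' || true
}

# A 2048-bit static key is 256 bytes: 16 lines of 32 hex characters.
static_key_complete() { [ "$(key_line_count)" -eq 16 ]; }

# Count file-reference directives still present on stdin (0 after filtering).
directive_count() { grep -c -E '^(ca|cert|key|tls-auth)[[:space:]]' || true; }

old_count=$(sample_config | filter_old | key_line_count)
new_count=$(sample_config | filter_new | key_line_count)
echo "old filter keeps $old_count of 16 key lines"
echo "new filter keeps $new_count of 16 key lines"
sample_config | filter_new | static_key_complete && echo "inline static key complete"
```

Piping a downloaded .ovpn file into `static_key_complete` gives a quick check for a dropped key line before handing the file to a client.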

Re: A trick to single ovpn in 1.12.0?

Posted: Fri Dec 27, 2019 1:46 am
by rseiler
Thanks, that works.

sed has such brutal syntax that I'm not even sure it can be considered an "error."

Re: A trick to single ovpn in 1.12.0?

Posted: Fri Dec 27, 2019 2:02 am
by Lantis
Ahh, I'm sure a less cowboy-ish coder than myself would have considered that keys could begin with any of those letter combinations and done a better job. ;)

Alas, I am what we are all stuck with. :)