[Bug 1578712] Re: Periodic failure of client authorisation
[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.] ** Changed in: openvpn (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Hi, trying to clear (revive or kill) bugs dormant for too long. On this one in particular we didn't get any other response. Of course one can try the "next" versions released with later Ubuntu 17.10 but that might still not provide a lot of extra insight. Given that we have Jordi analyzing "out of intereest" (thanks btw and see comment #2) this but no response from Simon yet for the questions since then I wonder if we should clear the bug as incomplete unless more data is available - there just is no clear action that can be taken from here on :-/ @Jordi - for the DNS leak you might take a look at bug 1634689 which then split this topic into 1652525 and also [1] as a potential workaround. Maybe that would help your case on [1]: https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html ** Changed in: openvpn (Ubuntu) Status: Triaged => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Just curious, does this happen when you are using most of the memory of your system? I recall this was the case with me (tens of browser windows open, general computer slowness + hours connected to the VPN = this bug). The tests I did were on light load, and I'm a bit reluctant to stress test my system for hours just to try to reproduce this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Hi, After 24hours running uninterrupted on a 16.04 Ubuntu I didn't get this bug but I started experiencing DNS leaks which definitely were not happening before (I tested extensively for that at the beginning). This is even more strange considering that my firewall is blocking DNS traffic (port 53) on all interfaces but tun0. Attaching syslog without UFW messages: https://paste.ubuntu.com/24652583/ Complete syslog: https://paste.ubuntu.com/24652594/ openvpn stdout : https://paste.ubuntu.com/24652654/ On the last one you can see some TLS auth errors on/before the soft reset, but it recovers automatically just fine: Thu May 25 06:53:32 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA Thu May 25 07:53:31 2017 TLS: tls_process: killed expiring key Thu May 25 07:53:32 2017 TLS: soft reset sec=0 bytes=20533656/0 pkts=50536/0 Thu May 25 07:53:32 2017 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #180 / time = (1495608806) Wed May 24 08:53:26 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings Thu May 25 07:53:32 2017 TLS Error: incoming packet authentication failed from [AF_INET]159.8.125.23:2049 Thu May 25 07:53:32 2017 VERIFY OK: depth=1, C=MT, ST=Malta, L=Malta, O=IVPN.net, CN=IVPN.net CA, emailAddress=supp...@ivpn.net -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Hi, While I experienced this bug on 17.10, I went back to 16.04 for diverse reasons and have yet to see it there, while still using the same VPN and configuration. I will leave the VPN running for 24 hours and report back with the logs here to be sure, but I think it's not there on 16.04. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Thank you very much for filing this bug report! This does seem like a real issue, I wonder if it's possible to test if 16.04 (or ideally 17.04) have this issue as well. I know that's a big jump to make, so it's understandable if not possible. I will subscribe the server team and place it on our backlog. ** Changed in: openvpn (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvpn in Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Thank you very much for filing this bug report! This does seem like a real issue, I wonder if it's possible to test if 16.04 (or ideally 17.04) have this issue as well. I know that's a big jump to make, so it's understandable if not possible. I will subscribe the server team and place it on our backlog. ** Changed in: openvpn (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1578712] Re: Periodic failure of client authorisation
Hi, I've been reading around the code just for interest and, while I can't fix this maybe this could help: (From openvpn-plugin.h comments) * New Client Connection: * * FUNC: openvpn_plugin_client_constructor_v1 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_IPCHANGE * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we don't proceed until authentication is verified via auth_control_file] * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_CONNECT_V2 * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS * * [Client session ensues] * * For each "TLS soft reset", according to reneg-sec option (or similar): * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF * * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert * in the server chain) * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL * * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED, * we expect that authentication is verified via auth_control_file within * the number of seconds defined by the "hand-window" option. Data channel traffic * will continue to flow uninterrupted during this period.] So an issue in the implementation or else might cause this problem? The conection is established correctly at first but then it's DEFERRED (from the start or during runtime(?)) the tunnel might remain up until a TLS soft reset is received? I don't know if I'm making any sense or not actually with this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1578712 Title: Periodic failure of client authorisation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1578712/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs