New auth error discovered

Topic Author
Guest

New auth error discovered

Postby Guest » Thu Jul 17, 2014 2:22 pm

Hello there!

Recently a new auth error bug popped up on all the mobile devices I own and provide support for. PCs on landline connections are not affected.

It is nothing special that mobile clients disconnect from the internet from time to time, but usually they just reconnect right away when they get reception or are awakened from sleep mode.
Lately this doesn't work anymore because the VPN exit nodes give my devices an "auth error" on that reconnect attempt, thus stopping it from retrying and shutting the VPN down completely.

I guess there must be something changed with the auth infrastructure that it doesn't like fast reconnects anymore.

I hope you can look into that.

Thanks!

Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: New auth error discovered

Postby Graze » Fri Jul 18, 2014 6:41 am

This is a new bug thanks to some reference-count checking code we have recently activated. Basically, as a workaround, know that it will time out, and it will allow a re-connect after a number of seconds. I suspect it's on the order of 10-30. However, that's not really acceptable, so we may tweak the code to be more forgiving of network drop-outs.

Thanks,
G
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: New auth error discovered

Postby marzametal » Fri Jul 18, 2014 9:57 am

I've seen this too, been about 2-3 weeks since it first started. I just put it down to a beta release of OpenVPN and a Custom ROM issue. If it's not the auth error on reconnect, it's a TLS handshake error not being received when trying to connect for the first time. But a reboot fixes that (might have something to do with strict conditions in AFWall (mostly or only seen if I swap DNS via netd from enabled to disabled - can't be bothered with "Auto")).


Topic Author
Guest

Re: New auth error discovered

Postby Guest » Fri Jul 18, 2014 12:47 pm

This looks as if it is related to PJ's post here, right?

About Graze's "reconnection" idea: The problem is that OpenVPN defaults to dropping the connection and not doing reconnects on an auth_error. But no fear, there is indeed a workaround for that!

Please add

auth-retry nointeract

to your config files.

This will allow the client to retry connecting on auth_errors. Just like Graze said, you will get around 20 seconds of crazy reconnecting and failing, but eventually it will reestablish the connection automatically without user interaction. Combine that with AFWall + Persistent Tun (in Arne's VPN client) and you are safe and sound on your mobile device.

I also recommend NOT using the Network Manager on Linux but connecting to the VPN via console (or an automatic process on startup). This will allow your client to use the auth-retry command and reconnect all by itself. Combine that with some clever iptables (basically AFWall for Linux ;) ) and you are secure as well. If you have any disconnect problems on your PC at all. As I said, for me only mobile devices with choppy connections had problems.

vpnDarknet
Posts: 128
Joined: Thu Feb 27, 2014 2:42 pm
Contact:

Re: New auth error discovered

Postby vpnDarknet » Sat Jul 19, 2014 6:50 am

Excellent, thanks :)
Do I need to hard code the login/pass into the Linux .conf for it to auto re-connect?
Buy your tokens via vpnDark.net and cryptostorm cannot and does not know anything about users - no link between a token & purchase details
Unofficial Wiki cryptostorm access guide
Ways to talk to me

marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: New auth error discovered

Postby marzametal » Sat Jul 19, 2014 6:54 am

Going to have to try this out, didn't know DNS Proxy (netd) can stay disabled!

vpnDarknet
Posts: 128
Joined: Thu Feb 27, 2014 2:42 pm
Contact:

Re: New auth error discovered

Postby vpnDarknet » Sat Jul 19, 2014 8:09 am

Excellent, all working great, thanks for your guidance :D

Although when I log in via the terminal, with openvpn, my DNS stays as my ISP designates.
But when I use the Network Manager in Linux, I have anonymous DNS servers?

marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: New auth error discovered

Postby marzametal » Sat Jul 19, 2014 9:05 am

Heads up, it also happens on Windows...


Topic Author
Guest

Re: New auth error discovered

Postby Guest » Sat Jul 19, 2014 12:07 pm

@vpnDarknet:
Ok, that shouldn't happen. Usually routes and everything else important are pushed when connecting to the VPN, and that information contains the DNS.
hmm....

If you are okay with always having anonymous DNS (you should have those anyways IMO) you can define your DNS in network manager for your normal connection. Go edit your connection and in the IPv4 TAB set it to "DHCP Addresses only" and enter your DNS servers separated by commas and 1 space.

Alternatively do this:
sudo nano /etc/resolv.conf

nameserver 198.100.146.51
nameserver 91.191.136.152
nameserver 213.73.91.35


Cheers!

vpnDarknet
Posts: 128
Joined: Thu Feb 27, 2014 2:42 pm
Contact:

Re: New auth error discovered

Postby vpnDarknet » Sat Jul 19, 2014 1:18 pm

Great stuff thanks, making the changes of the network manager looks to have worked :)
I was reluctant to change resolv.conf as it reads:
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Think I'd read about changing the base files in the past though?

Do I need to hardcode login/pass into the conf files, for them to auto re-connect?

Thanks again for your help!


Topic Author
Guest

Re: New auth error discovered

Postby Guest » Sat Jul 19, 2014 10:27 pm

To be honest that could actually happen. It depends on how much you've played with your system in the past.
Unfortunately I don't remember what config file is able to overwrite resolv.conf... Maybe there is a way to define DNS right inside the VPN config files?!

I don't know if OpenVPN remembers the user/pass, but I would recommend using the "auth-user-pass password" command: create a text file named password with username and password (each on its own line) and put it in the same folder as the config file. This way OpenVPN can grab the user/pw every time. :)


gbj
Posts: 20
Joined: Thu Mar 27, 2014 8:22 am

Re: New auth error discovered

Postby gbj » Sun Jul 20, 2014 6:06 am

Here is a good breakdown of the resolv.conf file on a nix system https://wiki.archlinux.org/index.php/Resolv.conf
In my openvpn config file I have an option that points to a plaintext file that is in the same folder with my login information, like this "auth-user-pass /etc/openvpn/login.txt"
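
Added example, not part of any post in this thread: a shell check that a client config carries both settings discussed above (`auth-retry nointeract` and `auth-user-pass <file>`) and that the plaintext credential file is readable by its owner only. The function name `audit_ovpn`, the temp-dir layout and the sample values are constructed for illustration; resolving a relative path against the config's directory is an assumption that matches OpenVPN only when it is started from that directory.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit an OpenVPN client config for the
# unattended-reconnect settings discussed above.

# audit_ovpn CONFIG: prints one line per finding; returns 0 if clean, else 1.
audit_ovpn() {
    local conf=$1 rc=0 cred perms
    # Without auth-retry nointeract the client exits on an auth failure.
    grep -Eq '^[[:space:]]*auth-retry[[:space:]]+nointeract([[:space:]]|$)' "$conf" ||
        { echo "missing: auth-retry nointeract"; rc=1; }
    # auth-user-pass needs a file argument, or OpenVPN prompts for credentials.
    cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$cred" ]; then
        echo "missing: auth-user-pass <file>"; return 1
    fi
    # Assumption: relative paths are resolved against the config's directory,
    # which matches OpenVPN only when it is started there (or with --cd).
    case $cred in /*) ;; *) cred="$(dirname -- "$conf")/$cred" ;; esac
    if [ ! -f "$cred" ]; then
        echo "credential file not found: $cred"; return 1
    fi
    # Expected layout: username on line 1, password on line 2.
    [ "$(awk 'NF { n++ } END { print n + 0 }' "$cred")" -eq 2 ] ||
        { echo "credential file should hold exactly two lines"; rc=1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$cred" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "credential file open beyond owner ($perms): chmod 600 it"; rc=1; }
    return "$rc"
}

# Constructed sample: a throwaway config and credential file in a temp dir.
demo() {
    local d; d=$(mktemp -d)
    printf 'client\nremote vpn.example.invalid 443 udp\nauth-user-pass password\nauth-retry nointeract\n' > "$d/client.conf"
    printf 'constructed-user\nconstructed-pass\n' > "$d/password"
    chmod 644 "$d/password"; audit_ovpn "$d/client.conf" || true  # flags the mode
    chmod 600 "$d/password"; audit_ovpn "$d/client.conf" && echo "clean"
    rm -rf -- "$d"
}
demo
```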

vpnDarknet
Posts: 128
Joined: Thu Feb 27, 2014 2:42 pm
Contact:

Re: New auth error discovered

Postby vpnDarknet » Sun Jul 20, 2014 6:53 am

Thanks for your help guys, your knowledge is much appreciated.
I've messed with this setup heaps, so who knows what tweak could be affecting the resolv.conf setup???
The change via Network Manager looks to be working great though!

I'd tried creating a password.txt file with no luck, but I've just dropped it in the /etc/openvpn folder and it now works :D

Just IP Tables to sort out now :?


gbj
Posts: 20
Joined: Thu Mar 27, 2014 8:22 am

Re: New auth error discovered

Postby gbj » Sun Jul 20, 2014 7:40 am

What flavour of unix are you using, are you comfortable with iptables? Some find it easier to use UFW. Let me know if I can help :)

vpnDarknet
Posts: 128
Joined: Thu Feb 27, 2014 2:42 pm
Contact:

Re: New auth error discovered

Postby vpnDarknet » Sun Jul 20, 2014 8:37 am

Cheers man, I'm using a bastardised version of Ubuntu 14.04, and trying to implement Desu's IPtable:
viewtopic.php?t=6247&p=9588#p9588

All works well, except it seems to be locking down my access... and as mentioned in the post, IP tables have always been a dark art to me, although I understand the context, I've never had a setup I'm totes happy with


gbj
Posts: 20
Joined: Thu Mar 27, 2014 8:22 am

Re: New auth error discovered

Postby gbj » Sun Jul 20, 2014 6:41 pm

Interesting, I had not seen Desu's Iptables, I will have to look into them. Here are a few simple rules that I use to "kill" any traffic that does not go through the tun interface. Take it with a grain of salt as I am no expert :)

iptables -F OUTPUT # Empty the OUTPUT chain of any current rules
iptables -A OUTPUT -o lo -j ACCEPT # Allow loopback traffic
iptables -A OUTPUT -o tun+ -j ACCEPT # Allow all traffic out over the vpn
iptables -A OUTPUT -o eno1 -p udp -m udp --dport 443 -j ACCEPT # Allow traffic out on port 443 which the VPN uses
iptables -A OUTPUT -o eno1 -p udp -m udp --dport 1194 -j ACCEPT # Allow openvpn
iptables -A OUTPUT -o eno1 -d 192.168.x.x/24 -j ACCEPT # Allow local network traffic on your interface
iptables -P OUTPUT DROP # Default action if no other rules match
iptables-save > /etc/iptables/iptables.rules
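
Added example, not part of gbj's post: a check over `iptables-save` output that confirms the OUTPUT policy is DROP and flags ACCEPT rules on a non-tunnel interface that match on port alone, since such a rule passes UDP to that port on any host while the tunnel is down. The function names, the `192.168.1.0/24` LAN range and the `203.0.113.10` server address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check iptables-save output for
# OUTPUT rules that would let traffic bypass the tunnel.

# audit_killswitch [FILE]: reads iptables-save output (stdin by default);
# prints findings and returns 0 if clean, 1 otherwise.
audit_killswitch() {
    awk '
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && / -j ACCEPT/ {
            out = ""; dst = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            # Loopback and tunnel interfaces are the intended paths.
            if (out == "lo" || out ~ /^tun/) next
            # Anything else must be pinned to a destination address.
            if (dst == "") { print "no -d restriction: " $0; bad = 1 }
        }
        END {
            if (policy != "DROP") { print "OUTPUT policy is not DROP"; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample 1: the rules above as iptables-save would render them
# (192.168.1.0/24 stands in for the elided LAN range).
as_posted() { cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eno1 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -o eno1 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eno1 -j ACCEPT
COMMIT
EOF
}
# Constructed sample 2: same rules with the VPN ports pinned to one server
# (203.0.113.10 is a documentation address, not a cryptostorm node).
pinned() { as_posted | sed -E 's/^(-A OUTPUT) (-o eno1 -p udp)/\1 -d 203.0.113.10\/32 \2/'; }

as_posted | audit_killswitch || true      # flags both port-only rules
pinned | audit_killswitch && echo "clean"
```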

exempt
Posts: 31
Joined: Sun Dec 29, 2013 7:49 am

Re: New auth error discovered

Postby exempt » Wed Jul 23, 2014 5:39 pm

vpnDarknet wrote:Great stuff thanks, making the changes of the network manager looks to have worked :)
I was reluctant to change resolv.conf as it reads:
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Think I'd read about changing the base files in the past though?

Do I need to hardcode login/pass into the conf files, for them to auto re-connect?

Thanks again for your help!


Yeah Ubuntu is odd like that. When you see a message like this it is best to heed the warnings and investigate the proper way. It seems like you are already familiar with this, Ubuntu uses resolvconf (/sbin/resolvconf) to handle nameserver information. This means that you should not edit the /etc/resolv.conf file directly because it will simply be overwritten when resolvconf (/sbin/resolvconf) executes. Instead, make the necessary changes to /etc/resolvconf/resolv.conf.d/base or even to /etc/resolvconf/resolv.conf.d/head to prepend the dynamically generated resolver configuration file.

In order to apply the changes, after adding the necessary information to the base file, run:

sudo resolvconf -u

