Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

Can't Authenticate On Any Node

Looking for assistance with a cryptostorm connection issue? Post here & we'll help out. Also: if you're not sure where to post, do so here & we'll move things around as needed. Also: for quickest support, email our oddly calm & easygoing support reps at support@cryptostorm.is :)
User avatar

Topic Author
parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Can't Authenticate On Any Node

Postby parityboy » Sat Sep 03, 2016 6:11 am

Brand new token, 30 days left. Was working yesterday, now can't authenticate on:

Alors
Cantus
Jord
Onyx
Tagus
The England node

Tried with the token in both hashed and unhashed form, AUTH_FAILURE each time. This is on Mint 17.1 KDE, OpenVPN 2.3.2.


jeff442

Re: Can't Authenticate On Any Node

Postby jeff442 » Sat Sep 03, 2016 6:21 am

same here. same issue with different servers.

User avatar

privangle
Posts: 93
Joined: Thu Apr 25, 2013 5:57 am

Re: Can't Authenticate On Any Node

Postby privangle » Sat Sep 03, 2016 6:53 am

Hi parityboy,

same thing for me, I have lifetime token, look here

Now my impression is that it is a CS network problem.

5 minutes ago it worked again for some seconds, than it failed again, now it reworks...

Wait & see?

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Sat Sep 03, 2016 8:00 am

Is anyone still getting these auth failures?
The issue should be fixed as of about half an hour ago.

User avatar

privangle
Posts: 93
Joined: Thu Apr 25, 2013 5:57 am

Re: Can't Authenticate On Any Node

Postby privangle » Sat Sep 03, 2016 11:17 am

@df

it works, it doesn't work, it works, it doesn't work...

I assume you're working on it?

Best of luck and thank you for your work!

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Sat Sep 03, 2016 11:27 am

@privangle
the problem was fixed about 4 hours ago.
if you're still getting auth errors, double check the token you're using and make sure https://cryptostorm.nu/ confirms that it's valid.
email me at df@cryptostorm.is with your openvpn log and your token hash if you're still having problems connecting.

User avatar

privangle
Posts: 93
Joined: Thu Apr 25, 2013 5:57 am

Re: Can't Authenticate On Any Node

Postby privangle » Sat Sep 03, 2016 12:42 pm

Ok, thank you!

I did a reboot and tried again: all connections are working.

When trying I had one time "the same" problem, but my impression is that I was changing too fast from one connection to another.

So I waited 15 seconds and tried again and it works.
I did the next connection changes more slowly.

Do you think that changing to fast the connection could make some trouble?

My token and it's hash are valid for 21306 days.

User avatar

Topic Author
parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: Can't Authenticate On Any Node

Postby parityboy » Sat Sep 03, 2016 9:56 pm

@df

It seems to be stable now, the connection's been up for a number of hours. On a related note, I wondered how long it would be before you moved away from MongoDB. :P

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Sat Sep 03, 2016 11:26 pm

@parityboy
Actually, I completed the Mongo -> MySQL migration about 3 months ago :-P
This particular auth mod that went horribly wrong was to address an unlikely scenario that involves confiscation of multiple CS servers (and/or a customer's computer).

Before the mod, the auth script was pretty much the same thing that's @ https://b.unni.es/auth.txt
All I was changing was the wget line to include -U"a user agent" so that any auth requests to that remote CGI would include a specific user agent that the db's webserver could detect so that logs could be disabled for any requests that have that user agent.

Problem was, I completely forgot that in the auth script I uploaded for the public ( https://b.unni.es/auth.txt ), I changed the line:
if [ "$result" == "good" ]; then

from what it originally was, because I didn't want people knowing the real "positive" response from that web server for over-paranoid security reasons.
Since I used the above auth.txt as the baseline, it caused auth failures all around until I noticed the problem and fixed it (which luckily happened fairly quickly).

The reason for this mod is because before, the db's webserver was logging requests, which means if someone were to confiscate that server, they would have the token hash and the exit node's IP and a time stamp, all of which could be used to determine at what time a token was authorized and on which node.
While that doesn't mean the client's IP was ever exposed, it still might be useful in an investigation against a customer if the investigators manage to get traffic logs from that customer's ISP (or if the investigator confiscate the customer's computers), and if those investigators also were able to confiscate the db's web server system (if they were somehow able to figure out where it is :D).

That scenario is probably never going to happen, but if it does, it'll now be a complete waste of time :lol:

User avatar

Topic Author
parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: Can't Authenticate On Any Node

Postby parityboy » Sun Sep 04, 2016 5:20 am

@df

Excellent! :D I remember you wanted to move away from MongoDB a while back (about a year after CS went live, actually). Just out of interest, are you using any slave MySQL nodes, or are they all multiple masters? How does it compare to MongoDB in terms of node replication?

Also, does the tokenizer still only talk to one node or more than one?

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Sun Sep 04, 2016 5:52 am

@parityboy

For now, I've decided to go with a simple/single master so the token database is only on one server.
It would be possible to setup replication (which never worked in our Mongo setup), but that would mean the token db is on every node.
Not a huge security risk, but if someone confiscated a node they could DoS some random customers by using their token hashes and increasing the session counter (would be very unlikely that they could DoS a specific customer though because of the number of tokens in the db, and because the db only contains hashes and session counts and when the token was first activated).
The MySQL db is encrypted and backed up daily in case something horrible happens to the server, and the auth script is set to just let everyone in if that db server goes down for whatever reason.
That'll give me time to replace/fix it and/or restore the backups without affecting clients.

The tokenizer accesses this same db, so it's always accurate (and session counters actually work now).


afmcronnie

Re: Can't Authenticate On Any Node

Postby afmcronnie » Sun Sep 11, 2016 1:59 am

I get "Authorization Failed for That Token". I 2x checked the token against the verification email, its the correct token, I think it worked a few days ago, now it fails.

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Sun Sep 11, 2016 7:42 am

@afmcronnie
Verify your token at https://cryptostorm.nu/
If you're still having problems, email support@cryptostorm.is


Winehouse
Posts: 8
Joined: Fri Apr 22, 2016 11:53 pm

Re: Can't Authenticate On Any Node

Postby Winehouse » Thu Sep 22, 2016 8:39 pm

Hello.

I'm also getting the "Authentication Failed" error for all my nodes today. I get the error on both my Mac and my phone. I verified token and it says: That 365 day token is VALID and will expire in 230 days.

Any ideas?

Thanks.


zongosaiba

Re: Can't Authenticate On Any Node

Postby zongosaiba » Thu Sep 22, 2016 11:08 pm

Same here.
Token is still valid for a whole year.


Fulanx
Posts: 1
Joined: Mon Apr 10, 2017 7:28 am

Re: Can't Authenticate On Any Node

Postby Fulanx » Wed Apr 12, 2017 11:10 pm

I came across the same problem today. No explanation. Hash is fine. Nothing different.

User avatar

Fermi
Site Admin
Posts: 218
Joined: Tue Jun 17, 2014 11:42 am

Re: Can't Authenticate On Any Node

Postby Fermi » Wed Apr 12, 2017 11:31 pm

Hi,

we've changed our policy regarding the allowed simultaneous connections/token:
https://twitter.com/cryptostorm_is/status/852223442279579648

It boils down to the following:

Code: Select all

simultaneous connections/token (sc/t) count:
1M (and less) tokens: 1 sc/t
3M & 6M tokens: 2 sc/t
1Y & 2Y tokens: 4 sc/t


best regards,

/fermi


Malor
Posts: 13
Joined: Sun Nov 17, 2013 12:33 am

Re: Can't Authenticate On Any Node

Postby Malor » Thu Apr 13, 2017 8:01 am

Hey, guys? This change is messing me up pretty fierce. There seems to be some issue with the linux-useast servers, and they don't seem to be correctly updating the database when a connection drops. I've been banging on the validity checker with my token for at least fifteen minutes, and it still insists I've exceeded my maximum number of connections, when in fact my machine appears to have lost its connection hours ago.

Even the 1 month tokens probably oughta have a limit of 2, for exactly this reason. It makes us very vulnerable to infrastructure problems on your end.


100557662
Posts: 1
Joined: Thu Jul 16, 2015 10:03 am

Re: Can't Authenticate On Any Node

Postby 100557662 » Thu Apr 13, 2017 9:04 am

Malor wrote:Hey, guys? This change is messing me up pretty fierce. There seems to be some issue with the linux-useast servers, and they don't seem to be correctly updating the database when a connection drops. I've been banging on the validity checker with my token for at least fifteen minutes, and it still insists I've exceeded my maximum number of connections, when in fact my machine appears to have lost its connection hours ago.

Even the 1 month tokens probably oughta have a limit of 2, for exactly this reason. It makes us very vulnerable to infrastructure problems on your end.


I'm dealing with the same issue right now, and I agree. Currently waiting on linux-canada-east-udp for the connection to drop even though its been hours as well, while I'm waiting I cannot use any connections.. not happy at all.

User avatar

df
Site Admin
Posts: 285
Joined: Thu Jan 01, 1970 5:00 am

Re: Can't Authenticate On Any Node

Postby df » Thu Apr 13, 2017 9:35 am

FYI, there's a new v3 widget build that includes a fix for Windows users having max session issues, it's up @ https://cryptostorm.is/cryptostorm_setup.exe and the hashes are @ viewtopic.php?f=37&t=8955&p=17274#p17274

For the last two people using Linux, make sure that the config you're using has in it:

explicit-exit-notify 3

So that the server gets notified by your client when you exit.
Also, when you close openvpn make sure you're doing a ctrl+c only once to send a SIGINT, which allows the client to do a 'clean' exit that includes the signal sent to the server that decreases your session count.
If you do an 'unclean' exit with `kill -9` (SIGKILL), openvpn will instantly exit before sending out this signal and you'll have to wait up to 2 minutes for the server to timeout the connection.

If you're still having issues, feel free to email support@cryptostorm.is

User avatar

exempt
Posts: 31
Joined: Sun Dec 29, 2013 7:49 am

Re: Can't Authenticate On Any Node

Postby exempt » Thu Apr 13, 2017 10:54 am

I'm having this same issue on all exit nodes. It has been over 4 hours now.

"explicit-exit-notify 3" is already in the ovpn configs for mac

I've emailed but haven't received a response yet.

User avatar

exempt
Posts: 31
Joined: Sun Dec 29, 2013 7:49 am

Re: Can't Authenticate On Any Node

Postby exempt » Thu Apr 13, 2017 12:22 pm

My Issue has been fixed! The number of active sessions for my token needed to be reset. I waited, but it did not reset on its own.

I was having authentication failures suddenly today after the changes to the # of sessions per token.

https://cryptostorm.nu should only tell you if you token is valid and for how long, it should not say anything about the number of sessions.

For example:

GOOD
Image
BAD
Image

Make sure you are disconnected from all of your devices before checking. If you still see the second photo from above when you check your token, then your number of active sessions may need to be reset by a member of the cryptostorm team.

please email your token to support@cryptostorm.is

or hop on Cryptostorm IRC https://cryptostorm.nu/kiwi/ and pm Fermi


Return to “member support & tech assistance”

Who is online

Users browsing this forum: Boorbun21, Google [Bot] and 22 guests

cron

Login