
[Exits] England Node Not Passing Any Traffic


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

[Exits] England Node Not Passing Any Traffic

Postby parityboy » Mon Oct 15, 2018 3:35 pm

Has anyone else noticed this? I have the NL node configured identically and it works fine, but the England node (5.101.149.7) refuses to pass any traffic.


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Tue Oct 16, 2018 10:14 pm

I was struggling with that, Denmark was fine but England nothing.


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Wed Oct 17, 2018 2:17 am

@blurb

Yeah, I confirmed it directly from the desktop with Network Manager. My OP concerned pfSense, but the effect (unfortunately) is the same.


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Wed Oct 17, 2018 2:39 pm

@parityboy

There's been some 'movement'. Works now, but seems to take a while to settle in.

From my perspective, browser traffic comes in quickly, but using my preferred method of IP checking takes a good minute before it stops doing this -

Code:

$ whois $(curl ipinfo.io/ip)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    12  100    12    0     0     77      0 --:--:-- --:--:-- --:--:--    77
connect: Network is unreachable


Slowly, slowly catchy monkey...I suppose.


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Wed Oct 17, 2018 7:23 pm

@blurb

This is what I'm getting in my pfSense log:

Code:

Oct 17 14:18:27   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:18:47   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:19:07   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:19:07   openvpn   22625   [cryptostorm server] Inactivity timeout (--ping-restart), restarting
Oct 17 14:19:07   openvpn   22625   SIGUSR1[soft,ping-restart] received, process restarting
Oct 17 14:19:07   openvpn   22625   Restart pause, 2 second(s)
Oct 17 14:19:09   openvpn   22625   WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 17 14:19:09   openvpn   22625   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 17 14:19:09   openvpn   22625   Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 17 14:19:09   openvpn   22625   UDPv4 link local (bound): [AF_INET]192.168.1.33
Oct 17 14:19:09   openvpn   22625   UDPv4 link remote: [AF_INET]5.101.149.7:443


even though I have compression disabled in the configuration for the OpenVPN client. The RSA NL node (213.163.64.209) works fine, no issues.
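A way to triage a log like the one in the post above, as an added example that is not part of the original thread: it counts the LZO framing errors that precede a ping-restart and flags the missing server certificate verification. The log lines are a subset of those quoted in the post; the function name and the finding labels are assumptions made for the example.

```python
import re

# A subset of the pfSense log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
Oct 17 14:18:27   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:18:47   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:19:07   openvpn   22625   Bad LZO decompression header byte: 0
Oct 17 14:19:07   openvpn   22625   [cryptostorm server] Inactivity timeout (--ping-restart), restarting
Oct 17 14:19:07   openvpn   22625   SIGUSR1[soft,ping-restart] received, process restarting
Oct 17 14:19:09   openvpn   22625   WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 17 14:19:09   openvpn   22625   UDPv4 link remote: [AF_INET]5.101.149.7:443
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+openvpn\s+\d+\s+(.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET6?\]([\d.:a-fA-F]+)")


def triage(log_text):
    """Summarise an OpenVPN client log: framing errors, restarts, peer, findings."""
    report = {"framing_errors": 0, "ping_restarts": 0, "remote": None, "findings": []}
    pending = 0  # framing errors seen since the last restart
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Bad LZO decompression header byte"):
            # The packet did not start with a byte the client's LZO framing
            # accepts, so the two ends disagree on compression framing.
            report["framing_errors"] += 1
            pending += 1
        elif "Inactivity timeout (--ping-restart)" in msg:
            report["ping_restarts"] += 1
            # A restart right after framing errors: nothing usable got through.
            if pending and "compression-framing-mismatch" not in report["findings"]:
                report["findings"].append("compression-framing-mismatch")
            pending = 0
        elif "No server certificate verification method" in msg:
            # Any certificate issued by the same CA would be accepted as the
            # server; remote-cert-tls server or verify-x509-name addresses it.
            if "no-server-cert-verification" not in report["findings"]:
                report["findings"].append("no-server-cert-verification")
        elif (r := REMOTE.search(msg)):
            report["remote"] = r.group(1)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```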


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Wed Oct 17, 2018 8:45 pm

@parityboy.



Hmmm. That's reminiscent of what I was experiencing before df held my hand yesterday, well, a stage of the recovery anyway. As we're on different OSes, I'll have to leave it to your interpretation, and I may be off; consider this brainstorming, nothing as solid as direction.

I was in that same place when my config was a mix of old and new. Clearing out my old assumptions was key!

Even with compression turned off in the GUI, I needed compress in the extended options. Also, although I needed to set it to negotiate the connection within the GUI, the directive cipher AES-256-GCM also needed to be in extended config. And using the GUI for that static key was a no-go, it needed also to be in the extended config.

I *think* those were the steps that finally got things moving. I'm not familiar with PFS though (it's on a vm I've only poked at briefly), sorry mate.

ETA
Oh, and SHA512 as the Auth Digest. Which strikes me as a weird contradiction based upon reading about the new ways.

OpenVPN is too complicated.


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Wed Oct 17, 2018 9:10 pm

...that works-on-some-but-not-others confused me, y'know. Still does. I thought all the nodes were instances - identical in all ways.


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Thu Oct 18, 2018 3:05 am

@blurb

Well if I remember rightly, you've got it running on a Tomato-based router (which is based on Linux). I've experienced this issue on both Linux Mint 18.3 and pfSense 2.3.4 (which is based on FreeBSD).

Also yes, all of the nodes are physical machines running multiple instances of OpenVPN, each with a different configuration (RSA, ECC, ed448 and ed25519) and set of IPs.

My issue(s) lie with the legacy England RSA node - I haven't tested the other node types yet. I'm intrigued as to why the RSA ENG node fails yet the RSA NL node succeeds. Since the configs on my end are identical (and have been for some time) I can only assume that the England node has a slightly different configuration to the legacy NL node (and possibly others).

I'm going to go ahead and test all of the other RSA nodes and see how they fare. I'll report back shortly. :)

 ! Message from: parityboy
Edited to clarify that the nodes in question are the legacy RSA nodes.


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Thu Oct 18, 2018 5:47 am

@blurb,@df

OK, I've tested all of the legacy EU nodes (linux-<location>.cryptostorm.net). The following nodes connect and successfully pass traffic:

Code:

Denmark
Dusseldorf
Frankfurt
Finland
Latvia
Netherlands
Paris
Poland
Romania
Rome
Sweden
Switzerland


The following nodes are broken and refuse to pass traffic:

Code:

England
Portugal


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Thu Oct 18, 2018 2:21 pm

Ah, yeah, I misunderstood. Get ya now.

All I know is the lack of being able to connect to the England node (a go-to for me) prompted my upgrading to ecc. The config in my router that had worked for years became a pain in the arse. What you say rings true from my experience, but as we're the only two bitching about it...*shrug*

Also, I didn't even know the upgrade was coming - I thought my token had run out at first. That new blog is a good thing in countering ignorance of wtfs going on to my mind, gives a chance to catch on things (it's easy to miss tweets if, like me, you're not a big user of it).

Tangential moaning:

...I keep going to this, but fuck openvpn. I've been playing with wireguard for a couple of years now, and shadowsocks more recently (and I use mosh instead of ssh a lot of the time), and they're really making it look like an over-complex headfuck that breaks too easily. They just work, ovpn needs its hand-holding too much. All that bullshit in the user config, oh please. It feels so old-fashioned now.


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Thu Oct 18, 2018 4:46 pm

@blurb

Yeah, Wireguard looks really nice. Needs more router support and therefore greater adoption, but it needs auditing before anything else.

OpenVPN is complex and annoying, but on the other hand it was the first decent VPN that wasn't closed code (i.e. enterprise and therefore expensive and/or unavailable to the masses), so I wouldn't moan too hard tbh. It laid the path for others. :)

I'm currently running pfSense 2.3.4 which in turn uses OpenVPN 2.3.17. At some point I'll test out one of the newer RSA nodes, or maybe do a wholesale upgrade to pfSense 2.4.x (probably when I get a better hardware router and maybe a faster Internet connection).

I'm not a great Twitter user either; it doesn't help that all of the desktop clients are broken due to Twitter's API changes. :(


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: [Exits] England Node Not Passing Any Traffic

Postby blurb » Thu Oct 18, 2018 7:40 pm

Well, my man, if my experience (once I got the fucker to work) is any encouragement to go through the hassle - on the same device it's feeling nice in terms of usage. As I showed on the speedtest thread, it's not lost any performance. In fact - but this might be my imagination - it feels slightly snappier.

...and from my deeply average nix user non-sysadmin view, wireguard is bloody lovely. Dead easy to set up, and being able to change ip and it just come back up all by itself without hiccup is How It Should Be. I'm told doing it commercially and properly separating users could be a toughie, but where there's a will there's a way.

As for auditing...how complex is openvpn + openssl? I pity the fool who tried to go through their code.

All I want from my vpn provider is my ISP not logging our deeply boring ~300gigs worth of family traffic a month, and I like the fact that they block most marketing shit - on principle rather than need, we're not exactly challenging the status quo here, y'know? Having to deal with Ole Faithful, with its 90s ways...oh man.

Soz for the waffle. I'm off work! Still, I'll stfu now :D


df
Site Admin
Posts: 409
Joined: Thu Jan 01, 1970 5:00 am

Re: [Exits] England Node Not Passing Any Traffic

Postby df » Fri Oct 26, 2018 1:34 am

Ah, I see where I fucked up. Server-side, 5.101.149.6 is the legacy *nix instance and 5.101.149.7 is the legacy win/ecc instance, but in the DNS windows-england.* resolves to 5.101.149.6 and linux-england.* resolves to 5.101.149.7.
So I accidentally switched the two. Just fixed that, so should be good now.

As for Portugal, that one's DNS is set up correctly. Server-side win/ecc instance is 109.71.42.164 and nix is 109.71.42.163, same thing the DNS points to. I do see one mistake in the iptables rules, for the nix IP it was doing 1-5059 -> 443, 5060 -> 5060, 5061-29999 -> 443, when it shouldn't be doing the 5060 -> 5060 part.
But that wouldn't cause routing problems unless you connected to port 5060 of the legacy nix instance.
Just tested the old lisbon win config from ubuntu, that one works fine.
The old nix config connects, but is extremely slow (I had to bump --hand-window 17 up to 60).
Oh right, I noticed this issue when I was doing the upgrade on lisbon.
I thought it was something wrong with the (new) legacy configs, but it's exactly the same as the legacy config on the .nl node, everything but the IPs is the same. Never could figure out wtf is going on. Packet loss randomly occurs between 10-80%. Any bandwidth tests I do on the IP from the server show that routing is fine.
For whatever reason, strace shows OpenVPN's syscalls are being processed very slowly, but only for that one legacy *nix UDP RSA instance. Legacy *nix TCP RSA seems to be working fine.
*shrugs*
Guess now is a good time to upgrade to the new configs :P
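The DNS mix-up described in the post above can be caught by comparing resolved addresses against the server-side inventory. The following is an added example, not part of the original thread and not cryptostorm's tooling: the IP addresses are the ones given in the post, while the role labels used as keys, the function names and the injectable resolver are assumptions made for the example.

```python
import socket

# Server-side inventory as stated in the post. The keys are constructed role
# labels, because the page elides the real domain ("windows-england.*").
EXPECTED = {
    "england/legacy-nix": "5.101.149.6",
    "england/legacy-win-ecc": "5.101.149.7",
    "portugal/legacy-nix": "109.71.42.163",
    "portugal/legacy-win-ecc": "109.71.42.164",
}

# DNS answers as the post describes them before the fix (England swapped).
OBSERVED_BEFORE_FIX = dict(EXPECTED, **{
    "england/legacy-nix": "5.101.149.7",
    "england/legacy-win-ecc": "5.101.149.6",
})


def audit(expected, resolve):
    """Return (mismatches, swaps) for an inventory and a name -> IP resolver."""
    owner = {ip: name for name, ip in expected.items()}
    mismatches = {}
    for name, want in expected.items():
        try:
            got = resolve(name)
        except (OSError, KeyError):  # socket.gaierror is an OSError
            got = None
        if got != want:
            mismatches[name] = (want, got)
    # A swap: A resolves to B's address while B resolves to A's address.
    swaps = set()
    for name, (want, got) in mismatches.items():
        other = owner.get(got)
        if other in mismatches and mismatches[other][1] == want:
            swaps.add(tuple(sorted((name, other))))
    return mismatches, sorted(swaps)


def live_resolver(name_to_host):
    """Resolver for real use: maps a role label to a hostname, then asks DNS."""
    return lambda name: socket.gethostbyname(name_to_host[name])


if __name__ == "__main__":
    # Offline run against the constructed "before the fix" answers.
    print(audit(EXPECTED, OBSERVED_BEFORE_FIX.__getitem__))
```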


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Sat Oct 27, 2018 8:15 am

@df

Sounds like something might be broken in the kernel running on that machine, or maybe sysctl needs a tweak? No reason why UDP should have issues when TCP works fine and the Windows-optimised instances also work fine.


df
Site Admin
Posts: 409
Joined: Thu Jan 01, 1970 5:00 am

Re: [Exits] England Node Not Passing Any Traffic

Postby df » Sat Oct 27, 2018 8:47 am

@parityboy
Could be kernel related, Portugal does still have one built in 2017. It's just odd that the new UDP RSA and legacy TCP RSA work fine, it's only legacy UDP RSA that's showing this behavior.
It's also odd that everything's using the same OpenVPN/OpenSSL version and same sysctl params, and that there are other nodes with the exact same kernel/configs with legacy instances that don't show this behavior.

My guess is it's something very specific at the hardware level that the Portugal machine has that the other ones don't. Either way, I'll go ahead and upgrade the kernel there and see if that fixes things.

If not, I'll unplug it and plug it back in, that fixes everything :-P


Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

Re: [Exits] England Node Not Passing Any Traffic

Postby parityboy » Sat Oct 27, 2018 3:31 pm

@df

I agree. :P On that note, what happened to the Spain node? I see the legacy one has been consolidated onto the Portugal node and the newer configs (including RSA) have no Spain node at all.


df
Site Admin
Posts: 409
Joined: Thu Jan 01, 1970 5:00 am

Re: [Exits] England Node Not Passing Any Traffic

Postby df » Sat Nov 10, 2018 9:21 pm

@parityboy
The Spain node was removed a while back, but I wasn't sure if the removal was going to be permanent or temporary, so temporarily I pointed the Spain DNS to Portugal.
Turns out the removal was permanent, but for a few months I forgot that the Spain DNS & configs still existed.
When I realized the configs were still there, I deleted them but left the DNS. Then when I did that network upgrade I finally deleted the DNS.

IIRC, the reason for the removal was that the data center's connectivity was crap. Constant disconnects, random packet loss, etc. plus a price tag that wasn't worth all the problems that network had.

