public inbox for govpn-devel@lists.cypherpunks.ru
Atom feed
* [Govpn-devel] Invalid server's random number
@ 2016-10-19 16:05 Bruno Clermont
  2016-10-19 16:57 ` Bruno Clermont
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Bruno Clermont @ 2016-10-19 16:05 UTC (permalink / raw)
  To: govpn-devel

Hello,

I’m using GoVPN between 2 Linux hosts. It worked once, and since then I can’t bring a connection up anymore; I get the following error:

handshake.go:290: Invalid server's random number with $PEER

I did my homework and even spent some time trying to figure out why by looking at the code. But that function is quite cryptic to me. So, what does this error mean? What causes it? How do I fix it?

Bonus question: would it be very hard to add support for TUN interfaces instead of TAP?

Thanks for GoVPN!

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] Invalid server's random number
  2016-10-19 16:05 [Govpn-devel] Invalid server's random number Bruno Clermont
@ 2016-10-19 16:57 ` Bruno Clermont
  2016-10-19 19:45   ` Sergey Matveev
  2016-10-19 19:45 ` Sergey Matveev
  2016-10-29 18:05 ` [Govpn-devel] TUN interfaces (was: Invalid server's random number) Sergey Matveev
  2 siblings, 1 reply; 11+ messages in thread
From: Bruno Clermont @ 2016-10-19 16:57 UTC (permalink / raw)
  To: govpn-devel

I’m sorry for the duplicated message, but I resent it after subscribing, because http://lists.cypherpunks.ru/mailman/listinfo/govpn-devel says:

> Messages are accepted only from subscribed maillist members. 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] Invalid server's random number
  2016-10-19 16:05 [Govpn-devel] Invalid server's random number Bruno Clermont
  2016-10-19 16:57 ` Bruno Clermont
@ 2016-10-19 19:45 ` Sergey Matveev
  2016-10-20 13:27   ` Bruno Clermont
  2016-10-29 18:05 ` [Govpn-devel] TUN interfaces (was: Invalid server's random number) Sergey Matveev
  2 siblings, 1 reply; 11+ messages in thread
From: Sergey Matveev @ 2016-10-19 19:45 UTC (permalink / raw)
  To: govpn-devel

Greetings!

*** Bruno Clermont <bruno@robotinfra•com> [2016-10-19 19:25]:
>handshake.go:290: Invalid server's random number with $PEER
>I did my homework, even spent some time trying to figure why looking at the code. But that function is quite cryptic to me. So, what this error mean? What cause this? How to fix?

http://www.govpn.info/Handshake.html
The second message, sent from the server to the client, contains a randomly
generated RS (Random number of Server), which is sent enciphered to the
client. The client has to decrypt it and send it back to the server in the
third encrypted message, confirming that the second message was deciphered
successfully and that it really was received from the server exactly
during that session. The server checks that the received RS equals the one
saved in Handshake.rServer.

Actually I have never seen this part failing. In theory that means that
your handshake packets were tampered with: a man-in-the-middle changed their
contents. But in practice I cannot guess what is going wrong (if no
traffic is really being tampered with).

Do you have equal GoVPN versions (6.0 on both sides)?
Are you using amd64, a 64-bit platform?
If you run tcpdump and listen for the traffic on GoVPN's port, are there
really only three packets passed between them (C->S, S->C, C->S)?

Be sure that all your configuration on the client and server side is
equal! For example, if you enable "-encless" mode just on one side,
nothing will work; if you enable -noise/-cpr/etc. options, nothing
will work either. You have to use symmetrically equal configuration
options on both sides. GoVPN has a very simple protocol without any
options and configuration agreement/coordination (this is an additional
possible attack vector).

If everything is ok there (try to set up all configuration from the
ground up, from the very beginning), then personally I would add debugging
prints in the code to see whether the encryption keys, nonces and deciphered
information are the same on both sides and when they become different.

>Bonus question: could it be very hard to add support for tun interface instead of tap?

"instead of" -- no, "in addition to" -- seems to be yes :-)
I have never worked with TUN interfaces, but it seems that working with
them is the same as with TAP ones, just with slightly different structures.
So it should be relatively easy. I added TUN support to the TODO list, but
currently I can give no time estimate for when it will be done (too much
work now :-().

-- 
Happy hacking


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] Invalid server's random number
  2016-10-19 16:57 ` Bruno Clermont
@ 2016-10-19 19:45   ` Sergey Matveev
  0 siblings, 0 replies; 11+ messages in thread
From: Sergey Matveev @ 2016-10-19 19:45 UTC (permalink / raw)
  To: govpn-devel

*** Bruno Clermont <bruno@robotinfra•com> [2016-10-19 21:39]:
>I’m sorry for the duplicated message, but I resent it after subscribed. Because http://lists.cypherpunks.ru/mailman/listinfo/govpn-devel
>> Messages are accepted only from subscribed maillist members. 

No problem. Due to the high spam rate this restriction was turned on.

-- 
Happy hacking


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] Invalid server's random number
  2016-10-19 19:45 ` Sergey Matveev
@ 2016-10-20 13:27   ` Bruno Clermont
  2016-10-20 19:36     ` Sergey Matveev
  0 siblings, 1 reply; 11+ messages in thread
From: Bruno Clermont @ 2016-10-20 13:27 UTC (permalink / raw)
  To: Sergey Matveev; +Cc: govpn-devel


> On 20 Oct 2016, at 03:45, Sergey Matveev <stargrave@stargrave•org> wrote:
> 
> If everything is ok there (try to setup all configuration from the
> ground, from very beginning), then personally I will add debugging
> print-s in the code to see are encryption keys, nonces and deciphered
> information is the same on both sides and when it becomes different.

I tested and it works perfectly over TCP.

For UDP, it’s worse than yesterday: the GoVPN server never receives any packets.
I see traffic coming on the wire with `tshark`, firewall rules are valid. I added plenty of debug code myself and it doesn’t even reach `conn.ReadFromUDP(buf)` anymore.

I blame the VM with its 2.5 years of uptime. It probably needs a reboot or something.

> Just slightly another structures.
> So should be relatively easy. I added TUN support to the TODO list, but
> currently can give no time expectations when it will be done

OS X used to need 3rd-party drivers for TUN; now it’s built in.
Only IPv4/IPv6 can go in, with no Ethernet overhead; this can increase GoVPN throughput.

TAP interfaces aren’t available on Android and iOS. TUN is available… which means the GoVPN client can be used on mobile OSes (easy with Go, just need to move some of the govpn/govpn-client logic out into a separate package).


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] Invalid server's random number
  2016-10-20 13:27   ` Bruno Clermont
@ 2016-10-20 19:36     ` Sergey Matveev
  0 siblings, 0 replies; 11+ messages in thread
From: Sergey Matveev @ 2016-10-20 19:36 UTC (permalink / raw)
  To: govpn-devel

*** Bruno Clermont <bruno@robotinfra•com> [2016-10-20 16:55]:
>I tested and it works perfectly over TCP.

Great!

>For UDP, it’s worse than yesterday: the GoVPN server never receives any packets.
>I see traffic coming on the wire with `tshark`, firewall rules are valid. I added plenty of debug code myself and it doesn’t even reach `conn.ReadFromUDP(buf)` anymore.

I see. Well, it seems that something is on your OS side. I have not used
GNU/Linux for a long time, so I do not know where best to look (sysctl
options?).

>OS X used to need 3rd-party drivers for TUN; now it’s built in.
>Only IPv4/IPv6 can go in, with no Ethernet overhead; this can increase GoVPN throughput.
>
>TAP interfaces aren’t available on Android and iOS. TUN is available… which means the GoVPN client can be used on mobile OSes (easy with Go, just need to move some of the govpn/govpn-client logic out into a separate package).

Sounds interesting. My personal needs required exactly Ethernet
tunnelling, so I wasn't thinking about TUN. It seems a very useful thing,
so it certainly needs to be done. Thanks for the suggestion!

-- 
Happy hacking


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] TUN interfaces (was: Invalid server's random number)
  2016-10-19 16:05 [Govpn-devel] Invalid server's random number Bruno Clermont
  2016-10-19 16:57 ` Bruno Clermont
  2016-10-19 19:45 ` Sergey Matveev
@ 2016-10-29 18:05 ` Sergey Matveev
  2016-10-29 18:12   ` Bruno Clermont
  2 siblings, 1 reply; 11+ messages in thread
From: Sergey Matveev @ 2016-10-29 18:05 UTC (permalink / raw)
  To: govpn-devel

*** Bruno Clermont <bruno@robotinfra•com> [2016-10-19 19:25]:
>Bonus question: could it be very hard to add support for tun interface instead of tap?

Added in https://git.cypherpunks.ru/cgit.cgi/govpn.git/commit/?id=a11b0bda178937e6891770f40f800d69b5640313
I have tested that it works under Trisquel GNU/Linux i386. The change is
trivial. FreeBSD works without any additional modifications.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [Govpn-devel] TUN interfaces (was: Invalid server's random number)
  2016-10-29 18:05 ` [Govpn-devel] TUN interfaces (was: Invalid server's random number) Sergey Matveev
@ 2016-10-29 18:12   ` Bruno Clermont
  0 siblings, 0 replies; 11+ messages in thread
From: Bruno Clermont @ 2016-10-29 18:12 UTC (permalink / raw)
  To: govpn-devel


I just noticed that very interesting change in the 7.0 release announcement. I will investigate OS X, Android and Windows support soon.
Thank you!


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [govpn-devel] Invalid server's random number
  2017-03-01 15:54 [govpn-devel] Invalid server's random number Le Blanc
@ 2017-03-01 20:36 ` Sergey Matveev
  0 siblings, 0 replies; 11+ messages in thread
From: Sergey Matveev @ 2017-03-01 20:36 UTC (permalink / raw)
  To: govpn-devel

Greetings!

*** Le Blanc <gleblanc@fdn•fr> [2017-03-01 19:30]:
>sometimes my client disconnects from the govpn-server; when I try to
>reconnect the govpn-client with the same key I've used and same config, I
>have an "Invalid server's random number" on the server side, and if I
>restart the server it works again.
>I don't know if the problem is on my side (configuration issue, I've
>checked a lot before posting here), or network related, or it's govpn.
>Before 7.0 this kind of stuff never happened (as far as I can remember).

Well, this is not the first time that issue has been reported:
https://lists.cypherpunks.ru/pipermail/govpn-devel/2016-October/000098.html
But it happened even before the 7.0 release. Bruno Clermont said that it
worked in TCP transport mode. He made some refactorings of the code and
possibly this bug does not appear anymore in his case. I could not
reproduce that issue and have never seen it in my setups, but I use
FreeBSD (most other users use GNU/Linux).

Honestly I do not know what to suggest, except to use prints to debug
what is happening. Unfortunately I have not met that kind of bug: I
use all GoVPN versions between my computers every day, passing all
traffic through them, and govpn-server stays alive without any restarts
(until a reboot or GoVPN upgrade is required).

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [govpn-devel] Invalid server's random number
@ 2017-03-01 15:54 Le Blanc
  2017-03-01 20:36 ` Sergey Matveev
  0 siblings, 1 reply; 11+ messages in thread
From: Le Blanc @ 2017-03-01 15:54 UTC (permalink / raw)
  To: govpn-devel

I'm a little confused about an issue I encounter:

sometimes my client disconnects from the govpn-server; when I try to
reconnect the govpn-client with the same key I've used and same config, I
have an "Invalid server's random number" on the server side, and if I
restart the server it works again.
I don't know if the problem is on my side (configuration issue, I've
checked a lot before posting here), or network related, or it's govpn.
Before 7.0 this kind of stuff never happened (as far as I can remember).

I hope someone can help, thanks in advance.

-- 
G. Le Blanc


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Govpn-devel] Invalid server's random number
@ 2016-10-19 16:00 Bruno Clermont
  0 siblings, 0 replies; 11+ messages in thread
From: Bruno Clermont @ 2016-10-19 16:00 UTC (permalink / raw)
  To: govpn-devel

Hello,

I’m using GoVPN between 2 Linux hosts. It worked once, and since then I can’t bring a connection up anymore; I get the following error:

handshake.go:290: Invalid server's random number with $PEER

I did my homework and even spent some time trying to figure out why by looking at the code. But that function is quite cryptic to me.

So, what does this error mean? What causes it? How do I fix it?

Bonus question: would it be very hard to add support for TUN interfaces instead of TAP?

Thanks for GoVPN!

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2017-03-01 20:36 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-19 16:05 [Govpn-devel] Invalid server's random number Bruno Clermont
2016-10-19 16:57 ` Bruno Clermont
2016-10-19 19:45   ` Sergey Matveev
2016-10-19 19:45 ` Sergey Matveev
2016-10-20 13:27   ` Bruno Clermont
2016-10-20 19:36     ` Sergey Matveev
2016-10-29 18:05 ` [Govpn-devel] TUN interfaces (was: Invalid server's random number) Sergey Matveev
2016-10-29 18:12   ` Bruno Clermont
  -- strict thread matches above, loose matches on Subject: below --
2017-03-01 15:54 [govpn-devel] Invalid server's random number Le Blanc
2017-03-01 20:36 ` Sergey Matveev
2016-10-19 16:00 [Govpn-devel] " Bruno Clermont