Hello, I'm using GoVPN between 2 Linux hosts. It worked once and then I can't bring a connection up anymore; I get the following error:

handshake.go:290: Invalid server's random number with $PEER

I did my homework, even spent some time trying to figure out why by looking at the code. But that function is quite cryptic to me. So, what does this error mean? What causes this? How do I fix it?

Bonus question: would it be very hard to add support for tun interfaces instead of tap? Thanks for GoVPN!
I'm sorry for the duplicated message, but I resent it after subscribing, because http://lists.cypherpunks.ru/mailman/listinfo/govpn-devel says:
> Messages are accepted only from subscribed maillist members.
Greetings!

*** Bruno Clermont <bruno@robotinfra•com> [2016-10-19 19:25]:
> handshake.go:290: Invalid server's random number with $PEER
> I did my homework, even spent some time trying to figure out why by looking at the code. But that function is quite cryptic to me. So, what does this error mean? What causes this? How do I fix it?

http://www.govpn.info/Handshake.html

The second message, sent from the server to the client, contains a randomly generated RS (Random number of Server), which is sent enciphered to the client. The client has to decrypt it and send it back to the server in the third encrypted message, confirming that the second message was deciphered successfully and that it really received it from the server exactly during that session. The server checks that the received RS equals the one saved in Handshake.rServer.

Actually I have never seen this part failing. In theory that means that your handshake packet was tampered with: a man-in-the-middle changed its contents. But in practice I can not assume what is going wrong (if no traffic is really being tampered with).

Do you have equal GoVPN versions (6.0 on both sides)? Are you using amd64, a 64-bit platform? If you run tcpdump and listen for the traffic on GoVPN's port, are there really only three packets passed between them (C->S, S->C, C->S)?

Be sure that all your configuration on the client and server side is equal! For example, if you enable "-encless" mode on just one side, nothing will work; if you enable -noise/-cpr/etc. options on one side only, nothing will work either. You have to use symmetrically equal configuration options on both sides. GoVPN has a very simple protocol without any options and configuration agreement/coordination (that is an additional possible attack vector).

If everything is ok there (try to set up all configuration from the ground up, from the very beginning), then personally I would add debugging prints in the code to see whether the encryption keys, nonces and deciphered information are the same on both sides and when they become different.

> Bonus question: would it be very hard to add support for tun interfaces instead of tap?

"Instead of" -- no, "in addition to" -- seems to be yes :-) I have never worked with TUN interfaces, but it seems that working with them is the same as with TAP ones, just with slightly different structures. So it should be relatively easy. I added TUN support to the TODO list, but currently I can give no time expectations for when it will be done (too much work now :-().

-- Happy hacking
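As an added illustration of the RS round-trip Sergey describes (not GoVPN's handshake.go, whose ciphers, message layout and Handshake struct differ): the server saves RS, sends it encrypted, and compares what the client echoes back in constant time. It assumes AES-GCM over a pre-shared key, a 32-byte RS, and the helper names NewAEAD/seal/open/Second/Check; the client's step is simply open followed by seal with its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Added illustration of the RS round-trip, not GoVPN's handshake.go; AES-GCM stands
// in for GoVPN's ciphers (assumption). Message 3 decrypted, but with a different RS:
var ErrInvalidRS = errors.New("Invalid server's random number")

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(a cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand; a failure here would be fatal in real code
	return a.Seal(nonce, nonce, msg, nil) // nonce||ciphertext, fresh nonce per packet
}

// open fails on truncation, tampering, or a key that differs from the peer's.
func open(a cipher.AEAD, pkt []byte) ([]byte, error) {
	if n := a.NonceSize(); len(pkt) >= n {
		return a.Open(nil, pkt[:n], pkt[n:], nil)
	}
	return nil, errors.New("short packet")
}

// Second: the server generates RS, keeps a copy (rServer) and sends it encrypted.
func Second(server cipher.AEAD) (rServer, msg2 []byte) {
	rServer = make([]byte, 32)
	rand.Read(rServer)
	return rServer, seal(server, rServer)
}

// Check: message 3 must decrypt AND echo exactly the saved RS (constant-time compare).
func Check(server cipher.AEAD, rServer, msg3 []byte) error {
	rs, err := open(server, msg3)
	if err == nil && subtle.ConstantTimeCompare(rs, rServer) != 1 {
		err = ErrInvalidRS // decryptable but wrong RS: the listed error
	}
	return err
}
```

Only a third message that decrypts correctly yet carries an RS other than the saved one produces ErrInvalidRS; an asymmetric configuration or a different key on one side fails at decryption instead, which is a different symptom worth telling apart when debugging.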
*** Bruno Clermont <bruno@robotinfra•com> [2016-10-19 21:39]:
> I'm sorry for the duplicated message, but I resent it after subscribing, because http://lists.cypherpunks.ru/mailman/listinfo/govpn-devel says:
>> Messages are accepted only from subscribed maillist members.

No problem. Due to the high spam rate this restriction was turned on.

-- Happy hacking
> On 20 Oct 2016, at 03:45, Sergey Matveev <stargrave@stargrave•org> wrote:
>
> If everything is ok there (try to set up all configuration from the ground up, from the very beginning), then personally I would add debugging prints in the code to see whether the encryption keys, nonces and deciphered information are the same on both sides and when they become different.

I tested and it works perfectly over TCP.

For UDP, it's worse than yesterday: the GoVPN server never receives any packets. I see traffic coming on the wire with `tshark`, and the firewall rules are valid. I added plenty of debug code myself and it doesn't even reach `conn.ReadFromUDP(buf)` anymore. I blame the VM with its 2.5 years of uptime. It probably needs a reboot or something.

> Just with slightly different structures. So it should be relatively easy. I added TUN support to the TODO list, but currently I can give no time expectations for when it will be done

OSX used to need 3rd party drivers for tun; now it's built in. Only IPv4/IPv6 can go in, with no Ethernet overhead; this can increase GoVPN throughput.

tap interfaces aren't available on Android and iOS. Tun is available, which means the GoVPN client can be used on mobile OSes (easy with Go, just need to move some of the govpn/govpn-client logic out into a separate package).
*** Bruno Clermont <bruno@robotinfra•com> [2016-10-20 16:55]:
> I tested and it works perfectly over TCP.

Great!

> For UDP, it's worse than yesterday: the GoVPN server never receives any packets.
> I see traffic coming on the wire with `tshark`, and the firewall rules are valid. I added plenty of debug code myself and it doesn't even reach `conn.ReadFromUDP(buf)` anymore.

I see. Well, it seems that something is on your OS side. I have not used GNU/Linux for a long time, so I do not know where better to look (sysctl options?).

> OSX used to need 3rd party drivers for tun; now it's built in.
> Only IPv4/IPv6 can go in, with no Ethernet overhead; this can increase GoVPN throughput.
>
> tap interfaces aren't available on Android and iOS. Tun is available, which means the GoVPN client can be used on mobile OSes (easy with Go, just need to move some of the govpn/govpn-client logic out into a separate package).

Sounds interesting. My personal needs required exactly Ethernet tunnelling, so I wasn't thinking about TUN. It seems a very useful thing, so it certainly needs to be done. Thanks for the suggestion!

-- Happy hacking
I'm a little confused about an issue I encounter: sometimes my client disconnects from the govpn-server; when I try to reconnect the govpn-client with the same key I've used and the same config, I get "Invalid server's random number" on the server side, and if I restart the server it works again. I don't know if the problem is on my side (configuration issue; I've checked a lot before posting here), or network related, or it's govpn. Before 7.0 this kind of thing never happened (as far as I can remember). I hope someone can help, thanks in advance.

-- G. Le Blanc
Greetings!

*** Le Blanc <gleblanc@fdn•fr> [2017-03-01 19:30]:
> sometimes my client disconnects from the govpn-server; when I try to
> reconnect the govpn-client with the same key I've used and the same config, I
> get "Invalid server's random number" on the server side, and if I
> restart the server it works again.
> I don't know if the problem is on my side (configuration issue; I've
> checked a lot before posting here), or network related, or it's govpn.
> Before 7.0 this kind of thing never happened (as far as I can remember).

Well, this is not the first time that issue has been reported: https://lists.cypherpunks.ru/pipermail/govpn-devel/2016-October/000098.html But it happened even before the 7.0 release. Bruno Clermont said that it worked in TCP transport mode. He made some refactorings of the code and possibly this bug does not appear anymore in his case. I could not reproduce that issue and have never seen it in my setups, but I use FreeBSD (most other users use GNU/Linux). Honestly I do not know what to suggest, just to use prints to debug what is happening. Unfortunately I have not met that kind of bug: I use all GoVPN versions between my computers every day, passing all traffic through them, and govpn-server stays alive without any restarts (until a reboot or GoVPN upgrade is required).

-- Sergey Matveev (http://www.stargrave.org/) OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF