HirbodBehnam/Shadowsocks-Cloak-Installer

connection problem to ovpn behind cloak

A2116 opened this issue · 19 comments

A2116 commented

When I want to connect to ovpn behind Cloak, it prompts me in the client:

time="2020-07-22T05:52:35+04:30" level=error msg="Failed to prepare connection to remote: EOF"

On the server it prompts:

INFO[0058] failed to read anything after connection is established: read tcp YYY.YYY.YYY.YYY:8443->XXX.XXX.XXX.XXX:65289: i/o timeout remoteAddr="XXX.XXX.XXX.XXX:65289"

Hello

  1. Is the openvpn using UDP?
  2. Does shadowsocks work with cloak?

A2116 commented

OpenVPN uses TCP; I want to test UDP after success with TCP.
Yes. Is there any incompatibility or conflict between these two?

Also make sure that you have correctly configured the server and client using this guide:
https://github.com/cbeuw/Cloak/wiki/Underlying-proxy-configuration-guides#openvpn

A2116 commented

Yes, I configured them from that doc.

No, I think there is no incompatibility.
TBH, I've never tested OpenVPN with Cloak. I will try it out later to see if the problem is with the script or with Cloak itself.

A2116 commented

Can it be because of the Cloak problem in Iran?

I'm not sure, because you said that shadowsocks is working, and your error messages are different from #24.

A2116 commented

No, I did not say shadowsocks is working; I said shadowsocks is installed.
As I am new to shadowsocks, I do not know why it's not working,
whether because of my wrong config or censorship.
But OpenVPN works fine without Cloak.

Oh!
My bad, sorry. The config that the script gives you must work. If not, it might be because of the Iran censorship.
If you want to check, you can use nc to set up a TCP server on your server and a TCP client on your own machine, then use Cloak to connect them. (I can explain the details later if you want to test this.)
If you think this is because of censorship, please close this issue and refer to #24.

A2116 commented

I tested ovpn, but this time with Cloak and without shadowsocks.
Again it prompts like before.
I should note that MTProto is working on my DSL connection, so I think it's not because of a fake-TLS problem.
But please explain to me the process of testing Cloak separately using nc.

A2116 commented

How can I increase the timeout? It seems all errors are because of the i/o timeout.

  1. I don't think it is a timeout problem, because the default timeout is 5 minutes. You can change it in /etc/cloak/ckserver.json.
  2. I think this behavior is somehow like whitelister. The client receives End of File (meaning the connection must close) while the server times out because no data is received. So I'm going to close this issue as a duplicate of #24. If you think this is a problem with the script, please tell me to re-open the issue.
  3. I will write the nc tutorial later after I fix the bug you reported earlier.

A2116 commented

OK, I'll wait for the nc tutorial.

A2116 commented

I built a test VM on my PC
and installed OpenVPN and Cloak on it.
I tested OpenVPN directly and it works fine.
Also, I tested Cloak using nc and it works fine too.
But with the same setup as for nc and a different proxy rule for it, it does not connect behind Cloak.
On the server side, I added
local 127.0.0.1 to the server config file and restarted the OpenVPN service.
On the client side, I changed the target from 192.168.2.124 to 127.0.0.1.
Also, I stopped the ck-server service and ran it manually to see its log.

Below is the server-side log:

INFO[0084] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
INFO[0084] Session closed UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="Failed to connect to proxy server" sessionID=1279337380
INFO[0084] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
INFO[0096] New session UID="arxn/uSbVkeg+eD6xgwI7Q==" sessionID=3716463871
INFO[0120] Session closed UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="a connection has dropped unexpectedly" sessionID=3716463871
INFO[0120] Terminating active user UID="arxn/uSbVkeg+eD6xgwI7Q==" reason="no session left"
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60022" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60023" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60025" sessionId=3936174049
WARN[0201] invalid proxy method UID="arxn/uSbVkeg+eD6xgwI7Q==" encryptionMethod=1 proxyMethod=cloakovpnloc remoteAddr="192.168.2.123:60024" sessionId=3936174049

And this is the client-side log:

time="2020-07-22T23:27:11+04:30" level=info msg="Starting standalone mode"
time="2020-07-22T23:27:11+04:30" level=info msg="Listening on TCP 127.0.0.1:48443 for cloakovpnlocal client"
time="2020-07-22T23:27:15+04:30" level=info msg="Attempting to start a new session"

Below is the server config file:

local 127.0.0.1
port 48443
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.2.110"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_rdQZnfuKyj3kmvUB.crt
key server_rdQZnfuKyj3kmvUB.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

Below is the client config file:

client
proto tcp-client
remote 127.0.0.1 48443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_rdQZnfuKyj3kmvUB name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Below is the ckserver.json file:

{
  "ProxyBook": {
    "cloakovpnlocal": ["tcp", "127.0.0.1:48443"],
    "panel": ["tcp", "127.0.0.1:0"],
    "nclocal": ["tcp", "127.0.0.1:12345"]
  },
  "BypassUID": [
    "ZU3pfZUc6OQ+vvZ0gEmA4A==",
    "arxn/uSbVkeg+eD6xgwI7Q=="
  ],
  "BindAddr": [":8443"],
  "RedirAddr": "204.79.197.200",
  "PrivateKey": "+GooAh1+lfmjTz4ppuCFmPDkdI8xSeS/skwwh7hr3lQ=",
  "AdminUID": "8mSgMtBc6hKuyuoIgcJrVg==",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}

Below is the cloakovpnlocal.json file:

{
  "ProxyMethod": "cloakovpnlocal",
  "EncryptionMethod": "aes-gcm",
  "UID": "arxn/uSbVkeg+eD6xgwI7Q==",
  "PublicKey": "ZSprHBRoo6RlkTKQ7UxswLF5yxrHUU4SF78vTTppiFY=",
  "ServerName": "204.79.197.200",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300
}

What is the problem and what should I do?

A2116 commented

Besides the Iran censorship, there is an incompatibility between Cloak and OpenVPN.
I installed Cloak and it enables firewalld.
Then I added the TCP and UDP ports for OpenVPN to firewalld.
OpenVPN can connect, but web browsing is impossible.
I think it's a problem with nameservers.
When Cloak runs on the server, even if the client connects to OpenVPN directly, there is a problem with the DNS service that doesn't allow web surfing.
I think the system can't resolve web addresses to IPs, so web surfing becomes impossible,
and I don't know why or what I should do.

OK, now something catches my eye.
If you read here you will see that the proxy method is 12 bytes. However, your proxy method is 14 bytes. I suggest that you change your proxy name and try again. Also, later I will add a limiter to the script to limit the proxy name to 12 characters.
Also, I tested my script to see if the new rules are added to the server config, but I haven't actually tested whether you are able to connect through them or not! I will test that too.
I don't know if your OpenVPN config is correct or not, because 1. I'm a noob and 2. I haven't worked with OpenVPN a lot. To ask more about OpenVPN, it is a good idea to continue this thread here.

Update: I have tested the nc setup myself and it is working. However, I realized that I cannot use uppercase characters in my proxyMethod. I will add a warning about this in my script.
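The two failure modes that surface in this thread can be checked before starting ck-server: a ProxyBook key that is longer than the 12 bytes the proxy method field holds (or that contains uppercase characters, per the comment above), and a backend that ck-server cannot reach, which is what the "Failed to connect to proxy server" reason in the server log posted earlier means. The following is an added example and not code from the installer script or from Cloak; the 12-byte and lowercase limits are taken from this thread, the sample JSON is a copy of the ProxyBook posted above, and the function names are this example's own.

```python
import json
import socket

# Limits stated in this thread for a Cloak proxy method name (assumption: taken
# from the maintainer's comment, not from Cloak's own source).
MAX_PROXY_METHOD_BYTES = 12

# Constructed sample input: a copy of the ProxyBook posted in this thread.
SAMPLE_CKSERVER_JSON = """{
  "ProxyBook": {
    "cloakovpnlocal": ["tcp", "127.0.0.1:48443"],
    "panel": ["tcp", "127.0.0.1:0"],
    "nclocal": ["tcp", "127.0.0.1:12345"]
  }
}"""


def check_proxy_name(name):
    """Return a list of problems with a ProxyBook key; an empty list means it is fine."""
    problems = []
    size = len(name.encode("utf-8"))
    if size > MAX_PROXY_METHOD_BYTES:
        problems.append(f"{name!r} is {size} bytes; the field holds {MAX_PROXY_METHOD_BYTES}")
    if name != name.lower():
        problems.append(f"{name!r} contains uppercase characters")
    return problems


def backend_reachable(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port.

    ck-server needs this before it can forward a session; otherwise the session
    is closed with reason "Failed to connect to proxy server".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_proxy_book(config_text, probe=True):
    """Validate every ProxyBook entry of a ckserver.json; returns {method: [problems]}."""
    book = json.loads(config_text)["ProxyBook"]
    report = {}
    for name, (proto, addr) in book.items():
        problems = check_proxy_name(name)
        host, _, port = addr.rpartition(":")
        port = int(port)
        # "127.0.0.1:0" is the unused-slot placeholder in the posted config; do not probe it.
        if probe and proto == "tcp" and port != 0 and not backend_reachable(host, port):
            problems.append(f"{name!r}: nothing is listening on {addr}")
        report[name] = problems
    return report


def with_temp_listener(fn):
    """Bind a throwaway TCP listener on 127.0.0.1 and call fn(port) while it is open.

    Stands in for the nc listener (or OpenVPN) so backend_reachable can be
    demonstrated without a real service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return fn(srv.getsockname()[1])
    finally:
        srv.close()


if __name__ == "__main__":
    for method, problems in check_proxy_book(SAMPLE_CKSERVER_JSON).items():
        print(method, "OK" if not problems else "; ".join(problems))
```

Run on the posted config, the script flags `cloakovpnlocal` for its 14-byte name, and it also reports whether OpenVPN is actually listening on 127.0.0.1:48443 on the machine where it runs; with the `local 127.0.0.1` line in the OpenVPN server config, that probe should succeed only on the server itself.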

A2116 commented

By decreasing the proxy method length, the problem on the local server is solved.
But on OVH it still has the problem, which is perhaps because of datacenter network limitations, because it works fine on another server.

A2116 commented

The problem between OpenVPN and Cloak is the firewall method: the angristan script for OpenVPN uses iptables, and your script for Cloak uses firewalld.
By restarting OpenVPN-iptables.service, which adds the VPN forwarding and routing rules, the problem is solved, and the funny thing is that I have to restart it twice, because every time the first restart exits with an error.
But if we want a fully automated server that does its job after boot without any manual command, we should add the service restart to the startup script.