pivpn -a sets proto to udp but it should be tcp
s-nt-s opened this issue · 2 comments
s-nt-s commented
In raising this issue I confirm that
- I have read the documentation
- I have read and understood the PiVPN General Guidelines
- I have read and understood the PiVPN Troubleshooting Guidelines
- The issue I am reporting isn't a duplicate, see closed issues and open issues.
- I have searched for similar issues and solutions
- I can replicate the issue even after a clean OS installation
Describe the issue
I am using tcp:
$ grep proto /etc/openvpn/server.conf
proto tcp
$ grep PROTO /etc/pivpn/openvpn/setupVars.conf
pivpnPROTO=tcp
but pivpn -a gives me udp:
$ pivpn -a nopass -n foo
How many days should the certificate last? 1080
* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars
* Notice:
Using SSL: openssl OpenSSL 1.1.1w 11 Sep 2023
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/ee5e6a61/temp.80c1600a'
-----
* Notice:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/foo.req
key: /etc/openvpn/easy-rsa/pki/private/foo.key
Using configuration from /etc/openvpn/easy-rsa/pki/ee5e6a61/temp.89821c97
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'foo'
Certificate is to be certified until Nov 10 01:52:45 2026 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
* Notice:
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/foo.crt
Client's cert found: foo.crt
Client's Private Key found: foo.key
CA public Key found: ca.crt
tls Private Key found: ta.key
========================================================
Done! foo.ovpn successfully created!
foo.ovpn was copied to:
/home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
$ grep proto foo.ovpn
proto udp
Expected behavior
The expected behaviour is proto tcp
Please describe the steps to replicate the issue
Create a new client with pivpn -a
Have you taken any steps towards solving your issue?
Reinstall pivpn
Screenshots
No response
Where did you run pivpn?
Raspberry
Please provide your output from uname -a
Linux bot 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
Details about Operative System
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Installation
No response
Profile / Client creation
$ pivpn -a nopass -n foo
How many days should the certificate last? 1080
* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars
* Notice:
Using SSL: openssl OpenSSL 1.1.1w 11 Sep 2023
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/ee5e6a61/temp.80c1600a'
-----
* Notice:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/foo.req
key: /etc/openvpn/easy-rsa/pki/private/foo.key
Using configuration from /etc/openvpn/easy-rsa/pki/ee5e6a61/temp.89821c97
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'foo'
Certificate is to be certified until Nov 10 01:52:45 2026 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
* Notice:
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/foo.crt
Client's cert found: foo.crt
Client's Private Key found: foo.key
CA public Key found: ca.crt
tls Private Key found: ta.key
========================================================
Done! foo.ovpn successfully created!
foo.ovpn was copied to:
/home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
Debug output
::: Generating Debug Output
:::: PiVPN debug ::::
=============================================
:::: Latest commit ::::
Branch: master
Commit: 701a817fed23e302b91b7677b81c5919fc4ec3f1
Author: kokomo123
Date: Tue Nov 7 14:46:43 2023 -0500
Summary: refactor(core): Change wording on the window (#1779)
=============================================
:::: Installation settings ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=192.168.1.69/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=tcp
pivpnPORT=1194
pivpnDNS1=8.8.8.8
pivpnDNS2=8.8.4.4
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.17.231.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=(grepcidr bsdmainutils iptables-persistent openvpn unattended-upgrades)
HELP_SHOWN=1
=============================================
:::: Server configuration shown below ::::
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4.crt
key /etc/openvpn/easy-rsa/pki/private/bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.17.231.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
:::: Client template file shown below ::::
client
dev tun
proto udp
remote REDACTED 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
:::: Recursive list of files in ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
foo.ovpn
gitactionuser.ovpn
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
openssl-easyrsa.cnf
palm.ovpn
private
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
vars
vars.example
x260.ovpn
/etc/openvpn/easy-rsa/pki/issued:
bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4.crt
bot_e6f6e9d9-817a-409c-83f5-87d2a0830e96.crt
foo.crt
gitactionuser.crt
palm.crt
x260.crt
/etc/openvpn/easy-rsa/pki/private:
bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4.key
bot_e6f6e9d9-817a-409c-83f5-87d2a0830e96.key
ca.key
foo.key
gitactionuser.key
palm.key
x260.key
/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
51303A381796D8904442C7AA44924C91.key
8BA8F190DD87CB56DA4114E830814089.key
95F9F83FB38180C0F0F5CDCE18344791.key
AC9C5B90595BD4830C7281EFB9D7911A.key
F3BF81F9C31C224DF4ACA9E6F97D267D.key
/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
51303A381796D8904442C7AA44924C91.req
8BA8F190DD87CB56DA4114E830814089.req
95F9F83FB38180C0F0F5CDCE18344791.req
AC9C5B90595BD4830C7281EFB9D7911A.req
F3BF81F9C31C224DF4ACA9E6F97D267D.req
=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables INPUT rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled
(it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/tcp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: Snippet of the server log ::::
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_NCP=2
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_LZ4=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_LZ4v2=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_LZO=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_COMP_STUB=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_COMP_STUBv2=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 peer info: IV_TCPNL=1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Nov 26 02:46:29 bot ovpn-server[1459]: REDACTED:39798 [x260] Peer Connection Initiated with [AF_INET]REDACTED:39798
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 MULTI_sva: pool returned IPv4=10.17.231.2, IPv6=(Not enabled)
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/x260
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 MULTI: Learn: 10.17.231.2 -> x260/REDACTED:39798
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 MULTI: primary virtual IP for x260/REDACTED:39798: 10.17.231.2
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 26 02:46:29 bot ovpn-server[1459]: x260/REDACTED:39798 SENT CONTROL [x260]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.17.231.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.17.231.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Nov 26 02:46:32 bot ovpn-server[1459]: x260/REDACTED:39798 Connection reset, restarting [0]
Nov 26 02:46:32 bot ovpn-server[1459]: x260/REDACTED:39798 SIGUSR1[soft,connection-reset] received, client-instance restarting
=============================================
:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::
orazioedoardo commented
Looks like your /etc/openvpn/easy-rsa/pki/Default.txt file contains proto udp but it is supposed to be set by the installer here:
Lines 3018 to 3023 in 701a817
s-nt-s commented
You are right, /etc/openvpn/easy-rsa/pki/Default.txt contained proto udp. I have edited it and now it works.
Thanks
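A consistency check for the mismatch diagnosed in this thread, as an added example that is not part of the original issue or PiVPN's own code: it compares pivpnPROTO in setupVars.conf with the proto directive in the server config and in the client template. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not PiVPN code): detect the protocol drift from this issue.

# Transport family (tcp/udp) of the first `proto` directive in an OpenVPN
# config. Variants such as tcp-server, tcp4 or udp6 collapse to the family.
ovpn_proto() {
  awk '$1 == "proto" { print tolower(substr($2, 1, 3)); exit }' "$1"
}

# Read pivpnPROTO from setupVars.conf by parsing it, not by sourcing it.
setupvars_proto() {
  sed -n 's/^pivpnPROTO=//p' "$1" | tr -d "\"'" | tr 'A-Z' 'a-z' | head -n 1
}

# Print one line per file that disagrees with pivpnPROTO.
# Returns 0 if consistent, 1 on drift, 2 if pivpnPROTO is missing.
check_proto_drift() {
  local vars="$1" server="$2" template="$3" want got f rc=0
  want="$(setupvars_proto "$vars")"
  [ -n "$want" ] || { echo "pivpnPROTO not set in ${vars}"; return 2; }
  for f in "$server" "$template"; do
    got="$(ovpn_proto "$f")"
    got="${got:-udp}"   # OpenVPN defaults to udp when proto is absent
    if [ "$got" != "$want" ]; then
      echo "MISMATCH ${f}: proto ${got}, expected ${want}"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample files reproducing the state reported in the issue.
sample="$(mktemp -d)"
trap 'rm -rf "$sample"' EXIT
printf 'VPN=openvpn\npivpnPROTO=tcp\npivpnPORT=1194\n' > "$sample/setupVars.conf"
printf 'dev tun\nproto tcp\nport 1194\n' > "$sample/server.conf"
printf 'client\ndev tun\nproto udp\nnobind\n' > "$sample/Default.txt"

check_proto_drift "$sample/setupVars.conf" "$sample/server.conf" \
  "$sample/Default.txt" || echo "drift detected (exit $?)"
```

On a real install the three arguments would be /etc/pivpn/openvpn/setupVars.conf, /etc/openvpn/server.conf and /etc/openvpn/easy-rsa/pki/Default.txt, the paths shown in the issue.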