Cipher compatibility with PIA and OpenVPN
harphere opened this issue · 8 comments
Hi,
I ran an update to mediabox.sh to use the Next Gen PIA network, but now I am seeing these errors in the delugevpn supervisord.log:
2020-11-02 11:46:20,797 DEBG 'start-script' stdout output:
2020-11-02 11:46:20 [madrid402] Peer Connection Initiated with [AF_INET]212.102.49.41:1198
2020-11-02 11:46:22,235 DEBG 'start-script' stdout output:
2020-11-02 11:46:22 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:AES-128-CBC') if you want to connect to this server.
2020-11-02 11:46:22 ERROR: Failed to apply push options
2020-11-02 11:46:22 Failed to open tun/tap interface
2020-11-02 11:46:22 SIGHUP[soft,process-push-msg-failed] received, process restarting
2020-11-02 11:46:22,238 DEBG 'start-script' stdout output:
2020-11-02 11:46:22 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2020-11-02 11:46:22 WARNING: file 'credentials.conf' is group or others accessible
2020-11-02 11:46:22 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 27 2020
2020-11-02 11:46:22 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Reading in other forums, it seems there is an incompatibility between PIA and OpenVPN, for which the suggested workaround is to downgrade OpenVPN to 2.4 until PIA issues a fix.
Is there any way to implement this in the mediabox script at all?
Sorry I am not very techy, just a happy user!
Hmm -- I'll have to see what I can find out.
Can you tell me which server specifically you tried to connect to and does this error occur for any server you select?
Thanks
--Tom
It occurred using Israel and Spain servers but I just now tried Toronto and Deluge connects.
Seems to be okay for me now.
OK, this has been addressed in the DelugeVPN container FAQ
(I guess I should check the FAQ) :)
https://github.com/binhex/documentation/blob/master/docker/faq/vpn.md
Q22 and A22
The fix for this is to specify a fallback cipher on the client side to a cipher that PIA does support. This is done by editing the file /config/openvpn/<file with an ovpn extension> and adding the following line:
data-ciphers-fallback aes-256-gcm
I am going to test this and then if successful I will add a fix into place for Mediabox.
I'll post here when the fix has been pushed and you can update Mediabox.
OK, as of commit 58f596b there is a fix in place to add the data-ciphers-fallback aes-256-gcm line to the OVPN file in use for the DelugeVPN container.
You should be able to just re-run ./mediabox.sh and get the update/fix.
Thanks
--Tom
I ran ./mediabox.sh to update, but it is still throwing the same error using Israel.ovpn.
I ran it again and chose Toronto, and Deluge is responding.
I did look at the FAQ, and manually changed the original Israel.ovpn in accordance with FAQ, restarted Deluge container, and Deluge responded fine.
The Toronto.ovpn works without following the FAQ changes.
I noticed though, in the FAQ, it says to remove
data-ciphers-fallback aes-256-gcm
and add
cipher aes-256-gcm
ncp-disable
But your commit adds the line data-ciphers-fallback aes-256-gcm
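The two fixes discussed in this thread are both one-or-two-line edits to the .ovpn file, and the confusion above came from applying a superseded one. The helper below is an added example, not mediabox's or binhex's own code: it rewrites a client config so that it carries the FAQ's current lines (cipher aes-256-gcm and ncp-disable) exactly once, drops any data-ciphers-fallback line left over from the earlier fix, and can be re-run safely. It also restricts credentials.conf to the owner, since the supervisord log in the first post warns that the file is group/others accessible. The host in the demo config is a placeholder, not a real PIA endpoint.

```shell
#!/bin/sh
# Added example (hypothetical helper, not mediabox's own code).
# Rewrites an OpenVPN client config so it ends with the DelugeVPN FAQ's
# cipher lines exactly once and no longer carries the superseded
# data-ciphers-fallback line. Idempotent: repeated runs give the same file.
patch_ovpn() {
    file="$1"
    [ -f "$file" ] || { echo "patch_ovpn: no such file: $file" >&2; return 1; }
    tmp="${file}.tmp.$$"
    # Strip every existing cipher directive first. OpenVPN honours the last
    # 'cipher' line it sees, so leaving an old 'cipher aes-128-cbc' behind
    # would be confusing even if it happened to work.
    sed -E '/^[[:space:]]*(data-ciphers-fallback|cipher|ncp-disable)([[:space:]]|$)/d' "$file" > "$tmp"
    printf 'cipher aes-256-gcm\nncp-disable\n' >> "$tmp"
    mv "$tmp" "$file"
}

# Count cipher-related directives in a config; useful to verify a patched file
# has exactly the two expected lines.
cipher_directive_count() {
    grep -c -E '^[[:space:]]*(data-ciphers-fallback|cipher|ncp-disable)([[:space:]]|$)' "$1" || true
}

# The log in the first post warns "file 'credentials.conf' is group or others
# accessible"; restrict the credentials file to its owner.
lock_credentials() {
    [ -f "$1" ] || return 1
    chmod 600 "$1"
}

# Demo on a constructed .ovpn; the remote host is a placeholder.
demo() {
    d=$(mktemp -d)
    printf 'client\ndev tun\nremote vpn.example.invalid 1198\ncipher aes-128-cbc\ndata-ciphers-fallback aes-256-gcm\n' > "$d/Israel.ovpn"
    patch_ovpn "$d/Israel.ovpn"
    cat "$d/Israel.ovpn"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh patch_ovpn.sh demo` to see the rewritten sample, or source it and call `patch_ovpn /config/openvpn/Israel.ovpn` followed by a container restart, which is the manual sequence nickelnine describes above. Deleting the old directives before appending is what makes the fix safe to apply more than once, whichever of the two FAQ versions a file was previously edited for.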
@nickelnine -- Yeah, hazards of acting too quickly.
The info in the FAQ changed overnight
My comment above was literally a copy and paste from the FAQ last night.
The fix for this is to specify a fallback cipher on the client side to a cipher that PIA does support, this is done by editing the file /config/openvpn/<file with a ovpn extension> and adding the following line:
data-ciphers-fallback aes-256-gcm
This morning I see the FAQ was then re-updated with the info you are seeing / posted.
Been at work all day and haven't had a minute to push an update for the "new info" in the FAQ.
Should hopefully have it pushed very quickly after work -- stay tuned.
OK let's try this again -- as of commit 8ecb42d the correct fix for the PIA / OpenVPN ciphers should be fixed.
You should be able to just re-run ./mediabox.sh and get the update/fix.
Thanks all for hanging in ..
OK the info for the fix appears to have held solid for a while now.
And the logs in the delugevpn container appear to be looking good.
Calling this closed.