Beginning with openvpn and trying to understand the logs from a device on my lan

I am just starting to explore using openvpn with a commercial vpn service (ipVanish). Before messing up my newly installed TW workstation, which is using NM, I thought I would check the vpn log on a small device I have used as a media renderer for audio and video files from my lan and also the wan.

I am troubled by what I see in the log which does not look secure to me. Here is the extract from the log:-

2023-10-17 20:13:32.730 T:32583    info <general>: VPN Mgr : (vpnplatform.py) No VPN configuration  exists to write
2023-10-17 20:13:32.786 T:32583    info <general>: VPN Mgr : (vpnplatform.py) VPN log file start >>>
2023-10-17 20:13:32.786 T:32583    info <general>: 2023-10-16 22:41:35 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-17 20:13:32.786 T:32583    info <general>: 2023-10-16 22:41:35 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-10-17 20:13:32.786 T:32583    info <general>: 2023-10-16 22:41:35 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
2023-10-17 20:13:32.786 T:32583    info <general>: 2023-10-16 22:41:35 WARNING: file '/home/osmc/.kodi/addons/service.vpn.manager/IPVanish/pass.txt' is group or others accessible
2023-10-17 20:13:32.786 T:32583    info <general>: 2023-10-16 22:41:35 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-10-17 20:13:32.787 T:32583    info <general>: 2023-10-16 22:41:35 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2023-10-17 20:13:32.787 T:32583    info <general>: 2023-10-16 22:41:50 RESOLVE: Cannot resolve host address: par-a20.ipvanish.com:443 (Name or service not known)
2023-10-17 20:13:32.787 T:32583    info <general>: 2023-10-16 22:42:10 RESOLVE: Cannot resolve host address: par-a20.ipvanish.com:443 (Name or service not known)
2023-10-17 20:13:32.787 T:32583    info <general>: 2023-10-16 22:42:30 RESOLVE: Cannot resolve host address: par-a20.ipvanish.com:443 (Name or service not known)
2023-10-17 20:13:32.787 T:32583    info <general>: 2023-10-16 22:42:50 RESOLVE: Cannot resolve host address: par-a20.ipvanish.com:443 (Name or service not known)
2023-10-17 20:13:32.787 T:32583    info <general>: VPN Mgr : (vpnplatform.py) <<< VPN log file end
2023-10-17 20:13:32.832 T:32583    info <general>: VPN Mgr : (managefiles.py) Copying log file to /media/11_USB_16G/kodi_23-10-17_20-13-32.log.  Using version 7.0.3

This may well be OT, but I am concerned because the device using the vpn, far from offering some security, seems to leave access to my lan vulnerable.

Does anybody see any obvious issues I have missed, and how should I set up my vpn connection on the TW system?

Yes, things are less secure than without these messages, but unless you are a person of interest I would not worry.

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

So unless you did set "allow-compression yes", no problem, and even then I doubt the risk.

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

Just read the message and do one of the suggested things.

WARNING: file '/home/osmc/.kodi/addons/service.vpn.manager/IPVanish/pass.txt' is group or others accessible

Something you should solve on your system.

RESOLVE: Cannot resolve host address: par-a20.ipvanish.com:443 (Name or service not known)

I can ping par-a20.ipvanish.com without problems.

Before changing NM, you had better try your .ovpn file from the command line:

sudo openvpn --config <your.ovpn>

Hi marel,
Many thanks for the comments. I have sorted out all but the --cipher, as I have no idea where the cipher scripts are on the Kodi device and am still reading on that.

Please could I now continue working with my TW workstation? NM seems to be straightforward and I have the IPVanish .ovpn files in my system and have been able to create an openvpn connection, but when I try to connect I get an error telling me the connection failed to activate.

I have tried again because the password had not been saved, and I now get a message "Needs authorisation".

Used your suggested command and this is the result:-

alastair@HP-Z640-1:~> sudo openvpn --config ~/Documents/IPVanish_configs/ipvanish-DE-Frankfurt-fra-a15.ovpn
2023-10-22 17:07:33 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Options error: Unrecognized option or missing or extra parameter(s) in /home/alastair/Documents/IPVanish_configs/ipvanish-DE-Frankfurt-fra-a15.ovpn:16: keysize (2.6.6)
Use --help for more information.
alastair@HP-Z640-1:~> 

Out of my depth here with help, but it looks like the ipvanish settings re compression are what should be avoided, and could it be there are version issues between my TW version of openvpn and what is used by IPVanish? Clutching at straws here, but before I rebuilt my system with TW I did have this working and have forgotten how I achieved it.

Further to this, I checked my laptop, which also has TW installed and has IPVanish working. When I look at a working vpn connection I note that the CA certificates are saved in /home/alastair/.local/share/networkmanagement/certificates/ipvanish…ca.ipvanish.com.crt.

On the TW workstation above, the certificate is at /home/alastair/.cert/nm-openvpn/ipvanish…ca.pem.

I shall try and find out how I set up the laptop, but it was done years ago, and if anybody can help meanwhile it would be much appreciated.

No, the real problem is:

Options error: Unrecognized option or missing or extra parameter(s) in /home/alastair/Documents/IPVanish_configs/ipvanish-DE-Frankfurt-fra-a15.ovpn:16: keysize (2.6.6)

So it looks like there is a keysize option on line 16 that openvpn does not support.
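The two replies above amount to a checklist: drop compression, give the bare --cipher a data-ciphers entry, fix the credential file permissions, and remove the unsupported keysize line. The script below is an added example, not code from the thread or from any VPN provider; it audits a client profile for exactly those four conditions before the profile is handed to NetworkManager. The profile it writes is constructed for the demo, and vpn.example.invalid is a placeholder host.

```shell
#!/bin/sh
# audit_ovpn <profile.ovpn>: prints one line per finding, exit status = number of findings.
# Checks the four things the posted logs complained about; '#' and ';' comment lines are skipped
# because every pattern is anchored at the start of the line.
audit_ovpn() {
    profile=$1
    count=0
    dir=$(dirname "$profile")
    has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$profile"; }

    # 1. compression: the "used in the past to break encryption" warning
    if has 'comp-lzo' || has 'compress'; then
        echo "compression enabled (comp-lzo/compress): delete the line"
        count=$((count + 1))
    fi
    # 2. cipher named but not in data-ciphers: the DEPRECATED OPTION warning
    if has 'cipher' && ! has 'data-ciphers(-fallback)?'; then
        echo "cipher set without data-ciphers: add 'data-ciphers-fallback <cipher>' or list it in data-ciphers"
        count=$((count + 1))
    fi
    # 3. keysize: removed in OpenVPN 2.6, reported as an unrecognised option
    line=$(grep -En '^[[:space:]]*keysize([[:space:]]|$)' "$profile" | cut -d: -f1)
    if [ -n "$line" ]; then
        echo "keysize on line $line: remove it, OpenVPN 2.6 rejects the whole profile because of it"
        count=$((count + 1))
    fi
    # 4. credential file readable by group/others (the pass.txt warning)
    cred=$(grep -E '^[[:space:]]*auth-user-pass[[:space:]]+' "$profile" | awk '{print $2}')
    if [ -n "$cred" ]; then
        case $cred in /*) ;; *) cred="$dir/$cred" ;; esac   # relative to the profile
        if [ -f "$cred" ] && [ "$(ls -l "$cred" | cut -c5-10)" != "------" ]; then
            echo "$cred is group or others accessible: chmod 600 it"
            count=$((count + 1))
        fi
    fi
    return "$count"
}

# Constructed sample profile reproducing the directives the thread's logs flag.
make_sample_profile() {
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 443
# comp-lzo in a comment is ignored
comp-lzo
cipher AES-256-CBC
keysize 256
auth-user-pass pass.txt
EOF
    printf 'demo-user\ndemo-secret\n' > "$1/pass.txt"
    chmod 644 "$1/pass.txt"
}

if [ $# -gt 0 ]; then
    audit_ovpn "$1"; echo "findings: $?"
fi
```

Run it as `sh audit.sh your.ovpn`; an exit status of 0 means none of the four issues is present.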

Hello @Budgie2, our team can help with your diagnostics file. Please reach out to our customer service team at support@ipvanish.com with the entire diagnostics file. They are available 24x7x365 to assist.

Interesting, but I have no clue how to obtain the entire diagnostics file because the website does not have a link to access the diagnostics pages.
I also have no idea why ipVanish have written to this forum, but glad to get openSUSE on their horizon at last.

Isn't the solution for your problem described here?

So marel was already on the right track…

Yes, this looks fishy (IMHO). If you want to contact the support, I would do it via the customer portal (as you paid for it).

Believe me I am trying and thanks but their support is not what it was. Sadly all this cropped up about two weeks after my sub had renewed for a year. Bother!!!

At the rate the support site is working I think I might risk a one month or shorter trial with another vpn provider but one which has stronger support for linux and also WireGuard. Any suggestions?

Given the published issue with IPVanish, and since editing out the offending line in the config still failed to enable a vpn connection, I have purchased a one month subscription for Mullvad, which has been interesting as another option.

With almost no effort I was able to set up (I believe) an openvpn connection using Network Manager. I say believe because I have only used the Mullvad site to test, but here is what I have:-

IPv4 Address 	185.213.155.138 (OpenVPN)
IPv6 Address 	2a03:1b20:6:f011::1e (OpenVPN)
Server Name 	de-fra-ovpn-001
Provider 	31173
Location 	Frankfurt, Germany
No DNS leaks

Your DNS requests originate from:
IP Address 	185.213.155.66
Server Name 	de-fra-ovpn-001
Provider 	31173
Location 	Frankfurt, Germany
No WebRTC leaks
No WebRTC leaks detected

This seems promising, but I had tried to disable ipv6 and clearly it is not disabled. I had set the openvpn connection ipv6 tab in NM as disabled. How can I stop the ipv6 connection?

I failed to get the Mullvad app to run on TW. I have the app .rpm file downloaded but it does not run, I assume because it was intended for Fedora not openSUSE. When I run the command to install I get an error:-

alastair@HP-Z640-1:~> sudo rpm -i ./MullvadVPN-2023.5_x86_64.rpm
[sudo] password for root: 
warning: ./MullvadVPN-2023.5_x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 19c8314c: NOKEY
error: Failed dependencies:
        dbus-libs is needed by mullvad-vpn-2023.5-1.x86_64
        libnotify is needed by mullvad-vpn-2023.5-1.x86_64
alastair@HP-Z640-1:~>

TW does have libdbus-1-3 installed and also libnotify4. Would it be possible for me to get the rpm to run?
Meanwhile I have extracted the files from the rpm using Ark and manually put them into their respective directories and ran the command:-

alastair@HP-Z640-1:~> sudo /usr/bin/mullvad-daemon -v
[sudo] password for root: 
[2023-10-24 18:25:16.613][mullvad_daemon::version][INFO] Starting mullvad-daemon - 2023.5 2023-10-10
[2023-10-24 18:25:16.613][mullvad_daemon][INFO] Logging to /var/log/mullvad-vpn
[2023-10-24 18:25:16.614][mullvad_daemon][ERROR] Another instance of the daemon is already running
[2023-10-24 18:25:16.614][mullvad_daemon][DEBUG] Process exiting with code 1
alastair@HP-Z640-1:~> 

Something is working but I cannot see it. My only reason for spending any time on the app is the ease of use as I understand making changes or creating new connections is likely to be slower.

The other facility I wanted to try is WireGuard but will concentrate on what I have on openvpn first. If anybody has time I would appreciate advice/help please.

Does Mullvad not have an .ovpn file that you can use?

Wireguard is pretty easy to work with, so if OpenVPN is not working I would for sure give that a try.

Hi marel, many thanks for the help. I have made good progress so will wrap up this thread with the potted summary of installing Mullvad VPN on TW.

Installed wireguard-tools.
Downloaded Mullvad rpm from Mullvad site.
Installed the Mullvad rpm with a simple cli command:-

sudo rpm -ivh --nodeps MullvadVPN-2023.5_x86_64.rpm

Started Mullvad VPN app using application menu.

The app has tools for managing the vpn connection, including using wireguard if required. It also makes it easy to change country and set other parameters, and also enables split tunneling if required. So far so good, and excellent and prompt support for my requests for help at the outset.

The Mullvad downloads do give .ovpn files too so I tried these using NM to install a vpn connection and this went well. I did have some issues with trying to disable ipv6 when using NM but the problem with using NM and .ovpn files is the time and lack of convenience. The NM connections work fine.

I have also been able to use NM to set up a wireguard vpn but still learning and had to reboot my system when I had closed my vpn connection before I could restore my base network connection.

Hope this is of interest to other forum subscribers.
Thanks again,
Budge.

As usual I wrote too soon. What had worked flawlessly failed now that I have returned to try the Mullvad VPN connection.
The Mullvad app is supposed to work in the background, and once started this works with the one trial vpn connection I had set up when I first started the app with the command:-

/opt/Mullvad\ VPN/mullvad-vpn

After a reboot the auto start did not start because I had not asked for it, so when I ran the above command the app started but the app gui failed badly. The start of the cli output when I ran the app is here, but the actual results run to many pages and will require a susepaste job:-

alastair@HP-Z640-1:~> /opt/Mullvad\ VPN/mullvad-vpn
[2023-10-28 18:42:19.281][verbose] Chromium sandbox is enabled
[2023-10-28 18:42:19.283][info] Running version 2023.5
[2023-10-28 18:42:19.398][info] Detected locale: en-GB
[2023-10-28 18:42:19.448][info] Connected to the daemon
[2023-10-28 18:42:19.593][info] Skip autoconnect because GUI setting is disabled
[2023-10-28 18:42:19.971][error] Failed to check autostart file: ENOENT: no such file or directory, access '/home/alastair/.config/autostart/mullvad-vpn.desktop'
[3720:1028/184220.501331:ERROR:shared_context_state.cc(81)] Skia shader compilation error
------------------------
// Vertex SKSL
#extension GL_NV_shader_noperspective_interpolation: require
uniform float4 sk_RTAdjust;in float2 inPosition;in half4 inColor;in float4 inCircleEdge;noperspective out float4 vinCircleEdge_S0;noperspective out half4 vinColor_S0;void main() {// Primitive Processor CircleGeometryProcessor
vinCircleEdge_S0 = inCircleEdge;vinColor_S0 = inColor;float2 _tmp_0_inPosition = inPosition;float2 _tmp_2_inPosition = inPosition;sk_Position = _tmp_0_inPosition.xy01;}
// Fragment SKSL
#extension GL_NV_shader_noperspective_interpolation: require
noperspective in float4 vinCircleEdge_S0;noperspective in half4 vinColor_S0;void main() {// Stage 0, CircleGeometryProcessor
float4 circleEdge;circleEdge = vinCircleEdge_S0;half4 outputColor_S0;outputColor_S0 = vinColor_S0;float d = length(circleEdge.xy);half distanceToOuterEdge = half(circleEdge.z * (1.0 - d));half edgeAlpha = saturate(distanceToOuterEdge);half4 outputCoverage_S0 = half4(edgeAlpha);{ // Xfer Processor: Porter Duff
sk_FragColor = outputColor_S0 * outputCoverage_S0;}}
// Vertex GLSL
#version 300 es

#extension GL_NV_shader_noperspective_interpolation : require
precision mediump float;
precision mediump sampler2D;
uniform highp vec4 sk_RTAdjust;
in highp vec2 inPosition;
in mediump vec4 inColor;
in highp vec4 inCircleEdge;
noperspective out highp vec4 vinCircleEdge_S0;
noperspective out mediump vec4 vinColor_S0;
void main() {
    vinCircleEdge_S0 = inCircleEdge;
    vinColor_S0 = inColor;
    highp vec2 _tmp_0_inPosition = inPosition;
    gl_Position = vec4(_tmp_0_inPosition, 0.0, 1.0);
    gl_Position = vec4(gl_Position.xy * sk_RTAdjust.xz + gl_Position.ww * sk_RTAdjust.yw, 0.0, gl_Position.w);
}

// Fragment GLSL
#version 300 es

#extension GL_NV_shader_noperspective_interpolation : require
precision mediump float;
precision mediump sampler2D;
out mediump vec4 sk_FragColor;
noperspective in highp vec4 vinCircleEdge_S0;
noperspective in mediump vec4 vinColor_S0;
void main() {
    highp vec4 circleEdge;
    circleEdge = vinCircleEdge_S0;
    mediump vec4 outputColor_S0;
    outputColor_S0 = vinColor_S0;
    highp float d = length(circleEdge.xy);
    mediump float distanceToOuterEdge = circleEdge.z * (1.0 - d);
    mediump float edgeAlpha = clamp(distanceToOuterEdge, 0.0, 1.0);
    mediump vec4 outputCoverage_S0 = vec4(edgeAlpha);
    {
        sk_FragColor = outputColor_S0 * outputCoverage_S0;
    }
}


Errors:
link failed but did not provide an info log
[3720:1028/184220.502479:ERROR:shared_context_state.cc(81)] Skia shader compilation error
------------------------
// Vertex SKSL
#extension GL_NV_shader_noperspective_interpolation: require
uniform float4 sk_RTAdjust;uniform float2 uAtlasSizeInv_S0;in float2 inPosition;in half4 inColor;in ushort2 inTextureCoords;noperspective out float2 vTextureCoords_S0;flat out float vTexIndex_S0;noperspective out half4 vinColor_S0;void main() {// Primitive Processor BitmapText
int texIdx = 0;float2 unormTexCoords = float2(inTextureCoords.x, inTextureCoords.y);vTextureCoords_S0 = unormTexCoords * uAtlasSizeInv_S0;vTexIndex_S0 = float(texIdx);vinColor_S0 = inColor;float2 _tmp_1_inPosition = inPosition;sk_Position = inPosition.xy01;}
// Fragment SKSL
#extension GL_NV_shader_noperspective_interpolation: require
uniform sampler2D uTextureSampler_0_S0;
noperspective in float2 vTextureCoords_S0;flat in float vTexIndex_S0;noperspective in half4 vinColor_S0;void main() {// Stage 0, BitmapText
half4 outputColor_S0;outputColor_S0 = vinColor_S0;half4 texColor;{ texColor = sample(uTextureSampler_0_S0, vTextureCoords_S0).rrrr; }half4 outputCoverage_S0 = texColor;{ // Xfer Processor: Porter Duff
sk_FragColor = outputColor_S0 * outputCoverage_S0;}}
// Vertex GLSL
#version 300 es

#extension GL_NV_shader_noperspective_interpolation : require
precision mediump float;
precision mediump sampler2D;
uniform highp vec4 sk_RTAdjust;
uniform highp vec2 uAtlasSizeInv_S0;
in highp vec2 inPosition;
in mediump vec4 inColor;
in mediump uvec2 inTextureCoords;
noperspective out highp vec2 vTextureCoords_S0;
flat out highp float vTexIndex_S0;
noperspective out mediump vec4 vinColor_S0;
void main() {
    highp int texIdx = 0;
    highp vec2 unormTexCoords = vec2(float(inTextureCoords.x), float(inTextureCoords.y));
    vTextureCoords_S0 = unormTexCoords * uAtlasSizeInv_S0;
    vTexIndex_S0 = float(texIdx);
    vinColor_S0 = inColor;
    gl_Position = vec4(inPosition, 0.0, 1.0);
    gl_Position = vec4(gl_Position.xy * sk_RTAdjust.xz + gl_Position.ww * sk_RTAdjust.yw, 0.0, gl_Position.w);
}

// Fragment GLSL
#version 300 es

#extension GL_NV_shader_noperspective_interpolation : require
precision mediump float;
precision mediump sampler2D;
out mediump vec4 sk_FragColor;
uniform sampler2D uTextureSampler_0_S0;
noperspective in highp vec2 vTextureCoords_S0;
flat in highp float vTexIndex_S0;
noperspective in mediump vec4 vinColor_S0;
void main() {
    mediump vec4 outputColor_S0;
    outputColor_S0 = vinColor_S0;
    mediump vec4 texColor;
    {
        texColor = texture(uTextureSampler_0_S0, vTextureCoords_S0, -0.5).xxxx;
    }
    mediump vec4 outputCoverage_S0 = texColor;
    {
        sk_FragColor = outputColor_S0 * outputCoverage_S0;
    }
}


Errors:
link failed but did not provide an info log
[3720:1028/184220.503755:ERROR:shared_context_state.cc(81)] Skia shader compilation error
------------------------

Are there any obvious clues a coder would recognise that might help me sort my problem?

Today I spent some time trying to find out why I had a problem. It seems Skia is used by Google Chrome and hence the chromium sandbox. I use un-googled chromium so that might have caused the issue.
I checked out the dependencies, but the ones that are shown as missing are not included in chromium so that may not be relevant.
Ran the installation again using the above rpm command and the app works just fine again today, so I will shut up now. I shall try and find some logs.