AirVPN over TOR: real IP still shows at AirVPN

[cyberninja 2]

My real IP still shows in the Details at AirVPN's Member Area, even after first starting TOR Bundle browser, then conencting to AirVPN with the 9050 socks-proxy, then using the non-proxy FireFox browser. I read the forums on this issue. I'm using Linux OS with NetworkManager.

I followed the instructions at airvpn/org/tor and use the downloaded OVPN file. Both the Tor Bundle browser and the Firefox (non-Tor) btrowser are working ok. The non-Tor Firefox browser shows the AirVPN IP address when using the geolocator website, while the Tor Bundle browser shows its Tor IP address of its exit node. When using the non-Tor FireFox browser I go to the AirVPN website and log in to check to see how AirVPN sees me and they indiacte my real IP address. Thus this AirVPN over TOR is not working like the instructions suggest. Am I missing something?

[Staff 9972]

My real IP still shows in the Details at AirVPN's Member Area, even after first starting TOR Bundle browser, then conencting to AirVPN with the 9050 socks-proxy, then using the non-proxy FireFox browser. I read the forums on this issue. I'm using Linux OS with NetworkManager.

Hello!

Please make sure that you have enabled the "proxy" type in your client configuration.

I followed the instructions at airvpn/org/tor and use the downloaded OVPN file. Both the Tor Bundle browser and the Firefox (non-Tor) btrowser are working ok. The non-Tor Firefox browser shows the AirVPN IP address when using the geolocator website, while the Tor Bundle browser shows its Tor IP address of its exit node. When using the non-Tor FireFox browser I go to the AirVPN website and log in to check to see how AirVPN sees me and they indiacte my real IP address. Thus this AirVPN over TOR is not working like the instructions suggest. Am I missing something?

To sum up, the IP you're "visible" on the Internet must be:

- the Air server you're connected to exit-IP address in case you tunnel over OpenVPN;

- the Air server you're connected to exit-IP address in case you tunnel over OpenVPN over TOR;

- the TOR exit-node IP address in case you tunnel over TOR over OpenVPN;

- the TOR exit-node IP address in case you tunnel over TOR over OpenVPN over TOR (this setup may result in very severe performance decrease)

In the control panel, our server must NOT be able to see your real IP address in case you tunnel over OpenVPN over TOR. On the contrary, it can see your real-IP address if you tunnel over TOR over OpenVPN.

Please send us your client connection logs at your convenience when you tunnel over OpenVPN over TOR, which seems the problematic case according to your report.

Kind regards

[cyberninja 2]

When you say "Please make sure that you have enabled the "proxy" type in your client configuration.", I use Network Manager applet in GNOME desktop and I don't see where that can be enabled. What do you mean by enabling this type in my client configuration. I use OpenVPN plugin within Network Manager.

Also, I don't see how I'm using any of the three-way setups you listed. I'm only trying to do AirVPN over TOR the way the instructions state: I leave the TBB running, then activate AirVPN with the NetworkManager applet, then open the non-TOR Firefox browser. From within te Firefox browser I go to the AirVPN website and login and see in "Your details" of the Members area that AirVPN sees my real IP.

I will get my connection logs and more details of my OVPN file that I'm using in another reply.

[Staff 9972]

When you say "Please make sure that you have enabled the "proxy" type in your client configuration.", I use Network Manager applet in GNOME desktop and I don't see where that can be enabled. What do you mean by enabling this type in my client configuration. I use OpenVPN plugin within Network Manager.

Hello!

You need to instruct OpenVPN to connect over a proxy. Our configuration generator will generate the appropriate OpenVPN configuration file according to your instructions. For detailed instructions, please see:

https://airvpn.org/tor

Kind regards

[cyberninja 2]

You reponded with "You need to instruct OpenVPN to connect over a proxy. Our configuration generator will generate the appropriate OpenVPN configuration file according to your instructions. For detailed instructions, please see:

airvpn.org/tor"

I followed the instructions on airvpn.org/tor, used the configuration generator and downloaded the OpenVPN configuration file (I provided a copy of it in a previous post. But, it doesn't work for me. OpenVPN acts as though that socks-proxy line doesn't exist in the configuration file. The line is "socks-proxy 127.0.0.1 9050" as instructed by the airvpn.org/tor. Am I doing soemthing wrong?

Here again is the configuration file:

##############################################

## Air VPN | https://airvpn.org | OpenVPN Client Configuration

## Generated: Thursday 27th of September 2012 02:22:48 AM

##############################################

client

dev tun

proto tcp

remote 178.248.30.131 443

resolv-retry infinite

nobind

ca /etc/openvpn/keys/airvpnca.crt

cert /etc/openvpn/keys/airvpnuser.crt

key /etc/openvpn/keys/airvpnuser.key

ns-cert-type server

cipher AES-256-CBC

comp-lzo

verb 3

socks-proxy 127.0.0.1 9050

THIS FILE WAS MADE BY THE CONFIGURATION GENERATOR. WHAT ELSE NEEDS TO BE DONE???

[Staff 9972]

You reponded with "You need to instruct OpenVPN to connect over a proxy. Our configuration generator will generate the appropriate OpenVPN configuration file according to your instructions. For detailed instructions, please see:

airvpn.org/tor"

I followed the instructions on airvpn.org/tor, used the configuration generator and downloaded the OpenVPN configuration file (I provided a copy of it in a previous post. But, it doesn't work for me. OpenVPN acts as though that socks-proxy line doesn't exist in the configuration file. The line is "socks-proxy 127.0.0.1 9050" as instructed by the airvpn.org/tor. Am I doing soemthing wrong?

Hello!

The configuration file is fine. Chances are that OpenVPN is reading a different configuration file. Please make sure to launch OpenVPN with the configuration file which has the line "socks-proxy". You can consider to bypass entirely the network-manager and establish a connection by invoking directly openvpn with the correct configuration file.

Kind regards

[cyberninja 2]

Your response is "The configuration file is fine. Chances are that OpenVPN is reading a different configuration file. Please make sure to launch OpenVPN with the configuration file which has the line "socks-proxy". You can consider to bypass entirely the network-manager and establish a connection by invoking directly openvpn with the correct configuration file."

I am sure the NetworkManager is using the correct configuration file. I went over this many times, rechecking. I'll try the direct invocation as you suggest and see what happens. Did anybody look at my connection logs I sent within this thread? Maybe something is in there you can tell me about?

[cyberninja 2]

I tried all suggestions you have but none work for me. I'm not sure you are able go to the depth of problem solving I need and I am unable to attch pictures showing all config setups regarding connection setting in TOR and FireFox - so one problem with being able to load any png images (all less than 150kb) is making it impossible for you to see where the problem may be. This thread is way too long now and I'm not getting anywhere. Thank you for trying to help me.

[Staff 9972]

I tried all suggestions you have but none work for me. I'm not sure you are able go to the depth of problem solving I need and I am unable to attch pictures showing all config setups regarding connection setting in TOR and FireFox - so one problem with being able to load any png images (all less than 150kb) is making it impossible for you to see where the problem may be. This thread is way too long now and I'm not getting anywhere. Thank you for trying to help me.

Hello!

File attachments and image attachments work fine for every user, maybe it is just a problem on your side. Anyway, the OpenVPN logs are text files, so even if you can't manage to upload pictures, please just copy the logs and paste them here. They may be very useful for troubleshooting.

Kind regards

[cyberninja 2]

I sent this before but it seems to have gotten lost in the communication, but here it is again (maybe all these issues are at my end only???):

Sep 27 11:05:25 ihome NetworkManager[4009]: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...

Sep 27 11:05:25 ihome NetworkManager[4009]: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 9170

Sep 27 11:05:25 ihome NetworkManager[4009]: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' appeared, activating connections

Sep 27 11:05:25 ihome NetworkManager[4009]: <info> VPN plugin state changed: 3

Sep 27 11:05:25 ihome NetworkManager[4009]: <info> VPN connection 'AirVPN9050 SE Serpentis - TCP 443' (Connect) reply received.

Sep 27 11:05:25 ihome nm-openvpn[9174]: OpenVPN 2.2.2 x86_64-unknown-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012

Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Sep 27 11:05:26 ihome nm-openvpn[9174]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: file '/etc/openvpn/keys/airvpnuser.key' is group or others accessible

Sep 27 11:05:26 ihome nm-openvpn[9174]: LZO compression initialized

Sep 27 11:05:26 ihome nm-openvpn[9174]: Attempting to establish TCP connection with 178.248.30.131:443 [nonblock]

Sep 27 11:05:27 ihome nm-openvpn[9174]: TCP connection established with 178.248.30.131:443

Sep 27 11:05:27 ihome nm-openvpn[9174]: TCPv4_CLIENT link local: [undef]

Sep 27 11:05:27 ihome nm-openvpn[9174]: TCPv4_CLIENT link remote: 178.248.30.131:443

Sep 27 11:05:34 ihome nm-openvpn[9174]: [server] Peer Connection Initiated with 178.248.30.131:443

Sep 27 11:05:36 ihome nm-openvpn[9174]: TUN/TAP device tun0 opened

Sep 27 11:05:36 ihome nm-openvpn[9174]: /sbin/ip link set dev tun0 up mtu 1500

Sep 27 11:05:36 ihome kernel: tun0: Disabled Privacy Extensions

Sep 27 11:05:37 ihome nm-openvpn[9174]: /sbin/ip addr add dev tun0 local 10.5.2.30 peer 10.5.2.29

Sep 27 11:05:37 ihome nm-openvpn[9174]: /usr/libexec/nm-openvpn-service-openvpn-helper tun0 1500 1560 10.5.2.30 10.5.2.29 init

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> VPN connection 'AirVPN9050 SE Serpentis - TCP 443' (IP Config Get) reply received.

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> VPN Gateway: 178.248.30.131

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Internal Gateway: 10.5.2.29

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Tunnel Device: tun0

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Internal IP4 Address: 10.5.2.30

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Internal IP4 Prefix: 32

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Internal IP4 Point-to-Point Address: 10.5.2.29

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Maximum Segment Size (MSS): 0

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Static Route: 10.5.0.1/32 Next Hop: 10.5.0.1

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> Internal IP4 DNS: 10.5.0.1

Sep 27 11:05:37 ihome NetworkManager[4009]: <info> DNS Domain: '(none)'

Sep 27 11:05:37 ihome nm-openvpn[9174]: Initialization Sequence Completed

Sep 27 11:05:38 ihome NetworkManager[4009]: <info> VPN connection 'AirVPN9050 SE Serpentis - TCP 443' (IP Config Get) complete.

Sep 27 11:05:38 ihome NetworkManager[4009]: <info> Policy set 'AirVPN9050 SE Serpentis - TCP 443' (tun0) as default for IPv4 routing and DNS.

Sep 27 11:05:38 ihome NetworkManager[4009]: <info> VPN plugin state changed: 4

Sep 27 11:05:38 ihome ntpd[4258]: Listening on interface #10 tun0, 10.5.2.30#123 Enabled

Sep 27 11:07:47 ihome NetworkManager[4009]: <info> (wlan0): supplicant connection state: completed -> group handshake

Sep 27 11:07:47 ihome NetworkManager[4009]: <info> (wlan0): supplicant connection state: group handshake -> completed

Sep 27 11:13:53 ihome nm-openvpn[9174]: /sbin/ip addr del dev tun0 local 10.5.2.30 peer 10.5.2.29

[Staff 9972]

I sent this before but it seems to have gotten lost in the communication, but here it is again (maybe all these issues are at my end only???):

Hello!

It's highly likely. We don't detect any problem with the forum.

As you can see, network-manager is not using the configuration you mean:

Sep 27 11:05:27 ihome nm-openvpn[9174]: TCP connection established with 178.248.30.131:443

If configured properly to connect over your proxy, OpenVPN would connect to 127.0.0.1:9050.

The fact that network-manager is misconfigured is further confirmed by:

Sep 27 11:05:26 ihome nm-openvpn[9174]: WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html#mitm for more info.

Please note that all the configuration files generated by our system have the "ns-cert-type server" directive in it (this is important for additional authentication security).

First of all, please perform a connection directly with OpenVPN and send us the logs (just copy and paste the output or simply tell OpenVPN to log where you wish).

cd to the directory where the configuration file is stored and issue the command ("[sudo] openvpn "), using the configuration file prepared for connections over OpenVPN over TOR, in order to ascertain that your proxy is running properly and listening to the correct port.

We're looking forward to hearing from you.

Kind regards

[cyberninja 2]

Thanks for staying with me on this.

It's puzzling that there is a warning in network-manager about no certificate verification method because I am using the configuration files from AirVPN and they do indeed have the "ns-cert-type" server directive. I am alos using all the crt and key files by AirVPN. I sent you the OVPN file before so you can see that it's included, and you said the file was all correct. Here it is again:

##############################################

## Air VPN | https://airvpn.org | OpenVPN Client Configuration

## Generated: Thursday 27th of September 2012 02:22:48 AM

##############################################

client

dev tun

proto tcp

remote 178.248.30.131 443

resolv-retry infinite

nobind

ca /etc/openvpn/keys/airvpnca.crt

cert /etc/openvpn/keys/airvpnuser.crt

key /etc/openvpn/keys/airvpnuser.key

ns-cert-type server

cipher AES-256-CBC

comp-lzo

verb 3

socks-proxy 127.0.0.1 9050

I'll try the sudo cammand line activation of OpenVPN next and see if that works, and send you the logs too.

[cyberninja 2]

I ran openvpn with sudo and here is the log showing a failure to connect to 127.0.0.1:9050 and a warning about local and remote hashes being in conflict (none of this shows up in the log at /var/log/messages):

Thu Sep 27 13:09:29 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012

Thu Sep 27 13:09:29 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Thu Sep 27 13:09:29 2012 WARNING: file '/etc/openvpn/keys/airvpnuser.key' is group or others accessible

Thu Sep 27 13:09:29 2012 LZO compression initialized

Thu Sep 27 13:09:29 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]

Thu Sep 27 13:09:29 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]

Thu Sep 27 13:09:29 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]

Thu Sep 27 13:09:29 2012 Local Options hash (VER=V4): '958c5492'

Thu Sep 27 13:09:29 2012 Expected Remote Options hash (VER=V4): '79ef4284'

Thu Sep 27 13:09:29 2012 Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]

Thu Sep 27 13:09:29 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:34 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:39 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:44 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:49 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:54 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:09:59 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:10:04 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

Thu Sep 27 13:10:09 2012 TCP: connect to 127.0.0.1:9050 failed, will try again in 5 seconds: Connection refused

^CThu Sep 27 13:10:11 2012 SIGINT[hard,init_instance] received, process exiting

[Staff 9972]

I ran openvpn with sudo and here is the log showing a failure to connect to 127.0.0.1:9050 and a warning about local and remote hashes being in conflict (none of this shows up in the log at /var/log/messages):

Hello!

Good, now OpenVPN is using the correct configuration file and tries to connect to the proxy as you wish. The problem now is that the proxy is not responding on that port.

Assuming that the proxy is running and it is a socks proxy, it does not appear to be listening to port 9050. Perhaps you're using a TBB with an experimental feature: "TBB on OSX and Linux has an experimental feature where Tor listens on random unused ports rather than a fixed port each time. The goal is to avoid conflicting with a "system" Tor install, so you can run a system Tor and TBB at the same time".

If it's the case, please check here to solve the problem and predict/set which port the proxy will be listening to:

https://www.torproject.org/docs/faq.html.en#TBBSocksPort

If it's not the case, please make sure that the proxy is running, its type matches the type specified in the OpenVPN configuration file (socks or http) and that no firewall is blocking packets to and from 127.0.0.1.

Kind regards

[cyberninja 2]

I get two ports from the Vidalia log, one is the socks listening port 38006, the other is control listening port 57922. In the TBB network connectios settings in Preferences the Socks host is 127.0.0.1 and the Port is 38006, so it looks like the port would be 38006 that I need to connect thrugh, right? Can you help me with this or do I need to go to the TOR website as you suggest?

Here is the log from TOR Vidalia:

Sep 27 12:48:11.141 [Notice] Tor v0.2.2.39 (git-bec76476efb71549). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)

Sep 27 12:48:11.141 [Notice] Initialized libevent version 2.0.20-stable using method epoll. Good.

Sep 27 12:48:11.141 [Notice] Opening Socks listener on 127.0.0.1:0

Sep 27 12:48:11.141 [Notice] Socks listener listening on port 38006.

Sep 27 12:48:11.141 [Notice] Opening Control listener on 127.0.0.1:0

Sep 27 12:48:11.141 [Notice] Control listener listening on port 57922.

Sep 27 12:48:11.141 [Notice] Parsing GEOIP file ./Data/Tor/geoip.

Sep 27 12:48:12.181 [Notice] OpenSSL OpenSSL 1.0.1c 10 May 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation

Sep 27 12:48:12.181 [Notice] We now have enough directory information to build circuits.

Sep 27 12:48:12.181 [Notice] Bootstrapped 80%: Connecting to the Tor network.

Sep 27 12:48:12.182 [Notice] New control connection opened.

Sep 27 12:48:13.015 [Notice] Bootstrapped 85%: Finishing handshake with first hop.

Sep 27 12:48:13.524 [Notice] Bootstrapped 90%: Establishing a Tor circuit.

Sep 27 12:48:22.763 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.

Sep 27 12:48:22.763 [Notice] Bootstrapped 100%: Done.

Sep 27 12:58:36.710 [Notice] Our IP address has changed. Rotating keys...

Sep 27 13:29:06.130 [Notice] Our IP address has changed. Rotating keys...

Sep 27 13:50:13.735 [Notice] Our IP address has changed. Rotating keys...

[Staff 9972]

I get two ports from the Vidalia log, one is the socks listening port 38006, the other is control listening port 57922. In the TBB network connectios settings in Preferences the Socks host is 127.0.0.1 and the Port is 38006, so it looks like the port would be 38006 that I need to connect thrugh, right?

Hello!

Right, change the port in socks-proxy directive accordingly and then re-launch OpenVPN and check the connection (please send us the logs if there are still issues).

Can you help me with this or do I need to go to the TOR website as you suggest?

You should check anyway, because if your proxy changes port at each startup you are forced to discover the port and change accordingly the configuration file each time you wish to re-connect over OpenVPN over TOR, which is very uncomfortable. Once you have set one listening port once and for all, you won't need to change configuration at each TOR startup.

Kind regards

[cyberninja 2]

GETTING CLOSER TO THE SOLUTION: I changed the socks-proxy listening directive in the OVPN file to match the actual socks port used by the TOR and now get the following log when using sudo ovpn )notice all seems ok except for the hash conflicts and the soft auth failure):

Thu Sep 27 14:24:58 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012

Thu Sep 27 14:24:58 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Thu Sep 27 14:24:58 2012 WARNING: file '/etc/openvpn/keys/airvpntoruser.key' is group or others accessible

Thu Sep 27 14:24:58 2012 LZO compression initialized

Thu Sep 27 14:24:58 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]

Thu Sep 27 14:24:58 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]

Thu Sep 27 14:24:58 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]

Thu Sep 27 14:24:58 2012 Local Options hash (VER=V4): '958c5492'

Thu Sep 27 14:24:58 2012 Expected Remote Options hash (VER=V4): '79ef4284'

Thu Sep 27 14:24:58 2012 Attempting to establish TCP connection with 127.0.0.1:38160 [nonblock]

Thu Sep 27 14:24:58 2012 TCP connection established with 127.0.0.1:38160

Thu Sep 27 14:24:59 2012 TCPv4_CLIENT link local: [undef]

Thu Sep 27 14:24:59 2012 TCPv4_CLIENT link remote: 127.0.0.1:38160

Thu Sep 27 14:25:01 2012 TLS: Initial packet from 127.0.0.1:38160, sid=e3a53d4f a1234fe0

Thu Sep 27 14:25:10 2012 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

Thu Sep 27 14:25:10 2012 VERIFY OK: nsCertType=SERVER

Thu Sep 27 14:25:10 2012 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

Thu Sep 27 14:25:33 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Thu Sep 27 14:25:33 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Sep 27 14:25:33 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Thu Sep 27 14:25:33 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Sep 27 14:25:33 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Thu Sep 27 14:25:33 2012 [server] Peer Connection Initiated with 127.0.0.1:38160

Thu Sep 27 14:25:35 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Thu Sep 27 14:25:37 2012 AUTH: Received AUTH_FAILED control message

Thu Sep 27 14:25:37 2012 TCP/UDP: Closing socket

Thu Sep 27 14:25:37 2012 SIGTERM[soft,auth-failure] received, process exiting

[Staff 9972]

GETTING CLOSER TO THE SOLUTION: I changed the socks-proxy listening directive in the OVPN file to match the actual socks port used by the TOR and now get the following log when using sudo ovpn )notice all seems ok except for the hash conflicts and the soft auth failure):

Hello!

Actually account "cyberninja" is currently (at the time this admin is writing) connected and exchanging data. This is the cause of the AUTH_FAILED. The first thing that comes to mind is that you have some other OpenVPN instance still running and connected (or maybe some other computer connected with the same account?). Please make sure that you stop any other openvpn connection and try again. In order to safely kill OpenVPN and restore the previous routing table, just press CTRL-C from the console you started it, or issue a kill command (a normal kill, not a kill -9 of course) to the OpenVPN PID, or even try "[sudo] killall openvpn".

Kind regards

[cyberninja 2]

I'll try as you suggest next. Although, is the reason for the auth failure because I don't have any means to enter username and password when using sudo ovpn on the configuration file? Recall that I got the folowing log message prior to openvpn quitting:

Thu Sep 27 14:25:37 2012 AUTH: Received AUTH_FAILED control message

Thu Sep 27 14:25:37 2012 TCP/UDP: Closing socket

Thu Sep 27 14:25:37 2012 SIGTERM[soft,auth-failure] received, process exiting

IS THERE A WAY I CAN ADD THE LOGIN CREDENTIALS TO THE OVPN FILE? THEN MAYBE IT FAIL ON AUTH?

[cyberninja 2]

I was able to use the TOR information on using Vidalia Settings Advanced tab to remove the check in the box for Configure Control Port Automatically, and it reset the Socks Port to a fixed 9050 (TBB Socks Network settings) and the listening Contraol port to 9051 (Vidalia settings). BUT, eventhough I did that and changed the directive in the OVPN file back to 9050, still same problem when using Network Manager.

[cyberninja 2]

I followed what you suggested about making sure all processed were ended with Ctrl-C and I reran the sudo openvpn command in terminal. I got the following log which suggests to me I need to have a way to include the means for login credentials in the OVPN configuration file, i.e., username and password. CAN YOU HELP WITH THIS? Here's a copy of the log file when running sudo (NetworkManager still doesn't work).

Thu Sep 27 15:21:19 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012

Thu Sep 27 15:21:19 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Thu Sep 27 15:21:19 2012 WARNING: file '/etc/openvpn/keys/airvpntoruser.key' is group or others accessible

Thu Sep 27 15:21:19 2012 LZO compression initialized

Thu Sep 27 15:21:19 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]

Thu Sep 27 15:21:19 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]

Thu Sep 27 15:21:19 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]

Thu Sep 27 15:21:19 2012 Local Options hash (VER=V4): '958c5492'

Thu Sep 27 15:21:19 2012 Expected Remote Options hash (VER=V4): '79ef4284'

Thu Sep 27 15:21:19 2012 Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]

Thu Sep 27 15:21:19 2012 TCP connection established with 127.0.0.1:9050

Thu Sep 27 15:21:20 2012 TCPv4_CLIENT link local: [undef]

Thu Sep 27 15:21:20 2012 TCPv4_CLIENT link remote: 127.0.0.1:9050

Thu Sep 27 15:21:22 2012 TLS: Initial packet from 127.0.0.1:9050, sid=9df0dd6a b1f55316

Thu Sep 27 15:21:27 2012 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

Thu Sep 27 15:21:27 2012 VERIFY OK: nsCertType=SERVER

Thu Sep 27 15:21:27 2012 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

Thu Sep 27 15:21:45 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Thu Sep 27 15:21:45 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Sep 27 15:21:45 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Thu Sep 27 15:21:45 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Sep 27 15:21:45 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Thu Sep 27 15:21:45 2012 [server] Peer Connection Initiated with 127.0.0.1:9050

Thu Sep 27 15:21:47 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Thu Sep 27 15:21:49 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.5.0.1,comp-lzo no,route 10.5.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.5.2.30 10.5.2.29'

Thu Sep 27 15:21:49 2012 OPTIONS IMPORT: timers and/or timeouts modified

Thu Sep 27 15:21:49 2012 OPTIONS IMPORT: LZO parms modified

Thu Sep 27 15:21:49 2012 OPTIONS IMPORT: --ifconfig/up options modified

Thu Sep 27 15:21:49 2012 OPTIONS IMPORT: route options modified

Thu Sep 27 15:21:49 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Thu Sep 27 15:21:49 2012 ROUTE default_gateway=192.168.1.1

Thu Sep 27 15:21:49 2012 TUN/TAP device tun0 opened

Thu Sep 27 15:21:49 2012 TUN/TAP TX queue length set to 100

Thu Sep 27 15:21:49 2012 /sbin/ip link set dev tun0 up mtu 1500

Thu Sep 27 15:21:49 2012 /sbin/ip addr add dev tun0 local 10.5.2.30 peer 10.5.2.29

Thu Sep 27 15:21:49 2012 /sbin/ip route add 127.0.0.1/32 via 192.168.1.1

Thu Sep 27 15:21:49 2012 /sbin/ip route add 0.0.0.0/1 via 10.5.2.29

Thu Sep 27 15:21:49 2012 /sbin/ip route add 128.0.0.0/1 via 10.5.2.29

Thu Sep 27 15:21:49 2012 /sbin/ip route add 10.5.0.1/32 via 10.5.2.29

Thu Sep 27 15:21:49 2012 Initialization Sequence Completed

Thu Sep 27 15:23:49 2012 [server] Inactivity timeout (--ping-restart), restarting

Thu Sep 27 15:23:49 2012 TCP/UDP: Closing socket

Thu Sep 27 15:23:49 2012 /sbin/ip route del 10.5.0.1/32

Thu Sep 27 15:23:49 2012 /sbin/ip route del 127.0.0.1/32

Thu Sep 27 15:23:49 2012 /sbin/ip route del 0.0.0.0/1

Thu Sep 27 15:23:49 2012 /sbin/ip route del 128.0.0.0/1

Thu Sep 27 15:23:49 2012 Closing TUN/TAP interface

Thu Sep 27 15:23:49 2012 /sbin/ip addr del dev tun0 local 10.5.2.30 peer 10.5.2.29

Thu Sep 27 15:23:49 2012 SIGUSR1[soft,ping-restart] received, process restarting

Thu Sep 27 15:23:49 2012 Restart pause, 5 second(s)

Thu Sep 27 15:23:54 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Thu Sep 27 15:23:54 2012 WARNING: file '/etc/openvpn/keys/airvpntoruser.key' is group or others accessible

Thu Sep 27 15:23:54 2012 LZO compression initialized

Thu Sep 27 15:23:54 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]

Thu Sep 27 15:23:54 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]

Thu Sep 27 15:23:54 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]

Thu Sep 27 15:23:54 2012 Local Options hash (VER=V4): '958c5492'

Thu Sep 27 15:23:54 2012 Expected Remote Options hash (VER=V4): '79ef4284'

Thu Sep 27 15:23:54 2012 Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]

Thu Sep 27 15:23:54 2012 TCP connection established with 127.0.0.1:9050

Thu Sep 27 15:23:59 2012 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)

Thu Sep 27 15:23:59 2012 TCP/UDP: Closing socket

Thu Sep 27 15:23:59 2012 SIGTERM[soft,init_instance] received, process exiting

[Staff 9972]

I'll try as you suggest next. Although, is the reason for the auth failure because I don't have any means to enter username and password when using sudo ovpn on the configuration file? Recall that I got the folowing log message prior to openvpn quitting:

Thu Sep 27 14:25:37 2012 AUTH: Received AUTH_FAILED control message

Thu Sep 27 14:25:37 2012 TCP/UDP: Closing socket

Thu Sep 27 14:25:37 2012 SIGTERM[soft,auth-failure] received, process exiting

IS THERE A WAY I CAN ADD THE LOGIN CREDENTIALS TO THE OVPN FILE? THEN MAYBE IT FAIL ON AUTH?

Hello!

For security reasons our servers authenticate users through double-certificate and key. The credentials are all there, you don't need to enter any login or password. From the logs, the double certificates are fine, and also the user.key is accessible by openvpn. Just please make sure that you don't have any other openvpn instance running and connected.

Kind regards

[Staff 9972]

I was able to use the TOR information on using Vidalia Settings Advanced tab to remove the check in the box for Configure Control Port Automatically, and it reset the Socks Port to a fixed 9050 (TBB Socks Network settings) and the listening Contraol port to 9051 (Vidalia settings). BUT, eventhough I did that and changed the directive in the OVPN file back to 9050, still same problem when using Network Manager.

Hello!

You managed to establish a connection over OpenVPN over TOR. Unfortunately, in that case, the connection was reset after 2 minuts (inactivity timeout), probably due to latency problems between some TOR node and the VPN server. You can safely retry with the very same settings, you should be able to have a stable connection unless some unfortunate cases.

About NetworkManager, it is probably misconfigured, can we see the settings?

Kind regards

[cyberninja 2]

I don't have any other instances of OpenVPN running when I use sudo openvpn.

The log is not ok because as you can see at the end it shows timeout sometimes and other times auth failure. Here's a copy of the timeout failure ending (this comes from the log I previously gave you):

Thu Sep 27 15:23:59 2012 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)

Thu Sep 27 15:23:59 2012 TCP/UDP: Closing socket

Thu Sep 27 15:23:59 2012 SIGTERM[soft,init_instance] received, process exiting

YOU SAY USERNAME AND PASSWORD ARE NOT NEEDED WHEN USING KEY and CERTIFICATES?

[Staff 9972]

I don't have any other instances of OpenVPN running when I use sudo openvpn.

The log is not ok because as you can see at the end it shows timeout sometimes and other times auth failure. Here's a copy of the timeout failure ending (this comes from the log I previously gave you):

Thu Sep 27 15:23:59 2012 recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)

Thu Sep 27 15:23:59 2012 TCP/UDP: Closing socket

Thu Sep 27 15:23:59 2012 SIGTERM[soft,init_instance] received, process exiting

Hello!

Please see previous message https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4382&limit=6&limitstart=18&Itemid=142#4429

YOU SAY USERNAME AND PASSWORD ARE NOT NEEDED WHEN USING KEY and CERTIFICATES?

Of course. Actually, they are never required by OpenVPN (hardened security setup). You just can't login with any password, you need both certificates and your own key.

Kind regards