
VPN with TSL Cert with Private Key Password #57

Open
s-nt-s opened this issue Nov 26, 2023 · 8 comments

Comments

@s-nt-s

s-nt-s commented Nov 26, 2023

Hello

This is my config.ovpn:

client
dev tun
proto tcp
remote ********** **********
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4 name
cipher AES-256-CBC
data-ciphers-fallback 'AES-256-CBC'
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
**********
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
**********
-----END OpenVPN Static key V1-----
</tls-crypt>

And it is how I manually connect to it:

$ sudo openvpn --config ./config.ovpn --askpass --up-restart --persist-key --persist-tun

2023-11-26 12:34:22 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-11-26 12:34:22 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ****************************************************************
2023-11-26 12:34:33 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:33 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:33 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:33 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:33 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.69:443
2023-11-26 12:34:33 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-11-26 12:34:33 Attempting to establish TCP connection with [AF_INET]192.168.1.69:443 [nonblock]
2023-11-26 12:34:34 TCP connection established with [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 TCP_CLIENT link local: (not bound)
2023-11-26 12:34:34 TCP_CLIENT link remote: [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 TLS: Initial packet from [AF_INET]192.168.1.69:443, sid=1ae92fa2 9b782996
2023-11-26 12:34:34 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-11-26 12:34:34 VERIFY KU OK
2023-11-26 12:34:34 Validating certificate extended key usage
2023-11-26 12:34:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-11-26 12:34:34 VERIFY EKU OK
2023-11-26 12:34:34 VERIFY X509NAME OK: CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:34 VERIFY OK: depth=0, CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:34 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2023-11-26 12:34:34 [bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4] Peer Connection Initiated with [AF_INET]192.168.1.69:443
2023-11-26 12:34:34 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.17.231.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.17.231.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-11-26 12:34:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.5)
2023-11-26 12:34:34 OPTIONS IMPORT: timers and/or timeouts modified
2023-11-26 12:34:34 OPTIONS IMPORT: --ifconfig/up options modified
2023-11-26 12:34:34 OPTIONS IMPORT: route options modified
2023-11-26 12:34:34 OPTIONS IMPORT: route-related options modified
2023-11-26 12:34:34 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-11-26 12:34:34 OPTIONS IMPORT: peer-id set
2023-11-26 12:34:34 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-11-26 12:34:34 OPTIONS IMPORT: data channel crypto options modified
2023-11-26 12:34:34 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-11-26 12:34:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:34 net_route_v4_best_gw query: dst 0.0.0.0
2023-11-26 12:34:34 net_route_v4_best_gw result: via 192.168.1.1 dev wlp4s0
2023-11-26 12:34:34 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp4s0 HWADDR=e4:b3:18:d2:f4:33
2023-11-26 12:34:34 TUN/TAP device tun0 opened
2023-11-26 12:34:34 net_iface_mtu_set: mtu 1500 for tun0
2023-11-26 12:34:34 net_iface_up: set tun0 up
2023-11-26 12:34:34 net_addr_v4_add: 10.17.231.4/24 dev tun0
2023-11-26 12:34:34 net_route_v4_add: 192.168.1.69/32 via 192.168.1.1 dev wlp4s0 table 0 metric -1
2023-11-26 12:34:34 net_route_v4_add: 0.0.0.0/1 via 10.17.231.1 dev [NULL] table 0 metric -1
2023-11-26 12:34:34 net_route_v4_add: 128.0.0.0/1 via 10.17.231.1 dev [NULL] table 0 metric -1
2023-11-26 12:34:34 Initialization Sequence Completed
2023-11-26 12:34:34 Connection reset, restarting [-1]
2023-11-26 12:34:34 SIGUSR1[soft,connection-reset] received, process restarting
2023-11-26 12:34:34 Restart pause, 5 second(s)
2023-11-26 12:34:39 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:39 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:39 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-11-26 12:34:39 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-11-26 12:34:39 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-11-26 12:34:39 Attempting to establish TCP connection with [AF_INET]192.168.1.69:443 [nonblock]
2023-11-26 12:34:39 TCP connection established with [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 TCP_CLIENT link local: (not bound)
2023-11-26 12:34:39 TCP_CLIENT link remote: [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 TLS: Initial packet from [AF_INET]192.168.1.69:443, sid=e1ef43b9 e900a3da
2023-11-26 12:34:39 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-11-26 12:34:39 VERIFY KU OK
2023-11-26 12:34:39 Validating certificate extended key usage
2023-11-26 12:34:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-11-26 12:34:39 VERIFY EKU OK
2023-11-26 12:34:39 VERIFY X509NAME OK: CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:39 VERIFY OK: depth=0, CN=bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4
2023-11-26 12:34:39 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2023-11-26 12:34:39 [bot_82ead2c2-4ea1-45b8-bc3a-29aceb019ac4] Peer Connection Initiated with [AF_INET]192.168.1.69:443
2023-11-26 12:34:39 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.17.231.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.17.231.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-11-26 12:34:39 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.5)
2023-11-26 12:34:39 OPTIONS IMPORT: timers and/or timeouts modified
2023-11-26 12:34:39 OPTIONS IMPORT: --ifconfig/up options modified
2023-11-26 12:34:39 OPTIONS IMPORT: route options modified
2023-11-26 12:34:39 OPTIONS IMPORT: route-related options modified
2023-11-26 12:34:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-11-26 12:34:39 OPTIONS IMPORT: peer-id set
2023-11-26 12:34:39 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-11-26 12:34:39 OPTIONS IMPORT: data channel crypto options modified
2023-11-26 12:34:39 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-11-26 12:34:39 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:39 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-11-26 12:34:39 Preserving previous TUN/TAP instance: tun0
2023-11-26 12:34:39 Initialization Sequence Completed

But when I use kota65535/github-openvpn-connect-action in order to connect from a GitHub Action it always fails:

running command: sudo openvpn --config ./client.ovpn --daemon --log openvpn.log --writepid openvpn.pid

2023-11-25 23:59:55 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-11-25 23:59:55 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Error: VPN connection failed.
@kota65535
Owner

I've never used a private key with a passphrase, but I think we cannot use them because the GitHub Actions runner does not have a TTY and we have no chance to type the passphrase.
cf. actions/runner#241

@s-nt-s
Author

s-nt-s commented Nov 27, 2023

You can append in client.ovpn a line like askpass pass.txt where pass.txt is a file that contains the password.

@Morriz

Morriz commented Mar 10, 2024

I see the action makes this modification:

auth-user-pass up.txt

Does that mean it is now supported, @kota65535?

@Morriz

Morriz commented Mar 10, 2024

I still can't use it and I DO use a passphrase for my key. Let me try without...

@Morriz

Morriz commented Mar 11, 2024

I created a new issue for this: #63
Feel free to mark it as dupe if you think it is...

@anxo-outeiral

Same issue here as @s-nt-s, and the same `client.ovpn` file.

> You can append in client.ovpn a line like askpass pass.txt where pass.txt is a file that contains the password.

This works for me too, but it's not really secure saving the password in plain text.
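The `askpass pass.txt` approach from s-nt-s's comment above, carried through in a form that addresses the plain-text concern raised here: the passphrase comes from a secret, lands in a file only its owner can read, is referenced from the config exactly once, and the step fails loudly if the tunnel never comes up. This is an added example, not code from kota65535/github-openvpn-connect-action; the variable name `OVPN_KEY_PASS`, the `$RUNNER_TEMP` path and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the action discussed in this issue): feed the
# private-key passphrase to a non-interactive OpenVPN run via "askpass <file>".
# Assumption: the passphrase is exported as $OVPN_KEY_PASS from a GitHub secret.
set -e

# Write the passphrase to a file only its owner can read (umask 077 -> 0600).
# OpenVPN reads the first line of the askpass file, so one trailing newline.
# Prints the mode string (e.g. "-rw-------") so the caller can verify it.
write_passfile() {                     # $1 = target path
  local path=$1
  ( umask 077 && printf '%s\n' "$OVPN_KEY_PASS" > "$path" )
  ls -l "$path" | cut -c1-10
}

# Add "askpass <file>" to the .ovpn once. A second call replaces the existing
# directive instead of appending another, so retries never duplicate it.
# Prints how many askpass lines the config now contains (expected: 1).
add_askpass() {                        # $1 = ovpn path, $2 = passfile path
  local ovpn=$1 passfile=$2
  if grep -qE '^askpass[[:space:]]' "$ovpn"; then
    sed -i -E "s|^askpass[[:space:]].*|askpass $passfile|" "$ovpn"
  else
    printf 'askpass %s\n' "$passfile" >> "$ovpn"
  fi
  grep -cE '^askpass[[:space:]]' "$ovpn"
}

# Poll the daemon log for the line OpenVPN prints once the tunnel is up.
# Returns 0 on success and 1 on timeout, so the workflow step fails instead
# of silently continuing without a VPN.
wait_for_tunnel() {                    # $1 = log path, $2 = timeout in seconds
  local log=$1 timeout=$2 i=0
  while [ "$i" -lt "$timeout" ]; do
    grep -q 'Initialization Sequence Completed' "$log" 2>/dev/null && return 0
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Typical use inside a workflow step (openvpn itself is not run here):
#   write_passfile "$RUNNER_TEMP/pass.txt"
#   add_askpass ./client.ovpn "$RUNNER_TEMP/pass.txt"
#   sudo openvpn --config ./client.ovpn --daemon --log openvpn.log --writepid openvpn.pid
#   wait_for_tunnel openvpn.log 30 || { cat openvpn.log; exit 1; }
#   shred -u "$RUNNER_TEMP/pass.txt"   # passphrase no longer needed once the tunnel is up
```

Because `openvpn` runs under `sudo`, root reads the 0600 file owned by the runner user; nothing else on the runner can, and shredding it after startup keeps it out of any later step or artifact.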

@Morriz

Morriz commented Apr 4, 2024

@anxo-outeiral that is not an issue when it is injected in a container in a GitHub pipeline just for that run, where nobody can get to it...

Anyway, I forked this repo and made it accept all the configuration needed imo: https://github.com/Morriz/github-openvpn-connect-action

@anxo-outeiral

> @anxo-outeiral that is not an issue when it is injected in a container in a GitHub pipeline just for that run, where nobody can get to it...
>
> Anyway, I forked this repo and made it accept all the configuration needed imo: https://github.com/Morriz/github-openvpn-connect-action

Thanks @Morriz. I'll check it!
