Fedora 21+ bug - OpenVPN not working. Use Debian template instead


theman

Aug 20, 2015, 2:19:15 AM
to qubes...@googlegroups.com
Hi All,

New to Qubes, I just spent 8 hours trying to set up openvpn. Turns out
there is a bug in Fedora 21 & 22 with openvpn.

https://groups.google.com/d/forum/qubes-users/join/dFom7xQAAADunBZo-WIeJDXz3OlSTC5Z9PvELUkvdSoeYwUaJ-7UOA?hl=en


Anyway, I installed and used the Debian template instead. Had to change
the *.ovpn file to *.conf and not use the network-manager. Everything
seems to be working fine now.


Connor Page

Aug 20, 2015, 10:25:08 AM
to qubes-users, the...@infrasonic.com.au
On Thursday, 20 August 2015 07:19:15 UTC+1, theman wrote:
> Hi All,
>
> New to Qubes, I just spent 8 hours trying to set-up openvpn. Turns out
> there is a bug in Fedora 21 & 22 with openvpn.
>
> https://groups.google.com/d/forum/qubes-users/join/dFom7xQAAADunBZo-WIeJDXz3OlSTC5Z9PvELUkvdSoeYwUaJ-7UOA?hl=en
>

And what's the point of linking a message to itself?

>
> Anyway, I installed and used the Debian template instead. Had to change
> the *.ovpn file to *.conf and not use the network-manager. Everything
> seems to be working fine now.

And what did prevent you from using openvpn in Fedora?

cprise

Aug 20, 2015, 1:57:45 PM
to theman, qubes...@googlegroups.com
Look for the thread 'OpenVPN setup, revisited'. I haven't tested those
instructions with fedora 21, but maybe they will work.

theman

Aug 21, 2015, 7:29:35 AM
to cprise, qubes...@googlegroups.com
Sorry for the dud link - haven't quite got my Qubes copying and pasting
foo happening.

This was the link I intended:

http://software-engineer.gatsbylee.com/centos7openvpn-verify-error-depth0-errorcertificate-signature-failure/
https://www.reddit.com/r/Fedora/comments/2wiqk8/trouble_with_openvpn_in_fedora_21/
http://forums.untangle.com/openvpn/35217-fedora-21-fails-verify-md5-certs.html

This is the error I was getting using fedora template:

VERIFY ERROR: depth=0, error=certificate signature failure
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Anyway - just wanted to let people know that it works in Debian. I'm not
sure if it will in Fedora 21

Connor Page

Aug 21, 2015, 9:15:17 AM
to qubes-users
Well, switching to Debian just because it would let you use insecure protocols and certificates doesn't really make good advice on the Qubes mailing list.
I'd suggest you actually track down the problem and actually improve the security of your VPN.

Alex

Aug 21, 2015, 10:06:42 AM
to qubes...@googlegroups.com

On 08/21/2015 01:29 PM, theman wrote:
> This is the error I was getting using fedora template:
>
> VERIFY ERROR: depth=0, error=certificate signature failure
> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> TLS Error: TLS object -> incoming plaintext read error TLS Error:
> TLS handshake failed
>
> Anyway - just wanted to let people know that it works in Debian.
> I'm not sure if it will in Fedora 21
I'm not sure it will work in Debian for a long time, instead. It seems
that a lot of software platforms (i.e. firefox and android at least,
since I've had recent trouble with them) are actively deprecating
SSLv3 certificates.

I've had a client using a remote app with a supposedly secure https
channel come to me lamenting it does not work anymore with Android 5;
after a little investigation it turns out that Android 5 does not
automatically accept an SSLv3 certificate anymore (Android 4 did). The
solution has been contacting the manufacturer, which provided a
firmware update for the embedded device the app was connecting to.

The same thing happened, recently, for Firefox.

Please listen to Connor Page's advice, and try to improve the setup
(i.e. don't use SSLv3 certificates)

--
Alex

theman

Aug 22, 2015, 12:44:34 AM
to qubes...@googlegroups.com
Thanks both for your advice. As you've probably realised I'm quite out
of my depth, so point taken Connor about not offering bad advice. Apologies.

How should I go about improving my set-up? So far I've advised the vpn
provider of the problem (providing them with the links I posted) and
they suggested I ditch Fedora (assuming it was a bug in Fedora). :O(

Also, I did not set things up following the "OpenVPN setup, revisited"
post. I've also noticed DNS leaks so my setup's useless really, lol.

Would you recommend trying to set things following the "OpenVPN setup,
revisited" post, using the files provided from my openvpn provider? And
how do I not use the SSLv3 certificate? Do I need to contact my vpn
provider for different files? Note, my openvpn provider supplied 4 files:

client.key
ta.key
ca.crt
client.crt
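The "certificate signature failure" reported earlier in this thread is the symptom Fedora 21's OpenSSL gives when a certificate in the chain is signed with a digest it no longer accepts (the links posted above point at MD5-signed certificates). The first thing to establish, before changing templates or asking the provider for new files, is which signature algorithm ca.crt and client.crt actually carry. The following is an added example, not code from this thread or from the OpenVPN project: a small pure-Python DER walker that reads the signatureAlgorithm OID out of a PEM certificate, flags MD5 and SHA-1, and also checks that the outer signatureAlgorithm matches the signature field inside tbsCertificate (RFC 5280 requires them to agree). The OID table and the `make_sample_cert`/`sample_pem` builders are my own constructed test fixtures; the sample "certificate" they produce has placeholder fields and no real signature.

```python
import base64
import re

# Constructed lookup of common certificate signature OIDs.
# "weak" is True for MD5 (what Fedora 21's OpenSSL rejects) and SHA-1
# (deprecated for certificate signatures); unknown OIDs get None.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _decode_oid(raw: bytes) -> str:
    """Turn the DER content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def _algorithm_oid(der: bytes, pos: int) -> str:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, start, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])

def check_certificate(pem: str) -> dict:
    """Report the signature algorithm of a PEM certificate and whether it is weak."""
    der = pem_to_der(pem)
    tag, start, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, tbs_end = _read_tlv(der, start)   # tbsCertificate
    # Inside tbsCertificate: [0] version (optional), serialNumber, signature.
    tag, _, end = _read_tlv(der, tbs_start)
    if tag == 0xA0:                        # explicit version tag present
        tag, _, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    inner_oid = _algorithm_oid(der, end)   # tbsCertificate.signature
    outer_oid = _algorithm_oid(der, tbs_end)  # Certificate.signatureAlgorithm
    name, weak = SIGNATURE_OIDS.get(outer_oid, ("unknown", None))
    return {"oid": outer_oid, "name": name, "weak": weak,
            "consistent": inner_oid == outer_oid}

# --- constructed test fixtures (not real certificates) ---------------------
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _alg(oid: bytes) -> bytes:
    return _der(0x30, _der(0x06, oid) + b"\x05\x00")   # OID + NULL parameters

def make_sample_cert(outer: bytes, inner: bytes = None) -> bytes:
    """Build a minimal placeholder Certificate DER with the given signature OIDs."""
    inner = outer if inner is None else inner
    tbs = (_der(0xA0, _der(0x02, b"\x02"))   # version v3
           + _der(0x02, b"\x01")             # serialNumber 1
           + _alg(inner)                     # signature (should equal outer)
           + _der(0x30, b""))                # issuer: empty placeholder Name
    return _der(0x30, _der(0x30, tbs) + _alg(outer) + _der(0x03, b"\x00" * 9))

def sample_pem(outer: bytes, inner: bytes = None) -> str:
    body = base64.b64encode(make_sample_cert(outer, inner)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # On a real system: check_certificate(open("ca.crt").read())
    print(check_certificate(sample_pem(MD5_RSA)))
    print(check_certificate(sample_pem(SHA256_RSA)))
```

Run it against the provider's ca.crt and client.crt; a result of `md5WithRSAEncryption` on either explains the Fedora failure and is something only the provider can fix by re-issuing the chain. `openssl x509 -in ca.crt -noout -text` shows the same "Signature Algorithm" line if you prefer the standard tool.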

theman

Aug 22, 2015, 1:10:31 AM
to Alex, qubes...@googlegroups.com
Plus the vpn provider supplies me with an *.ovpn file

On 22/08/15 00:06, Alex wrote:

Alex

Aug 22, 2015, 5:19:10 AM
to qubes...@googlegroups.com

On 08/22/2015 07:10 AM, theman wrote:
> Plus the vpn provider supplies me with an *.ovpn file
>
If you are using a VPN provider, then you don't have much choice: the
configuration (and certificates) are created by them, and you don't
have much control over that.

I took a little bit of time to investigate the proper error message,
and it seems OpenVPN is not ditching SSLv3 certificates (yet...) and
the error message you get is related to a problem (feature?) in
validating certificates on x64 2.3.2 version.

This 3-post thread may help you
(https://forums.openvpn.net/topic13116.html); the user's solution was
to re-install 2.2.2, set it up and have it running, add the
openvpn.net repository to its yum configuration and then upgrade to
2.3.2 (thus skipping the original CentOS build). Fedora is very
similar to CentOS on many things, the OpenVPN project may or may not
have a specific repository for Fedora; if there is none, try using the
CentOS one.

--
Alex

Connor Page

Aug 22, 2015, 4:20:03 PM
to qubes-users, alex...@gmx.com
On Saturday, 22 August 2015 10:19:10 UTC+1, Alex wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 08/22/2015 07:10 AM, theman wrote:
> > Plus the vpn provider supplies me with an *.ovpn file
> >
> If you are using a VPN provider, then you don't have much choice: the
> configuration (and certificates) are created by them, and you don't
> have much control over that.
>
> I took a little bit of time to investigate the proper error message,
> and it seems OpenVPN is not ditching SSLv3 certificates (yet...) and
> the error message you get is related to a problem (feature?) in
> validating certificates on x64 2.3.2 version.
>
> This 3-post thread may help you
> (https://forums.openvpn.net/topic13116.html); the user's solution was
> to re-install 2.2.2, set it up and have it running, add the
> openvpn.net repository to its yum configuration and then upgrade to
> 2.3.2 (thus skipping the original CentOS build). Fedora is very
> similar to CentOS on many things, the OpenVPN project may or may not
> have a specific repository for Fedora; if there is none, try using the
> CentOS one.

Unfortunately that thread is about upgrading the server, not the client as in this case.

Perhaps the best solution is to have a working Debian VM and a test Fedora VM that can be tested after each openvpn update, in the hope that this will be fixed one day.

theman

Aug 22, 2015, 7:22:18 PM
to Connor Page, qubes-users, alex...@gmx.com
Okay. Thanks for your reply. I'll try to get things working properly
following the OpenVPN revisited thread using the Debian template and do
as you suggest with a Fedora test vm.

cprise

Aug 23, 2015, 2:27:42 PM
to theman, qubes-users, alex...@gmx.com
On 08/22/2015 07:22 PM, theman wrote:
> Okay. Thanks for your reply. I'll try to get things working properly
> following the OpenVPN revisited thread using the Debian template and do
> as you suggest with a Fedora test vm.
>

I think the key to addressing the link security problem must be with the
VPN provider itself. It wouldn't hurt to contact them... maybe they'll
change their setup.

My suggestion is to also keep using Debian templates in general: Debian
has a better focus on security and their repositories are correctly
secured whereas Fedora's are not. A MITM attacker can easily prevent
Fedora from receiving particular security updates without the user
knowing. If you want a Debian template that has the desktop features in
the Fedora template, use the 'tasksel' command and select 'Debian
desktop' and 'Gnome'.
