OpenVPN inside shapeshifter-distpatcher not connecting :-(

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

kcyborg
OpenVpn Newbie
Posts: 2
Joined: Thu Nov 18, 2021 7:20 am

OpenVPN inside shapeshifter-distpatcher not connecting :-(

Post by kcyborg » Thu Nov 18, 2021 8:05 am

Hi guys, I need a little help over here...

My goal is to make a connection from the client to the server, but obfuscating the connection to the server first, and then use the OpenVPN client... I followed this (not so) updated guide, but obviously I used it as a guideline.

I have a network lab where 3 VMs live:
1- Ubuntu Server 20.04 (hostname: server), (IP: 192.168.43.100), which is configured as OpenVPN server; the service is running version 2.4.7 on TCP/443 (I need this exact port/proto in order to take the server to production). This server is also running a shapeshifter-dispatcher.
2- Ubuntu Server 20.04 (hostname: client), (IP: 192.168.43.101), which is configured as OpenVPN client, running the same version (2.4.7) as the server.
3- Windows 10 (hostname: client2), (IP: 192.168.43.167), which is configured as OpenVPN client, running OpenVPN GUI (version 11.25.0), although this server isn't very important to the lab...

The server has this configuration:

Code:

local 192.168.43.100 
port 443
proto tcp
dev tun30
tls-server
pkcs12 /etc/openvpn/server/ovpn30/auth/ovpn30.p12
askpass /etc/openvpn/server/ovpn30/pass.txt
dh /etc/openvpn/server/ovpn30/dh.pem
tls-crypt /etc/openvpn/server/ovpn30/auth/ta.key 0
topology subnet
server 192.168.168.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.168.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 8.8.8.8"
client-config-dir /etc/openvpn/server/ovpn30/ccd
keepalive 10 120
tls-version-min 1.2
tls-cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
cipher AES-256-GCM
auth SHA512
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
reneg-sec 14400
;crl-verify /etc/openvpn/server/ovpn30/auth/crl.pem
remote-cert-eku "TLS Web Client Authentication"
compress lz4-v2
push "compress lz4-v2"
max-clients 10
user root
group root
persist-key
persist-tun
status /var/log/openvpn/ovpn30-status.log
log /var/log/openvpn/ovpn30.log
verb 5
client-to-client

I also start the shapeshifter dispatcher:

Code:

./shapeshifter-dispatcher -server -transparent -ptversion 2 -transports obfs2 -state state -bindaddr obfs2-192.168.43.100:2233 -orport 127.0.0.1:443

And the client side, I start first the shapeshifter dispatcher:

Code:

./shapeshifter-dispatcher -transparent -client -state state -target 192.168.43.100:2233 -transports obfs2 -proxylistenaddr 127.0.0.1:8888 -logLevel DEBUG -enableLogging

And the OpenVPN client configuration:

Code:

client
dev tun
proto tcp
# (TO USE WITHOUT THE SHAPESHIFTER SERVER)
#remote 192.168.43.100 443
# (TO USE WITH THE SHAPESHIFTER SERVER)
remote 127.0.0.1 8888
auth-nocache
auth-user-pass
persist-key
persist-tun
tls-client
pkcs12 franco.diaz.p12
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fb10c027a6a5ed5e56cf58913b366e93
726ef1cf64891e9830d6c8a17a02a84f
be64c4ef5a18e89196603bd63b553d7a
86012e07c0d8fea916c040f85f01b246
a123a62ed9ee613544c809c235d2bf4b
471eb43b2e9ab5fda66f475c471fddd2
a84c0be476c777716cc821720b132eb1
4044de10b8dfe09be3487ca8eee4ce6b
a8bf21e945fc916daf8eb6b341c94d83
6011ddc6502ce91031abad89df3d61a3
9ea35225d4e5e17abe87b118784e235b
b9f7fedc03200769ca7d84a663b3b775
57012a4b84c768cd1e11ae4820669599
1530acc01f5dfae5cbe5009c18715b48
ff652de63d2f38e041790267b39b8863
8264893cd154a74e20da72dc2590ff29
-----END OpenVPN Static key V1-----
#---------------------------------------------------------------------------------------------------------
</tls-crypt>

cipher AES-256-GCM
# (IF I LET THIS OPTION ON, LINUX CLIENTS WILL NOT BE ABLE TO CONNECT TO THE SERVER)
#data-ciphers AES-256-GCM
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
auth SHA512
verb 3
resolv-retry infinite
# (IF I LET THIS OPTION ON, LINUX CLIENTS WILL NOT BE ABLE TO CONNECT TO THE SERVER)
#allow-compression yes
compress lz4-v2
nobind

I can connect without problem using only the OpenVPN setup, but I would love to make the OpenVPN connection go inside the shapeshifter tunnel... The weird thing is that the logs don't tell me anything, just:

In the client side (posted as a screenshot, not reproduced here):

In the server side:

Code:

[.....]
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'SHA512'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = ENABLED
  tls_client = DISABLED
  key_method = 2
  ca_file = '[UNDEF]'
  ca_path = '[UNDEF]'
  dh_file = '/etc/openvpn/server/ovpn30/dh.pem'
  cert_file = '[UNDEF]'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '[UNDEF]'
  pkcs12_file = '/etc/openvpn/server/ovpn30/auth/ovpn30.p12'
  cipher_list = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'
  cipher_list_tls13 = 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = 'TLS Web Client Authentication'
  ssl_flags = 192
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 14400
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[UNDEF]'
  tls_crypt_file = '/etc/openvpn/server/ovpn30/auth/ta.key'
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = '[UNDEF]'
  pkcs11_id_management = DISABLED
  server_network = 192.168.168.0
  server_netmask = 255.255.255.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  push_entry = 'route 192.168.168.0 255.255.255.0'
  push_entry = 'redirect-gateway local def1'
  push_entry = 'dhcp-option DNS 192.168.168.1'
  push_entry = 'dhcp-option DNS 8.8.8.8'
  push_entry = 'compress lz4-v2'
  push_entry = 'route-gateway 192.168.168.1'
  push_entry = 'topology subnet'
  push_entry = 'ping 10'
  push_entry = 'ping-restart 120'
  ifconfig_pool_defined = ENABLED
  ifconfig_pool_start = 192.168.168.2
  ifconfig_pool_end = 192.168.168.253
  ifconfig_pool_netmask = 255.255.255.0
  ifconfig_pool_persist_filename = 'ipp.txt'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '/etc/openvpn/server/ovpn30/ccd'
  ccd_exclusive = DISABLED
  tmp_dir = '/tmp'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = ENABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 10
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  port_share_host = '[UNDEF]'
  port_share_port = '[UNDEF]'
  client = DISABLED
  pull = DISABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
AUTH-PAM: BACKGROUND: INIT service='login'
PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Diffie-Hellman initialized with 2048 bit key
Deprecated TLS cipher name 'ECDHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
Deprecated TLS cipher name 'ECDHE-RSA-AES128-GCM-SHA256', please use IANA name 'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'
Deprecated TLS cipher name 'DHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
Deprecated TLS cipher name 'DHE-RSA-AES128-GCM-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
TUN/TAP device tun30 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun30 up mtu 1500
/sbin/ip addr add dev tun30 192.168.168.1/24 broadcast 192.168.168.255
Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]192.168.43.100:443
TCPv4_SERVER link local (bound): [AF_INET]192.168.43.100:443
TCPv4_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=192.168.168.2 size=252, ipv6=0
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=10 maxevents=14
Initialization Sequence Complete

My guess is that there is a misconfiguration on the server side... But 2 days have passed since I began this task, and apparently I'm not smart enough to see my mistake...
What am I doing wrong? Can anyone direct me to a guide to make this work correctly?
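The four hops in this setup (OpenVPN client, client dispatcher, server dispatcher, OpenVPN server) each have a listen address and a forward target that must pair up. The check below is added for this thread and is not part of the original posts or of shapeshifter-dispatcher; it embeds excerpts of the configurations posted above and assumes that the server dispatcher's `-orport` must be an address the OpenVPN server actually binds, which `local` restricts to a single interface.

```python
import shlex

# Excerpts of the configurations posted above (only the lines the check needs).
SERVER_CONF = "local 192.168.43.100\nport 443\nproto tcp\n"
CLIENT_CONF = "client\nproto tcp\n#remote 192.168.43.100 443\nremote 127.0.0.1 8888\n"
SERVER_DISP = ("./shapeshifter-dispatcher -server -transparent -ptversion 2 -transports obfs2 "
               "-state state -bindaddr obfs2-192.168.43.100:2233 -orport 127.0.0.1:443")
CLIENT_DISP = ("./shapeshifter-dispatcher -transparent -client -state state -target 192.168.43.100:2233 "
               "-transports obfs2 -proxylistenaddr 127.0.0.1:8888 -logLevel DEBUG -enableLogging")

def parse_ovpn(text):
    """Map each OpenVPN option to its arguments; '#'/';' comments and <inline> blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("<"):                       # <tls-crypt> ... </tls-crypt>
            in_block = not line.startswith("</")
        elif line and not in_block and not line.startswith(";"):
            parts = shlex.split(line)
            opts.setdefault(parts[0], parts[1:])
    return opts

def parse_dispatcher(cmdline):
    """Map shapeshifter-dispatcher flags to their values; bare flags such as -server map to True."""
    argv, flags, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        flags[argv[i].lstrip("-")] = argv[i + 1] if has_value else True
        i += 2 if has_value else 1
    return flags

def check_chain(client_ovpn, client_disp, server_disp, server_ovpn):
    """Walk the hops client -> dispatcher -> dispatcher -> server and return a list of mismatches."""
    c, s = parse_ovpn(client_ovpn), parse_ovpn(server_ovpn)
    cd, sd = parse_dispatcher(client_disp), parse_dispatcher(server_disp)
    problems = []
    if ":".join(c["remote"][:2]) != cd["proxylistenaddr"]:
        problems.append("client 'remote' does not point at the client dispatcher's -proxylistenaddr")
    if cd["target"] != sd["bindaddr"].split("-", 1)[1]:    # bindaddr is '<transport>-host:port'
        problems.append("client -target does not match the server dispatcher's -bindaddr")
    if cd["transports"] != sd["transports"]:
        problems.append("client and server dispatchers use different -transports")
    or_host, or_port = sd["orport"].rsplit(":", 1)
    if s.get("port") != [or_port] or s.get("proto") != ["tcp"]:
        problems.append("server dispatcher -orport port/proto does not match the OpenVPN server")
    if "local" in s and s["local"][0] != or_host:         # 'local' pins the only address OpenVPN binds
        problems.append(f"-orport forwards to {or_host} but OpenVPN listens only on {s['local'][0]}")
    return problems
```

Run against the posted configuration it reports one mismatch on the last hop, which is consistent with the server log showing OpenVPN bound to 192.168.43.100:443 only and TinCanTech's observation that no VPN packets reached it; a tcpdump on the server's loopback and LAN interfaces will confirm where the forwarded connection actually lands.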

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN inside shapeshifter-distpatcher not connecting :-(

Post by TinCanTech » Thu Nov 18, 2021 2:19 pm

Whatever the problem is, the result is that the server did not receive any VPN packets.

kcyborg
OpenVpn Newbie
Posts: 2
Joined: Thu Nov 18, 2021 7:20 am

Re: OpenVPN inside shapeshifter-distpatcher not connecting :-(

Post by kcyborg » Thu Nov 18, 2021 7:58 pm

TinCanTech wrote:
Thu Nov 18, 2021 2:19 pm
Whatever the problem is, the result is that the server did not receive any VPN packets.
But both (shapeshifter-dispatcher server and client) said they are connected...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN inside shapeshifter-distpatcher not connecting :-(

Post by TinCanTech » Fri Nov 19, 2021 12:49 am

Find the packets with tcpdump.
