riseup-vpn errors (BookwormPup64 10.0.4)

[galen]

Installed the vpn
Rebooted
#su spot
#riseup-vpn
GUI runs but firewall and VPN fails
Anyone have it running?

[bigpup]

What exact version of BookwormPup????

How did you do the install of VPN?

[xx_T3n0ch_X]

Installed the vpn
Rebooted
#su spot
#riseup-vpn
GUI runs but firewall and VPN fails
Anyone have it running?

Try this bash script with YAD GUI, you will need to install openvpn from the ppm repo, and make sure your puppy does not have the ipv6 tools/modules blacklisted (most don't). As always, use at your own risk,

riseupvpny_1.8.1.pet

(14.16 KiB) Downloaded 56 times

[Jasper]

@xx_T3n0ch_X

Thanks for this

Works in Fossapup64-95, straight from the menu entry.

I did notice there was an initial comment/warning when it first connected and I added an additional line to my config file.

It works fine, but am a little unsure as if it is correct.

Any advice?

[xx_T3n0ch_X]

@xx_T3n0ch_X

Thanks for this

Works in Fossapup64-95, straight from the menu entry.

I did notice there was an initial comment/warning when it first connected and I added an additional line to my config file.

It works fine, but am a little unsure as if it is correct.

Any advice?

Yes it will be fine.

[Jasper]

Thanks for the clarification

[xx_T3n0ch_X]

I'm glad it worked, if any of you reading this know about VPNs and OPENVPN, and how to improve the configuration file, let me know to include the changes.

[Jasper]

@xx_T3n0ch_X

Is it possible to resize the gui?

The two columns on the initial screen are large. On the LHS it says "Connect" and I have forgotten already what it said on the RHS

I did try to resize the dialog box but dragging the cursor from the top corners did not allow me to do so.

<EDIT>

I have compiled OpenVPN 2.6.8 for Fossapup64-95 and from memory it needs to be compiled alongside OpenSSL.

Fossapup64-5 uses a discontinued build version ie 1.x. Bookworm users have the latest 3.x build included.

[xx_T3n0ch_X]

@xx_T3n0ch_X

Is it possible to resize the gui?

The two columns on the initial screen are large. On the LHS it says "Connect" and I have forgotten already what it said on the RHS

I did try to resize the dialog box but dragging the cursor from the top corners did not allow me to do so.

in the file: riseupvpny, locate user_settings, remove --center to be able to change size with the mouse, or keep --center and adjust size to your liking by modifying --width and --height

[Jasper]

@xx_T3n0ch_X

This is the dialog box I am referring to.

This is reduced by 50% on a 1920x1080 monitor.

I did remove the entry here but that makes no difference.

[xx_T3n0ch_X]

@xx_T3n0ch_X

This is the dialog box I am referring to.

This is reduced by 50% on a 1920x1080 monitor.

I did remove the entry here but that makes no difference.

wtf, I never seen that before, could it be the yad version?

[Jasper]

Maybe this line?

Changed the values with no luck.

[xx_T3n0ch_X]

Maybe this line?

Changed the values with no luck.

That is the one that draws the window to see the log, not related to the "Start Window"

[Jasper]

Yes, it was a YAD error.

Compiled and used the current build and the GUI looks normal now

Many thanks

If anyone using FossaPup95 needs the YAD update:

yad-13.0-x86_64
https://www.mediafire.com/file/g44g0jqg ... 4.pet/file

[xx_T3n0ch_X]

BookwormPup32-23.12+1.iso with yad 0.42.81 (GTK+ 3.24.38) on qemu

sc.jpeg (119.12 KiB) Viewed 1852 times

[Jasper]

@xx_T3n0ch_X

I had to make a change in my config file as I spotted this comment in the log.

Code: Select all

005 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.

It may be only specific to Fossapup64-95 as I am using OpenSSL 1.1.1s.

My new configuration eliminates the issue.

It also will serve as a reminder when I upgrade OpenVPN to the next build.

[galen]

What exact version of BookwormPup????

How did you do the install of VPN?

10.0.4

synaptic I think

[OscarTalks]

I'm glad it worked, if any of you reading this know about VPNs and OPENVPN, and how to improve the configuration file, let me know to include the changes.

Hello xx_T3n0ch_X
Good work on the riseup yad gui script program. Thanks for posting it. I probably know less than you about this topic overall, but what I can tell you is that BookwormPup has openvpn-2.6.x which works in conjunction with openssl-3 rather than the earlier Pups which had openssl-1.1 and this upgrade from 1.1 to 3.x does tend to introduce some slight differences and tighter rules when it comes to the configuration. There are more warnings about --cipher and --data-ciphers and --data-ciphers-fallback and when I was doing some testing the other day I was having some difficulty working it all out.

Anyway, in BookwormPup in my initial very brief test of your riseupvpny it did work. The wget downloads of the files (cert,key,list) did give a couple of hiccups before connecting and downloading. I selected one of the Paris gateways and it connected OK. Not sure if the IPv6 routing is working though. Also on my hardware there is a DNS leak to my ISP via the router hub. There are several ways in which openvpn or client programs attempt to address this DNS lookups situation. I haven't even looked at any logs yet so would need to investigate further, but looks like a worthwhile project to me.

[galen]

some links
https://dnsleak.com/
https://ipleak.net/

[OscarTalks]

I compiled the dco kernel module for kernel 6.1.67 for my compiled-from-source openvpn-2.6.8
The feature (Data Channel Offload) is now recognised and shown in openvpn --version so hopefully it does improve performance.

I think you can use cipher AES-256-GCM and also data-ciphers AES-256-GCM in the .ovpn config file but not essential. some of those options get pushed from the server side I believe. I always like to see if I can connect without any of those 'WARNING' or 'DEPRECATED OPTION' or 'Note' messages popping up, even though often they are not fatal errors.

[xx_T3n0ch_X]

On my machine:

Code: Select all

OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 21 2023
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Originally developed by James Yonan

The option cipher AES-256-GCM fails, and the option data-ciphers, appears to not be available.

The warnings, notes, and deprecated options, when utilizing the configuration file in the pet, are the following:

Code: Select all

Thu Jan  4 05:57:07 2024 us=486428 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Thu Jan  4 05:57:07 2024 us=67965 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jan  4 05:57:08 2024 us=726973 NOTE: setsockopt TCP_NODELAY=1 failed

I tried the website ipleak mentioned by @galen , I think it passed:

Screenshot 2024-01-04 at 06-58-14 IP_DNS Detect.png (68.15 KiB) Viewed 1619 times

it is important to mention my browser set up, and /etc/resolv.conf:

Firefox 121.0 with Disable Webrtc, ublock origin, privacy badger, chameleon, local cdn, clear url

the /etc/resolv.conf:

Code: Select all

nameserver 9.9.9.11
nameserver 149.112.112.11
2620:fe::11
2620:fe::fe:11
domain https://dns11.quad9.net/dns-query
tls://dns11.quad9.net

Changing the DNS resolver to quad9.net solved the ISP leaking my ip, but again, we are trusting yet another entity.

[OscarTalks]

Hello,
Yes, I am testing in BookwormPup64 with openvpn-2.6.8 which uses data-ciphers, supposedly in place of cipher, but sometimes it still complains with a "Note" if cipher is not set so I find that all is OK if I use AES-256-GCM as the setting for both. I know that openvpn-2.4.12 which I am still using in FossaPup does not recognise the data-ciphers option and maybe AES-256-GCM is not negotiable as a cipher in that scenario. I don't want to introduce BF-CBC at all because that is an old one which forces openvpn to disable dco.

I think the riseup VPN server is blocking IPv6 traffic which is probably a good thing. The option is there in Connection Manager in Puppy to turn off IPv6 protocol. I reckon that is worth looking at if running a VPN as it represents another potential route for a leak.

I have also used ConnMan to set system DNS to Cloudflare. Yet another entity as you say, but considered highly reputable (at least until now), so there is no leak to my ISP any more. I was just wondering if something in your client script could address DNS in some way, as many users will have that situation of the network manager sending lookups to the router gateway which obviously is then sent to the ISP DNS. In my simple VPN program I do have the DNS switching to Cloudflare and then back to the user's settings on VPN disconnection (modifying /etc/resolv.conf). I think there must be better ways, but with openvpn-2.4.x they were calling other external third party scripts to switch things as the executable had no way of doing so directly. Maybe 2.6.x has introduced new and better mechanisms, not sure. Anyway, I am still playing around with it. The server connects very quickly and delivers good speed, so worth having.

[galen]

audit your connection leaks

https://browserleaks.com/

[galen]

DNS providers that do not censor or log your DNS queries:

FreeDNS — open, free and public DNS —
37.235.1.174
37.235.1.177

DNS.Watch — free, no logging, DNSSEC enabled –
84.200.69.80
84.200.70.40

Censurfridns.DK — two Danish uncensored DNS servers –
91.239.100.100
89.233.43.71

Opendns
208.67.222.222
208.67.222.220

[xx_T3n0ch_X]

@OscarTalks

I was just wondering if something in your client script could address DNS in some way, as many users will have that situation of the network manager sending lookups to the router gateway which obviously is then sent to the ISP DNS

Thank you for your advice, I will look into it. I'm quite new at everything.

@galen , thanks for the info.

[Jasper]

Hi all

My server list text file is empty now therefore it cannot connect to a server.

Can someone share this with me?

It is found in the .risevpn directory in /root

It is simply a text file of their named servers.

Thanks in advance

[xx_T3n0ch_X]

Hi all

My server list text file is empty now therefore it cannot connect to a server.

Can someone share this with me?

It is found in the .risevpn directory in /root

It is simply a text file of their named servers.

Thanks in advance

I think, something changed with the API, I'll take a look tomorrow.

[festus]

Hi all

My server list text file is empty now therefore it cannot connect to a server.

Can someone share this with me?

It is found in the .risevpn directory in /root

It is simply a text file of their named servers.

Thanks in advance

Hey, Jasper, here is the list of servers, in /root/.riseupvpn/servers_list.txt:

Code: Select all

vpn01-sea.riseup.net|Seattle
vpn19-ams.riseup.net|Amsterdam
vpn17-mia.riseup.net|Miami
vpn03-par.riseup.net|Paris
vpn10-mtl.riseup.net|Montreal
vpn15-sea.riseup.net|Seattle
vpn16-sea.riseup.net|Seattle
vpn05-par.riseup.net|Paris
vpn14-par.riseup.net|Paris
vpn02-par.riseup.net|Paris
vpn07-par.riseup.net|Paris
vpn04-ams.riseup.net|Amsterdam
vpn11-par.riseup.net|Paris
vpn06-ams.riseup.net|Amsterdam
vpn13-ams.riseup.net|Amsterdam
vpn18-mtl.riseup.net|Montreal
vpn08-par.riseup.net|Paris
vpn12-nyc.riseup.net|New York City
vpn09-mia.riseup.net|Miami

Hope this helps.

bliss, festus

[Jasper]

@festus

Thanks for the list

Unfortunately, it gives me an error message stating it cannot connect to the chosen server and advises to try another one.

Tried a few different servers with no luck.

[FloraMae]

The riseupvpn pet doesn't seem to be working.

After install and launch it says

# riseupvpny
Could not read certificate from /root/.riseupvpn/client.key
Unable to load certificate
https://api.black.riseup.net/1/configs/eip-service.json:
2024-05-02 00:19:18 ERROR 404: Not Found.
https://api.black.riseup.net/1/cert:
2024-05-02 00:19:19 ERROR 404: Not Found.
2024-05-02 00:19:22 URL:https://black.riseup.net/ca.crt [542/542] -> "/root/.riseupvpn/riseup.crt" [1]
Could not read certificate from /root/.riseupvpn/client.key
Unable to load certificate

and the gateway dropdown has nothing.
Is this known to be broken and is there a fix? I tried using the riseup vpn installed via apt but it complains about running as root. I tried run-as-spot and it starts but never connects.