* bug#39660: openvpn-client-service does not support auth-user-pass
@ 2020-02-18 14:43 Joshua Branson via Bug reports for GNU Guix
From: Joshua Branson via Bug reports for GNU Guix @ 2020-02-18 14:43 UTC (permalink / raw)
  To: 39660


Hello,

I recently bought a vpn service from expressvpn.  They have a closed
source app to connect, but of course we do not want to use that.
Luckily, they allow a manual connection via openvpn.  I downloaded
their script to manually connect.  It looks like they require all
manual connections to authenticate via a username and password.

Their support team told me that the manual connection must
authenticate via a username and password.  They do not support any
other manual connection.  Guix's openvpn-client-service does not
support authenticating via a username and password.

According to this forum thread
(https://forums.openvpn.net/viewtopic.php?t=11342), I was able to
manually connect to expressvpn via "sudo expressvpn
my_expressvpn_<countryname>.ovpn" by changing
"auth-user-pass" to "auth-user-pass login.conf".

login.conf looks like:

#+BEGIN_SRC text
username
password
#+END_SRC

The express vpn file that I downloaded looks like this:

#+BEGIN_SRC text
dev tun
fast-io
persist-key
persist-tun
nobind
remote someaddress.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass login.conf

<cert>
-----BEGIN CERTIFICATE-----
secret info
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
secret info
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
secret info
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
secret info
-----END CERTIFICATE-----
</ca>
#+END_SRC

A solution would be to modify our current openvpn-client-service to
allow authentication via a username and password, or to supply a
configuration file.

Also it looks like expressvpn may one day move to wireguard:

https://www.expressvpn.com/blog/expressvpn-wireguard-update/


I hope this helps!

Thanks,

Joshua


* bug#39660: openvpn-client-service does not support auth-user-pass
From: Julien Lepiller @ 2020-02-19  3:14 UTC (permalink / raw)
  To: jbranso, 39660

On 18 February 2020 at 09:43:22 GMT-05:00, Joshua Branson via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
>
>Hello,
>
>I recently bought a vpn service from expressvpn.  They have a closed
>source app to connect, but of course we do not want to use that.
>Luckily, they allow a manual connection via openvpn.  I downloaded
>their script to manually connect.  It looks like they require all
>manual connections to authenticate via a username and password.
>
>Their support team told me that the manual connection must
>authenticate via a username and password.  They do not support any
>other manual connection.  Guix's openvpn-client-service does not
>support authenticating via a username and password.
>
>According to this forum thread
>(https://forums.openvpn.net/viewtopic.php?t=11342), I was able to
>manually connect to expressvpn via "sudo expressvpn
>my_expressvpn_<countryname>.ovpn" by changing
>"auth-user-pass" to "auth-user-pass login.conf".
>
>login.conf looks like:
>
>#+BEGIN_SRC text
>username
>password
>#+END_SRC
>
>The express vpn file that I downloaded looks like this:
>
>#+BEGIN_SRC text
>dev tun
>fast-io
>persist-key
>persist-tun
>nobind
>remote someaddress.expressnetw.com 1195
>
>remote-random
>pull
>comp-lzo no
>tls-client
>verify-x509-name Server name-prefix
>ns-cert-type server
>key-direction 1
>route-method exe
>route-delay 2
>tun-mtu 1500
>fragment 1300
>mssfix 1200
>verb 3
>cipher AES-256-CBC
>keysize 256
>auth SHA512
>sndbuf 524288
>rcvbuf 524288
>auth-user-pass login.conf
>
><cert>
>-----BEGIN CERTIFICATE-----
>secret info
>-----END CERTIFICATE-----
></cert>
><key>
>-----BEGIN RSA PRIVATE KEY-----
>secret info
>-----END RSA PRIVATE KEY-----
></key>
><tls-auth>
>#
># 2048 bit OpenVPN static key
>#
>-----BEGIN OpenVPN Static key V1-----
>secret info
>-----END OpenVPN Static key V1-----
></tls-auth>
><ca>
>-----BEGIN CERTIFICATE-----
>secret info
>-----END CERTIFICATE-----
></ca>
>#+END_SRC
>
>A solution would be to modify our current openvpn-client-service to
>allow authentication via a username and password, or to supply a
>configuration file.
>
>Also it looks like expressvpn may one day move to wireguard:
>
>https://www.expressvpn.com/blog/expressvpn-wireguard-update/
>
>
>I hope this helps!
>
>Thanks,
>
>Joshua

Hi, I just pushed a change to master: the openvpn-client-configuration now accepts an auth-user-pass parameter which should be a string representing the file path of your login.conf. I also added fast-io (not set by default, experimental and probably useless on GNU/Linux, according to the openvpn manual). Some of your options might be missing, but I think you now have the required part of your config available in the service definition!


* bug#39660: openvpn-client-service does not support auth-user-pass
From: Joshua Branson via Bug reports for GNU Guix @ 2020-02-21 17:10 UTC (permalink / raw)
  To: 39660


Julien and I discussed on IRC that Guix currently does not have a
method of generating my config file.  Here is just an updated list of
the options that I (and possibly others) may need or want.

#+BEGIN_SRC org
These are all the options that my config file has.  If the box does
not have an X, then we should add this in the service definition.

- [ ] "persist-key"
- [ ] "persist-tun"
- [ ] "remote-random"
- [ ] "pull"
- [X] "comp-lzo no"
- [ ] "tls-client"  does tls-auth provide this option???
- [ ] "verify-x509-name Server name-prefix"
- [ ] "ns-cert-type server"  This is possibly deprecated?
- [ ] "key-direction 1" This is another way of specifying tls-auth?
- [X] "route-method exe" This is only useful on Windows.
- [ ] "route-delay 2"
- [X] "tun-mtu 1500" The documentation says most cases...I should
  leave this at its default parameter.  So unless needed, we probably
  shouldn't need to add it to guix.

- The next two options only make sense when we are using the protocol
  udp.  We should probably specify them in some way that you can only use
  them if the protocol is udp.  Something like:

   #+BEGIN_SRC scheme
   (proto udp
     (udp-options
       (fragment 1300)
       (mssfix 1200))
   #+END_SRC

- [X] "fragment 1300"
- [X] "mssfix 1200"


- [ ] "cipher AES-256-CBC"
- [X] keysize 256 deprecated.  Do not need, and my key size is the
  cipher size anyway.  The documentation does not recommend manually changing your keysize.
- [X] auth SHA512  I have no idea where this is in the documentation
- [X] sndbuf 524288  The documentation says that the default should work.
- [X] rcvbuf 524288  as above
- [X] auth-user-pass login.conf
#+END_SRC

We should also probably allow a file option.  Some users may have a
working file.  Perhaps we should support this:

#+BEGIN_SRC scheme
(openvpn-client-service
  #:file  "/path/to/openvpn.conf")
#+END_SRC

Joshua
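An added example, not code from this thread or from Guix: a small Python triage script that parses a profile in the format quoted earlier (directives plus inline <ca>/<cert> PEM blocks) and sorts each directive into the categories of this checklist, flagging the plaintext credential file that auth-user-pass points at. The sample profile, the SUPPORTED set and the SKIP reasons are constructed from what the thread shows and are assumptions, not a Guix API.

```python
import re
# Constructed sample modelled on the ExpressVPN profile quoted in the report;
# the inline PEM body is a placeholder, not real key material.
SAMPLE_OVPN = """\
remote someaddress.expressnetw.com 1195
tls-client
ns-cert-type server
route-method exe
keysize 256
auth-user-pass login.conf
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
INLINE_RE = re.compile(r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)^</(?P=tag)>\n", re.M | re.S)
# Directives the service already generates (per the openvpn.conf shown in the
# thread) and directives that should not be carried over on GNU/Linux.
SUPPORTED = {"dev", "proto", "remote", "ca", "cert", "key", "persist-key", "persist-tun",
             "fast-io", "comp-lzo", "auth-user-pass", "verb", "nobind", "remote-cert-tls"}
SKIP = {"route-method": "Windows-only", "keysize": "deprecated; the cipher fixes it",
        "ns-cert-type": "deprecated in favour of remote-cert-tls"}

def parse_ovpn(text):
    # Returns ([(directive, args), ...], {tag: pem_body}); inline <tag> blocks
    # carry PEM material that the Guix fields expect as file paths instead.
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, _, args = line.partition(" ")
        directives.append((name, args.strip()))
    return directives, inline

def triage(directives):
    # Sorts directives into supported / skip / missing and notes the credential file.
    report = {"supported": [], "skip": [], "missing": [], "credential_file": None}
    for name, args in directives:
        if name in SKIP:
            report["skip"].append((name, SKIP[name]))
        elif name in SUPPORTED:
            report["supported"].append(name)
        else:
            report["missing"].append(name)
        if name == "auth-user-pass" and args:
            # Plaintext username/password on disk: keep it root-owned and mode 0600.
            report["credential_file"] = args
    return report
```

Run against the sample, the report lists tls-client as the one directive still missing from the service and names login.conf as the credential file to protect.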


* bug#39660: openvpn-client-service does not support auth-user-pass
From: Julien Lepiller @ 2020-02-21 17:27 UTC (permalink / raw)
  To: jbranso, 39660

On 21 February 2020 at 12:10:44 GMT-05:00, Joshua Branson via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
>
>Julien and I discussed on IRC that Guix currently does not have a
>method of generating my config file.  Here is just an updated list of
>the options that I (and possibly others) may need or want.
>
>#+BEGIN_SRC org
>These are all the options that my config file has.  If the box does
>not have an X, then we should add this in the service definition.
>
>- [ ] "persist-key"
>- [ ] "persist-tun"
We already have both of them. Are they not documented? They should be persist-key? and persist-tun? respectively.

>- [ ] "remote-random"
>- [ ] "pull"
>- [X] "comp-lzo no"
>- [ ] "tls-client"  does tls-auth provide this option???
tls-auth and tls-client are different options. tls-client replaces the client directive we currently generate for all openvpn-client-configuration.

>- [ ] "verify-x509-name Server name-prefix"
>- [ ] "ns-cert-type server"  This is possibly deprecated?
>- [ ] "key-direction 1" This is another way of specifying tls-auth?
>- [X] "route-method exe" This is only useful on Windows.
>- [ ] "route-delay 2"
>- [X] "tun-mtu 1500" The documentation says most cases...I should
>  leave this at its default parameter.  So unless needed, we probably
>  shouldn't need to add it to guix.
>
>- The next two options only make sense when we are using the protocol
>  udp.  We should probably specify them in some way that you can only use
>  them if the protocol is udp.  Something like:
>
>   #+BEGIN_SRC scheme
>   (proto udp
>     (udp-options
>       (fragment 1300)
>       (mssfix 1200))
>   #+END_SRC
>
>- [X] "fragment 1300"
>- [X] "mssfix 1200"
>
>
>- [ ] "cipher AES-256-CBC"
>- [X] keysize 256 deprecated.  Do not need, and my key size is the
>cipher size anyway.  The documentation does not recommend manually
>changing your keysize.
>- [X] auth SHA512  I have no idea where this is in the documentation
>- [X] sndbuf 524288  The documentation says that the default should
>work.
>- [X] rcvbuf 524288  as above
>- [X] auth-user-pass login.conf
>#+END_SRC
>
>We should also probably allow a file option.  Some users may have a
>working file.  Perhaps we should support this:
>
>#+BEGIN_SRC scheme
>(openvpn-client-service
>  #:file  "/path/to/openvpn.conf")
>#+END_SRC
>
>Joshua


* bug#39660: (no subject)
From: Joshua Branson @ 2020-02-23 19:33 UTC (permalink / raw)
  To: 39660


>>
>>- [ ] "persist-key"
>>- [ ] "persist-tun"
>We already have both of them. Are they not documented? They should be 
>persist-key? and persist-tun? respectively.

That was my mistake.  Please ignore that.  They are documented, sir
(sorry, military school).

>>- [ ] "remote-random"
>>- [ ] "pull"
>>- [X] "comp-lzo no"
>>- [ ] "tls-client"  does tls-auth provide this option???
>tls-auth and tls-client are different options. tls-client replaces the client 
>directive we currently generate for all openvpn-client-configuration.

When I look at my currently generated openvpn configuration file I see:
#+BEGIN_SRC text
joshua@dobby ~/prog/guile/guix-config$ cat /gnu/store/nm4dvmsffrghdxjlqj712qhrv6w4fd4m-openvpn.conf
client
proto udp
dev tun
ca /home/joshua/prog/guile/guix-config/vpn/ca2.crt
cert /home/joshua/prog/guile/guix-config/vpn/client.crt
key /home/joshua/prog/guile/guix-config/vpn/client.key
persist-key 
persist-tun 
fast-io 
verb 3
auth-user-pass /home/joshua/prog/guile/guix-config/vpn/login.conf
remote-cert-tls server
nobind
resolv-retry infinite
remote asecretremote.com 1195
#+END_SRC

I do not see the "tls-client" option, but my working vpn client configuration file has "tls-client" in it.

My current vpn configuration is:

#+BEGIN_SRC scheme
(openvpn-client-service
 #:config
 (let ([base-dir "/home/joshua/prog/guile/guix-config/vpn/"])
   (openvpn-client-configuration
    (auth-user-pass (string-append base-dir "login.conf"))
    (ca (string-append base-dir "ca2.crt"))
    (cert (string-append base-dir "client.crt"))
    (key (string-append base-dir "client.key"))
    ;; the expressvpn file I use disables lzo compression
    (comp-lzo? #f)
    (fast-io? #t)
    (remote
     (list
      (openvpn-remote-configuration
       (name "asecretremote.com")
       (port 1195)))))))
#+END_SRC


Also, I can confirm that your auth-user-pass does work.

Thanks,

Joshua

