Suramya's Blog : Welcome to my crazy life…

October 4, 2022

Workaround for VPN Unlimited connection issues with latest Debian

VPNs are a great way to ensure that your communication remains private when using a public internet connection, such as when you are connected to an airport or coffee shop Wi-Fi. Plus they are good for getting access when a site is blocked where you are; for example, in India VideoLan.org, the main site for VLC Media Player, has been blocked for a while. I primarily use VPN Unlimited on all my systems as I have a lifetime subscription, though I also have other VPNs that I use sometimes.

Unfortunately, the native VPN Unlimited application for Linux stopped working a while ago due to a compatibility issue with SSL. When I upgraded to the latest version of Debian back in July 2022 it suddenly stopped working with the following error message:

vpn-unlimited: symbol lookup error: /lib/libvpnu_private_sdk.so.1: undefined symbol: EVP_CIPHER_block_size

Reinstalling the software didn’t resolve the issue and neither did a search on the internet help. When I reached out to support they told me that Debian 11 wasn’t yet supported and they didn’t have an ETA for the new version to be released. They did recommend that I manually create & download an openvpn config from their site that would allow me to connect to the VPN manually using OpenVPN instead of the App. Unfortunately, the config generated didn’t work either as it would fail to connect with the following error message in the logs:

Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0845]vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: starting openvpn
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.0847] audit: op="connection-activate" uuid="833a72d8-a08a-474e-a854-c926cd6c694a" name="VPN Unlimited" pid=2829 uid=1000 result="success"
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 2
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 3
Sep 21 02:56:55 StarKnight NetworkManager[233850]: 2022-09-21 02:56:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Cannot load certificate file /home/suramya/.local/share/networkmanagement/certificates/E87E7A7D6DA16A89C7B4565273D3A792_hk_openvpn/cert.crt
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: Exiting due to fatal error
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)
Sep 21 02:56:55 StarKnight NetworkManager[1123]:  [1663709215.1095] vpn[0x559d7fc46900,833a72d8-a08a-474e-a854-c926cd6c694a,"VPN Unlimited"]: dbus: failure: connect-failed (1)

After a little more back and forth with the support team (which was extremely responsive and quick), who in turn reached out to their developers, we identified the issue with the OpenVPN config. The fix for this will be deployed to all their servers by the end of this month. In the meantime I was given a workaround that resolved the issue for me. To fix the issue, add this line to your OVPN file under the VPN section:

tls-cipher=DEFAULT:@SECLEVEL=0 

More information on this is available in the OpenVPN forum. Keep in mind that this is not a secure configuration: @SECLEVEL=0 lowers OpenSSL's security level so that it accepts the weak certificate digest it rejected in the log above. If you are working on something really top secret, you should use another VPN until the issue is actually fixed instead of relying on this workaround.
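The log above carries more than the one fatal error, and the workaround only silences that one. The following triage script is an added example, not part of the original post or of VPN Unlimited's tooling; the rule ids, severities and the "masked" flag are assumptions of this example, and the sample lines are copied from the log in the post.

```python
import re

# Messages from the nm-openvpn log above. The ids, severities and the
# "masked" flag (True = silenced by @SECLEVEL=0) are this example's own.
RULES = [
    ("weak-ca-digest", "fatal", True, re.compile(r"ca md too weak")),
    ("no-server-cert-check", "high", False,
     re.compile(r"No server certificate verification method")),
    ("compression-enabled", "medium", False,
     re.compile(r"Compression for receiving enabled")),
    ("cipher-ignored", "low", False,
     re.compile(r"--cipher set to '[^']+' but missing in --data-ciphers")),
]
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ ([\w.-]+)\[\d+\]: +(.*)$")

# Lines copied from the log in the post (long messages shortened).
LOG = """\
Sep 21 02:56:55 StarKnight NetworkManager[233850]: 2022-09-21 02:56:55 WARNING: Compression for receiving enabled.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: WARNING: No server certificate verification method has been enabled.
Sep 21 02:56:55 StarKnight nm-openvpn[233850]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
Sep 21 02:56:55 StarKnight kded5[2780]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: 2
"""

def triage(log_text):
    """Return [(rule_id, severity, masked)] in log order, without repeats."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m.group(1) not in ("nm-openvpn", "NetworkManager", "openvpn"):
            continue  # ignore other daemons such as kded5
        for rule_id, severity, masked, pattern in RULES:
            hit = (rule_id, severity, masked)
            if pattern.search(m.group(2)) and hit not in findings:
                findings.append(hit)
    return findings

def still_open_after_workaround(findings):
    """Findings that the SECLEVEL=0 line does nothing about."""
    return [rule_id for rule_id, _, masked in findings if not masked]

if __name__ == "__main__":
    for rule_id, severity, masked in triage(LOG):
        print(f"{severity:6} {rule_id:22} masked_by_workaround={masked}")
```

Run against this log, the script shows that the missing server certificate verification and the compression warning remain after the workaround is applied.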

However, just wanted to share this here for others who might be having this same issue. Hope this helps.

– Suramya

January 20, 2010

List all machines connected to a LAN with additional details on each

Filed under: Knowledgebase,Security Tools,Tech Related — Suramya @ 12:15 AM

If you ever had to figure out how many systems are connected to a network and what IPs they have, then you will find this tip useful. It is also useful for identifying any rogue machines on your network if you know how many systems are supposed to be on that network, as in the case of my home network, where I know the exact number of machines.

There are multiple programs out there that allow you to do this. Some are free, some are very expensive. In my opinion the best one is nmap. It is free, fast and can be scripted.

To find all machines on my LAN (IP Range: 192.168.2.x) I just have to issue the following command:

nmap -sP 192.168.2.0/24

This gives an output like the following when I run it as a normal user:

suramya@Wyrm:~$ nmap -sP 192.168.2.0/24

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 00:01 IST
Host 192.168.2.1 is up (0.0018s latency).
Host 192.168.2.5 is up (0.00018s latency).
Host 192.168.2.100 is up (0.00018s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.93 seconds

When I run the same command as root, it gives me additional information that looks like:

Wyrm:~# nmap -sP 192.168.2.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:50 IST
Host 192.168.2.1 is up (0.0015s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.2.5 is up.
Host 192.168.2.100 is up (0.011s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Intel)
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.00 seconds

In this case, as you can see nmap also gives me the MAC address of the machine. 192.168.2.5 is the machine I ran the scan from so I didn’t get any information on that one.
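Since nmap can be scripted, the root-mode output can be compared against a list of machines that are supposed to be on the LAN. This is an added example, not code from the original post: the inventory KNOWN, the function names and the sample scan are constructed for illustration, and the MAC addresses come from the range reserved for documentation.

```python
import re

# "Host <ip> is up" is the Nmap 5.00 line shown above; current releases
# print "Nmap scan report for <name> (<ip>)" instead. Both are accepted.
HOST_RE = re.compile(r"^(?:Host|Nmap scan report for)\s.*?(\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

# Constructed sample in the format of the root scan above, with one extra host.
SAMPLE = """\
Host 192.168.2.1 is up (0.0015s latency).
MAC Address: 00:00:5E:00:53:01 (Cisco-Linksys)
Host 192.168.2.5 is up.
Host 192.168.2.100 is up (0.011s latency).
MAC Address: 00:00:5E:00:53:64 (Intel)
Host 192.168.2.137 is up (0.020s latency).
MAC Address: 00:00:5E:00:53:AA (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.00 seconds
"""
KNOWN = {"00:00:5e:00:53:01": "router", "00:00:5e:00:53:64": "laptop"}

def parse_ping_scan(text):
    """Return {ip: mac or None} for every host reported as up."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group(1)
            hosts[current] = None  # filled in if a MAC line follows
            continue
        m = MAC_RE.match(line.strip())
        if m and current:
            hosts[current] = m.group(1).lower()
    return hosts

def audit(hosts, known_macs, scanner_ip):
    """Return (rogue, unverified): unknown MACs, and hosts with no MAC seen."""
    rogue, unverified = [], []
    for ip in sorted(hosts, key=lambda a: tuple(map(int, a.split(".")))):
        mac = hosts[ip]
        if mac is None:
            if ip != scanner_ip:  # the scanning machine never lists its own MAC
                unverified.append(ip)
        elif mac not in known_macs:
            rogue.append((ip, mac))
    return rogue, unverified

if __name__ == "__main__":
    print(audit(parse_ping_scan(SAMPLE), KNOWN, "192.168.2.5"))
```

A MAC address can be changed by whoever controls the device, so a match against the inventory is a hint rather than proof; an unknown MAC is the stronger signal.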

If you want additional details on a system you can issue the following command to get the system to try and identify the OS and services running in detail.

nmap -A 192.168.2.5

It gives an output that looks something like:

Wyrm:~# nmap -A 192.168.2.5
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:52 IST
Interesting ports on 192.168.2.5:
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)
| ssh-hostkey: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (DSA)
|_ 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (RSA)
80/tcp open http Apache httpd 2.2.14 ((Debian))
|_ html-title: Index of /
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.4
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.28
Network Distance: 0 hops
Service Info: OS: Linux

Host script results:
additional information on the server

Hope you also find this useful.

– Suramya

March 23, 2007

Programs that detect/monitor File alteration

Filed under: Knowledgebase,Security Tools,Tech Related — Suramya @ 5:56 PM

The following is a list of programs that detect/monitor file changes on both *nix/Windows:

Good article on how to do a File Integrity Assessment and how to securely use AIDE.

– Suramya

July 31, 2006

ScatterChat: A secure instant messaging client.

Filed under: Computer Security,My Thoughts,Security Tools,Tech Related — Suramya @ 5:15 PM

Now this is cool software. It allows a user to encrypt all communications using end-to-end encryption and routing based on Tor (Tor Overview).

The program is a ‘friendly’ fork of the Gaim project. In case you are wondering what a fork is, a project fork or branch happens when a developer (or a group of them) takes a copy of source code from one software package and starts to independently develop a new package.

The software itself is pretty cool, but it's likely to come under heavy fire from various govt and ‘spy’ agencies because the design of the software makes it really hard for anyone to eavesdrop on anyone. They will claim that this will allow terrorists and child pornographers to communicate anonymously.

It might be used by a terrorist but then so can a car (used as a getaway vehicle), a cell phone (used as a communication tool), a watch (to sync timed attacks)… does this mean all of them should be banned as well? Any technology developed can be used for good as well as bad purposes, starting with fire all the way up to a nuclear reaction… now that the genie is out of the bottle you can’t stuff it back in.

I think it will be useful for all sorts of people including:

Spies, to let them communicate with the home office, report anonymously
Corporate whistle blowers: they can report wrongs/broken laws without getting into trouble
People behind the Great Firewall of China, where you can be arrested for disagreeing with the government.

Check out the software: ScatterChat

Thanks to Schneier on Security for the link.

– Suramya

PS: I haven’t tried the software yet so don’t know how stable it is. Though I will be installing it shortly so will let you know how it goes.

November 2, 2005

Network monitoring with Cacti

Filed under: Computer Software,Security Tools,Tech Related — Suramya @ 9:04 PM

Interesting software to try out for network monitoring. Hopefully it will be simpler to use/setup than some of the other software I have tried earlier.

Network monitoring with Cacti

October 11, 2005

Protecting Files at Home Using Encrypted Containers

Filed under: Security Tools,Security Tutorials,Tech Related — Suramya @ 9:05 PM

This is an awesome article on how to create Encrypted Containers that makes it easy to create encrypted backup locations that can be copied to other systems without hassle and are simple to use.

Protecting Files at Home Using Encrypted Containers

May 25, 2005

Tools for configuring iptables

Configuring firewalls is not easy if you don’t know what you are doing, and most of us don’t have the time or the patience to spend hours figuring out internet security. But having a badly configured firewall is worse than having no firewall ’cause it gives you a false sense of security.

Thankfully there are tools out there that allow you to configure a decent firewall without needing a degree in rocket science. Chris Lynch has written an article on Newsforge which looks at Three tools to help you configure iptables.

Check it out.

– Suramya

May 11, 2005

Tools to display Folder Permissions in Windows

Filed under: Security Tools,Tech Related — Suramya @ 3:19 AM

Tools that will display group and user permissions on a set of folders:

Hyena

AccessEnum

xcacls

DumpSec

Scriptlogic

– Suramya

May 8, 2005

Monitor Per protocol/port bandwidth usage

Filed under: Security Tools,Tech Related — Suramya @ 4:16 AM

These programs will generate per protocol/port bandwidth usage information on a given server:

flowscan

www.ntop.org

– Suramya

May 7, 2005

How to log shell sessions?

Filed under: Security Tools,Tech Related — Suramya @ 4:11 AM

Use a program called script; it makes a typescript of a terminal session, meaning it logs everything printed on your terminal. Use `man script` to get more information about it.

– Suramya
