Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VPNUnlimited has changed their CA #261

Open
5 of 6 tasks
SamJongenelen opened this issue Dec 15, 2023 · 7 comments
Open
5 of 6 tasks

VPNUnlimited has changed their CA #261

SamJongenelen opened this issue Dec 15, 2023 · 7 comments

Comments

@SamJongenelen
Copy link

SamJongenelen commented Dec 15, 2023
edited
Loading

Is there a pinned issue for this?

  • I have read the pinned issues

Is there an existing or similar issue for this?

  • I have searched the existing issues

Is there any comment in the documentation for this?

  • I have read the documentation, especially the FAQ and Troubleshooting parts

Is this related to the container/transmission?

  • I have checked the container repo for issues

Are you using the latest release?

  • I am using the latest release

Have you tried using the dev branch latest?

  • I have tried using dev branch

Config used

no options

Current Behavior

Tunnel wont work. I've contacted Keepsolid Inc and they told me their servers have indeed been supplied new certificates. We would need to regenerate the openvpn files

Expected Behavior

would connect.

How have you tried to solve the problem?

Contacted Keepsolid. They confirmed CA changed

Log output

2023-12-15 18:39:21 VERIFY ERROR: depth=2, error=self-signed certificate in certificate chain: C=US, ST=NY, L=New York, O=KeepSolid Inc., OU=KeepSolid Root CA, CN=KeepSolid Root CA, emailAddress=[email protected], serial=429164281094478856831696042475561970021707008630
2023-12-15 18:39:21 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-12-15 18:39:21 TLS_ERROR: BIO read tls_read_plaintext error
2023-12-15 18:39:21 TLS Error: TLS object -> incoming plaintext read error
2023-12-15 18:39:21 TLS Error: TLS handshake failed

Environment

- OS: na
- Docker: na

Anything else?

provider VPNUnlimited has changed their CA. The OVPN files need updating, as currently we get errors while connecting
@Yondz
Copy link
Contributor

Yondz commented Dec 15, 2023
edited
Loading

Hi there,

Until this gets fixed on the repo (all .ovpn files must be updated), you can temporarily create your own updated .ovpn file and use custom provider in the configuration as explained in http://haugene.github.io/docker-transmission-openvpn/supported-providers/#using_a_local_single_ovpn_file_from_a_provider

What I did on my setup is this workaround :

  1. Copy the currently used .ovpn file from this repo and replaced <ca> <cert> and <key> inside using the values from a freshly generated .ovpn file from vpnunlimited web account manager.
  2. Put this file in a folder on your host machine that will be mounted in your container to /etc/openvpn/custom as stated in the documentation.
  3. Change docker env var OPENVPN_PROVIDER to custom

Hope this helps :)

@SamJongenelen
Copy link
Author

SamJongenelen commented Dec 15, 2023
edited
Loading

I was contemplating that, thanks for the steps! I'll try it tonight.

edit: worked like a charm. In my case, I was able to use the actual .ovpn file downloaded from the web account manager.

@ArnaudScheffler
Copy link

Hello,

I wrote this little script to download configurations for all VPNUnlimited servers. It's far from being perfect but it does the job. The only thing you need to do to use it is to retrieve the value of the php session cookie once you've logged in the web account manager.

# pip install requests
import requests


def get_device_ids(php_session: str):
    cookies = {'PHPSESSID': php_session}
    res = requests.get('https://my.keepsolid.com/api/account/config/devices/', cookies=cookies)
    json = res.json()
    return [x['uuid'] for x in json]


def get_region_ids(php_session: str):
    cookies = {'PHPSESSID': php_session}
    res = requests.get('https://my.keepsolid.com/api/account/config/regions/', cookies=cookies)
    json = res.json()
    return [x['id'] for x in json]


def get_config(region_id: str, php_session: str, device_id: str):
    cookies = {'PHPSESSID': php_session}
    params = {
        'deviceId': device_id,
        'region': region_id,
        'protocol': 'openvpn',
        'platform': 'win',
        'is_vps': 0
    }
    res = requests.get('https://my.keepsolid.com/api/account/config/', params=params, cookies=cookies)
    data = res.json()['download_data']
    # add ping-exit 30
    data = data.replace('ping 5\n', 'ping 5\nping-exit 30\n')
    # add auth-user-pass /config/openvpn-credentials.txt
    data = data.replace('remote-cert-tls server\n',
                        'remote-cert-tls server\nauth-user-pass /config/openvpn-credentials.txt\n')
    # add tls-cipher "DEFAULT:@SECLEVEL=0"
    data += '\ntls-cipher "DEFAULT:@SECLEVEL=0"'
    return data


if __name__ == '__main__':
    # Log in on https://my.keepsolid.com/products/vpn/ and get the PHPSESSID cookie value.
    # Use this value in the following variable
    session = '[CHANGE_ME]'
    devices = get_device_ids(session)
    if len(devices) < 1:
        raise Exception('No devices found. You must create a device in order to download the .ovpn files.')
    regions = get_region_ids(session)
    for region in regions:
        conf = get_config(region, session, devices[0])
        with open('../openvpn/vpnunlimited/' + region.replace('__', '-') + '.ovpn', 'w') as f:
            f.write(conf)

I can create a PR with all my files but I don't really understand how private they are. Are the cert and key attached to my account ?

@SamJongenelen
Copy link
Author

SamJongenelen commented Dec 20, 2023
edited
Loading

Its exactly the reason i didnt do it. I am unsure which parts are private and which public .

Cool script btw

@SensehacK
Copy link

Can confirm, updating with custom config .ovpn file with CA certificates works now.

@5nguy
Copy link

5nguy commented Jan 2, 2024
edited
Loading

Confirm. As the .ovpn files generated from VPNUnlimited don't contain any private information, a simple workaround is overwrite the .ovpn in the downloaded repo (openvpn) with the new one from the provider and mention the server in OPENVPN_CONFIG variable.

@5nguy
Copy link

5nguy commented Jan 2, 2024
edited
Loading

Hello,

I wrote this little script to download configurations for all VPNUnlimited servers. It's far from being perfect but it does the job. The only thing you need to do to use it is to retrieve the value of the php session cookie once you've logged in the web account manager.

# pip install requests
import requests


def get_device_ids(php_session: str):
    cookies = {'PHPSESSID': php_session}
    res = requests.get('https://my.keepsolid.com/api/account/config/devices/', cookies=cookies)
    json = res.json()
    return [x['uuid'] for x in json]


def get_region_ids(php_session: str):
    cookies = {'PHPSESSID': php_session}
    res = requests.get('https://my.keepsolid.com/api/account/config/regions/', cookies=cookies)
    json = res.json()
    return [x['id'] for x in json]


def get_config(region_id: str, php_session: str, device_id: str):
    cookies = {'PHPSESSID': php_session}
    params = {
        'deviceId': device_id,
        'region': region_id,
        'protocol': 'openvpn',
        'platform': 'win',
        'is_vps': 0
    }
    res = requests.get('https://my.keepsolid.com/api/account/config/', params=params, cookies=cookies)
    data = res.json()['download_data']
    # add ping-exit 30
    data = data.replace('ping 5\n', 'ping 5\nping-exit 30\n')
    # add auth-user-pass /config/openvpn-credentials.txt
    data = data.replace('remote-cert-tls server\n',
                        'remote-cert-tls server\nauth-user-pass /config/openvpn-credentials.txt\n')
    # add tls-cipher "DEFAULT:@SECLEVEL=0"
    data += '\ntls-cipher "DEFAULT:@SECLEVEL=0"'
    return data


if __name__ == '__main__':
    # Log in on https://my.keepsolid.com/products/vpn/ and get the PHPSESSID cookie value.
    # Use this value in the following variable
    session = '[CHANGE_ME]'
    devices = get_device_ids(session)
    if len(devices) < 1:
        raise Exception('No devices found. You must create a device in order to download the .ovpn files.')
    regions = get_region_ids(session)
    for region in regions:
        conf = get_config(region, session, devices[0])
        with open('../openvpn/vpnunlimited/' + region.replace('__', '-') + '.ovpn', 'w') as f:
            f.write(conf)

I can create a PR with all my files but I don't really understand how private they are. Are the cert and key attached to my account ?

Nice script. I see some VPN providers publishing these certificate and key. You can also see these informations in the existing vnpunlimited .opvn . What is private, in my opinion is the login information that are given separately.

Otherwise, I see that your script uses id var from regions json instead of region as id is unique ID but not region (can have more than one server). In other provider folder, some use region with multiple remote servers in .opvn file when a region has more than one id (servers). I think your script is better by using unique id f or each server.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@SamJongenelen @Yondz @SensehacK @ArnaudScheffler @5nguy