From c6c0209ad45fb7d2e45370ee3a39f2dd437603b0 Mon Sep 17 00:00:00 2001
From: "kali kaneko (leap communications)"
Date: Mon, 17 May 2021 17:50:23 +0200
Subject: [feat] log dns lookup if first cert fetch fails

---
 docs/circumvention.rst | 20 +++++++++++++++++---
 pkg/vpn/bonafide/eip_service.go | 10 +++++-----
 pkg/vpn/diagnose.go | 19 +++++++++++++++++++
 pkg/vpn/openvpn.go | 3 +++
 4 files changed, 44 insertions(+), 8 deletions(-)
 create mode 100644 pkg/vpn/diagnose.go

diff --git a/docs/circumvention.rst b/docs/circumvention.rst
index 8c220cc..ee31e58 100644
--- a/docs/circumvention.rst
+++ b/docs/circumvention.rst
@@ -9,9 +9,23 @@ Bootstrapping the connection
 
 There are two different steps where circumvention can be used: boostrapping the
 connection (getting a certificate and the configuration files) and using an
-obfuscated transport protocol. At the moment RiseupVPN offers obfs4 transport
-"bridges" (you can try them with the `--obfs4` command line argument). For the
-initial bootstrap, there are a couple of techniques that will be attempted.
+obfuscated transport protocol.
+
+For the initial bootstrap, there are a couple of techniques that will be
+attempted. If this fails, please open an issue with the relevant log
+information.
+
+Obfuscated bridges
+-----------------------------
+
+At the moment RiseupVPN offers obfs4 transport "bridges" (you can try them with
+the `--obfs4` command line argument, a way to enable them from the gui will be
+following soon).
+
+If you know you need bridges but the current ones do not work for you, please
+get in contact. We're interested in learning what are the specific censorship
+measures being deployed in your concrete location, and we could work together
+to enable new bridges.
 
 Getting certificates off-band
 -----------------------------
diff --git a/pkg/vpn/bonafide/eip_service.go b/pkg/vpn/bonafide/eip_service.go
index 5755b6c..c106135 100644
--- a/pkg/vpn/bonafide/eip_service.go
+++ b/pkg/vpn/bonafide/eip_service.go
@@ -79,17 +79,17 @@ func (b *Bonafide) fetchEipJSON() error {
 eip3API := config.APIURL + "3/config/eip-service.json"
 resp, err := b.client.Post(eip3API, "", nil)
 for err != nil {
- log.Printf("Error fetching eip v3 json: %v", err)
- // TODO why exactly 1 retry? Make it configurable, for tests
- time.Sleep(retryFetchJSONSeconds * time.Second)
 resp, err = b.client.Post(eip3API, "", nil)
 if err != nil {
- // TODO it might be that it's not an error, but an empty file or whatever done
+ // TODO it might be that we get no error, but an empty file or whatever done
 // by DNS poisoning. Should try to parse the file.
 uri := b.getURLNoDNS("eip")
- log.Println("Fetching ", uri)
 resp, err = b.client.Post(uri, "", nil)
 }
+ if err != nil {
+ log.Printf("Error fetching eip v3 json: %v", err)
+ time.Sleep(retryFetchJSONSeconds * time.Second)
+ }
 }
 defer resp.Body.Close()
diff --git a/pkg/vpn/diagnose.go b/pkg/vpn/diagnose.go
new file mode 100644
index 0000000..5d12d4d
--- /dev/null
+++ b/pkg/vpn/diagnose.go
@@ -0,0 +1,19 @@
+package vpn
+
+import (
+ "log"
+ "net"
+)
+
+func logDnsLookup(domain string) {
+ addrs, err := net.LookupHost(domain)
+ if err != nil {
+ log.Println("ERROR cannot resolve address:", domain)
+ log.Println(err)
+ }
+
+ log.Println("From here,", domain, "resolves to:")
+ for _, addr := range addrs {
+ log.Println(addr)
+ }
+}
diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index a568a32..244195b 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -202,6 +202,8 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 }
 }
 if failed || !isValidCert(certPath) {
+ d := config.APIURL[8 : len(config.APIURL)-1]
+ logDnsLookup(d)
 cert, err := b.bonafide.GetPemCertificateNoDNS()
 if cert != nil {
 log.Println("Successfully did certificate bypass")
@@ -214,6 +216,7 @@ func (b *Bitmask) getCert() (certPath string, err error) {
 failed = true
 }
 }
+ return certPath, err
 }
--
cgit v1.2.3
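Review bot: The retry loop `for err != nil {` still has no upper bound and no cancellation, so the new `if err != nil { log.Printf(...); time.Sleep(...) }` block at the end of the body logs and sleeps forever when both the direct fetch and the `getURLNoDNS("eip")` fallback keep failing, which is precisely the blocked-network case this commit is trying to diagnose. The hunk removes the `// TODO why exactly 1 retry? Make it configurable, for tests` comment without adding the bound it asked for. A counter in the loop header, `for attempts := 0; err != nil; attempts++ {`, followed by `if attempts >= maxFetchJSONAttempts { return err }` as the first statement of the body (maxFetchJSONAttempts being a new constant declared next to retryFetchJSONSeconds), lets the caller move on to its other bootstrap techniques instead of hanging. fetchEipJSON continues past the end of the hunk, and the `defer resp.Body.Close()` after the loop stays correct because the loop only exits with err == nil.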
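Review bot: When the lookup fails, logDnsLookup logs the error and then falls through to `log.Println("From here,", domain, "resolves to:")` with an empty addrs, so the diagnostic reads as if the name resolved to nothing rather than not at all; the error branch needs a `return`. The lookup also calls `net.LookupHost` with no deadline, so a resolver that drops queries can stall the caller in getCert for however long the OS resolver takes to give up, on the very path that is trying to recover from DNS trouble; `net.DefaultResolver.LookupHost` with a short context timeout bounds that (the timeout in the sketch below is illustrative, and `context` and `time` would be added to the import block). Go spells initialisms uniformly, so `logDNSLookup` rather than `logDnsLookup`, with the call site in openvpn.go renamed to match. A doc comment would help the next reader: `// logDNSLookup logs what the local resolver returns for domain; it is diagnostic only and never returns an error.`
```go
func logDNSLookup(domain string) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	addrs, err := net.DefaultResolver.LookupHost(ctx, domain)
	if err != nil {
		log.Println("ERROR cannot resolve address:", domain, err)
		return
	}
	// … unchanged: "From here," log line and the addrs loop …
}
```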
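Review bot: `d := config.APIURL[8 : len(config.APIURL)-1]` extracts the host by fixed byte offsets, which assumes an eight-character scheme prefix and exactly one trailing slash; any other shape (an `http://` scheme, a port, a path component, no trailing slash, or a value shorter than nine bytes) produces the wrong name or a slice-bounds panic inside getCert, on the certificate recovery path. Parsing is both safer and clearer: `if u, perr := url.Parse(config.APIURL); perr == nil {` / `logDnsLookup(u.Hostname())` / `}`, with `net/url` added to the imports and `perr` rather than `err` so the function's named result is not shadowed. Related and pre-existing, but now relevant because the second hunk adds `return certPath, err`: the next line `cert, err := b.bonafide.GetPemCertificateNoDNS()` declares a fresh err in the if block, so a failure there never reaches that return unless code outside this hunk assigns the outer err. getCert begins before and ends after this hunk.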