[BitVisor-devel-en:122] Re: Bitvisor Wireguard problems?

Hideki EIRAKU hdk at igel.co.jp
Tue Jun 18 19:06:21 JST 2024


Hello,

If BitVisor looks crashed, enabling syslog makes debugging easier.
docs/getting_started.md describes the syslog feature.

> Now I need your help as in looking over the default ".vpn" settings it
> seems as though someone was able to connect with a SoftEther server
> perhaps on VPN-Gate and I also have a SoftEther server set up and
> would like to do a test to see if that works since if it does then
> that effectively confirms that there is a bug in the Wireguard code
> that is causing the crash and hopefully the person that developed it
> can help locate that bug to get it fixed, if at all possible.

The IPsec VPN feature in BitVisor was introduced before the open
sourced SoftEther VPN was released.  About 15 years ago, I tested it
with Linux IPsec and racoon daemon.  I could not find what I did at
that time.  In addition, it probably has security issues because of
the too old version of OpenSSL and poor random number generation in
crypto/chelp/chelp.c.

The racoon.conf file that I probably used in 2009 has the following
lines, just for your information:

------------------------------------------------------------
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
        exchange_mode aggressive,main;
        my_identifier user_fqdn "user1 at tsukuba.ac.jp";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        lifetime time 12 hours;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
------------------------------------------------------------

WireGuard implementation comes from
https://github.com/smartalock/wireguard-lwip.  It does not use OpenSSL
code and looks much simpler than IPsec VPN.  Hardware random number
generator (RDRAND instruction) is used if available.

-- 
Hideki EIRAKU <hdk at igel.co.jp>
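As an added example (not code from this mail, from BitVisor or from racoon), a small checker that parses the racoon.conf fragment above into a tree and reports the legacy choices it relies on (3DES, SHA-1, DH group 2, aggressive mode); the sample config is a constructed copy of the fragment and the LEGACY table is my own assumption about what a current IPsec deployment should avoid:

```python
import re
# Constructed sample: the racoon.conf fragment quoted in the mail above.
RACOON_CONF = """\
remote anonymous {
        exchange_mode aggressive,main;
        my_identifier user_fqdn "user1 at tsukuba.ac.jp";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, or word
def parse_racoon(text):
    # `key args;` -> node[key] = [args, ...]; `key args { ... }` -> node['key args'] = sub-dict
    tokens = iter(TOKEN.findall(text))
    def block():
        node, words = {}, []
        for tok in tokens:
            if tok == '}':
                return node
            if tok == '{':
                node[' '.join(words)] = block()
            elif tok == ';':
                node.setdefault(words[0], []).append(words[1:])
            else:
                words.append(tok.strip('"'))
                continue
            words = []  # a statement or block just ended
        return node
    return block()
# Assumed legacy set: DES/3DES, MD5/SHA-1 integrity, DH groups <= 1024 bits, aggressive-mode IKEv1.
LEGACY = {'encryption_algorithm': {'des', '3des'}, 'hash_algorithm': {'md5', 'sha1'},
          'authentication_algorithm': {'hmac_md5', 'hmac_sha1'},
          'dh_group': {'1', '2'}, 'exchange_mode': {'aggressive'}}
def audit(node, path=''):
    # Returns 'section/key: value' for every legacy setting in the parsed tree.
    findings = []
    for key, val in node.items():
        if isinstance(val, dict):
            findings += audit(val, path + key + '/')
        else:  # all `key args;` statements for this key; an arg may be a comma list
            used = {a for args in val for arg in args for a in arg.split(',')}
            findings += [f'{path}{key}: {b}' for b in sorted(used & LEGACY.get(key, set()))]
    return findings
```

Running `audit(parse_racoon(RACOON_CONF))` lists six findings for the fragment above; the same algorithm names also appear in the `.vpn` defconfig fields (3DES, SHA-1, Aggressive) quoted further down.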

From: Lonnie Cumberland <lonnie at outstep.com>
Subject: Re: Bitvisor Wireguard problems?
Date: Fri, 14 Jun 2024 10:34:23 -0400

> Happy Friday All,
> 
> I have been troubleshooting the "crashing" problem and here is what I
> have found out so far.
> 
> 1. If I turn off "Wireguard" in the "make config" and set the
> "net=ippass" then everything runs perfect with no crashing.
> 2. I tested with wireguard "on" and "net=ipwggos" and also various
> settings with these (Actually made a build with each one and tested)
> but still the crash occurred:
> 
> [ ] CPU_MMU_SPT_1        Shadow type 1 (very slow and stable)
> [ ] CPU_MMU_SPT_2        Shadow type 2 (faster and unstable)
> [*] CPU_MMU_SPT_3        Shadow type 3 (faster and unstable)
> [ ] CPU_MMU_SPT_DISABLE  Disable SPT (fast, insecure and no MMIO)
> 
> Now I need your help as in looking over the default ".vpn" settings it
> seems as though someone was able to connect with a SoftEther server
> perhaps on VPN-Gate and I also have a SoftEther server set up and
> would like to do a test to see if that works since if it does then
> that effectively confirms that there is a bug in the Wireguard code
> that is causing the crash and hopefully the person that developed it
> can help locate that bug to get it fixed, if at all possible.
> 
> With this in mind, can someone please tell me the basic vpn
> configuration that is needed to connect to a SoftEther VPN server?
> 
> Default ".vpn" settings in the defconfig
> 
> -----------------------------------------------------
>         .vpn = {
>                 .mode = "L3IPsec",
>                 .virtualGatewayMacAddress = "00-88-88-88-88-88",
>                 .bindV4 = "true",
>                 .guestIpAddressV4 = "192.168.100.1",
>                 .guestIpSubnetV4 = "255.255.255.0",
>                 .guestMtuV4 = "1400",
>                 /* .guestVirtualGatewayIpAddressV4 = "192.168.6.254", */
>                 .dhcpV4 = "true",
>                 .dhcpLeaseExpiresV4 = "3600",
>                 .dhcpDnsV4 = "192.168.3.254",
>                 .dhcpDomainV4 = "sec.softether.co.jp",
>                 .adjustTcpMssV4 = "1240",
>                 .hostIpAddressV4 = "192.168.12.11",
>                 .hostIpSubnetV4 = "255.255.255.0",
>                 .hostMtuV4 = "1500",
>                 .hostIpDefaultGatewayV4 = "192.168.12.254",
>                 .optionV4ArpExpires = "60",
>                 .optionV4ArpDontUpdateExpires = "true",
>                 .vpnGatewayAddressV4 = "192.168.11.1",
>                 .vpnAuthMethodV4 = "Password",
>                 .vpnPasswordV4 = "password1",
>                 .vpnIdStringV4 = "user1 at tsukuba.ac.jp",
>                 .vpnCertV4 = "",
>                 .vpnCaCertV4 = "",
>                 .vpnRsaKeyV4 = "",
>                 .vpnSpecifyIssuerV4 = "false",
>                 .vpnPhase1ModeV4 = "Aggressive",
>                 .vpnPhase1CryptoV4 = "3DES",
>                 .vpnPhase1HashV4 = "SHA-1",
>                 .vpnPhase1LifeSecondsV4 = "7200",
>                 .vpnPhase1LifeKilobytesV4 = "0",
>                 .vpnWaitPhase2BlankSpanV4 = "100",
>                 .vpnPhase2CryptoV4 = "3DES",
>                 .vpnPhase2HashV4 = "SHA-1",
>                 .vpnPhase2LifeSecondsV4 = "7200",
>                 .vpnPhase2LifeKilobytesV4 = "0",
>                 .vpnConnectTimeoutV4 = "5",
>                 .vpnIdleTimeoutV4 = "300",
>                 .vpnPingTargetV4 = "192.168.3.120",
>                 .vpnPingIntervalV4 = "12",
>                 .vpnPingMsgSizeV4 = "32",
>                 .bindV6 = "false",
>                 .guestIpAddressPrefixV6 = "2000::",
>                 .guestIpAddressSubnetV6 = "64",
>                 .guestMtuV6 = "1400",
> 
>                 .raV6 = "true",
>                 .raLifetimeV6 = "300",
>                 .raDnsV6 = "2001:dc4::1",
>                 .hostIpAddressV6 = "5000::1:2:3:4",
>                 .hostIpAddressSubnetV6 = "64",
>                 .hostMtuV6 = "1500",
>                 .hostIpDefaultGatewayV6 = "5000::254",
>                 .optionV6NeighborExpires = "60",
>                 .vpnGatewayAddressV6 = "1000::1",
>                 .vpnAuthMethodV6 = "Password",
>                 .vpnPasswordV6 = "Akihabara",
>                 .vpnIdStringV6 = "testv6 at tsukuba.ac.jp",
>                 .vpnCertV6 = "",
> 
>                 .vpnRsaKeyV6 = "",
> 
>                 .vpnPhase1CryptoV6 = "3DES",
>                 .vpnPhase1HashV6 = "SHA-1",
>                 .vpnPhase1LifeSecondsV6 = "7200",
>                 .vpnPhase1LifeKilobytesV6 = "0",
>                 .vpnWaitPhase2BlankSpanV6 = "100",
>                 .vpnPhase1ModeV6 = "Aggressive",
>                 .vpnPhase2CryptoV6 = "3DES",
>                 .vpnPhase2HashV6 = "SHA-1",
>                 .vpnPhase2LifeSecondsV6 = "7200",
>                 .vpnPhase2LifeKilobytesV6 = "0",
>                 .vpnPhase2StrictIdV6 = "false",
>                 .vpnConnectTimeoutV6 = "5",
>                 .vpnIdleTimeoutV6 = "300",
>                 .vpnPingTargetV6 = "2001:200:564:0:230:48ff:fe83:cf41",
>                 .vpnPingIntervalV6 = "12",
>                 .vpnPingMsgSizeV6 = "32",
>        },
> 
> -----------------------------------------------------
> 
> Thanks for any help that you can provide.
> 
> Looking forward to hearing from you soon,
> Lonnie
> 
> 
> On 6/13/2024 6:25 PM, Lonnie Cumberland wrote:
>> Hello All,
>>
>> I was able to replicate the "crashing" out of Bitvisor that was
>> exhibited in the VMware Workstation 17 Pro by actually loading
>> Bitvisor on the Intel NUC 7 without a hypervisor like VMware or QEMU.
>>
>> I created a USB boot stick to boot up bitvisor.efi via the loadvmm.efi
>> when I went into a UEFI shell. Once bitvisor was loaded then I started
>> the Ubuntu 22.04 via the "efi\ubuntu\grub.efi" and the OS came up as
>> expected and started sending Keep-Alive packets to my Wireguard server
>> node.  All was good up to this point. Then, I checked that I could
>> ping a few places like Yahoo and some others with no problem.
>>
>> The problem came as soon as I started up a web browser which seemed to
>> open and go to an initial website but then everything just "froze up"
>> and effectively crashed. I had to hard-boot the system at this stage,
>> and was not able to get any logs or helpful information.
>>
>> My guess is that it may have something to do with the way that
>> bitvisor handles multiple CPUs but I am not sure.
>>
>> I will try to get things working in QEMU and see if I can get some
>> type of information to send over to the mailing list since this is a
>> real problem that seems to crash out bitvisor in the way that it
>> handles the guest OS and maybe it can be fixed by more knowledgeable
>> people.
>>
>> Just wanted to report these findings and hope to hear from someone
>> soon.
>>
>> Thanks and have a great day,
>> Lonnie
