tinc - Jul 2017 - Can't use proxy after client upgrade

Hello,

After upgrading my client system from Debian jessie to Debian stretch
(which includes an update from tinc 1.0.24 to tinc 1.0.31), I am
having trouble with my VPN:

As long as I let tinc connect directly (no "Proxy" configuration
option on the client), everything works fine:

# tincd -n rath -D -d
tincd 1.0.31 starting, debug level 1
/dev/net/tun is a Linux tun/tap device (tun mode)
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Trying to connect to ebox (45.79.69.51 port 655)
Connected to ebox (45.79.69.51 port 655)
Connection with ebox (45.79.69.51 port 655) activated

However, as soon as I use a proxy script, the connection fails. This
happens even when the proxy just runs netcat:

# grep '^[^#]' tinc.conf 
ConnectTo = ebox
Name = thinkpad
Proxy = exec /etc/tinc/rath/triv_proxy.sh
LocalDiscovery = no
AddressFamily = ipv4
PingTimeout = 10

# cat /etc/tinc/rath/triv_proxy.sh
#!/bin/sh
echo "proxy.sh: connecting to ${NODE} via netcat..." >&2
exec nc "${REMOTEADDRESS}" "${REMOTEPORT}"

# tincd -n rath -D -d 4
tincd 1.0.31 starting, debug level 4
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Ready
Trying to connect to ebox (45.79.69.51 port 655)
Using proxy /etc/tinc/rath/triv_proxy.sh
Connected to ebox (45.79.69.51 port 655)
proxy.sh: connecting to ebox via netcat...
Got ID from ebox (45.79.69.51 port 655): 0 ebox 17
Sending METAKEY to ebox (45.79.69.51 port 655): 1 421 672 0 0
85F239FFC4CB544F04B4AC16150F90BF8EB648FD2C831A0435D45EC05ECC2594E0C4BEEC03135D0E4499377D8D71C05CF9392D90E8C5710F6E67DD99A2ED3F09FE0B6738D6F7EAF2B1FD62BCD1B330A50F4B6C58DB13168C883A7EB97518AAA7702E00D16132EC81FC8D6F4A839AD131B341F3ADB1AA0B64B7AC2C3F7D6C970CBDA445D7749DA70B554639CD785E87D360863E8EB0C2B0A92D23CA2B6AAF46EBDE57175A9A5ACD01923585FA04C7BE79BC70A4548D675CFC9C6E7D5379453501D27CB4C31DD1AEBAEADDA264DDFBBB38014E2759A58634E873C04B162062D31320AD147C837A105E20204BF082A6FE91CB1B3399123475AEC8BB1DAC6F306D58
Sending 527 bytes of metadata to ebox (45.79.69.51 port 655)
Flushing 527 bytes to ebox (45.79.69.51 port 655)
Connection closed by ebox (45.79.69.51 port 655)
Closing connection with ebox (45.79.69.51 port 655)
Could not set up a meta connection to ebox
Trying to re-establish outgoing connection in 5 seconds
Purging unreachable nodes


On the server, I see:

# tincd -n rath -D -d 4
tincd 1.0.24 (Nov  8 2014 18:45:28) starting, debug level 4
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready
Connection from 78.53.225.26 port 35902
Sending ID to <unknown> (78.53.225.26 port 35902): 0 ebox 17
Sending 10 bytes of metadata to <unknown> (78.53.225.26 port 35902)
Flushing 10 bytes to <unknown> (78.53.225.26 port 35902)
Got METAKEY from <unknown> (78.53.225.26 port 35902): 1 421 672 0 0
85F239FFC4CB544F04B4AC16150F90BF8EB648FD2C831A0435D45EC05ECC2594E0C4BEEC03135D0E4499377D8D71C05CF9392D90E8C5710F6E67DD99A2ED3F09FE0B6738D6F7EAF2B1FD62BCD1B330A50F4B6C58DB13168C883A7EB97518AAA7702E00D16132EC81FC8D6F4A839AD131B341F3ADB1AA0B64B7AC2C3F7D6C970CBDA445D7749DA70B554639CD785E87D360863E8EB0C2B0A92D23CA2B6AAF46EBDE57175A9A5ACD01923585FA04C7BE79BC70A4548D675CFC9C6E7D5379453501D27CB4C31DD1AEBAEADDA264DDFBBB38014E2759A58634E873C04B162062D31320AD147C837A105E20204BF082A6FE91CB1B3399123475AEC8BB1DAC6F306D58
Unauthorized request from <unknown> (78.53.225.26 port 35902)
Closing connection with <unknown> (78.53.225.26 port 35902)
Purging unreachable nodes
Connection from 78.53.225.26 port 35908
Sending ID to <unknown> (78.53.225.26 port 35908): 0 ebox 17
Sending 10 bytes of metadata to <unknown> (78.53.225.26 port 35908)
Flushing 10 bytes to <unknown> (78.53.225.26 port 35908)
Metadata socket read error for <unknown> (78.53.225.26 port 35908):
Connection reset by peer
Closing connection with <unknown> (78.53.225.26 port 35908)
Purging unreachable nodes


Anyone able to help?


Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

On Mon, Jul 03, 2017 at 02:24:55PM +0200, Nikolaus Rath wrote:
> After upgrading my client system from Debian jessie to Debian stretch
> (which includes an update from tinc 1.0.24 to tinc 1.0.31), I am
> having trouble with my VPN:
[...]
> Proxy = exec /etc/tinc/rath/triv_proxy.sh
Indeed, it seems like Proxy = exec was broken by a commit that fixed
some issue with the other proxy types. For now the workaround is to use
1.0.29 or earlier if you need this. I'll let you know when this is
fixed.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20170711/a91e2b55/attachment.sig>

On Jul 11 2017, Guus Sliepen <guus-NnCthlHDAqpg9hUCZPvPmw at
public.gmane.org> wrote:
> On Mon, Jul 03, 2017 at 02:24:55PM +0200, Nikolaus Rath wrote:
>
>> After upgrading my client system from Debian jessie to Debian stretch
>> (which includes an update from tinc 1.0.24 to tinc 1.0.31), I am
>> having trouble with my VPN:
> [...]
>> Proxy = exec /etc/tinc/rath/triv_proxy.sh
>
> Indeed, it seems like Proxy = exec was broken by a commit that fixed
> some issue with the other proxy types. For now the workaround is to use
> 1.0.29 or earlier if you need this. I'll let you know when this is
> fixed.
Could you tell me which commit this is? I'd rather just revert that
commit than switch to older version?


Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«