Barrier user experience #1884

shodanx2 · 2023-01-25T08:31:22Z

shodanx2
Jan 25, 2023

Hello,

I need to install barrier, I know from having used it 20 years ago that, when it works it works great.

And I know from having used it about a years ago, it's hell to install.

Now I need to use it for a new purpose and I've forgotten all about how to set it up again !

So I decided to document my user experience re-figuring it out and maybe that could help other people trying to set it up. And if someone is still working on this software they would know what needs fixing.

This is for a windows 10 barrier server and linux client running ubuntu 22.10

Installed 2.4 on window

got missing barrier.pem error

installed previous version, it works

added my client to the server config interactive editor

started putty, tried to connect with DISPLAY=:0 barrierc serverhostname.lan

console doesn't echo anymore,

a client connects (not even the name in log)

nothing happens

It might be wayland, disable wayland from my ubuntu 22.10 client

sudo nano /etc/gdm3/custom.conf

WaylandEnable=true

did not fix the problem

figure out new command line

barrierc --enable-crypto --display :0 --debug INFO -f serverhostname.lan

screen@screenll:~$ barrierc --enable-crypto --display :0 --debug INFO -f shodan.lan
[2023-01-25T02:14:59] INFO: --enable-crypto is used by default. The option is deprecated.
[2023-01-25T02:14:59] NOTE: started client
[2023-01-25T02:14:59] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T02:14:59] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T02:14:59] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:14:59] ERROR: could not load client certificates
[2023-01-25T02:14:59] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:14:59] ERROR: could not load client certificates
[2023-01-25T02:14:59] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:14:59] ERROR: could not load client certificates
[2023-01-25T02:14:59] NOTE: peer fingerprint (SHA1): 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 (SHA256): CC:F5:F6:79:B8:7D:5E:72:3B:4D:B8:30:A5:33:CD:0F:35:07:00:7D:25:C6:03:58:C4:79:E7:B1:F2:FF:27:38
[2023-01-25T02:14:59] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:14:59] NOTE: Could not read fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:14:59] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T02:14:59] ERROR: failed to verify server certificate fingerprint
[2023-01-25T02:15:14] WARNING: failed to connect to server: Timed out
[2023-01-25T02:15:15] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T02:15:15] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T02:15:15] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:15:15] ERROR: could not load client certificates
[2023-01-25T02:15:15] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:15:15] ERROR: could not load client certificates
[2023-01-25T02:15:15] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:15:15] ERROR: could not load client certificates
[2023-01-25T02:15:15] NOTE: peer fingerprint (SHA1): 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 (SHA256): CC:F5:F6:79:B8:7D:5E:72:3B:4D:B8:30:A5:33:CD:0F:35:07:00:7D:25:C6:03:58:C4:79:E7:B1:F2:FF:27:38
[2023-01-25T02:15:15] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:15:15] NOTE: Could not read fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:15:15] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T02:15:15] ERROR: failed to verify server certificate fingerprint
[2023-01-25T02:15:18] NOTE: stopped client

download this script wget https://gist.githubusercontent.com/dayne/e3a7f31f0624bf299faf9fadfe510322/raw/2c64b78c7abb4493d9fafee5f36032a6161b0e44/barrierc-trust.sh

screen@screenll:~$ ./[barrierc-trust.sh](http://barrierc-trust.sh/) shodan.lan
trusting shodan.lan
checking for /home/screen/.local/share/barrier/SSL/Fingerprints
creating directory: /home/screen/.local/share/barrier/SSL/Fingerprints
no TrustedServers.txt exists yet
nc: missing port number
FATAL: Unable to connect to shodan.lan at port
$ nc -z shodan.lan

screen@screenll:~$ ./[barrierc-trust.sh](http://barrierc-trust.sh/) shodan.lan:24800
trusting shodan.lan:24800
checking for /home/screen/.local/share/barrier/SSL/Fingerprints
no TrustedServers.txt exists yet
Verified ability to connect to shodan.lan at port 24800
Getting shodan.lan:24800 fingerprint and storing into TrustedServer.txt
updated: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt with
11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39


screen@screenll:~$ cat /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39

screen@screenll:~$ barrierc --enable-crypto --display :0 --debug INFO -f shodan.lan
[2023-01-25T02:22:13] INFO: --enable-crypto is used by default. The option is deprecated.
[2023-01-25T02:22:13] NOTE: started client
[2023-01-25T02:22:13] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T02:22:13] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T02:22:13] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:22:13] ERROR: could not load client certificates
[2023-01-25T02:22:13] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:22:13] ERROR: could not load client certificates
[2023-01-25T02:22:13] ERROR: ssl certificate doesn't exist: /home/screen/.local/share/barrier/SSL/Barrier.pem
[2023-01-25T02:22:13] ERROR: could not load client certificates
[2023-01-25T02:22:13] NOTE: peer fingerprint (SHA1): 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 (SHA256): CC:F5:F6:79:B8:7D:5E:72:3B:4D:B8:30:A5:33:CD:0F:35:07:00:7D:25:C6:03:58:C4:79:E7:B1:F2:FF:27:38
[2023-01-25T02:22:13] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:22:13] NOTE: Read 1 fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:22:13] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T02:22:13] ERROR: failed to verify server certificate fingerprint

using winscp
copy C:\Users\shodan\AppData\Local\Barrier\SSL\barrier.pem to /home/screen/.local/share/barrier/SSL/barrier.pem

screen@screenll:~$ barrierc --enable-crypto --display :0 --debug INFO -f shodan.lan
[2023-01-25T02:30:39] INFO: --enable-crypto is used by default. The option is deprecated.
[2023-01-25T02:30:39] NOTE: started client
[2023-01-25T02:30:39] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T02:30:39] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T02:30:39] NOTE: peer fingerprint (SHA1): 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 (SHA256): CC:F5:F6:79:B8:7D:5E:72:3B:4D:B8:30:A5:33:CD:0F:35:07:00:7D:25:C6:03:58:C4:79:E7:B1:F2:FF:27:38
[2023-01-25T02:30:39] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:30:39] NOTE: Read 1 fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:30:39] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T02:30:39] ERROR: failed to verify server certificate fingerprint

fingerprint on the server
11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39
fingerprint on the client
11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39

[2023-01-25T02:31:44] NOTE: peer fingerprint (SHA1): 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 (SHA256): CC:F5:F6:79:B8:7D:5E:72:3B:4D:B8:30:A5:33:CD:0F:35:07:00:7D:25:C6:03:58:C4:79:E7:B1:F2:FF:27:38

bang head on wall

copy paste from logs 11:49:E7:BA:A0:7E:DC:64:33:D1:ED:60:4A:B7:21:53:A1:52:88:39 to trusted server file ?

[2023-01-25T02:50:23] NOTE: Read 2 fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T02:50:23] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T02:50:23] ERROR: failed to verify server certificate fingerprint

ok time to make new certification files

openssl.exe found in C:\Program Files\Barrier
but can't run openssl there, ok

D:\shodan\Documents\key>md barrierkey
D:\shodan\Documents\key>cd barrierkey

D:\shodan\Documents\key\barrierkey>C:\Program Files\Barrier\openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

D:\shodan\Documents\key\barrierkey>"C:\Program Files\Barrier\openssl.exe" req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
WARNING: can't open config file: C:\OpenSSL/ssl/openssl.cnf
Unable to load config info from C:\OpenSSL/ssl/openssl.cnf

Ah, need to specify a config file

D:\shodan\Documents\key\barrierkey>"C:\Program Files\Barrier\openssl.exe" -config "C:\Program Files\Barrier\openssl.cnf"  req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
WARNING: can't open config file: C:\OpenSSL/ssl/openssl.cnf
openssl:Error: '-config' is an invalid command.

Oh, there isn't one, found one in gajim

D:\shodan\Documents\key\barrierkey>"C:\Program Files\Barrier\openssl.exe" -config "C:\Program Files\Gajim\ssl\openssl.cnf"  req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
WARNING: can't open config file: C:\OpenSSL/ssl/openssl.cnf
openssl:Error: '-config' is an invalid command.

oh wait, wrong syntax

D:\shodan\Documents\key\barrierkey>"C:\Program Files\Barrier\openssl.exe" req -config "C:\Program Files\Gajim\ssl\openssl.cnf"  -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
WARNING: can't open config file: C:\OpenSSL/ssl/openssl.cnf
Generating a 2048 bit RSA private key
................................+++
......+++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Ok, still complains about the config file but works anyway ...

copy cert.pem (50/50 that it's key.pem I guess) to C:\Users\shodan\AppData\Local\Barrier\SSL

Restart server

[2023-01-25T03:02:28] ERROR: could not use ssl private key
[2023-01-25T03:02:28] ERROR: error:0906D06C:PEM routines:PEM_read_bio:no start line

Guess key.pem was the correct answer ...

Nope, the answer is neither

[2023-01-25T03:03:13] NOTE: stopped server
[2023-01-25T03:03:14] INFO: process 18128 was shutdown gracefully
[2023-01-25T03:03:14] INFO: starting new process as privileged user
[2023-01-25T03:03:14] INFO: drag and drop enabled
[2023-01-25T03:03:14] ERROR: failed to get desktop path, no drop target available, error=2
started server (IPv4/IPv6), waiting for clients
server status: active
[2023-01-25T03:03:16] INFO: OpenSSL 1.0.2l  25 May 2017
[2023-01-25T03:03:16] ERROR: could not use ssl certificate
[2023-01-25T03:03:16] ERROR: error:0906D06C:PEM routines:PEM_read_bio:no start line
[2023-01-25T03:03:32] INFO: OpenSSL 1.0.2l  25 May 2017
[2023-01-25T03:03:32] ERROR: could not use ssl certificate
[2023-01-25T03:03:32] ERROR: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

Ok, I probably did the openssl command wrong, time to search forum

Now I remember, when I last used this on the raspberry pi, I just disabled encryption, maybe it's impossible to make encryption work ?

it's getting late, maybe I should give up already

Maybe I should check out https://github.com/input-leap/input-leap

Ok new command to try , thank you @Desani #1674

openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem

or

D:\shodan\Documents\key\barrierkey>"C:\Program Files\Barrier\openssl.exe" req -config "C:\Program Files\Gajim\ssl\openssl.cnf" -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout Barrier.pem -out Barrier.pem


[2023-01-25T03:16:34] INFO: starting server
[2023-01-25T03:16:34] INFO: config file: C:/Users/shodan/AppData/Local/Temp/Barrier.qmDaHK
[2023-01-25T03:16:34] INFO: log level: INFO
[2023-01-25T03:16:34] INFO: service command updated
[2023-01-25T03:16:34] INFO: service command updated
[2023-01-25T03:16:35] INFO: got ipc shutdown message
[2023-01-25T03:16:35] NOTE: stopped server
[2023-01-25T03:16:36] INFO: process 23808 was shutdown gracefully
[2023-01-25T03:16:36] INFO: starting new process as privileged user
[2023-01-25T03:16:36] INFO: drag and drop enabled
[2023-01-25T03:16:36] ERROR: failed to get desktop path, no drop target available, error=2
started server (IPv4/IPv6), waiting for clients
server status: active
[2023-01-25T03:16:44] INFO: OpenSSL 1.0.2l  25 May 2017
[2023-01-25T03:16:44] INFO: accepted secure socket
[2023-01-25T03:16:44] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2023-01-25T03:16:44] NOTE: accepted client connection

Well, this looks promessing

client side

[2023-01-25T03:20:31] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T03:20:31] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T03:20:31] NOTE: peer fingerprint (SHA1): F6:08:9E:51:5E:41:BA:FE:05:D7:20:B3:9A:86:6F:ED:55:64:64:EE (SHA256): 25:2D:6B:AB:53:FD:FB:8A:1D:BC:1A:1C:86:FB:75:82:FC:4D:4E:33:C5:6A:1E:4B:57:BF:A2:7A:CF:7F:77:2B
[2023-01-25T03:20:31] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T03:20:31] NOTE: Read 2 fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T03:20:31] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T03:20:31] ERROR: failed to verify server certificate fingerprint

server side

[2023-01-25T03:20:30] INFO: accepted secure socket
[2023-01-25T03:20:30] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2023-01-25T03:20:30] NOTE: accepted client connection
[2023-01-25T03:20:45] NOTE: new client disconnected
[2023-01-25T03:20:46] INFO: OpenSSL 1.0.2l  25 May 2017
[2023-01-25T03:20:46] INFO: accepted secure socket
[2023-01-25T03:20:46] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2023-01-25T03:20:46] NOTE: accepted client connection
[2023-01-25T03:21:01] NOTE: new client disconnected
[2023-01-25T03:21:02] INFO: OpenSSL 1.0.2l  25 May 2017
[2023-01-25T03:21:02] INFO: accepted secure socket
[2023-01-25T03:21:02] INFO: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
[2023-01-25T03:21:02] NOTE: accepted client connection

running barrierc-trust.sh again

screen@screenll:~$ ./barrierc-trust.sh shodan.lan:24800
trusting shodan.lan:24800
checking for /home/screen/.local/share/barrier/SSL/Fingerprints
warning, an existing TrustedServers.txt file exists - backing up to TrustedServer.txt.backup
Verified ability to connect to shodan.lan at port 24800
Getting shodan.lan:24800 fingerprint and storing into TrustedServer.txt
updated: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt with
F6:08:9E:51:5E:41:BA:FE:05:D7:20:B3:9A:86:6F:ED:55:64:64:EE

It seems barrier is now unmaintained and I'm running around in circles

input-leap/input-leap#1414

Q: Input Leap vs. barrier?
    A: Input Leap is a fork of barrier, by barrier's active maintainers. See https://github.com/input-leap/input-leap/issues/1414 for more details. barrier is considered unmaintained.

screen@screenll:~$ barrierc --display :0 --debug INFO -f shodan.lan
[2023-01-25T03:29:45] NOTE: started client
[2023-01-25T03:29:45] NOTE: connecting to 'shodan.lan': 192.168.1.10:24800
[2023-01-25T03:29:45] INFO: OpenSSL 3.0.5 5 Jul 2022
[2023-01-25T03:29:45] NOTE: peer fingerprint (SHA1): F6:08:9E:51:5E:41:BA:FE:05:D7:20:B3:9A:86:6F:ED:55:64:64:EE (SHA256): 25:2D:6B:AB:53:FD:FB:8A:1D:BC:1A:1C:86:FB:75:82:FC:4D:4E:33:C5:6A:1E:4B:57:BF:A2:7A:CF:7F:77:2B
[2023-01-25T03:29:45] NOTE: fingerprint_db_path: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T03:29:45] NOTE: Read 1 fingerprints from: /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
[2023-01-25T03:29:45] NOTE: Fingerprint does not match trusted fingerprint
[2023-01-25T03:29:45] ERROR: failed to verify server certificate fingerprint
[2023-01-25T03:30:00] WARNING: failed to connect to server: Timed out
[2023-01-25T03:30:00] NOTE: stopped client
screen@screenll:~$ cat /home/screen/.local/share/barrier/SSL/Fingerprints/TrustedServers.txt
F6:08:9E:51:5E:41:BA:FE:05:D7:20:B3:9A:86:6F:ED:55:64:64:EE

Ok, it doesn't work, can't install input-leap with apt,

I give up

mie00 · 2023-12-06T16:49:27Z

mie00
Dec 6, 2023

Writing this as I struggled to make it work for my laptop and pc, there was a change so it only checks sha256 fingerprints, but the wiki only describes how to add sha1 for trusted servers. The solution is to add the sha256 to the trusted servers file instead, but in this form:

v2:sha256:<the server's sha256>

You can find the sha256 either in the client logs or using an openssl command that outputs sha256 instead of sha1.
Also this probably should be added to the docs as I couldn't find it anywhere and I was only able to trace it in the source code.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Barrier user experience #1884

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Barrier user experience #1884

shodanx2 Jan 25, 2023

Replies: 1 comment

mie00 Dec 6, 2023

shodanx2
Jan 25, 2023

mie00
Dec 6, 2023