Jan:
Thank's for the help. I have patched my openvpn and the problem was solved.
Behinhd are the patches for openvpn-2.0.9 and openvpn-2.1.1.
Devel's please incorporate this to openvpn code.
----------------------------------------- 2.0.9
------------------------------------------
----------------------------------------- Begin
-----------------------------------------
rubio@rubio-laptop:~/openvpn-2.0.9$ diff -Nru multi.c multi.c-patched
--- multi.c 2010-03-02 14:55:53.000000000 -0300
+++ multi.c-patched 2010-03-02 14:39:46.000000000 -0300
@@ -393,6 +393,9 @@
struct multi_instance *mi)
{
+ /* setenv incoming cert common name for script */
+ setenv_str (mi->context.c2.es, "common_name", tls_common_name
(mi->context.c2.tls_multi, true));
+
/* setenv client real IP address */
setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
----------------------------------------- END
-------------------------------------------
----------------------------------------- 2.0.9
------------------------------------------
----------------------------------------- 2.1.1
------------------------------------------
----------------------------------------- Begin
-----------------------------------------
rubio@rubio-desktop:~/openvpn-2.1.1$ diff -Nru multi.c multi.c.patched
--- multi.c 2009-10-24 21:17:29.000000000 -0200
+++ multi.c.patched 2010-03-02 14:57:12.000000000 -0300
@@ -447,6 +447,9 @@
multi_client_disconnect_setenv (struct multi_context *m,
struct multi_instance *mi)
{
+ /* setenv incoming cert common name for script */
+ setenv_str (mi->context.c2.es, "common_name", tls_common_name
(mi->context.c2.tls_multi, true));
+
/* setenv client real IP address */
setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
----------------------------------------- END
-------------------------------------------
----------------------------------------- 2.0.9
------------------------------------------
2010/3/1 Jan Just Keijser <janj...@nikhef.nl>:
> Hi,
>
> Giancarlo Rubio wrote:
>>
>> Hi all.
>>
>> I have a issue with "OpenVPN 2.0.9 i586-suse-linux [SSL] [LZO]
>> [EPOLL]" similiar to other user [1]. Using options
>> --client-disconnect (to use firewall rules),
>> --username-as-common-name, sometimes, the disconnect-script return
>> erroneous CN. I use iptables rules to connect and disconnect clients,
>> the connect are ok, but disconnect receive invalid CN and the firewall
>> rule still invalid, because any user have a firewall ruleset based on
>> his CN.
>>
>> Details
>>
>> # cat /var/log/openvpn-status.log
>> OpenVPN CLIENT LIST
>> Updated,Mon Mar 1 11:28:22 2010
>> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
>> user1,xxxxx,74953,83914,Mon Mar 1 10:33:13 2010
>> user2,xxxxx,2080665,8540472,Mon Mar 1 08:51:36 2010
>> user3,xxxxx,3493297,7694229,Mon Mar 1 07:48:33 2010
>> user4,xxxx,609998,1533127,Mon Mar 1 09:43:43 2010
>> ROUTING TABLE
>> Virtual Address,Common Name,Real Address,Last Ref
>> 10.8.0.6,user1,xxxxx,Mon Mar 1 11:28:00 2010
>> 10.8.0.110,user2,xxxxxx,Mon Mar 1 11:28:15 2010
>> 10.8.0.106,user3,xxxxxx,Mon Mar 1 11:28:20 2010
>> 10.8.0.42,user4,xxxxx,Mon Mar 1 11:28:13 2010
>> GLOBAL STATS
>> Max bcast/mcast queue length,0
>> END
>>
>> * Firewall rules
>>
>> Chain FORWARD (policy DROP 1434 packets, 151K bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 11 876 ACCEPT all -- * * 10.8.0.126
>> 12.86.0.0/16
>> 10 671 ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.126
>> 21773 1293K ACCEPT all -- * * 10.8.0.34
>> 182.36.1.34
>> 22171 5480K ACCEPT all -- * * 182.36.1.34
>> 10.8.0.34
>> 3042 1987K ACCEPT all -- * * 10.8.0.90
>> 182.36.1.4
>> 4020 2839K ACCEPT all -- * * 182.36.1.4
>> 10.8.0.90
>> 12557 3871K ACCEPT all -- * * 10.8.0.42
>> 12.86.0.0/16
>> 13036 8805K ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.42
>> 338 54579 ACCEPT all -- * * 10.8.0.42
>> 122.16.35.0/23
>> 264 28680 ACCEPT all -- * * 122.16.35.0/23
>> 10.8.0.42
>> 10151 1673K ACCEPT all -- * * 10.8.0.106
>> 12.86.0.0/16
>> 11612 9301K ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.106
>> 112 132K ACCEPT all -- * * 10.8.0.106
>> 122.16.35.0/23
>> 83 3344 ACCEPT all -- * * 122.16.35.0/23
>> 10.8.0.106
>> 3199 523K ACCEPT all -- * * 10.8.0.110
>> 12.86.0.0/16
>> 3290 1765K ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.110
>> 0 0 ACCEPT all -- * * 10.8.0.110
>> 122.16.35.0/23
>> 0 0 ACCEPT all -- * * 122.16.35.0/23
>> 10.8.0.110
>> 3165 331K ACCEPT all -- * * 10.8.0.38
>> 12.86.0.0/16
>> 3681 3122K ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.38
>> 430 486K ACCEPT all -- * * 10.8.0.38
>> 122.16.35.0/23
>> 302 13545 ACCEPT all -- * * 122.16.35.0/23
>> 10.8.0.38
>> 529 35483 ACCEPT all -- * * 10.8.0.6
>> 12.86.0.0/16
>> 387 50812 ACCEPT all -- * * 12.86.0.0/16
>> 10.8.0.6
>> 0 0 ACCEPT all -- * * 10.8.0.6
>> 122.16.35.0/23
>> 0 0 ACCEPT all -- * * 122.16.35.0/23
>> 10.8.0.6
>>
>> if you look on connect clients only
>> 10.8.0.6,10.8.0.110,10.8.0.106,10.8.0.42 are connected, but rules that
>> 10.8.0.38,10.8.0.34 are in the firewall.
>> It's not firewall rule problem, is the wrong CN cause this.
>>
>> * My certificate name was "cliente".
>> * The CN in openvpn.log are correct, only in disconnect script is the
>> problem.
>>
>> Mon Mar 1 00:28:33 2010 us=813731 user2/201.25.210.77:60054
>> SIGTERM[soft,remote-exit] received, client-instance exiting
>> ..........
>>
>> Mon Mar 1 09:41:02 2010 us=98845 user1/187.88.88.67:1090 [hrsilva]
>> Inactivity timeout (--ping-restart), restarting
>> Mon Mar 1 09:41:02 2010 us=98899 user1/187.88.88.67:1090
>> SIGUSR1[soft,ping-restart] received, client-instance restarting
>> ..........
>>
>> Mon Mar 1 09:44:43 2010 us=226821 user3/187.88.200.66:1108
>> [lffernandez] Inactivity timeout (--ping-restart), restarting
>> Mon Mar 1 09:44:43 2010 us=226856 user3/187.88.200.66:1108
>> SIGUSR1[soft,ping-restart] received, client-instance restarting
>>
>>
>>
>> Behind are the same description off the problem by other user.
>>
>> ----------------------
>>
>> A few days ago I've set up an openvpn server on my server with mysql
>> backend
>> based on auth-user-pass-verify, client-connect, client-disconnect. Both
>> client-connect and client-disconnect works has a main purpuse of setting
>> iptables rules for forwarding each connection to a public ip, taken from
>> an
>> ip-pool table. Also, each connection is registered in a table called
>> active.
>> When the client disconnects, it deletes from active, deletes the iptables
>> rule and logs everything...
>>
>> The authentication and every record is indexed by the common name (which
>> is
>> the username, not the cert name, so username-as-common-name on ).. so if i
>> add a row in the "active" table with client-connect and then look for it
>> with client-disconnect, it is based on the common name.
>>
>> So, now about the problem: some of the time (about 1 every 5 disconnect)
>> the
>> $common-name variable shows the cert name and not the username, thus
>> making
>> it impossible to find in active table, leaving many false iptables rules
>> and
>> funny logs like:
>>
>> username 1245682814 80.99.12.202 79.172.201.189
>> 10.0.0.2 CONNECT
>>
>> certname 1245685700 80.99.12.202
>> 10.0.0.2 DISCONNECT
>>
>>
>>
>> Is this a bug or did i make a mistake?
>>
>>
>
> congratulations, you have found a bug indeed...
> I'm posting my analysis here but will copy it later to openvpn-devel, so we
> can figure out what to do with it:
>
> in multi.c the function multi_client_connect_setenv contains
>
> 1410 /* setenv incoming cert common name for script */
> 1411 setenv_str (mi->context.c2.es, "common_name", tls_common_name
> (mi->context.c2.tls_multi, true));
>
> this is missing from the corresponding multi_client_disconnect_setenv
> function....
>
> So you can either patch multi.c yourself or perhaps you can record the name
> of the username when you set up the firewall rules so that you can also use
> that username to tear it down again (e.g. match IP to username or something
> like that).
>
> HTH,
>
> JJK
>
>
--
Giancarlo Rubio
