Hi,
On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > Hi, > > On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair <selva.n...@gmail.com> wrote: >> Jon: I have a server for testing static and dynamic challenge. If >> interested I can send you a config. Or use access server with a free >> test license. Mine will just challenge with 1 + 1 = ? kind of >> questions, nothing fancy. > > Thanks, Selva! Your testing server worked fine and I have Tunnelblick > doing dynamic challenge/response properly now. > > However, dynamic C/R needs to include '--auth-retry interact' to work > because the default is to fail fatally. From what I understand, the > configs generated by Open Access Server don't include '--auth-retry > interact', but apparently OpenVPN GUI for Windows forces that option > because it can assume that it is always being used interactively. > Tunnelblick can't assume that because it can be and is used > non-interactively (for example. to connect to a VPN when the computer > starts up and nobody is logged in to interact with). > > I can think of four ways to deal with this problem: > > 1. Have Tunnelblick require that the user include 'auth-retry > interact' in the OpenVPN configuration file. > > 2. Have Tunnelblick guess if the configuration is interactive and, if > it is, to include '--auth-retry interact' in the command line when > starting OpenVPN. > > 3. Have Tunnelblick send 'auth-retry interact' through the management > interface as soon as it sees a ">PASSWORD:Verification Failed: 'Auth' > ['CRV…" message. > > 4. Patch OpenVPN so that the connection will be restarted instead of > getting a fatal error if the error message starts with > ">PASSWORD:Verification Failed: 'Auth' ['CRV", ignoring --auth-retry. This looks like a good suggestion. > > The problem with 3 is that it may not work, or it may work only > sometimes because of a race between OpenVPN processing the failure > message and processing the 'auth-retry interact' from the management > interface. > > One problem I see with 4 is that I don't think that OpenVPN code > (other than in OpenVPN GUI) actually "knows" about dynamic C/R. It > looks to me to be simply a convention between the OpenVPN GUI (and > other GUIs) and the scripts that run on the OpenVPN server. It would > also break a dynamic C/R setup in which 'auth-retry nointeract' was > specified, or in which no 'auth-retry' was included, but they wouldn't > be working setups anyway. Instead of forcing auth-retry interact, it would be enough to change the handling of receive_auth_failed() in push.c -- if the "reason" text contains "AUTH_FAILED,CRV1:" handle it as if AR_INTERACT is in effect. The reason text is already passed to that function. Not doing so looks like an unintentional consequence of the kludgy way dynamic CR is implemented. That way other code paths where auth-retry is used (for private key password etc.) are not affected. > > Another problem with 4 is that presumably it wouldn't appear until > OpenVPN 2.5, which means that it Tunnelblick would require OpenVPN 2.5 > (which is included in Tunnelblick betas) for dynamic C/R to work. > Some, perhaps including Selva's $payingCustomer, may not want to use > Tunnelblick betas or use OpenVPN 2.5 until it is released. As an interim measure, you could send auth-retry interact as soon as tunnelblick connects to the management interface and internally enforce "auth-retry interact" or "none" if found in the config. Just opt not to count the CRV1 message as an auth-failure. It may be also necessary to remember the auth-retry setting in the config and set it back while disconnecting from management interface. > > The good things about 4 are that it would be a pretty small patch (I > think) and it would "automatically" fix what I consider to be an > OpenVPN configuration error. > > 4 is the best solution from a narrow thinking-only-of-Tunnelblick > perspective. Would you all consider a patch that does 4? Yes, I think this would be a sane and useful change. Selva ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
