Hi

On Wed, Apr 1, 2020 at 10:17 AM Dajka Tamás <vi...@vipernet.hu> wrote:

> Hi all,
>
> I've a _*working*_ server-client setup (tap + L2 bridge; server-bridge
> with on-lan DHCP), where the pam-auth plugin does the authentication (OTP
> with static-challenge, works OK). However, if I disable the plugin
> authentication and enable 'management-client-auth' (nothing else changes in
> either of the configs), the client fails to establish the data channel
> (authentication works, control channel is ok).
>
> In the server logs I see the following (with mgmt auth):
>
> mysecretuser/CLIENT_PUBLIC_IP:63979 TLS Warning: no data channel send key
> available:  [key#0 state=S_ACTIVE id=0 sid=f1576b13 7324afbe] [key#1
> state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0
> sid=00000000 00000000]
> mysecretuser/CLIENT_PUBLIC_IP:63979 MULTI: C2C/MCAST/BCAST
>
> and a lot of these:
>
> mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [172] from
> [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=171
> mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808
> [0] not initialized (yet), dropping packet.
> mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [347] from
> [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=346
> mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808
> [0] not initialized (yet), dropping packet.
> mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [108] from
> [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=107
> mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808
> [0] not initialized (yet), dropping packet.
>
Looks like your script is not sending a complete response and the server is
still waiting to authenticate the client. Unlike scripts, management
doesn't block, but the session will not get fully initialized until the
management client has responded.


>
> What can be the matter? Do I need to supply anything else via mgmt@server
> other than 'client-auth ID ID' upon successful authentication?
>

You have to send back either

"client-deny CID KID <reason text>"
OR
"client-auth-nt CID KID"
OR
"client-auth CID KID
client-specific directives
END"

If you have no client-connect config parameters to send, use
"client-auth-nt" as in my demo script that you referred to. If sending
"client-auth" with no directives, you still have to send the line "END".

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
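Added example (not from the thread, not Selva's demo script, and not OpenVPN's own code): a minimal responder for `--management-client-auth` that parses the `>CLIENT:CONNECT,CID,KID` block the server emits on the management channel, checks the credentials, and builds one of the three replies Selva lists. The `>CLIENT:CONNECT` / `>CLIENT:ENV,name=value` / `>CLIENT:ENV,END` layout and the `username`/`password` environment variables follow OpenVPN's management-notes.txt as I recall it; the quoted reason on `client-deny` is also from that document. The `FAKE_USERS` table and the sample notification are constructed stand-ins for a real PAM/OTP check. `response_is_complete` encodes the failure mode from the thread: a `client-auth` line without its terminating `END` is an incomplete reply, so the server keeps waiting and data-channel keys never get initialised.

```python
"""Management-interface responder for OpenVPN --management-client-auth.

Constructed example: parses a >CLIENT:CONNECT block, decides a verdict,
and returns the exact reply text that must be written back to the server.
"""
import re

CONNECT_RE = re.compile(r"^>CLIENT:CONNECT,(\d+),(\d+)$")
ENV_RE = re.compile(r"^>CLIENT:ENV,(.*)$")

# Hypothetical credential store; a real deployment would call PAM/OTP here.
FAKE_USERS = {"mysecretuser": "correct-horse"}


def parse_client_connect(lines):
    """Return (cid, kid, env) for one CONNECT block.

    Raises ValueError unless the block starts with >CLIENT:CONNECT and is
    terminated by >CLIENT:ENV,END (the server always sends that terminator).
    """
    it = iter(lines)
    first = next(it, "")
    m = CONNECT_RE.match(first)
    if not m:
        raise ValueError("expected >CLIENT:CONNECT, got %r" % first)
    cid, kid = int(m.group(1)), int(m.group(2))
    env = {}
    for line in it:
        m = ENV_RE.match(line)
        if not m:
            raise ValueError("unexpected line in CONNECT block: %r" % line)
        body = m.group(1)
        if body == "END":
            return cid, kid, env
        key, sep, value = body.partition("=")
        if not sep:
            raise ValueError("malformed ENV line: %r" % line)
        env[key] = value
    raise ValueError("CONNECT block not terminated by >CLIENT:ENV,END")


def build_response(cid, kid, verdict, directives=None, reason="auth failed"):
    """Build the reply text for the given verdict.

    'auth-nt' -> client-auth-nt CID KID          (nothing else to send)
    'auth'    -> client-auth CID KID <dirs> END  (END is mandatory even when
                                                  there are no directives)
    'deny'    -> client-deny CID KID "reason"
    """
    if verdict == "auth-nt":
        return "client-auth-nt %d %d\n" % (cid, kid)
    if verdict == "auth":
        body = "".join(d + "\n" for d in (directives or []))
        return "client-auth %d %d\n%sEND\n" % (cid, kid, body)
    if verdict == "deny":
        return 'client-deny %d %d "%s"\n' % (cid, kid, reason.replace('"', ""))
    raise ValueError("unknown verdict %r" % verdict)


def response_is_complete(text):
    """True if the server would stop waiting after reading `text`.

    A client-auth without the closing END line is the incomplete reply that
    leaves the session with 'Key [...] not initialized (yet)' messages.
    """
    lines = text.rstrip("\n").split("\n")
    head = lines[0].split()
    if len(head) < 3:
        return False
    if head[0] in ("client-auth-nt", "client-deny"):
        return len(lines) == 1
    if head[0] == "client-auth":
        return len(head) == 3 and lines[-1] == "END"
    return False


def handle_connect(lines, directives=None):
    """Parse one CONNECT block, check credentials, return the reply text."""
    cid, kid, env = parse_client_connect(lines)
    if FAKE_USERS.get(env.get("username", "")) != env.get("password", ""):
        return build_response(cid, kid, "deny", reason="bad credentials")
    if directives:
        return build_response(cid, kid, "auth", directives)
    return build_response(cid, kid, "auth-nt")


# Constructed sample notification, shaped like the server's output.
SAMPLE_BLOCK = [
    ">CLIENT:CONNECT,12,0",
    ">CLIENT:ENV,username=mysecretuser",
    ">CLIENT:ENV,password=correct-horse",
    ">CLIENT:ENV,trusted_ip=203.0.113.5",
    ">CLIENT:ENV,END",
]

if __name__ == "__main__":
    reply = handle_connect(SAMPLE_BLOCK)
    print(reply, end="")
    print("complete:", response_is_complete(reply))
```

In a real management client the block is read from the management socket and the returned string is written back unchanged; the point of `response_is_complete` is that the check belongs on the sending side, since the server gives no error, it simply waits.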