Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN
On Sat, May 18, 2024 at 12:00 PM Bo Berglund wrote:
> On Sat, 18 May 2024 11:22:37 +0200, Gert Doering wrote:
>
> > Since you do not want to hear that, we won't tell you that 2.4.0 is
> > 8 years old, and a zillion improvements went into what is now 2.6.10,
>
> Just curious:
> I am running openvpn server on an Ubuntu 22.04.4 LTS and here is what I get from apt:

Please do not hijack an ongoing discussion. Ask in a new thread.

Selva

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN
> This node where the logs were from (server):
> OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
>
> Other (client)
> OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 29 2022
>
> Please do not tell me to upgrade I will upgrade it in the next 5 years but this was working just fine till now.

These version combinations will work on a good day, but when there is a network glitch, they could go into a restart dance with both backing off exponentially and missing each other. This issue was fixed in 2.5.3.

If the above is indeed the issue, a quick way to recover is to restart the server and client at the same time as Gert mentioned. But that will last only until the next bad day.

> Here is the log from the client:

By matching logs I mean client and server logs at time frames that overlap. We want to see what the server is doing when the client is trying to connect.

Selva
Re: [Openvpn-users] TLS key negotiation failed to occur ISP screws up the VPN
Hi,

> Fri May 17 13:23:15 2024 us=936860 SIGUSR1[soft,tls-error] received, process restarting
> Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s)

If this is the tls-server side of the p2p connection, this is weird. What version of OpenVPN is this? We fixed the backoff logic in 2.5.3 to delay only on one side (the client side, IIRC) as otherwise the two sides could miss each other and lead to timeout.

Could you please post matching logs from the other side as well?

Selva

On Fri, May 17, 2024 at 8:15 AM shadowbladeee via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> Hello Folks,
>
> I have a VPN setup which works since years it's a simple peer to peer udp VPN. There was absolute zero change on the two endpoints, nothing on the routers, network equipment, servers etc. The VPN simply stopped functioning like a week ago with no reason. I have pretty much restarted all components (of course did not change anything). I get this in the log on the server:
>
> RFri May 17 13:22:15 2024 us=116136 TLS: Initial packet from [AF_INET]:39729, sid=77d2b662 053040f3
> WWWWrrWrFri May 17 13:23:15 2024 us=858988 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Fri May 17 13:23:15 2024 us=859084 TLS Error: TLS handshake failed
> Fri May 17 13:23:15 2024 us=859405 TCP/UDP: Closing socket
> Fri May 17 13:23:15 2024 us=859487 Closing TUN/TAP interface
> Fri May 17 13:23:15 2024 us=859528 /sbin/ip addr del dev tun1 local 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:23:15 2024 us=936860 SIGUSR1[soft,tls-error] received, process restarting
> Fri May 17 13:23:15 2024 us=937343 Restart pause, 300 second(s)
> Fri May 17 13:28:15 2024 us=939065 Diffie-Hellman initialized with 2048 bit key
> Fri May 17 13:28:15 2024 us=942435 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:28:15 2024 us=942581 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:28:15 2024 us=943674 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
> Fri May 17 13:28:15 2024 us=947603 TUN/TAP device tun1 opened
> Fri May 17 13:28:15 2024 us=949077 TUN/TAP TX queue length set to 100
> Fri May 17 13:28:15 2024 us=949249 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Fri May 17 13:28:15 2024 us=949702 /sbin/ip link set dev tun1 up mtu 1500
> Fri May 17 13:28:15 2024 us=961794 /sbin/ip addr add dev tun1 local 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:28:15 2024 us=975521 Data Channel MTU parms [ L:1557 D:1269 EF:57 EB:395 ET:0 EL:3 ]
> Fri May 17 13:28:15 2024 us=975855 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig 10.0.0.2 10.0.0.1,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
> Fri May 17 13:28:15 2024 us=976030 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,ifconfig 10.0.0.1 10.0.0.2,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
> Fri May 17 13:28:15 2024 us=976118 Could not determine IPv4/IPv6 protocol. Using AF_INET
> Fri May 17 13:28:15 2024 us=976236 Socket Buffers: R=[163840->163840] S=[163840->163840]
> Fri May 17 13:28:15 2024 us=976352 UDPv4 link local (bound): [AF_INET][undef]:43000
> Fri May 17 13:28:15 2024 us=976428 UDPv4 link remote: [AF_UNSPEC]
> RFri May 17 13:28:16 2024 us=563831 TLS: Initial packet from [AF_INET]:45086, sid=94460619 1b42cb70
> WWrrWrrrWrWrFri May 17 13:29:16 2024 us=241264 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Fri May 17 13:29:16 2024 us=241385 TLS Error: TLS handshake failed
> Fri May 17 13:29:16 2024 us=242113 TCP/UDP: Closing socket
> Fri May 17 13:29:16 2024 us=242322 Closing TUN/TAP interface
> Fri May 17 13:29:16 2024 us=242433 /sbin/ip addr del dev tun1 local 10.0.0.1 peer 10.0.0.2
> Fri May 17 13:29:16 2024 us=356949 SIGUSR1[soft,tls-error] received, process restarting
> Fri May 17 13:29:16 2024 us=357112 Restart pause, 300 second(s)
> Fri May 17 13:34:16 2024 us=357823 Diffie-Hellman initialized with 2048 bit key
> Fri May 17 13:34:16 2024 us=358991 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:34:16 2024 us=359037 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri May 17 13:34:16 2024 us=359179 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
> Fri May 17 13:34:16 2024 us=359788 TUN/TAP device tun1 opened
> Fri May 17 13:34:16 2024 us=359859 TUN/TAP TX queue length set to 100
> Fri May 17 13:34:16 2024 us=359905 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> Fri May 17 13:34:16 2024 us=359947 /sbin/ip link set dev
Re: [Openvpn-users] Limit the number of users based on the key
> 2- The Active Directory server is located inside the company, and if users want to connect to the OpenVPN server from outside the company, then how is authentication done?

VPN authentication is done by your OpenVPN server. As long as the server has access to the AD, it does not matter where the user is connecting from.

Selva
Re: [Openvpn-users] Migrating to new CA
Hi,

> think I am getting closer with the "one step" process with an intermediary cert. I am able to start up the server with both the new CA signed server cert and the intermediary as outlined in "Step 3" above. However, it's like the server is not sending two server certs to the connecting client and the stacked crt is not working. In my openvpn config if I have something like
>
> ca keys/new/ca2.crt
> cert keys/new/ronly.pem
> key keys/new/r-only.key
>
> Where ca2.crt contains both the root certificates (old and new) and ronly.pem contains both the new OpenVPN server cert and the intermediary CA crt signed by the old CA, it only works for one client or the other based on where I have the certificate in the .pem file. So if I put the new cert first in the list, new clients can connect.

This is the correct order -- the server certificate first, followed by the cross-signed certificate. OpenVPN parses the first one as the server certificate and uses trailing ones, if any, for building the chain.

> If I put the intermediary first in the file, old clients can connect, but not the new ones.

With that order the key won't match the certificate and the server should not even start. Looks like your cross-signed certificate has the server's public key -- it should have the new CA's public key signed by the old CA.

What error do you get on old clients with the correct order?

> Is there an extra step I need to do or am I misunderstanding where the intermediary cert needs to go or what needs to be signed ?

You can check by verifying the new server certificate against old CA using openssl CLI like this:

$ openssl verify -show_chain -CAfile old-ca.crt -untrusted cross-signed-cert.crt new-server-cert.crt

It should show the cross-signed certificate at depth 1 linking the new server certificate to the old CA at depth 2.

Direct verification using new CA would be

$ openssl verify -show_chain -CAfile new-ca.crt new-server-cert.crt

Selva
Re: [Openvpn-users] Migrating to new CA
> Thanks Selva for the link! Two rounds will be a bit laborious as there are many endpoints. If I have to go for option A (Stacked CAs on all clients, stacked CAs on the server then update the server), is there a downside with leaving an expired CA cert on all the clients ? Or can they just be left there until the devices get re-imaged over time ?

Then clients will continue to trust server certs issued by the old CA which may not be desirable in some setups.

If you are also updating the client version at the same time, test this out first -- hard to anticipate what all could go wrong. Newer version clients may reject the old server certificate for outdated MD or key-size.

Selva
Re: [Openvpn-users] Migrating to new CA
On Mon, Oct 2, 2023 at 3:00 PM mike tancsa wrote:
> I am in a position where I want to start migrating users away from my old CA which will expire in the medium term future to a new CA. I have many endpoints and can't just "OK, everyone download a new files now." So I am looking at the steps in
>
> https://www.hexonet.net/blog/migrating-new-ca-for-openvpn
>
> which allows both sets of clients to connect to existing infrastructure. Moving to different ports / IPs etc is not easy to do either as firewalls at local sites are controlled by many orgs and getting those changed is non trivial.
>
> Step 1 ok - new CA added (stacked)
>
> Step 2, "Also, the server certificate is replaced by one signed by the new CA." Also done. Clients with certs signed with the new CA can connect.
>
> Step 3, "Additionally, an intermediate certificate (OLD-NEW-IM.crt) that uses the private key of the new CA, but is signed by the old CA, gets added to the server certificate file. IMPORTANT: When signing the new server certificate, the 'authorityKeyIdentifier' section must only include the keyid, and not the issuer. This is necessary to prevent issues related to different subjects of the old and new CA's."
>
> That's the part I am not sure of. Can this be done with easy rsa 3 or do I need to manually do it with openssl. I am thinking this is an openssl cli thing. If so, has anyone done this that can share the steps ?

If you can afford two rounds of client config updates, this could be done without step 3 -- see the following thread from users list: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05983.html

Essentially, update to the stacked CA (old+new) on server and stacked CA + new client certs on clients one by one. When all clients are updated, change the server certificate to the new one. Then do another round of client update where old CA is removed from the stack.

A link certificate allows one to do this in one round of client updates as also discussed in that thread. I have used OpenSSL CLI in the past for this but do not have a recipe at hand. No idea whether easyrsa could do it.

Selva
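The link certificate of Step 3, together with the two openssl verify checks given in the later reply in this thread, worked through end to end as an added example. This is not code from the thread, the linked blog post, OpenVPN or easy-rsa: it builds a throwaway PKI with the openssl CLI (an old CA, a new CA, a link certificate carrying the new CA's key but signed by the old CA, and a server certificate issued by the new CA), verifies the server certificate along both trust paths, and then shows what happens when the server certificate's authorityKeyIdentifier also pins the issuer name and serial (the "keyid only" requirement quoted above). All file names, subjects and extension values are choices made for this example.

```shell
#!/bin/sh
# Added example; not code from the thread, the blog post, OpenVPN or easy-rsa.
# Builds a throwaway PKI that mirrors the one-step migration: an old CA, a
# new CA, a link (cross-signed) certificate carrying the new CA's key but
# signed by the old CA, and a server certificate issued by the new CA. It
# then checks both trust paths with "openssl verify" and shows why the
# server certificate's authorityKeyIdentifier must hold the keyid only.
# File names, subjects and extension values are choices made for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() { # $1 = file prefix, $2 = CN; self-signed CA with the ca_ext extensions
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Link certificate: the new CA's subject and public key, signed by the old CA.
# Its SKID equals the new CA's SKID (same key), so a keyid-only AKID in the
# server certificate matches either of them as issuer.
make_link_cert() {
    openssl req -new -config req.cnf -key new-ca.key -subj "/CN=New CA" \
        -out link.csr 2>/dev/null
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > link.ext
    openssl x509 -req -in link.csr -CA old-ca.crt -CAkey old-ca.key \
        -CAcreateserial -days 365 -extfile link.ext -out link.crt 2>/dev/null
}

# Server certificate issued by the new CA; $1 = authorityKeyIdentifier value.
make_server_cert() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout server.key \
        -subj "/CN=vpn.example" -out server.csr 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
        "authorityKeyIdentifier = $1" > server.ext
    openssl x509 -req -in server.csr -CA new-ca.crt -CAkey new-ca.key \
        -CAcreateserial -days 365 -extfile server.ext -out server.crt 2>/dev/null
}

# Returns 0 when server.crt chains to the CA file $1. Pass "link" as $2 to
# offer link.crt as an untrusted intermediate, which is what an old client
# receives from a server whose --cert file stacks server cert + link cert.
verify_server() {
    if [ "${2:-}" = "link" ]; then
        openssl verify -show_chain -CAfile "$1" -untrusted link.crt server.crt
    else
        openssl verify -show_chain -CAfile "$1" server.crt
    fi
}

make_ca old-ca "Old CA"
make_ca new-ca "New CA"
make_link_cert
make_server_cert keyid

echo "# new client (trusts new CA):"
verify_server new-ca.crt
echo "# old client (trusts old CA, link cert supplied by the server):"
verify_server old-ca.crt link
echo "# old client without the link cert, expected to fail:"
verify_server old-ca.crt || true

# The server's --cert file: server certificate first, link certificate after.
cat server.crt link.crt > server-stacked.pem

# A fresh server certificate from the same new CA, but with an AKID that also
# pins the issuer name and serial of the new CA's self-signed certificate:
# the link certificate no longer qualifies as issuer, so the old-CA path
# breaks while the new-CA path still verifies.
echo "# server cert with authorityKeyIdentifier=keyid,issuer:always:"
make_server_cert "keyid,issuer:always"
verify_server new-ca.crt
verify_server old-ca.crt link || true
```

Running it prints the two chains (depth 1 is "New CA" in both, but reached through link.crt in the old-CA run) and the expected failure without the link certificate; the last run shows the "keyid only" rule in action. The stacked file is what goes into the server's --cert, with the new CA (or old+new stacked) in --ca.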
Re: [Openvpn-users] Internal DNS server & Windows 11 behaviour
Hi Bruno,

> Another reason which incited me to continue using the "Connect" client was the fact that for rather old people not very accustomed to VPNs and the like (my "customers" are mostly retired people in their sixties or seventies), having a big window open, with a clear feedback showing data flowing in and out and displaying quite clearly valuable information as the local IP address and the server's address, seemed easier to use and also for me to diagnose when problems occur.

Thanks for the feedback. As Gert said, knowing what users want/expect will help us improve the UI.

When I had users I used to tell them to just check whether the icon turns green and complain if it doesn't. In my case the VPN was for access to the office/corporate network from outside, and the only thing that mattered was whether they can access internal resources such as files, software license servers etc. Once set up, OpenVPN-GUI run with "silent_connection" worked very well for that. Until the next time I decided to tweak the setup and break it.

By the way, the GUI does show the tunnel IP in the tray icon popup as well as on the status window. But not the remote IP --- we show the connected profile name instead. Unfortunately, there is very limited space in a tray icon popup, but we could add this to the status window which opens up when you double click the tray icon when connected/connecting.

My users never could diagnose anything on their own, and I preferred to go through the client and server logs.

Regards,

Selva
Re: [Openvpn-users] Internal DNS server & Windows 11 behaviour
Hi,

> Hi Gert, many thanks, everything's fine, the "block-outside-dns" option works perfectly, but we'll have to use OpenVPN GUI only, as OpenVPN Connect rejects this as an unknown option. Not a big deal, at least we have a working solution.

I'm just being curious, is there any reason why you would prefer Connect over OpenVPN-GUI? Apart from the superficial looks, that is.

Thanks,

Selva
Re: [Openvpn-users] Is it possible to view the running OpenVPN configuration?
On Sat, Jul 22, 2023 at 3:20 AM Leroy Tennison via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> I have a situation where the conf file was modified by someone else but no backup was made (I know, bad practice, I don't have control over that) but ps seems to indicate that OpenVPN wasn't restarted afterward. Looking at the command line displayed by ps, the config file is listed and the parameter I'm interested in (max-clients) isn't one of them.

Even if the process has not been restarted, a SIGHUP "restart" could have reread the config file.

That said, if OpenVPN was started with verb >= 4, check the log file. Almost all settings are output to the log at that verbosity.

Selva
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hi,

> I’m willingly testing the new GHA build and let you know the result as soon as possible.

The link I sent was for the zip file for x64 build -- the following may be more transparent to show the branch it corresponds to.

https://github.com/selvanair/openvpn/actions/runs/4384798323#artifacts

Selva
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hello,

On Thu, Mar 9, 2023 at 4:01 AM openvpn wrote:
> Hi, I’m posting the following question here as I was redirected to this mailing list for support by OpenVPN forum.
>
> https://forums.openvpn.net/viewtopic.php?p=110748=error+0A7B#p110748

Thanks for your report. I think we introduced a bug while changing the pkcs11-helper interface to support RSA-PSS signatures. We now directly call pkcs11h_certificate_signAnyEx() but failed to convert the ECDSA signature to the form OpenSSL expects -- PKCS#11 returns r|s, OpenSSL wants DER encoded ASN.1.

If you want to try out a fixed version, use openvpn.exe from the GHA build here: https://github.com/selvanair/openvpn/suites/11479839963/artifacts/592797275

Just replacing the one installed in C:\Program Files\OpenVPN\bin with this should do.

Selva
Re: [Openvpn-users] OpenVPN 2.6 cryptoapicert ISSUER not viable
Hi,

On Sat, Mar 4, 2023 at 10:53 AM wrote:
> Am I wrong in assuming ISSUER: is a search parameter under cryptoapicert?
>
> I've tried it in a lab and receive the message "unsupported certificate specification"

This feature was added after the 2.6.0 release. It will be in 2.6.1 release.

Selva
Re: [Openvpn-users] OpenVPN-GUI 11.36.0: There might be a bug
On Thu, Feb 9, 2023 at 4:54 PM Stella Ashburne wrote:
> Hi,
>
> I have three config directories/folders, each from a different VPN provider. They are all in C:\Program Files\OpenVPN
>
> Let's call the three config folders config-1, config-2 and config-3
>
> The default config folder is simply called config
>
> After renaming one of them to config, I notice that the names from the other config folders remain in "System Profiles".
>
> In order to remove these other names, I need to uninstall OpenVPN and reinstall it. Only then will these other names disappear.
>
> This is a bug, isn't it?

Just restart openvpn-gui (i.e., exit and double click to start again), no need to re-install.

The GUI scans and adds newly added (or renamed) configs to the list but does not delete old ones from memory for technical reasons. There is a patch in the works to hide those from the user though the data will still remain in memory.

Selva
Re: [Openvpn-users] Correct way to handle routing when on home network?
Hello,

On Wed, Sep 28, 2022 at 1:10 PM Sebastian Arcus wrote:
> On 27/09/2022 21:09, tincantech wrote:
>
> Some updates from today's testing:
>
> Test case 1
>
> Topology: subnet
> Adapter: WinTUN
> Netbios over TCP/IP: disabled or enabled
> Result: 300kbs (for both states of NetBIOS over TCP/IP)
>
> Test case 2
>
> Topology: subnet
> Adapter: TAP
> Netbios over TCP/IP: disabled or enabled
> Result: 900Mbs (for both states of Netbios over TCP/IP)
>
> Essentially using "topology subnet" seems to work fine with the TAP adapter, but routes all smb traffic through the tunnel with the WinTUN adapter, even when Netbios over TCP/IP is disabled.
>
> I'm not sure if this actually clarifies things or makes it worse. I re-ran the tests several times, and rebooted the machine after changing the settings on the adapters and before running the tests

This is getting more and more mysterious. Somehow SMB traffic is using the VPN IP and hence getting routed through the tunnel. DNS/netbios would have been the obvious culprit, but that doesn't seem to be the case...

As Windows has no built-in policy routing facilities (does it?), probably there is some third party port forwarding running on the client? However, that should have affected both wintun and tap-windows tunnels.

Can you mount a shared folder using the LAN IP of the server like \\192.168.112.xx and see whether that makes a difference? tcpdump could also help figure out why there are two smb streams one using LAN IP and other using the VPN, which is carrying what traffic, which one gets established first etc..

Selva
Re: [Openvpn-users] Correct way to handle routing when on home network?
On Fri, Sep 23, 2022 at 5:07 PM Sebastian Arcus wrote:
> On 23/09/2022 14:48, Selva Nair wrote:
> > > Having said that, I took another look at the routing table on the Win10 client and noticed something odd. The only /32 routes I could find are
> > >
> > > 192.168.112.236 255.255.255.255 On-link 192.168.112.236 281
> > > 192.168.112.255 255.255.255.255 On-link 192.168.112.236 281
> > >
> > > the .236 address is the client , so I presume that the .255 address is the VPN server IP ? If so, then you've got a very peculiar network issue, as you say your network range is 192.168.112.0/24 .
> >
> > Windows always adds an onlink route to broadcast address --- that's what you are seeing with the route to 192.168.112.255, not a route to the "server". Nothing peculiar.
> >
> > One thing not clearly mentioned is whether the SMB "server" is on the VPN "server". If so, smb mount may be using a hostname that resolves as the VPN IP of the server. Or the VPN IP itself. Then SMB traffic will flow via the VPN.
>
> A very good point to raise indeed. The Samba server is the same machine as the vpn server. I already thought of that, and I checked on the Windows 10 client that the host name used to access the share does indeed resolve to the internal lan ip of the samba/vpn server - 192.168.112.1. Thank you for the suggestion though.

Are you sure? Check netstat to see established connections. SMB may not be resolving IP the way you think it does.

If this was a routing issue with all traffic to the server going through the tunnel, the tunnel itself would not work at all because of circular routing. There is no way for SMB traffic to flow through the VPN tunnel other than the client using the VPN IP of the server. Check again.

Selva
Re: [Openvpn-users] Correct way to handle routing when on home network?
> Having said that, I took another look at the routing table on the Win10 client and noticed something odd. The only /32 routes I could find are
>
> 192.168.112.236 255.255.255.255 On-link 192.168.112.236 281
> 192.168.112.255 255.255.255.255 On-link 192.168.112.236 281
>
> the .236 address is the client , so I presume that the .255 address is the VPN server IP ? If so, then you've got a very peculiar network issue, as you say your network range is 192.168.112.0/24 .

Windows always adds an onlink route to broadcast address --- that's what you are seeing with the route to 192.168.112.255, not a route to the "server". Nothing peculiar.

One thing not clearly mentioned is whether the SMB "server" is on the VPN "server". If so, smb mount may be using a hostname that resolves as the VPN IP of the server. Or the VPN IP itself. Then SMB traffic will flow via the VPN.

The bypass route is not relevant here: OpenVPN adds a bypass route only if redirect-gateway is in use. Which is not the case here. Also the relevant IP of the server for bypass depends on how is remote specified in the config -- remote could be made to resolve always to the public IP (via NAT) or to the LAN IP while on LAN. However, in both cases a bypass route is not required in this particular setup.

Selva
Re: [Openvpn-users] auth-token behaviour change in v2.5.0
Hi,

On Sat, Jul 2, 2022 at 6:20 PM Connor Edwards via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> Right, I think I'm getting somewhere with this now. It's not the OpenVPN server version, it seems to be something to do with the management socket options.
>
> I mentioned that we have this in the config:
> >management /run/openvpn/server/management.sock unix
> >management-client-auth
>
> If I comment those lines out and add a verify script to just let any user in:
> >auth-user-pass-verify /verify.sh via-env
>
> There's no issues and the client stays connected through TLS reauths.

The above difference in behaviour rings a bell. I had noticed a similar misbehaviour in 2.6 (possibly also present in 2.5) that is very likely a bug. I looked into it again:

On reauth, after auth token verification success, the log shows:

test/127.0.0.1:35874 TLS: Username/auth-token authentication succeeded for username 'test'
test/127.0.0.1:35874 TLS: Username/Password authentication deferred for username 'test' [CN SET]

The "authentication deferred" line above results from the use of management-def-auth, but the management interface will not be notified in this case as auth-token bypasses it during reauth. This would lead to TLS keys going out of sync and eventual client-disconnect as the auth will stay deferred forever. Plugin and script based auths are not affected.

The auth-token expiry message you see may be an indirect effect of this --- the server first disconnects the client, while the client continues and eventually does a ping-restart with the old token which will have a timestamp out of the reneg interval.

Could you please post a full verb=4 server log using official community releases for the client and server --- tunnelblick as client should be okay. It's not possible for us to reproduce what a viscosity client or server may be doing.

Selva

> Logically you might think that the reason the clients are being kicked off after a minute or so with management-client-auth is because another command needs to be entered to allow reauth. But in this case the server does not inform of reauth over the socket.
> >client-auth-nt 0 0
> >>CLIENT:ESTABLISHED,0
> ...
> >>CLIENT:DISCONNECT,0
>
> I'm aware that external-auth can be appended to the auth-gen-token option to handoff auth so that the server doesn't verify the token internally. This isn't what we're looking for - we want the server to handle the auth token generation and verification internally otherwise we'll have to implement this ourselves. There's nothing in the docs that says this is mutually exclusive with using the management socket.
> >auth-gen-token 43200 external-auth
>
> Thanks
>
> On Sat, Jul 2, 2022 at 5:07 PM Connor Edwards wrote:
>> Hello David,
>>
>> Yep, I have had a look at the source and the auth token feature was overhauled in v2.5.0.
>>
>> This issue is reproducible with the Viscosity client for macOS which uses v2.5.5 under the hood. But so far in my testing the client version doesn't seem to matter, only the server version does.
>>
>> My colleague and I have pored over the docs/manpage/source code but we haven't been able to find why this is happening. We are using a token lifetime of 12 hours:
>> >auth-gen-token 43200
>>
>> Yet upon a client connecting, the server will log that the token is expired not even a few minutes later.
>>
>> Here is a fairly minimal server/client config that can reproduce it. Note that reneg-sec is set to 30 for demonstration of this issue only.
>>
>> server.conf
>> >topology subnet
>> >server 192.168.254.0 255.255.255.0
>> >port 443
>> >proto tcp
>> >dev tun
>> >user openvpn
>> >group openvpn
>> >ca /etc/openvpn/pki/ca.crt
>> >cert /etc/openvpn/pki/issued/server.crt
>> >key /etc/openvpn/pki/private/server.key
>> >tls-server
>> >tls-crypt /etc/openvpn/ta.key
>> >tls-cert-profile preferred
>> >cipher AES-256-GCM
>> >remote-cert-tls client
>> >verify-client-cert require
>> >auth SHA512
>> >dh none
>> >ifconfig-pool-persist ipp.txt
>> >keepalive 10 120
>> >persist-key
>> >persist-tun
>> >management /run/openvpn/server/management.sock unix
>> >management-client-auth
>> >reneg-sec 30
>> >auth-gen-token 43200
>>
>> client.conf
>> >remote localhost 443 tcp-client
>> >nobind
>> >dev tun
>> >redirect-gateway def1 ipv6
>> >persist-key
>> >pull
>> >auth-user-pass
>> >tls-client
>> >ca ca.crt
>> >cert cert.crt
>> >key key.key
>> >remote-cert-tls server
>> >tls-crypt tlscrypt.key
>> >auth SHA512
>> >push-peer-info
>> >cipher AES-256-GCM
>>
>> Steps to reproduce:
>>
>> 1. Install OpenVPN server 2.5.5
>> 2. Connect to the server management socket with nc -U /run/openvpn/server/management.sock
>> 3. Connect the client to the server
>> 4. Issue the client-auth-nt command into the socket to allow the connection, for example: client-auth-nt 0 0
>> 5. Watch the server logs
>> 6. Observe that the client is disconnected for an expired
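As an added example, not code from the thread or from OpenVPN: a small management-interface authenticator for a server running management-client-auth, of the kind the reporter was driving by hand with nc -U and client-auth-nt. It answers both >CLIENT:CONNECT and >CLIENT:REAUTH with client-auth-nt or client-deny, which is exactly the reply that never gets solicited when reauth is handled by the built-in auth-token check; a REAUTH that stays unanswered is what leaves the authentication "deferred". The credential list, the username character whitelist and the sample event stream are constructed for this example; the event and command formats are those of the OpenVPN management protocol. The socket path in the usage note is the one from the quoted server.conf and the socat wiring is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN. A minimal
# management-interface authenticator for a server started with
# "management-client-auth": the server's ">CLIENT:" notifications arrive on
# stdin and the replies it expects ("client-auth-nt" / "client-deny") go to
# stdout. Both >CLIENT:CONNECT and >CLIENT:REAUTH are answered; a REAUTH left
# unanswered stays "deferred" and the client is eventually dropped.
# Credentials, the username whitelist and the sample events are constructed.
set -e

# Constructed credential store (user:password); a real handler would query
# LDAP, a hashed password file, etc.
CREDENTIALS="alice:s3cret bob:hunter2"

check_password() { # $1 = user, $2 = password; returns 0 on a match
    for entry in $CREDENTIALS; do
        [ "$entry" = "$1:$2" ] && return 0
    done
    return 1
}

# handle_events: management event lines in, management commands out.
# A REAUTH is only approved for a client id that passed CONNECT in this run
# and presents the same username; DISCONNECT forgets the session.
handle_events() {
    kind=""; cid=""; kid=""; user=""; pw=""; sessions=""
    while IFS= read -r line; do
        case "$line" in
            ">CLIENT:CONNECT,"*|">CLIENT:REAUTH,"*)
                rest=${line#">CLIENT:"}
                kind=${rest%%,*}; rest=${rest#*,}      # CONNECT|REAUTH, then CID,KID
                cid=${rest%%,*}; kid=${rest#*,}
                user=""; pw="" ;;
            ">CLIENT:ENV,username="*) user=${line#">CLIENT:ENV,username="} ;;
            ">CLIENT:ENV,password="*) pw=${line#">CLIENT:ENV,password="} ;;
            ">CLIENT:ENV,END")
                [ -n "$kind" ] || continue              # END of an event we ignore
                ok=1
                case "$kind:$user" in
                    *:|*:*[!A-Za-z0-9_.@-]*) : ;;       # empty or unsafe username: deny
                    CONNECT:*) check_password "$user" "$pw" && ok=0 ;;
                    REAUTH:*) case " $sessions " in *" $cid=$user "*) ok=0 ;; esac ;;
                esac
                if [ "$ok" = 0 ]; then
                    [ "$kind" = CONNECT ] && sessions="$sessions $cid=$user"
                    printf 'client-auth-nt %s %s\n' "$cid" "$kid"
                else
                    printf 'client-deny %s %s "auth failed" "Authentication failed"\n' "$cid" "$kid"
                fi
                kind="" ;;
            ">CLIENT:DISCONNECT,"*)
                gone=${line#">CLIENT:DISCONNECT,"}
                kept=""
                for s in $sessions; do
                    [ "${s%%=*}" = "$gone" ] || kept="$kept $s"
                done
                sessions=$kept ;;
        esac
    done
}

# Constructed event stream: a good login and its reauth, a bad login and its
# reauth attempt, then a reauth for a session that has already disconnected.
sample_events() {
    cat <<'EOF'
>CLIENT:CONNECT,0,0
>CLIENT:ENV,username=alice
>CLIENT:ENV,password=s3cret
>CLIENT:ENV,END
>CLIENT:ESTABLISHED,0
>CLIENT:REAUTH,0,1
>CLIENT:ENV,username=alice
>CLIENT:ENV,END
>CLIENT:CONNECT,1,0
>CLIENT:ENV,username=mallory
>CLIENT:ENV,password=x
>CLIENT:ENV,END
>CLIENT:REAUTH,1,1
>CLIENT:ENV,username=mallory
>CLIENT:ENV,END
>CLIENT:DISCONNECT,0
>CLIENT:REAUTH,0,2
>CLIENT:ENV,username=alice
>CLIENT:ENV,END
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_events | handle_events
fi
```

Run with --demo to see the replies for the sample stream (two client-auth-nt lines, then three client-deny lines). To put it on a live server you need a bidirectional relay, for instance socat UNIX-CONNECT:/run/openvpn/server/management.sock EXEC:./mgmt-auth.sh (assumed invocation). The handler denies by default: an unknown event kind, an empty or oddly formed username, or a reauth from a client id it never approved all produce client-deny.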
Re: [Openvpn-users] Problem with service on windows server
Hi,

If you are referring to running at boot using the so-called automatic service, the service runs as local system and spawns openvpn.exe with elevated privileges.

If using the GUI, the "right" way is to run the GUI without elevation, let the interactive service start openvpn.exe as user (not elevated) with the service handling tasks requiring elevation. That is the default and should just work out of the box since version 2.4.

If you want to run openvpn.exe from the command line, use an elevated prompt. Setting run-as-administrator on the executable would be a mistake.

It's a pity that there is so much outdated info about OpenVPN on Windows out there.

Selva

On Tue, Jun 28, 2022 at 12:31 AM Jordan Hayes wrote:
> The other thing that's always driven me crazy is that the client needs to have the "run as administrator" bit set, and it doesn't happen by default.
>
> /jordan
Re: [Openvpn-users] Problem with service on windows server
Hi,

> the \\config-auto folder is only created if the 'openVPN Service' is selected *manually* during installation.
> We need to install the automatic service without manual intervention.

Is this also the behaviour on a fresh install instead of an update?

The logic for installing the service was complicated from start because we wanted to detect when automatic service should be set to autostart, migrate configs into config-auto if required etc. during an update. But, in the process, it seems we have somehow ended up not installing it by default.

Actually, always installing and even setting its startup to auto should be safe now as we have a folder exclusively meant for auto-start ones (config-auto). This was not the case with older versions.

Selva

> However, the 'Interactive-Service' *is* installed by default.
>
> This feels *needlessly* complicated.
>
> As a long-time Windows user, I am much more accustomed to turning options which I do not want OFF than I am turning options which I do want ON.
>
> Also, the installer does not have the customary:
> * FULL (Default)
> * Standard - This could be renamed 'CLIENT ONLY', if that is the intention ..
> * Custom - Debugging ..
> * Advertiser sponsored - This is common enough.
>
> which I would normally "hope" to see from a well behaved .msi installer.
>
> my2c
>
> --- Original Message ---
> On Monday, June 27th, 2022 at 22:49, tincantech wrote:
>
> > Correction: 2.5.7-I602 not 2.5.5
> >
> > --- Original Message ---
> > On Monday, June 27th, 2022 at 22:35, tincantech via Openvpn-users openvpn-users@lists.sourceforge.net wrote:
> >
> > > Hi,
> > >
> > > I must point this out:
> > >
> > > > I am setting up an OpenVPN server on a windows server for a client, but ran into the problem where the openvpn service in services doesn’t pick up the config files I placed into the C:\Program Files\Openvpn\config folder.
> > > >
> > > > I can start the server from the command line just fine and also from the openvpn-gui client, but when I start the openvpn service in services, the service starts and stays running, but the server isn’t listening for incoming connections.
> > >
> > > It is not clear if the following point affects the OP, however ..
> > >
> > > The correct folder for auto-start is:
> > > C:\Program Files\Openvpn\config-auto
> > >
> > > However, this directory and the README are not installed using 2.5.5-I602.
> > >
> > > This could be due to recent changes.
Re: [Openvpn-users] Problem with service on windows server
Hi,

Check whether openvpnservice is installed by running the following from a command line:

sc query OpenVPNService

It will show whether the service exists and its current state. If installed but not running, open services and change the startup to automatic and start. If not installed, you may have to uninstall openvpn and re-install it. Select custom install and make sure OpenVPN service is selected.

It seems the msi installer has some weird logic in selecting when to install the service (so-called automatic service) and when to set it to auto start. The interactive service used by the GUI is installed by default.

Selva

On Sat, Jun 25, 2022 at 3:09 PM Austin Witmer wrote:
> Hello all!
>
> I am setting up an OpenVPN server on a windows server for a client, but
> ran into the problem where the openvpn service in services doesn’t pick up
> the config files I placed into the C:\Program Files\Openvpn\config folder.
>
> I can start the server from the command line just fine and also from the
> openvpn-gui client, but when I start the openvpn service in services, the
> service starts and stays running, but the server isn’t listening for
> incoming connections.
>
> The log files aren't being created either, so that makes me think that for
> some reason the openvpn service isn’t seeing my server.ovpn file with my
> configuration.
>
> By the way, this is the latest version of openvpn downloaded and installed
> this morning.
>
> Do you have any idea what the problem is? Thanks in advance for your help!
>
> Austin Witmer
Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash
On Thu, Mar 10, 2022 at 6:14 AM Jakob Curdes wrote:
> Hello all,
>
> we are trying to implement 2FA for several existing Firebox SSL VPNs
> (which essentially uses OpenVPN on server and client side). The remote
> users all use the Windows OpenVPN client. This works perfectly without 2FA,
> and it works also if you do not need to specify the authentication domain
> on user logon. But for the migration it is necessary to do that as I cannot
> convert all users at once - the domain you enter in the username field is
> then "authpoint" instead of something like "company.private". In the 2FA
> process, the OpenVPN client then opens a text window where you can enter a
> TOTP token or a "p" for a push request. This all works with the default
> domain set, but not when specifying a domain with a backslash:

If you are using OpenVPN-GUI for Windows, it looks like a bug.

I guess, by text window, you mean the challenge-response dialog that the GUI pops up for 2FA. The username is first input in the username/password dialog and that seems to succeed with the backslash in it. You should be able to see that the username is passed to management with the backslash replaced by "\\" (escaped). Then the challenge-response dialog is shown when AUTH_FAILED with challenge is received, where the user types the response. In that round the username is submitted again and that seems to be failing.

Looks like a bug in the GUI -- we are not expanding the string when submitted from that dialog. Generally, we use ManagementCommandFromInput() to submit user input and that does the escaping, but for this username, which is not input by the user but passed in by the server, we send it directly without escaping. Will fix if that is indeed the case.

As a quick fix, username@domain instead of domain\username may work with your server.

Selva
Re: [Openvpn-users] LAN-LAN connection via ASUS Router OpenVPN?
Hi

On Fri, Jan 14, 2022 at 10:36 AM Bo Berglund wrote:
>
> I have two ASUS routers, RT-AC68U and RT-AC86U.
> One is sitting at home (RT-AC86U) on a fiber connection and the other will
> soon be placed at my summer home where we have just gotten a fiber installed.
>
> Now I would like to hook the two sites together using VPN so that I can reach
> resources on both LAN from both places.
>
> I have seen this documentation:
> https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/
> It shows in principle how it can be done.

That doc relates to the commercial OpenVPN Access server, not the community version of OpenVPN. Read this instead:

https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet

Ignore the part about bridged setups, stick to routed tun.

>
> But now I wonder if someone here has done this using the built-in OpenVPN
> (client/server) of the ASUS routers and can share their experience?
>
> I also found ASUS documentation of how to do it but using IPSec rather than
> OpenVPN:
> https://www.asus.com/support/FAQ/1033578/
>
> This also seems to concern a different series of routers than what I have,
> though, and the dialogs shown do not look the same as what I have so this is
> not working.
>
> Do I have to configure my routers as both OpenVPN Server and Client and have
> them connect to each other, or can one connect to the other in Client mode
> while the routing will be both ways?

I do not know about the built-in OpenVPN in ASUS routers, but typically you would run one as a server and the other as a client, although point-to-point is also possible. Use routed tun mode and set up routing as in the howto linked above.

Selva
Re: [Openvpn-users] Kill OpenVPN clients from server so that they do not restart automatically
Hi,

On Thu, Dec 30, 2021 at 7:14 AM Paul Pooker wrote:
>
> Hello,
>
> I was wondering whether anyone has found a way to kill clients in such a
> manner that they are prevented from reconnecting to the server automatically,
> with either the client being re-prompted for their passphrase to unlock their
> secret key, or for the server to instruct the client to terminate the OpenVPN
> process on the client side, so that it must be re-executed?

I guess by "secret key" you mean the private key of the client certificate.

Use "client-kill <CID> HALT" from the server's management interface. Here <CID> is the client-id of the client you want to terminate, which may be found in the "status 2" and "status 3" listings.

For restarting with a password prompt, you could use "client-kill <CID>" (leave out the HALT) or "kill <cn>" along with "--auth-nocache" in the client config. However, this would cause a password prompt during every renegotiation as well. There are ways to avoid that if username/password is in use: it involves a combination of auth-token and distinguishing between reneg and restart in the auth-user-pass-verify process. But, with only a private-key password, that is not an option.

By the way, remapping signals or changing persist-key has to be done in the client config (not on the server) for it to have any effect on how signals are interpreted by the client or whether the key is persisted. To not persist the key just leave out that option. Also see "man openvpn".

Selva
Re: [Openvpn-users] Current openvpn(related) CVEs
On Tue, Nov 23, 2021 at 11:13 AM Selva Nair wrote:
>
> On Tue, Nov 23, 2021 at 8:51 AM Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
>
>> Yeah, it's in german, but anyway:
>>
>> https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-Software-6274101.html
>>
>> "An attacker can take leverage on this architecture and send the
>> config command from any application running on the local host machine
>> to force the back-end server into initializing a new open-VPN instance
>> with arbitrary open-VPN configuration. This could result in the
>> attacker achieving execution with privileges of a SYSTEM user."
>
> This description appears to relate to OpenVPN Interactive Service.

If so, it's not correct. The service runs OpenVPN.exe as a user, not as SYSTEM. On top of it, a user can send arbitrary configs to the service only if an administrator grants the user permission to do it --- via a group membership.

The user cannot start arbitrary "openvpn.exe" processes using the service: the process must reside in a location where an admin user has installed it.

Selva
Re: [Openvpn-users] Current openvpn(related) CVEs
On Tue, Nov 23, 2021 at 8:51 AM Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
> Yeah, it's in german, but anyway:
>
> https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-Software-6274101.html
>
> "An attacker can take leverage on this architecture and send the
> config command from any application running on the local host machine
> to force the back-end server into initializing a new open-VPN instance
> with arbitrary open-VPN configuration. This could result in the
> attacker achieving execution with privileges of a SYSTEM user."
>
> Are there any plans of protecting the management interface (i.e. on
> Windows-Client) using a random password, only known to the GUI &
> openvpn process?

OpenVPN GUI has always used a random password for the management interface. It's cleared from memory on first use and not saved anywhere. I know of no GUI versions where this was not done.

Selva
Re: [Openvpn-users] push-reset / override defaults in ccd files ?
On Tue, Nov 16, 2021 at 3:16 PM mike tancsa wrote:
> Hi all,
>
> I have a number of vpn endpoints where I push a set of routes
> through the server's config. I now need to make an exception for one
> such client. As it's in the field, I have no easy way of changing the
> remote config. Is there a way where I can cancel a route push through
> the ccd file ? e.g. in the server conf file I have
>
> push "route 192.168.68.0 255.255.255.0"
>
> I want to exclude that push for one site. Is there a way to "un push"
> that route in the ccd file ?
>
> The other option I found was that I can use push-reset. However, after
> the client initially connects and everything works, the server which has
> "keepalive 5 30", thinks the connection has failed and it times out
> because I guess the client no longer sends keep alives
>
> [x509testcert] Inactivity timeout (--ping-restart), restarting
>
> and the client never reconnects on its own :(
>
> I tried adding
>
> push-reset
> push "keepalive 5 30"
>
> to the ccd file, but that doesn't seem to work. Any ideas ?

"keepalive 5 30" on the server leads to

push "ping 5"
push "ping-restart 30"

So try adding those two lines after push-reset.

Selva
Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server
On Mon, Nov 15, 2021 at 1:42 PM Rui Santos wrote:
>
> On 15/11/21 17:06, Jan Just Keijser wrote:
> > Hi Rui,
> >
>
> Hello Jan! Thanks for getting back to me :)
>
> > this is indeed what you use the management interface for. Read up at e.g.
> > https://openvpn.net/community-resources/management-interface/
> >
> > the command is
> > kill <cn>
> > or
> > kill <IP>:<port>
> >
> > You can query the list of existing connected clients using the
> > status
> > command.
>
> Yes, I did all that. The problem with that is that, by using those
> commands, I was never able to "tell" the client to connect to the next
> server. With the approach you mentioned, the client will 1st try to
> connect to the same server it was initially connected to. What I need,
> is for the client to connect to the "next" server on the connection
> list, composed of several --remote directives.
>
> However, in the meantime, and getting desperate, I went to look at the
> source code, to see how exactly the --explicit-exit-notify directive
> actually accomplishes it. And I found out how to successfully do it. For
> the record, and all good and helping people of the open community,
> here's the solution:
> 1. Open the management interface
> 2. Get CID
> 3. Issue: client-kill RESTART,[N]
>
> Hope this will help someone else :)
>
> Now, what I still miss to accomplish, is bullet number 2: How to make a
> client connect to the next server, without trying the server he was
> connected to in the 1st place.
> This is useful, for example: Imagine a server has a network issue of
> some sort, and a ping-timeout happens on the client (normal behavior).
> Now what the client actually does, is 1st try to connect to the same
> server, which is down. Although the client will eventually connect to
> the next server, it will take some time to figure out that the current
> server is actually down, thus leaving the network behind the client,
> without a working tunnel for longer.
> How can this be tweaked?

I do not know any way of avoiding the retry of the current remote once on ping-restart. You could probably alleviate the issue somewhat by using a short "--server-poll-timeout". The default is pretty long (60 sec or 120 sec for UDP?). But too small a value would cause unwanted failures.

That said, ping-restart also takes a while to trigger, so there is not much you can do to avoid a period of broken tunnel.

Selva
Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server
Hi,

> > client-kill CID
> >
> > from the management interface of the server. Here CID is the client-id
> > of the client which could be obtained from status output. This command
> > by default causes the client to RESTART. It takes an optional argument
> > if you want to, say, HALT the client instead.
>
> The proper message is RESTART,[2].
> RESTART alone, although it will trigger a restart, it will not trigger
> the client to connect to the "next" server.

It has been a while since I used this, but now that you mention it, it may need "RESTART,[N]" to move to the next server. Not sure [2] would work.. Please test. Unfortunately this command is very poorly documented.

Selva
Re: [Openvpn-users] Issue a specific tunnel to re-connect to the next server
On Mon, Nov 15, 2021 at 12:08 PM Jan Just Keijser wrote:
> Hi Rui,
>
> On 15/11/21 17:32, Rui Santos wrote:
> > Hello everyone,
> >
> > I'm trying to design a setup where I define 2 servers for a particular
> > client to connect to, basically 2 remote directives within the same
> > client config file.
> > Up until now, it works by:
> > - defining explicit-exit-notify 2 on the client config file

I guess you mean server config, not client config. On the client, 2 would be interpreted as the number of times to send the notify.

> > - defining explicit-exit-notify 2 <- 2 here to connect to the next
> > server on the list.
> > Now, all this works as documented, when I restart one OpenVPN server,
> > the client will connect to the next one on the list... perfect. The
> > particular problem I have with this is that, this will issue a
> > RECONNECT to all clients connected on that particular server.
> >
> > Now what I couldn't do, don't even know if it's possible is either:
> > - to use the management interface to disconnect one particular tunnel.
> > Maybe there's another way to accomplish it. The target here, is to
> > make a particular client instance, to connect to the next server on
> > the list, without actually restarting the daemon
> > - to instruct the client to reconnect to the next server in the list,
> > no matter the cause of disconnection, or even at ping-timeout (UDP)
> >
> > Are any of these approaches even feasible? If so, can someone please
> > point me in the right direction?
> >
>
> this is indeed what you use the management interface for. Read up at e.g.
> https://openvpn.net/community-resources/management-interface/
>
> the command is
>    kill <cn>
> or
>    kill <IP>:<port>

I think that will send SIGTERM to the client which you do not want. Instead use

client-kill CID

from the management interface of the server. Here CID is the client-id of the client which could be obtained from status output. This command by default causes the client to RESTART. It takes an optional argument if you want to, say, HALT the client instead.

Selva
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
On Wed, Sep 22, 2021 at 4:35 PM Gert Doering wrote:
> Hi,
>
> On Wed, Sep 22, 2021 at 03:45:26PM -0400, Selva Nair wrote:
> > Is it worth the trouble? Isn't this use case arising from wanting to use
> > the GUI for something that it's not?
>
> Yeah, maybe it's the wrong approach, and a CLI tool might be better.
>
> OTOH, I'm not sure how that would play out with "openvpn has been started,
> and the CLI tool now returns and all connection to the running process
> is lost" (so, how to stop it?).

Management interface? Just to stop gracefully one could use --exit-event

A CLI that uses the interactive service to start openvpn.exe, optionally with a management password, would be interesting to have. Sending commands to the management i/f from a python or perl script [*] should be easy? Maybe even from powershell for those into that kind of stuff.

Selva
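To make concrete the "client-kill CID HALT" / "RESTART,[N]" commands from the earlier replies on this page and the scripted use of the management interface suggested here, an added example (not OpenVPN's own code): a small Python client that authenticates to a server's management interface, parses the "status 2" listing to find the client-id for a common name, and issues client-kill. The password, the status listing and the server replies are constructed stand-ins so it runs offline; a real session would pass socket.create_connection((host, port)) in place of the fake.

```python
import csv
# Constructed greeting in the shape of the real one (not captured from a server).
GREETING = b">INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info\r\n"

def parse_client_list(lines):
    """Client ID -> {column: value} from the CLIENT_LIST rows of 'status 2' (CSV) or
    'status 3' (TSV). Column names are read from the HEADER row, whatever the version."""
    columns, clients = None, {}
    for line in lines:
        fields = next(csv.reader([line], delimiter="\t" if "\t" in line else ","))
        if len(fields) > 1 and fields[0] == "HEADER" and fields[1] == "CLIENT_LIST":
            columns = fields[2:]
        elif fields and fields[0] == "CLIENT_LIST" and columns:
            row = dict(zip(columns, fields[1:]))
            if "Client ID" in row:
                clients[row["Client ID"]] = row
    return clients

class ManagementSession:
    """Line client for an OpenVPN server's management interface; `sock` needs only
    sendall() and recv(), e.g. socket.create_connection((host, port)) or the fake below."""
    PROMPT = b"ENTER PASSWORD:"  # sent without a newline when the server has a password

    def __init__(self, sock, password=None):
        self._sock, self._buf = sock, b""
        if password is not None:
            while not self._buf.endswith(self.PROMPT):
                self._fill()
            self._buf = self._buf[:-len(self.PROMPT)]
            if not self.command(password)[-1].startswith("SUCCESS:"):
                raise PermissionError("management password rejected")

    def _fill(self):
        chunk = self._sock.recv(4096)
        if not chunk: raise ConnectionError("management connection closed")
        self._buf += chunk

    def _readline(self):
        while b"\n" not in self._buf:
            self._fill()
        line, _, self._buf = self._buf.partition(b"\n")
        return line.decode("utf-8", "replace").rstrip("\r")

    def command(self, cmd):
        """Send one command and return its reply: a block ending in END, or a single
        SUCCESS:/ERROR: line. Asynchronous '>' notifications (INFO, CLIENT, ...) are skipped."""
        self._sock.sendall(cmd.encode() + b"\n")
        lines = []
        while True:
            line = self._readline()
            if line.startswith(">"): continue  # asynchronous notification, not part of the reply
            lines.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                return lines

    def find_cids(self, common_name):
        """Client IDs currently connected under `common_name` (there may be several)."""
        clients = parse_client_list(self.command("status 2"))
        return [cid for cid, row in clients.items() if row.get("Common Name") == common_name]

    def client_kill(self, cid, message=None):
        """client-kill CID [MESSAGE]; MESSAGE is relayed to the client: HALT, or
        RESTART,[N] to restart and move on to its next --remote. True on SUCCESS."""
        cmd = f"client-kill {cid}" if message is None else f"client-kill {cid} {message}"
        return self.command(cmd)[-1].startswith("SUCCESS:")

class FakeManagementSocket:
    """Constructed stand-in for the server socket so the example runs offline."""
    def __init__(self, password, replies):
        self.sent, self._password, self._replies = [], password, replies
        self._pending = [ManagementSession.PROMPT]

    def recv(self, n):
        return self._pending.pop(0) if self._pending else b""

    def sendall(self, data):
        text = data.decode().rstrip("\n")
        self.sent.append(text)
        self._pending.append(b"SUCCESS: password is correct\r\n" + GREETING if text == self._password
                             else self._replies.get(text, "ERROR: unknown command\r\n").encode())

# Constructed 'status 2' listing in the server's CSV layout (not captured from a real server).
STATUS2 = (
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,"
    "Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,"
    "Client ID,Peer ID,Data Channel Cipher\r\n"
    "CLIENT_LIST,site-a,203.0.113.10:51234,10.8.0.6,,12345,67890,2021-11-15 16:00:00,1636992000,UNDEF,7,0,AES-256-GCM\r\n"
    "CLIENT_LIST,site-b,198.51.100.7:40012,10.8.0.10,,222,333,2021-11-15 16:30:00,1636993800,UNDEF,9,1,AES-256-GCM\r\n"
    "GLOBAL_STATS,Max bcast/mcast queue length,0\r\nEND\r\n"
)

def demo(common_name="site-a", message="RESTART,[N]"):
    """Offline walk-through: authenticate, look up the CID, send client-kill."""
    replies = {"status 2": STATUS2,
               "client-kill 7 RESTART,[N]": "SUCCESS: client-kill command succeeded\r\n"}
    sock = FakeManagementSocket("s3cret", replies)
    session = ManagementSession(sock, password="s3cret")
    cids = session.find_cids(common_name)
    ok = bool(cids) and all(session.client_kill(cid, message) for cid in cids)
    return cids, ok, sock.sent
```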
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
Hi,

On Wed, Sep 22, 2021 at 12:55 PM Gert Doering wrote:
> Hi,
>
> On Wed, Sep 22, 2021 at 06:22:15PM +0200, Bo Berglund wrote:
> > - send a silent_connection 1 command
> > - Wait a while for the command to be executed
> > - then send the actual connection command
> > - Wait until we have a connection
>
> @selva: how complicated would it be to create a "hey, gui, please make
> this call *blocking* until all pending VPN client connections are
> established (or have given up)" command?

We do use SendMessage() which blocks until the receiver has "processed" the message (up to 30 seconds). But the meaning of "processing" is vague. Currently, it means the receiver has parsed it and issued a command to its message queue. Nothing is done immediately in a GUI -- for connect, it will spawn openvpn and yield. At some point the management i/f will trigger a read and after many such events a connection is established.

If the GUI were to send a message back to the sender at that point, we have to decide what those critical events are -- connection established, disconnected, reconnected or something else? The receiver has no idea at what point the sender wants a message. Also we do not have a method for receiving messages from the running instance. Even if we were to add it, it's still hard to define the meaning of completion of a command.

A more natural way would be for the sender to periodically check the state of a connection. Which also requires the ability for the GUI to send back messages. As the sender has no Window initialized, that will have to use some other IPC mechanism than messages.

Is it worth the trouble? Isn't this use case arising from wanting to use the GUI for something that it's not?

Selva
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
On Wed, Sep 22, 2021 at 9:18 AM Bo Berglund wrote:
> On Tue, 21 Sep 2021 10:37:10 -0400, Selva Nair wrote:
>
> >> >> >We have some support for sending commands to the GUI to
> >> >> >connect, disconnect etc.. See
> >> >> >
> >> >> > https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-openvpn-gui
>
> I looked in the documentation and found this among "supported cmds":
>
> silent_connection 0 | 1
>
> I want to use it to stop the connection dialog from being displayed while
> the connect process runs:
>
> So I tried to add the command into the openvpn-gui argument list when
> starting a connection programmatically (all on one line):
>
> C:\Programs\OpenVPN\bin\openvpn.exe --command silent_connection 1
> --command connect SSRClient001-tun

With no GUI running, try

openvpn.exe --silent_connection 1 --connect SSRClient001-tun

The purpose of --command is to send commands to a running instance of the GUI. And, only one --command is allowed at a time.

You can also go to the settings menu of the GUI, set silent connection to on. It will be remembered when you start the GUI next time from the command line.

Selva
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
Hi

On Tue, Sep 21, 2021 at 8:42 AM Bo Berglund wrote:
> On Fri, 18 Jun 2021 11:15:00 -0400, Selva Nair wrote:
>
> >Hi,
> >
> >On Fri, Jun 18, 2021 at 3:36 AM Bo Berglund wrote:
> >
> >> On Sat, 12 Jun 2021 14:01:51 -0400, Selva Nair wrote:
> >>
> >> >> I wonder if there is some way (on Windows) to start the tunnel connection
> >> >> from the special comm program and then close it down when the comm session is
> >> >> over and the program closes.
> >> >> I have written the comm program and I could add such a feature if it is
> >> >> possible to accomplish.
> >> >>
> >> >> OpenVPN-GUI is sort of a GUI program so I suspect it does not have any
> >> >> useful hooks...
> >> >>
> >> >
> >> >We have some support for sending commands to the GUI to
> >> >connect, disconnect etc.. See
> >> >
> >> > https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-openvpn-gui
> >> >
> >> >Selva
> >>
> >> I have now tested the individual commands to connect and disconnect using a
> >> small program just for testing this interaction. It seems to work very well.
> >>
> >> But when I integrated it into the main client application I found that what
> >> happens on the connect call
> >>
> >> openvpn-gui.exe --command connect serverconfig
> >>
> >> is that the connection dialog pops up showing all of the progress messages
> >> while connecting, but at this time the call to openvpn-client returns *before*
> >> the connection is established so my following actions are errored out because
> >> there is not yet a connection.
> >> When I traced this in the debugger with a breakpoint directly following
> >> the call it reaches the breakpoint before the dialog has finished...
> >>
> >> So now I am wondering if the connect call just *triggers* openvpn-gui to
> >> start the connect process but it does so in its main thread so it exits the
> >> user call?
> >>
> >
> >That is correct. It uses Windows messages and returns as soon as the
> >message is delivered. You will have to do some checks like ping the remote
> >through the tunnel to determine the connection has started up. The status
> >window popup can be avoided by toggling silent-connection (see the
> >supported commands in README).
> >
> >Selva
>
> I am returning to this issue after the summer, when I had to make a pause,
> so I have a follow-up question:
>
> I implemented the GUI call to start a connection and I made it hide the
> dialog window. So now I need to cover all bases so to speak...
>
> Since ping is not really working well to detect a connection I figured
> that I could invoke the Windows command:
>
> ipconfig /all
>
> and examine the result to check that an adapter with the correct starting 3
> octets of the tunnel IPv4 address appears (or is already present). I have
> noted that it is present when connected but not when unconnected.
>
> What I don't understand is for how long I should wait until giving up after
> commanding a connection?

Depending on your network, about 30 seconds max, probably. But it also depends on whether you want it to try the next remote if one fails, how many times to retry etc.

>
> I have noted that the OpenVPN GUI application runs a *very long time*
> (maybe forever) if there is no connection to the server, seems to restart
> every minute...
>
> Is there a way to make it stop if it does not connect within a certain
> (short) time?

If you want to stop using the "send commands to running GUI" feature, send the disconnect command.

openvpn-gui.exe --command disconnect profilename

See the readme in the GUI repo. Or, add "connect-retry-max 1" to the config file. See the OpenVPN manpage. Which is better depends on the use case.

Selva
Re: [Openvpn-users] [Openvpn-devel] Adding RSA-PSS support in pkcs11-helper
Hi Mike,

Having this in a release depends on getting the PR merged upstream. My patch for updating the API with signature parameters has been merged into pkcs11-helper, so, in principle, we could now handle this in OpenVPN. But that takes some effort.

Thanks for testing,

Selva

On Fri, Jul 30, 2021 at 8:39 AM mike tancsa wrote:
> Hi,
>
> Thanks, I finally got around to testing this with the current
> version of OpenVPN from git and it works great on my
> Aladin/SafeNet/Gemalto/Thales token (model 510x)
>
> Would be great if this was part of the default build/distribution.
>
> I can now get TLS1.3 working using the pkcs11 interface.
>
> ---Mike
>
> On 5/2/2021 7:13 PM, Selva Nair wrote:
> > Hi,
> >
> > Currently RSA-PSS signatures are handled in pkcs11-helper by asking
> > the token to do raw RSA signature of data already padded by OpenSSL.
> > Many new hardware tokens refuse to support this mode and require the
> > padding to be done in hardware.
> >
> > For a recent user report see this thread:
> > https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html
> >
> > Probably there are some related tickets on Trac too.
> >
> > In OpenVPN, we have a couple of options to fix this:
> >
> > (i) Use a different library like libp11 (for OpenSSL only).
> > (ii) Extend pkcs11-helper
> > (iii) Roll something new on our own :)
> >
> > After some thought, I have decided that extending pkcs11-helper may be
> > the least painful approach --- not including the mental distress in
> > getting code reviews and changes accepted. The "helper" has several
> > features that we depend on and not readily available in alternatives.
> >
> > If anyone is interested in testing this, see
> > https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support
> >
> > Though I've opened a PR at
> > https://github.com/OpenSC/pkcs11-helper/pull/31 , it's only an RFC
> > and would likely require some iterations.
> >
> > Comments, suggestions for improvement, and test reports, are most
> > welcome.
> >
> > Thanks,
> >
> > Selva
Re: [Openvpn-users] [ext] Re: CA migration?
Hi

On Thu, Jul 22, 2021 at 9:10 PM Joe Patterson wrote:
> Or, make a new ca.crt file with both the old and new ca certs, no
> cross-signing required. Deploy to server, then to clients, so that
> both server and clients trust both CA's. Then update the client certs
> one by one to the new CA. Then update the server cert to the new CA.
> Then deploy a ca.crt with only the new CA cert.

This requires two rounds of client updates. But simpler than cross-signing.

Selva
Re: [Openvpn-users] [ext] Re: CA migration?
Hi,

On Thu, Jul 22, 2021 at 3:40 AM Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
> * Bo Berglund :
> > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt wrote:
> >
> > >But how do I do this? Can I make openvpn accept client certificates
> > >from two CAs (the old and the new one)?
> >
> > Why using a new certificate?
>
> I need a new CA due to the german BSI crypto regulations (RSA 2048 is
> not enough)

The usual approach for updating a CA would be to use cross-signed (or link) certificates. I haven't tried it with OpenVPN, but here is a thought:

First update the server cert signed by the new CA but include a link cert for the new CA signed by the old CA. That will make it possible for clients to still verify the new server cert. Change the CA cert on the server to a stack of old and new CA. Then gradually update the cert and ca on clients to the new one (new CA only, not old+new). When all clients are updated remove the old CA cert and the link cert on the server.

Totally untested.

Selva
Re: [Openvpn-users] OpenVPN 2fa user authentication
Hi

On Mon, Jul 5, 2021 at 11:58 AM David Mehler wrote:
> Hello,
>
> Thank you for your reply. I do not have a plugin-auth-pam I've run a
> find for it. Where would this be at, this would be perfect, especially
> if I'm understanding your response right each client certificate would
> then be bound to a specific username and password which would have to
> be validated serverside.

The plugin location may depend on the distribution. In ubuntu and debian it may be in /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so

Note that you need a fairly recent version of OpenVPN (iirc 2.4.10 or later) for the plugin to take apart the password and PIN and present it to PAM.

You will need:

In client config:

auth-user-pass
static-challenge "Challenge text (eg., Enter the auth code)" 1

In server config:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:USERNAME Password: PASSWORD Verification OTP"

This assumes your PAM module prompts for login:, Password: and, say, Verification code: (See README.auth-pam distributed with OpenVPN for how to format the above line to match your pam setup).

There is a lot of discussion of this in the users-list. Search the list archive. One of the latest threads is https://sourceforge.net/p/openvpn/mailman/message/37266238/

For older versions of the PAM plugin which do not understand OTP, one option is to ask the user to input the password and OTP as a single string and then take it apart in your PAM module. In that case remove static-challenge from the user config. But this is no longer required, nor recommended -- use 2.4.10+ or 2.5.x on the server.

Selva
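The reply above leaves the "take the password apart" step to the auth-pam plugin. As an added example (not OpenVPN's or the plugin's code), here is what that step looks like in an `auth-user-pass-verify SCRIPT via-file` script: it decodes the SCRV1 form a client configured with `static-challenge` sends, falls back to the password+OTP-typed-as-one-string form the reply describes for older setups, and checks the OTP as RFC 6238 TOTP. The user store, names and secrets are constructed; a real deployment would hand the check to PAM as the reply recommends.

```python
import base64
import hashlib
import hmac
import struct
import sys
import time

class AuthError(ValueError):
    """Credential that cannot even be parsed (malformed or wrong shape)."""

def encode_static_challenge(password, response):
    """What a client with `static-challenge` sends in the password field:
    SCRV1:<base64 password>:<base64 challenge response>."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(response)}"

def split_static_challenge(credential, legacy_otp_len=6):
    """Take the password field apart into (password, otp).
    SCRV1 is the static-challenge form; anything else is treated the old way
    the reply describes: password and OTP typed as one string, OTP last."""
    if credential.startswith("SCRV1:"):
        parts = credential.split(":")
        if len(parts) != 3:
            raise AuthError("malformed SCRV1 credential")
        try:
            password = base64.b64decode(parts[1], validate=True).decode("utf-8")
            otp = base64.b64decode(parts[2], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
            raise AuthError("SCRV1 fields are not valid base64") from exc
        return password, otp
    if len(credential) <= legacy_otp_len or not credential[-legacy_otp_len:].isdigit():
        raise AuthError(f"expected password followed by a {legacy_otp_len}-digit code")
    return credential[:-legacy_otp_len], credential[-legacy_otp_len:]

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 (the TOTP building block)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, code, at=None, step=30, window=1):
    """RFC 6238 TOTP check accepting `window` steps of clock skew either way."""
    counter = int((time.time() if at is None else at) // step)
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))

def parse_via_file(text):
    """`auth-user-pass-verify SCRIPT via-file` hands the script a temporary file
    with the username on line 1 and the password field on line 2."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise AuthError("via-file needs a username line and a password line")
    return lines[0], lines[1]

# Constructed user store. Real deployments keep hashed passwords (or hand the
# check to PAM as the reply recommends); plaintext is only to keep this short.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"}}

def authenticate(via_file_text, users=USERS, at=None):
    """True only if username, password and OTP all check out. Both factors are
    evaluated before deciding, so the answer does not reveal which one failed."""
    try:
        username, credential = parse_via_file(via_file_text)
        password, otp = split_static_challenge(credential)
    except AuthError:
        return False
    user = users.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(password.encode(), user["password"].encode())
    otp_ok = verify_totp(user["totp_secret"], otp, at)
    return pw_ok and otp_ok

if __name__ == "__main__":
    # Invoked by OpenVPN as: auth-user-pass-verify /path/to/this.py via-file
    with open(sys.argv[1], encoding="utf-8") as fh:
        sys.exit(0 if authenticate(fh.read()) else 1)
```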
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
Hi,

On Fri, Jun 18, 2021 at 3:36 AM Bo Berglund wrote:
> On Sat, 12 Jun 2021 14:01:51 -0400, Selva Nair wrote:
>
> > > I wonder if there is some way (on Windows) to start the tunnel connection from
> > > the special comm program and then close it down when the comm session is over
> > > and the program closes.
> > > I have written the comm program and I could add such a feature if it is possible
> > > to accomplish.
> > >
> > > OpenVPN-GUI is sort of a GUI program so I suspect it does not have any useful
> > > hooks...
> >
> > We have some support for sending commands to the GUI to
> > connect, disconnect etc.. See
> >
> > https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-openvpn-gui
> >
> > Selva
>
> I have now tested the individual commands to connect and disconnect using a
> small program just for testing this interaction. It seems to work very well.
>
> But when I integrated it into the main client application I found that what
> happens on the connect call
>
> openvpn-gui.exe --command connect serverconfig
>
> is that the connection dialog pops up showing all of the progress messages while
> connecting, but at this time the call to openvpn-client returns *before* the
> connection is established so my following actions are errored out because there
> is not yet a connection.
> When I traced this in the debugger with a breakpoint directly following the call
> it reaches the breakpoint before the dialog has finished...
>
> So now I am wondering if the connect call just *triggers* openvpn-gui to start
> the connect process but it does so in its main thread so it exits the user call?

That is correct. It uses Windows messages and returns as soon as the message is delivered. You will have to do some checks like ping the remote through the tunnel to determine the connection has started up.

The status window popup can be avoided by toggling silent-connection (see the supported commands in README).
Selva
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
On Sat, Jun 12, 2021 at 6:28 PM Bo Berglund wrote:
> On Sat, 12 Jun 2021 22:05:51 +0200, Bo Berglund wrote:
>
> > > We have some support for sending commands to the GUI to
> > > connect, disconnect etc.. See
> > >
> > > https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-openvpn-gui
> > >
> > > Selva
> >
> > Thanks a lot!
> >
> > This is exactly what I need in Windows!
> > I just tried it in a user level command window and it works just fine both to
> > connect and to disconnect.
> > I will now integrate it into my client comm application and let it connect and
> > disconnect automatically.
> >
> > Just another question:
> > Can OpenVPN-GUI connect this way to a server if there is already a connection to
> > somewhere else active at this time?
> > I think that there is some limitation on Windows regarding the tunnel
> > adapters...
>
> Found the answer by google:
>
> https://michlstechblog.info/blog/openvpn-connect-to-multiple-vpns-on-windows/

That's right for version 2.4 and older. The new way is to use tapctl.exe to create adapters. It's installed by default in 2.5.x. Run "C:\Program Files\OpenVPN\bin\tapctl.exe help" from an elevated command prompt for usage.

The GUI itself has virtually no limitation on the number of concurrent connections you can have.

Selva
Re: [Openvpn-users] On-demand OVPN connection from Windows 10?
Hi

On Sat, Jun 12, 2021 at 1:53 PM Bo Berglund wrote:
> I am using the OpenVPN Gui application on my Windows 10 laptop to connect to a
> variety of locations where I have put OpenVPN servers.
> This has always until now been a matter of establishing a connection prior to
> doing something on or via the remote network.
>
> But now I have another use case, which is to communicate with a remote device,
> which is connected to an OpenVPN server where client-to-client is enabled but
> where there is no exit server side on the VPN server. So all communications are
> on the tunnel itself.
>
> In this case the process (which works) is this:
> - Connect to the tunnel-only server
> - Run the special comm program designed to talk to the remote device
> - Communicate with the remote device, which is connected 24/7
> - When done close down the VPN tunnel
>
> I wonder if there is some way (on Windows) to start the tunnel connection from
> the special comm program and then close it down when the comm session is over
> and the program closes.
> I have written the comm program and I could add such a feature if it is possible
> to accomplish.
>
> OpenVPN-GUI is sort of a GUI program so I suspect it does not have any useful
> hooks...

We have some support for sending commands to the GUI to connect, disconnect etc.. See

https://github.com/OpenVPN/openvpn-gui#send-commands-to-a-running-instance-of-openvpn-gui

Selva
Re: [Openvpn-users] Client-to-client setup fails mysteriously... (1/1)
Hi,

You can share large logs using some service like pastebin in pure text format. Compressed logs are hard to look through.

As per the logs the server gets the initial TLS packet from the second client, but hears nothing after that. The client gets nothing back from the server. So something is blocking the return path from the server.

Does your server have multiple interfaces? If yes, you will need to add --multihome. Though the error in this case should be more random than the systematic failure of the second connection. Otherwise try to see what's going on with the routers on both ends.

Do you know which client is triggering the HMAC error at the end of the server log? This may be unrelated, though.

Selva

On Fri, Jun 4, 2021 at 7:26 PM Bo Berglund wrote:
>
Re: [Openvpn-users] Client-to-client setup fails mysteriously...
Hi,

You have to post the full client and server logs -- we need to see the whole server log showing one connection succeeding and the subsequent one failing. And the corresponding (i.e. matching) client logs. I want to see what routes are being set up, which port and IP connections are coming from, what is pushed to the clients etc. Not snippets of logs here and there.

In the absence of that I'm out.

Selva
Re: [Openvpn-users] Client-to-client setup fails mysteriously...
On Fri, Jun 4, 2021 at 3:34 PM Bo Berglund wrote:
>
> On Fri, 04 Jun 2021 20:17:59 +0200, Bo Berglund wrote:
>
> > What could be causing this strange behavior?
> >
> > It seems like when the server has been connected to it goes blind for a while
> > but then returns to normal for a new comm session
> > Don't know how long one has to wait for.
>
> I have now added the directive:
> explicit-exit-notify
>
> to the client side ovpn files, but it does not make much difference.
>
> From what I can see now the openvpn server is only able to authenticate and
> connect a *single* client at a time! Thus defeating the whole idea behind using
> client-to-client in the first place...
>
> As soon as one connection succeeds a connection from the other device that
> succeeded earlier now fails in the TLS phase.

You haven't shown us the server log without which you cannot make any conclusions. The client log ends at WAIT state which could mean either there is no route to the server or the server is not responding to the TLS handshake. Post the server log.

My guess would be that there is some messed up routing happening. Once the RPi is connected your Win10 client may be losing its route to the server.

Selva
Re: [Openvpn-users] MSI Installer Source?
On Thu, Jun 3, 2021 at 3:12 PM Colin Ryan wrote:
>
> Folks,
>
> I've been customizing the NSIS installer for years. Want to look at
> moving to the MSI installer. Is there a source file for the community
> edition that I can use as a starting point?

Have you checked openvpn-build? That's where build-related things live including the nsis and msi scripts.

Selva
Re: [Openvpn-users] Ovpn 2fa auth
Hi

On Thu, Jun 3, 2021 at 1:40 PM Gokan Atmaca wrote:
>
> Hello
>
> I am using Ubuntu server. I am using openvpn as SSL and TLS. PAM auth.
> together... Now I want to use google mfa. I got the following errors
> in the settings I made.
> I can ssh sign with the same 2fa information.
>
> What could cause the problem ?
>
> -% ovpn_srv:
> plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn login USERNAME password PASSWORD pin OTP

That looks right assuming the prompts from the pam module in /etc/pam.d/openvpn will match "login", "password" and "pin"

> -% log:
> openvpn(pam_google_authenticator)[3183]: debug: Secret file permissions are 0400. Allowed permissions are 0600
> openvpn(pam_google_authenticator)[3183]: debug: "/home/thapeex4/.google_authenticator" read
> openvpn(pam_google_authenticator)[3183]: debug: shared secret in "/home/thapeex4/.google_authenticator" processed
> openvpn(pam_google_authenticator)[3183]: Did not receive verification code from user
> openvpn(pam_google_authenticator)[3183]: Did not receive verification code from user
> openvpn(pam_google_authenticator)[3183]: Invalid verification code for thapeex4
> openvpn(pam_google_authenticator)[3183]: debug: "/home/thapeex4/.google_authenticator" written

Have you checked whether the client is set up to pass the username, password and pin in the right format? You have to use --static-challenge in the client config and run the openvpn client using a UI that supports static challenge. Running from the command line should work too.

Server logs at verb=4 should have more info -- the above snippets only show debug messages from the pam module.

Selva
Re: [Openvpn-users] GUI auto-disconnect option
On Thu, May 27, 2021 at 11:40 AM tincantech via Openvpn-users wrote:
>
> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, 27 May 2021 16:25, Gert Doering wrote:
>
> > Hi,
> >
> > On Thu, May 27, 2021 at 04:33:54PM +0200, Bo Berglund wrote:
> >
> > > > In c:\program files\openvpn\bin\ there is a "tapctl.exe" which you
> > > > need to run from an "run as administrator" cmd.exe, and which then
> > > > can do "tapctl help", "tapctl create --name MySecondTAP", etc.
> > >
> > > My corresponding dir contains this:
> >
> > [..]
> >
> > > So there seems to be no such utility...
> >
> > You are using old software :-) - tapctl is part of the msi installers,
> > 2.5.0 and up.
> >
> > There is a way to create new tap drivers with older OpenVPN versions
> > but I have never bothered to find out how.
>
> You should find TAP Utilities (something like that) in your Windows menu.

That or look for addtap.bat which should be somewhere like %PROGRAMFILES%\Tap-Windows\bin and run it as admin. I believe these utilities are installed for 2.4.x and earlier unless you customized the installation.

If possible use 2.5.x and tapctl.exe

Selva
Re: [Openvpn-users] GUI auto-disconnect option
Hi,

> HI,
>
> the OP did not follow up, so here it is:
> https://forums.openvpn.net/viewtopic.php?f=10=32300

The user wants to automatically disconnect a connection when another one using a different config is started.

> I guess it could be a useful switch?

No, it's not. Not everyone wants a single connection to be active at a time. For example, I right now have three connections to different locations active -- that won't be possible if we were to second guess and disconnect active connections.

Selva
Re: [Openvpn-users] How to disconnect a user from the server?
Hi,

> @selva I can't kill the whole client, as I'm doing a duplicate-cn. Hence I
> had to kill via IP address and port to pinpoint exactly that user.
>
> However I have found a secret feature, which it seems you guys weren't aware
> of. ;-)
>
> client-deny 4 0 "Disconnect Now"

client-deny is for failing client authentication, and is supposed to be used when the client is connecting or doing re-auth with --management-client-auth. It may work mid-session, but that's undocumented and could change. The third argument is KID, not PID.

Also, the client will receive an AUTH_FAILED leading to a restart -- so it will connect right back, especially when passwords are cached.

Selva
Re: [Openvpn-users] How to disconnect a user from the server?
On Tue, May 11, 2021 at 2:04 PM tincantech via Openvpn-users wrote:
>
> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 11 May 2021 15:07, Houman wrote:
>
> > Hello,
> >
> > I have been struggling to find a way to disconnect a specific user from the
> > OpenVPN server.
> > I believe there is one way to kill the user's connection by IP address/port
> > via the management interface. That's really bad though, because the user is
> > still connected to the VPN and has no idea about it. Ideally I should be
> > able to disconnect the user properly, so that the user can see he is no
> > longer connected to the client.
>
> I seem to remember some discussion about sending messages to the client on a
> forced disconnect, even going so far as to present those messages to a client
> GUI.
> Is that something which I imagined or is this still under consideration ?

echo msg support is functional in 2.5 and the Windows GUI supports it. But it's only useful for sending messages during connection initiation (i.e., whenever echo commands can be sent). You cannot push such messages mid-way through a connection.

client-kill is the right way to disconnect or restart with optional advance to next remote.

Selva
Re: [Openvpn-users] How to disconnect a user from the server?
Hi,

Use "client-kill CID HALT" from the management interface. The third argument of this command is optional (defaults to RESTART) -- what you want is HALT. Use "status 2" to get the CID of the client.

The client will get a termination signal. If you are using the Windows GUI for the client, it will pop up a message saying the connection was terminated.

Selva

On Tue, May 11, 2021 at 10:11 AM Houman wrote:
>
> Hello,
>
> I have been struggling to find a way to disconnect a specific user from the
> OpenVPN server.
> I believe there is one way to kill the user's connection by IP address/port
> via the management interface. That's really bad though, because the user is
> still connected to the VPN and has no idea about it. Ideally I should be
> able to disconnect the user properly, so that the user can see he is no
> longer connected to the client.
>
> Or alternatively do you know if there is a plugin for OpenVPN to handle CoA
> (Change-Of-Authorisation) requests from Freeradius? Because Freeradius could
> just do that, if OpenVPN had support for it.
>
> Your help is much appreciated,
> Thank you,
> Houman
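The "status 2" then "client-kill CID HALT" sequence from this thread, as an added example (not code from the list or from OpenVPN). It selects the session by Real Address rather than by common name, which is what Houman's duplicate-cn setup needs. The status text is constructed sample data in the 2.5 column layout, and the management address 127.0.0.1:7505 is an assumption about the server config.

```shell
# Added example, not from the thread. Resolves a client's CID from the
# "status 2" output of the management interface and builds the
# "client-kill CID HALT" command. It keys on the Real Address (IP:port)
# because with duplicate-cn several sessions share one common name.

# write_sample_status <file>: constructed "status 2" output (2.5 column set).
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 24 2021
TIME,2021-05-11 14:20:00,1620742800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,shared-cn,203.0.113.5:49152,10.8.0.2,,10240,20480,2021-05-11 14:01:10,1620741670,UNDEF,3,0,AES-256-GCM
CLIENT_LIST,shared-cn,203.0.113.9:49153,10.8.0.3,,5120,8192,2021-05-11 14:05:42,1620741942,UNDEF,7,1,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,shared-cn,203.0.113.5:49152,2021-05-11 14:19:58,1620742798
ROUTING_TABLE,10.8.0.3,shared-cn,203.0.113.9:49153,2021-05-11 14:19:59,1620742799
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# cid_for_address <status file> <real address>: prints the Client ID.
# Column positions are taken from the HEADER line rather than hard-coded,
# because the CLIENT_LIST column set differs between OpenVPN versions.
cid_for_address() {
    awk -F',' -v want="$2" '
        $1 == "HEADER" && $2 == "CLIENT_LIST" {
            # header names start at $3, data fields at $2, hence i - 1
            for (i = 3; i <= NF; i++) {
                if ($i == "Real Address") addr = i - 1
                if ($i == "Client ID")    cid  = i - 1
            }
            next
        }
        $1 == "CLIENT_LIST" && addr && cid && $addr == want { print $cid; exit }
    ' "$1"
}

# client_kill_command <status file> <real address>: prints the management
# command to send, or returns 1 if that address has no session.
client_kill_command() {
    cid=$(cid_for_address "$1" "$2")
    [ -n "$cid" ] || return 1
    printf 'client-kill %s HALT\n' "$cid"
}

# mgmt <command>: sends one command to a management interface listening on
# 127.0.0.1:7505 (assumes "management 127.0.0.1 7505" in the server config).
# Not exercised offline; this is how the pieces fit together:
#   mgmt 'status 2' > /tmp/status.txt
#   mgmt "$(client_kill_command /tmp/status.txt 203.0.113.9:49153)"
mgmt() {
    printf '%s\nquit\n' "$1" | nc -w 2 127.0.0.1 7505
}
```

HALT makes the client stop rather than reconnect; with the default RESTART (or client-deny, as noted in the reply below) a client with cached credentials simply comes back.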
[Openvpn-users] Adding RSA-PSS support in pkcs11-helper
Hi,

Currently RSA-PSS signatures are handled in pkcs11-helper by asking the token to do a raw RSA signature of data already padded by OpenSSL. Many new hardware tokens refuse to support this mode and require the padding to be done in hardware. For a recent user report see this thread: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html

Probably there are some related tickets on Trac too.

In OpenVPN, we have a couple of options to fix this:
(i) Use a different library like libp11 (for OpenSSL only).
(ii) Extend pkcs11-helper
(iii) Roll something new on our own :)

After some thought, I have decided that extending pkcs11-helper may be the least painful approach --- not including the mental distress in getting code reviews and changes accepted. The "helper" has several features that we depend on and that are not readily available in alternatives.

If anyone is interested in testing this, see https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support

Though I've opened a PR at https://github.com/OpenSC/pkcs11-helper/pull/31 , it's only an RFC and would likely require some iterations.

Comments, suggestions for improvement, and test reports, are most welcome.

Thanks,

Selva
Re: [Openvpn-users] How to send 2nd factor to server ?
Hi

On Wed, Apr 28, 2021 at 11:52 AM Gert Doering wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote:
> > If interested, I can send the script over ( PAM is used for user
> > auth against an MS AD, and Radius is used for SecurID, since that
> > handles challenge-response auths, so we can wait for the user's
> > answer to dynamic questions without blocking the whole auth flow).
>
> I'm certainly interested.
>
> > So, if you want to do a bit more complex stuff, then the management
> > interface will be your friend (a perl/python/php/whatever daemon
> > will be needed to connect to the mgmt interface and handle the
> > requests from the openvpn server).
> >
> > For simple tasks a static-challenge + PAM auth can be more than enough.
>
> I've come to like the auth-PAM plugin (after I fought it for a while,
> and won :-) ). It does async nowadays, and if it does what you need,
> it's easier to use than setting up "things talking to management".
>
> I haven't looked into dynamic challenges yet, but it seems I should...
> Selva: am I reading the source correctly, a plugin can not create a dynamic
> challenge?

No it doesn't. There were two issues blocking this: (i) PAM_CONV_AGAIN, needed to restart the PAM stack at a point, is not supported by most PAM modules of interest; (ii) a customized AUTH_FAILED message could be sent only from the management interface (during reauth --- initial auth is fine).

For (i) probably we can avoid PAM_CONV_AGAIN and do this using deferred auth. For (ii) not sure whether this has changed with Arne's recent patches -- also there was a patch from viscosity folks for custom AUTH_FAILED from plugins.

Maybe it's time to look into this again.

Selva
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi Mike,

On Wed, Apr 21, 2021 at 4:55 PM mike tancsa wrote:
> On 4/21/2021 12:05 PM, Selva Nair wrote:
> > I think that patch is still not applied upstream. I tested softhsm
> > using your instructions and it works for TLS 1.3 and PSS -- softhsm2
> > gets request to sign pre-padded PSS data as Raw RSA and it seems to
> > handle that.
> >
> > I can understand some hardware tokens may refuse to sign pre-padded
> > data, so we need to find a fix for this.
>
> If it would help development efforts, I am happy to donate a couple of
> keys to the project. I have an assortment of old (CardOS based) and
> new (SafeNet5110 which supports ECC). I would be mailing from Canada,
> so ideally anyone close by, but happy to send internationally too.

Thanks for the offer, this could help. Tokens I have are some fairly ancient ones that do not support RSA-PSS nor ECC. Would be good to have some newer tokens. Domestic mail would work for me.

Selva
Re: [Openvpn-users] How to send 2nd factor to server ?
Hi,

On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson wrote:
> I stand corrected! That's very useful to know.
>
> Does the "OTP" keyword in the plugin correspond to the OTP argument in
> the static challenge?

No, the argument to static-challenge is local to the client and only used for prompting the user. It's not passed to the server. You can write it differently in each client config if you wish.

> Like if my static challenge was "static-challenge 'enter the number
> from your authenticator' 1", I'd use auth_pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification 'enter the number from your
> authenticator'"?

The capitalized words, USERNAME, PASSWORD and OTP, are hard coded and stand for the values for username, password and otp received from the client. These get used against the corresponding prompts, "login:", "Password:" and "Verification" in my example. So those latter words are specific to your set up. Only the beginning of the prompt is matched, so "Verification" would also match, say, a pam prompt of "Verification PIN:".

It's also possible to expose the common name to PAM -- use COMMONNAME as the place-holder. See README.auth-pam.

Selva
Re: [Openvpn-users] How to send 2nd factor to server ?
Hi

On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson wrote:
>
> What you're looking for is the openvpn challenge/response protocol,
> which can be used when authentication is done via the management
> interface.
>
> https://openvpn.net/community-resources/management-interface/
> describes it a bit.
>
> I know that the MFA portion of the management interface system I wrote
> (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> tokens via static challenge (which is where you put the
> "static-challenge" directive in the client config) as well as
> concatenating them with the password.
>
> Unfortunately, as far as I can tell, static and dynamic
> challenge-response isn't available if you're using a plugin or script
> for authentication. So if you're ready to take the plunge into using
> the management interface, you can do it. Otherwise, you're stuck with
> concatenating the OTP token to the password.

Static challenge can be used with plugins and scripts on the server -- management-auth not required.

Here is a pared down example of what I use:

Add to client config

static-challenge "OTP " 1

This causes the openvpn client (or its UI/GUI) to prompt separately for username, password and OTP. The prompt text for the latter is taken from the first argument to static-challenge. The second arg (1 above) controls echoing of the pin. See the man page of openvpn for details. This prompt is also supported by OpenVPN-GUI on windows and, I think, by tunnelblick, viscosity and probably others.

On the server, details vary depending on the need and verification mechanism used. I use PAM for which one adds to the server config:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:USERNAME Password: PASSWORD Verification OTP"

(See README.auth-pam distributed with OpenVPN for how to format the above line to match your pam setup).

And have a pam config /etc/pam.d/openvpn with, say,

@include common-auth
account required pam_access.so
@include common-account
@include common-password
@include common-session

where common-auth has

auth required pam_google_authenticator.so

among other modules.

There are so many ways of setting up PAM depending on how the user is authenticated (unix user db, ldap, Active Directory, ...), what kind of OTP is in use etc. The above is only meant to describe the essentials.

Selva
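To make the static-challenge plumbing described in this message, the one just above it and the earlier "OpenVPN 2fa user authentication" reply concrete, here is an added example (not code from the list or from the auth-pam plugin) that models the two steps a 2.4.10+ server performs: taking apart the "SCRV1:<base64 password>:<base64 otp>" value a static-challenge client puts in its password field, and matching the plugin init string's name/value pairs against PAM prompts by prefix, as Selva explains. Sample user, password and OTP are constructed. The init string is written with a space after "login:" on the assumption that the init string is split on whitespace into name/value pairs (the README.auth-pam example has that form); adjust to whatever your prompts actually are.

```shell
# Added example, not from the list. Models how openvpn-plugin-auth-pam
# (2.4.10+/2.5) handles a static-challenge login:
#  1. the client's password field carries "SCRV1:<b64 password>:<b64 otp>";
#  2. the init string "service name value name value ..." is matched against
#     PAM prompts, a name matching when it is a prefix of the prompt.
# Sample values are constructed; the init string below is an assumption.

PAM_INIT='openvpn login: USERNAME Password: PASSWORD Verification OTP'

# split_scrv1 <password field>: sets SC_PASSWORD and SC_OTP. Returns 1 when
# the field is not a static-challenge response (plain password from an old
# client, or a user typing "passwordOTP" as one string), so the caller can
# fall back or reject instead of silently treating the whole thing as a password.
split_scrv1() {
    case $1 in
        SCRV1:*:*) ;;
        *) return 1 ;;
    esac
    rest=${1#SCRV1:}
    SC_PASSWORD=$(printf '%s' "${rest%%:*}" | base64 -d)
    SC_OTP=$(printf '%s' "${rest#*:}" | base64 -d)
}

# answer_for_prompt <init string> <PAM prompt> <user> <password> <otp> [<cn>]
# Prints what the plugin would hand PAM for that prompt; returns 1 when no
# name in the init string is a prefix of the prompt. USERNAME, PASSWORD, OTP
# and COMMONNAME are the placeholders the plugin substitutes; anything else
# is sent to PAM literally.
answer_for_prompt() {
    prompt=$2; user=$3; pass=$4; otp=$5; cn=$6
    set -- $1            # whitespace-split the init string (assumed tokenization)
    shift                # first token is the PAM service name, /etc/pam.d/<name>
    while [ $# -ge 2 ]; do
        name=$1; value=$2; shift 2
        case $prompt in
            "$name"*)    # prefix match: "Verification" also matches "Verification PIN:"
                case $value in
                    USERNAME)   printf '%s\n' "$user" ;;
                    PASSWORD)   printf '%s\n' "$pass" ;;
                    OTP)        printf '%s\n' "$otp" ;;
                    COMMONNAME) printf '%s\n' "$cn" ;;
                    *)          printf '%s\n' "$value" ;;
                esac
                return 0 ;;
        esac
    done
    return 1
}
```

The useful check here is the negative case: a PAM prompt whose text starts with none of the names in the init string gets no answer, which is exactly the "Did not receive verification code from user" symptom seen in the google-authenticator thread earlier on this page when the plugin line and the PAM prompts disagree.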
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi,

On Wed, Apr 21, 2021 at 6:32 AM Jan Just Keijser wrote:
>
> Hi,
>
> On 20/04/21 20:05, Selva Nair wrote:
> > On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote:
> > > [...]
> >
> > > This is surprising. SoftHSM would support raw RSA signatures and hence
> > > should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS
> > > 1.3 and PSS signatures. The problem should arise only for tokens that
> > > insist on doing the padding internally.
> > >
> > > By any chance, are you using an older pkcs11-helper library?
>
> I was using the "default" pkcs11-helper library from Fedora Core 32,
> which is still at version 1.22; note that Fedora 33 *also* uses
> pkcs11-helper 1.22 (the upcoming Fedora 34 will include v1.27).
>
> I grabbed pkcs11-helper from github and compiled it then recompiled
> OpenVPN 2.5.1 with it. Now, when using softhsm, I get
>
> 2021-04-21 10:12:01 us=639135 PKCS#11: Adding PKCS#11 provider '/usr/lib64/libsofthsm2.so'
> 2021-04-21 10:12:01 us=640607 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
> 2021-04-21 10:12:01 us=640614 Cannot load certificate "pkcs11:model=SoftHSM%20v2;token=SoftToken1;..." using PKCS#11 interface

The deserialize error seems to indicate it's not able to parse the id. What does openvpn --show-pkcs11-ids /usr/lib64/libsofthsm2.so show? To use the id like "pkcs11:." you would need the RFC7512 patch which we apply in our Windows builds. Or use the old style id like:

pkcs11-id 'SoftHSM\x20project/SoftHSM\x20v2/serial-goes-here/SoftToken1/20210420'

I think that patch is still not applied upstream. I tested softhsm using your instructions and it works for TLS 1.3 and PSS -- softhsm2 gets a request to sign pre-padded PSS data as Raw RSA and it seems to handle that.

I can understand some hardware tokens may refuse to sign pre-padded data, so we need to find a fix for this.

Selva
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi,

On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser wrote:
>
> Hi Selva,
> ..some good info snipped..
>
> I agree that it is better to stop using pkcs11-helper (if possible). I can
> reproduce the problem using "softhsm" (from http://www.opendnssec.org/) as
> well, thus you don't even need a hardware token for this.
>
> This is what I tested:
>
> softhsm2-util --init-token --slot 0 --label "SoftToken1"
> pkcs11-tool --module libsofthsm2.so --login -w client-key.der --type privkey --id 20210420
> pkcs11-tool --module libsofthsm2.so --login -w client-cert.der --type cert --id 20210420
>
> and then run openvpn using
>
> ~/src/openvpn-2.5.1/src/openvpn/openvpn --config pkcs11-udp-client.conf --verb 5
>
> with
>
> [...]
> pkcs11-providers /usr/lib64/libsofthsm2.so
> pkcs11-id 'pkcs11:model=SoftHSM%20v2;token=SoftToken1;manufacturer=SoftHSM%20project;serial=ea81c0d7adb47653;id=%20%21%04%20'
>
> and I get the exact same error:
>
> 2021-04-20 12:05:09 us=913235 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
> 2021-04-20 12:05:09 us=913246 TLS_ERROR: BIO read tls_read_plaintext error
> 2021-04-20 12:05:09 us=913250 TLS Error: TLS object -> incoming plaintext read error
> 2021-04-20 12:05:09 us=913254 TLS Error: TLS handshake failed
> 2021-04-20 12:05:09 us=913351 TCP/UDP: Closing socket

This is surprising. SoftHSM would support raw RSA signatures and hence should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS 1.3 and PSS signatures. The problem should arise only for tokens that insist on doing the padding internally.

By any chance, are you using an older pkcs11-helper library?

Selva

>
> Hopefully this will enable others to reproduce the problem.
> As for fixing pkcs11-helper: I doubt whether that is worth the effort, I'd
> rather switch to lib11/openssl-pkcs11 engine or perhaps even p11-kit-proxy
> (although both have their own issues)
>
> HTH,
>
> JJK
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi JJK,

On Mon, Apr 19, 2021 at 7:19 AM Jan Just Keijser wrote:
> Hi Selva,
>
> On 15/04/21 20:20, Selva Nair wrote:
> > [...]
> > >
> > > Another thing I am not clear on, is where the cert signature type is set
> > > / required. I am guessing the entire chain needs to be at least SHA256
> > > right ? PKI's CA CRT, CSR, signed CRT ?
> > We are referring to the signature algorithm set in the ClientHello during TLS
> > handshake. OpenSSL 1.1.1 will include rsa_pss_pss_sha256 and similar
> > as supported algorithms in the signature_algorithms extension
> > of ClientHello. This is true even if you choose TLS 1.2. The idea of editing
> > OpenSSL.cnf is to remove PSS schemes from that list.
>
> I can reproduce this issue with a Safenet token on Linux:
>
> - openvpn 2.4 or 2.5 built with openssl 1.1 fails to connect to a server
> built with openssl 1.1 ; it has no problems connecting to a server built
> with openssl 1.0.2
>
> - modifying the openssl.cnf file like this:
>
> ##
> openssl_conf = default_modules
>
> [ default_modules ]
> ssl_conf = ssl_module
>
> [ ssl_module ]
> system_default = crypto_policy
>
> [ crypto_policy ]
> SignatureAlgorithms = RSA+SHA256
> ##
>
> and adding
> --tls-max-version 1.2
> does allow me to connect, so changing the SignatureAlgorithms works.
> I am having problems with openvpn and the Safenet driver on my Fedora 32
> box, but that has more to do with the (out of date) Safenet driver than
> with OpenVPN.
>
> However, I think this *IS* an OpenVPN (or more likely, pkcs11-helper)
> issue, as I can set up a TLS 1.3 connection using openssl s_server +
> s_client with rsa-pss using the openssl-pkcs11 engine and the same token:
>
> ## server:
> openssl s_server -CAfile ca.crt -cert server.crt -key server.key -www
>
> ## client:
> openssl s_client -engine pkcs11 -cert client.crt -keyform engine -key 20210419 -connect localhost:4433
>
> (the key id is the ID of the private key on the token and was set to
> today's date).
>
> Shared Signature Algorithms:
> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
>
> I'll continue to investigate.

In the successful case using the pkcs11 engine, any idea what sigalg is being used -- especially the padding that is being requested from the token?

pkcs11-helper only supports RSA_PKCS1_PADDING (=CKM_RSA_PKCS for the token) and RSA_NO_PADDING (=CKM_RSA_X_509). We added the latter to 1.26 to handle PSS with OpenSSL. The openssl callback the "helper" hooks into only provides padded data when PSS is in use.

The pkcs11 engine uses libp11, doesn't it? It hooks into EVP_PKEY_METHOD(s) as we do in cryptoapi and can thus let the token handle PSS padding.

The question would be whether the token supports signing of prepadded data (raw RSA). If it does, we need to troubleshoot OpenVPN + pkcs11-helper further, otherwise we can't fix this without changing pkcs11-helper. A better fix would be to stop using pkcs11-helper unless mbedtls is in use, for which we probably have no other option.

Selva
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi,

On Thu, Apr 15, 2021 at 1:46 PM mike tancsa wrote:
>
> On 4/14/2021 8:23 PM, Selva Nair wrote:
> >
> > You can restrict TLS version using the option --tls-version-min in
> > OpenVPN config file, but restricting to TLS 1.2 is not enough with
> > OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.
> >
> > Rather than building your own OpenSSL, a much simpler option would be
> > to make an openssl.cnf file and restrict signature algorithms. See my
> > comment on the trac ticket link I posted in my previous reply.
>
> Thanks, still no luck just yet getting things to work using the .cnf
> file. Not sure why it's not picking up the pointer properly. I will
> keep trying.

You can privately email me the OpenSSL config file you are using, and I can take a look.

> Another thing I am not clear on, is where the cert signature type is set
> / required. I am guessing the entire chain needs to be at least SHA256
> right ? PKI's CA CRT, CSR, signed CRT ?

We are referring to the signature algorithm set in the ClientHello during TLS handshake. OpenSSL 1.1.1 will include rsa_pss_pss_sha256 and similar as supported algorithms in the signature_algorithms extension of clientHello. This is true even if you choose TLS 1.2. The idea of editing OpenSSL.cnf is to remove PSS schemes from that list.

> Also, I was playing around creating a default CA from scratch using
> easy-rsa. It by default generates a CA cert as so

Recreating certificates will not make any difference.

Selva
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi,

On Wed, Apr 14, 2021 at 8:09 PM mike tancsa wrote:
> Thank you very much for the analysis and pointer. The application is a
> kiosk type environment and for a number of reasons, the windows dialog
> PIN popping up is not workable. It's been a while since I built OpenVPN
> from source, but I imagine I could roll a version of the OpenSSL.DLL
> that would max out at TLS 1.2 or at least default to that ?

You can restrict TLS version using the option --tls-version-min in OpenVPN config file, but restricting to TLS 1.2 is not enough with OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.

Rather than building your own OpenSSL, a much simpler option would be to make an openssl.cnf file and restrict signature algorithms. See my comment on the trac ticket link I posted in my previous reply.

That said, it's my guess that the token is refusing to sign pre-padded data. You may want to ask the token supplier (SafeNet Inc) about it.

Selva
Re: [Openvpn-users] PKCS11 problems with 2.5.1 under windows 10
Hi,

As per the logs it's requesting an unpadded signature of size 256 (padding = 3), which is expected with OpenSSL 1.1.1 and TLS 1.2 or 1.3 as it requires a PSS padded signature and OpenSSL provides the padded data to sign with padding = NONE. My guess would be that your hardware token doesn't support signing pre-padded data. In the case of cryptoapi, we pass in the unpadded data and the padding type, so that both padding and signing are handled by the cryptography provider (token's dll through Windows).

2.4.7 is built with older OpenSSL that does not support TLS 1.3 and does not use PSS padding by default. For newer releases, there is a workaround like using TLS 1.2 and configuring OpenSSL to not negotiate PSS padding with the server[1], but why not use cryptoapi as it works?

Selva

[1] https://community.openvpn.net/openvpn/ticket/1296#comment:12

On Wed, Apr 14, 2021 at 6:03 PM mike tancsa wrote:
>
> Trying out a newer version of OpenVPN community edition (latest from the
> website) on windows 10 and running into problems with a config that
> works from 2.4.7. If I use the token with OpenVPN 2.4.7 it works as
> expected. On 2.5.1, I get a series of errors when using the pkcs11
> method. The token works fine with cryptoapicert as the interface to the
> eToken.
>
> cryptoapicert "SUBJ:officeVPN"
>
> However, if I use
>
> pkcs11-providers eTpkcs11.dll
> pkcs11-id 'pkcs11:model=eToken;token=.
>
> (i.e. the output of --show-pkcs11-ids)
>
> I enter the PIN, and it's the right PIN as the fail count on the token
> doesn't go down. It just fails and asks for the PIN again. The pkcs11
> fail bits from the log are below. Like I said, this same token works
> with the same config under 2.4.7 and works with 2.5.1 if I use it via
> cryptoapicert. Any idea where / why I am getting those 2 errors using
> the pkcs11 method under 2.5.1 ?
>
> 2021-04-14 17:24:36 us=284747 SSL state (connect): TLSv1.3 read server certificate verify
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS read finished
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write change cipher spec
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write client certificate
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=007968E0, to=00795B10, rsa=0075EEE0, padding=3
> 2021-04-14 17:24:36 us=284747 PKCS#11: Performing signature
> 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signAny entry certificate=007586B0, mech_type=3, source=007968E0, source_size=0100, target=00795B10, *p_target_size=0100
> 2021-04-14 17:24:36 us=284747 PKCS#11: Getting key attributes
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes entry certificate=007586B0
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0072E140, count=4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> 2021-04-14 17:24:36 us=284747 PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=007586B0, public_only=0, session_mutex_locked=1
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById entry session=00759C40, class=3, id=0075F4A0, id_size=0008, p_handle=007586C8
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry session=00759C40
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1618435476
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects entry session=00759C40, filter=0072E0C0, filter_attrs=2, p_objects=0072E0B8, p_objects_found=0072E0B4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById return rv=0-'CKR_OK', *p_handle=02970005
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: Key attributes enforced by provider (0002)
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0072E140, count=4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signRecover entry certificate=007586B0, mech_type=3, source=007968E0, source_size=0100, target=00795B10, *p_target_size=0100
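The padding point made in this reply (padding = 3, a 256-byte pre-padded block) and in the earlier message about pkcs11-helper (RSA_PKCS1_PADDING vs RSA_NO_PADDING), as an added Go example that is not OpenVPN or pkcs11-helper code: OpenSSL performs the EMSA-PSS encoding itself and hands the token a modulus-sized block to sign with padding = NONE, so the token must offer a raw private-key operation (CKM_RSA_X_509). A token that only offers CKM_RSA_PKCS applies PKCS#1 v1.5 padding on its own and, per the PKCS#11 specification, rejects input longer than k-11 bytes. The key, the message and both token models are constructed for this example.

```go
// Added example (not OpenVPN/pkcs11-helper code): OpenSSL pre-pads with EMSA-PSS and needs raw RSA (CKM_RSA_X_509) from the token.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// mgf1SHA256 is MGF1 (RFC 8017 B.2.1) with SHA-256.
func mgf1SHA256(seed []byte, length int) []byte {
	var out []byte
	for c := uint32(0); len(out) < length; c++ {
		ctr := []byte{byte(c >> 24), byte(c >> 16), byte(c >> 8), byte(c)}
		d := sha256.Sum256(append(append([]byte{}, seed...), ctr...))
		out = append(out, d[:]...)
	}
	return out[:length]
}

// emsaPSSEncode: EMSA-PSS (RFC 8017 9.1.1), SHA-256, salt = hash length; the block OpenSSL passes with padding = RSA_NO_PADDING.
func emsaPSSEncode(msg []byte, modBits int) ([]byte, error) {
	hLen, sLen := sha256.Size, sha256.Size
	emBits := modBits - 1
	emLen := (emBits + 7) / 8
	if emLen < hLen+sLen+2 {
		return nil, errors.New("encoding error: modulus too small")
	}
	mHash := sha256.Sum256(msg)
	salt := make([]byte, sLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	// H = Hash(eight zero octets || mHash || salt)
	h := sha256.Sum256(append(append(make([]byte, 8), mHash[:]...), salt...))
	// DB = PS || 0x01 || salt with PS all zero, then masked with MGF1(H)
	db := make([]byte, emLen-hLen-1)
	db[len(db)-sLen-1] = 0x01
	copy(db[len(db)-sLen:], salt)
	for i, m := range mgf1SHA256(h[:], len(db)) {
		db[i] ^= m
	}
	db[0] &= 0xff >> uint(8*emLen-emBits) // clear excess leading bits so EM < n
	return append(append(db, h[:]...), 0xbc), nil
}

// rawRSASign is what CKM_RSA_X_509 does on the token: s = em^d mod n, no padding.
func rawRSASign(key *rsa.PrivateKey, em []byte) []byte {
	s := new(big.Int).Exp(new(big.Int).SetBytes(em), key.D, key.N)
	return s.FillBytes(make([]byte, (key.N.BitLen()+7)/8))
}

// pkcs1v15Pad: what CKM_RSA_PKCS does itself (00 01 ff.. 00 || data); PKCS#11 requires len(data) <= k-11 (else CKR_DATA_LEN_RANGE).
func pkcs1v15Pad(data []byte, k int) ([]byte, error) {
	if len(data) > k-11 {
		return nil, errors.New("data too long (CKR_DATA_LEN_RANGE)")
	}
	em := make([]byte, k)
	em[1] = 0x01
	for i := 2; i < k-len(data)-1; i++ {
		em[i] = 0xff
	}
	copy(em[k-len(data):], data)
	return em, nil
}

// signPSS models OpenSSL + pkcs11-helper 1.26 handing the encoded block to the
// token. rawOK: token supports CKM_RSA_X_509; otherwise it pads again and fails.
func signPSS(key *rsa.PrivateKey, msg []byte, rawOK bool) ([]byte, error) {
	em, err := emsaPSSEncode(msg, key.N.BitLen())
	if err != nil {
		return nil, err
	}
	if !rawOK {
		if em, err = pkcs1v15Pad(em, (key.N.BitLen()+7)/8); err != nil {
			return nil, fmt.Errorf("CKM_RSA_PKCS-only token: %w", err)
		}
	}
	return rawRSASign(key, em), nil
}

// verifyPSS checks the signature the way the TLS peer would.
func verifyPSS(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, opts) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key
	msg := []byte("constructed CertificateVerify input")
	sig, err := signPSS(key, msg, true)
	fmt.Println("CKM_RSA_X_509 token, PSS verifies:", err == nil && verifyPSS(&key.PublicKey, msg, sig))
	_, err = signPSS(key, msg, false)
	fmt.Println("CKM_RSA_PKCS-only token:", err)
}
```

The first path is what the cryptoapi backend also gets from the Windows provider (padding done by the provider), while the second reproduces the refusal a PKCS#1 v1.5-only token gives when handed the pre-padded block.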
Re: [Openvpn-users] Kill stale session at the server
Hi

On Thu, Apr 8, 2021 at 6:53 PM Mason Walters via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> I've run into this issue with 2.5 clients. Adding 'explicit-exit-notify'
> to the client's config resolved it for me.
>
> --explicit-exit-notify [n]

I have always felt that this (with say n=1) should have been on by default in UDP clients. And ignored by TCP clients instead of flagging a FATAL error. Wonder why keep this as an optional option.

Selva
Re: [Openvpn-users] Scripts initiated by Windows GUI DO pass data over VPN
Hi,

> If I distribute my VPN client as a Zip file then whatever name I give the
> VPN config file, I will obviously make the batch file the same.
> * provider.ovpn
> * provider_up.bat
> This is certainly not a difficult hurdle to side-step.
>
> > It's easy for an unsuspecting user to "import" a config file downloaded
> > from somewhere, but to get the batch file into the right location they
> > have to deliberately copy it there. One can say that we treat that
> > action as equivalent to "--script-security 2".
>
> See Zip above..
> Unsuspecting users is exactly who I thought OpenVPN wanted to protect.

What I meant was the import menu in the GUI will not import a zip file, only the .ovpn. When we add a smarter import option we'll have to warn the user about such scripts.

Also, I'm all for patches to improve --script-security handling as well as for controlling scripts run by the GUI. I had tried but found it to be beyond my foo to come up with a decent way to do this.

Selva
Re: [Openvpn-users] Scripts initiated by Windows GUI DO pass data over VPN
Hi,

On Fri, Apr 2, 2021 at 3:21 PM tincantech via Openvpn-users wrote:
>
> Hi,
>
> I have had to test this myself because I am a little shocked ..
>
> Using the Windows GUI and an up script named like so:
> 'my_vpn_01_up.bat'
> which is kept in the openvpn\config folder of the users home,
> DOES allow data to be passed over the newly established VPN.
> And does NOT require explicit '--script-security 2' to be set.
>
> Whereas, a script configured inside the config with --up
> does NOT allow data to be passed over the newly established VPN.
> And it also requires that '--script-security 2' be explicitly set.

I can only say that: --up foo and similar scripts allow arbitrary commands to be executed while scripts executed by the GUI are hard-coded to "_up.bat" etc. Of course the content of the batch script could be anything but it doesn't have the same threat like a command embedded in a config file. It's easy for an unsuspecting user to "import" a config file downloaded from somewhere, but to get the batch file into the right location they have to deliberately copy it there. One can say that we treat that action as equivalent to "--script-security 2".

That said, anyone using configs and associated files received from an untrusted party is taking a risk. At the very least do not run the GUI as admin.

As for sending data over the link, not sure I follow. Anything run with user's privileges after the tunnel is established can potentially use the tunnel.

Selva
Re: [Openvpn-users] connecting to management interface from client-connect script?
Hi,

On Wed, Mar 31, 2021 at 3:54 PM Aleksandar Ivanisevic <aleksan...@ivanisevic.de> wrote:
> Hi,
>
> are there any restrictions on contacting the management interface from a
> client-connect script?

OpenVPN is single threaded. The client-connect script blocks and the management interface cannot be serviced until the script returns. In 2.5 you can get around this by using the deferred client-connect feature. See the man page for details. Not supported in 2.4.9.

Selva
Re: [Openvpn-users] ERROR: setrlimit() failed: Operation not permitted (errno=1)
Hi,

On Sat, Mar 20, 2021 at 4:57 PM Gert Doering wrote:
> Hi,
>
> On Sat, Mar 20, 2021 at 12:20:45PM -0400, Selva Nair wrote:
> > We should have probably made this not a FATAL error.
>
> The rules could be twisted a bit ("if uid == 0 then not fatal"), but
> generally speaking, we setrlimit() to avoid running into memory issues
> later on - and if that fails, someone else is imposing restrictions
> on us. So better fail right away than in malloc() later on.

With that patch we increased the capability requirements when using --mlock. mlockall() only requires CAP_IPC_LOCK; it's the added setrlimit() that needs CAP_SYS_RESOURCE. So, someone who has carefully set the mlock limit to, say, 50MB based on their needs, and is using an existing systemd unit file will get an unnecessary error exit.

Anyway let's document the new capability need for using mlock when started with RLIMIT_MEMLOCK < 100MB. And update the included systemd unit file.

Selva
Re: [Openvpn-users] ERROR: setrlimit() failed: Operation not permitted (errno=1)
Hi,

If restricting capabilities, I think you will need to add CAP_SYS_RESOURCE to the bounding set in the systemd unit file.

We should have probably made this not a FATAL error.

Selva

On Sat, Mar 20, 2021 at 12:00 PM tincanteksup wrote:
> It should make no difference but I do not use --user/--group or --chroot
Re: [Openvpn-users] Can command line take multi parameter options? openvpn --remote "ip port" fails
Hi,

On Thu, Mar 18, 2021 at 7:50 PM 8187--- via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> Hello, list,
>
> This is probably obvious to the rest of you, but I am not able to give
> openvpn multi parameter options on the command line:
>
> sudo openvpn --remote "127.0.0.1 10153" --route "162.245.206.244 255.255.255.255 net_gateway" --config=/etc/stunnel/vpn/openvpn.conf

Wrong use of quotes. The correct usage would be

sudo openvpn --remote 127.0.0.1 10153 --route 162.245.206.244 255.255.255.255 net_gateway --config /etc/stunnel/vpn/openvpn.conf

Selva
Re: [Openvpn-users] Windows ovpn server DHCP
Hi,

On Sun, Feb 28, 2021 at 9:51 AM tincanteksup wrote:
> Hi,
>
> Ref: https://forums.openvpn.net/viewtopic.php?f=6=31928
>
> I recall that there is some `netsh` setting that can affect DHCP working
> but I cannot remember what it is or where it was documented.
>
> I believe it is something to do with a `persistent` setting ..

The global setting for dhcp media sense? It can be checked and set by

netsh interface ipv4 show global

and

netsh interface ipv4 set global dhcpmediasense=enabled

Also, --dhcp-renew could force dhcp renewal even if automatic media sense is not working. I do not recall whether we made --dhcp-renew on by default.

Selva
Re: [Openvpn-users] [Openvpn-devel] [Openvpn-devel/users] Debugging Windows based server scripts
Hi,

On Wed, Feb 17, 2021 at 5:38 PM tincanteksup wrote:
> Hi,
>
> due to not being allowed to have scripts "echo data" to the log file
> under Windows, debugging scripts is next to impossible.
>
> I presume there are no compile time options to enable "echo" under Windows ?
>
> Could anybody provide me with a patch to enable "echo" just for the
> purpose of debugging ?
>
> I would like the patch to work for Openvpn 2.5
>
> I understand the risks and I am not distributing OpenVPN binaries.
>
> As justification I make these points:
>
> * Any large distributor of Openvpn binaries could make the change to
> enable "echo" under Windows.
>
> * That distributor could then abuse it as they please.
>
> * I am simply asking for help for the purpose of debugging Open Source
> Software made for the community.

If it's for debugging, why not redirect the output of the scripts? There are several ways of doing this like:

(i) replace the script by a wrapper

@echo off
rem this wrapper calls the actual up_script_orig.bat
call up_script_orig.bat >up_script.log 2>&1
exit /b

(ii) move the script to a function and call it, redirecting o/p

@echo off
call :do_work >up_script.log 2>&1
exit /b

:do_work
@echo on
@rem the original script follows..
@rem end of script
@echo off
exit /b

Selva
Re: [Openvpn-users] Windows GUI user/pass time out
Hi,

Happy to see more documentation. Looks good. Would suggest to replace the tail end "which is internally handled by making the timeout zero. Selva" by "if saved username and password are available." as the timeout = zero thingy is a matter of implementation which could change in future. And, my name is out of place in here..

-- Selva

On Thu, Dec 24, 2020 at 3:20 PM tincanteksup wrote:
>
> On 24/12/2020 19:43, Selva Nair wrote:
> > Hi,
> >
> > On Thu, Dec 24, 2020 at 1:10 PM tincanteksup wrote:
> >
> >> Hi,
> >>
> >> there is a forum thread:
> >> https://forums.openvpn.net/viewtopic.php?f=6=31529#p96550
> >>
> >> Which wants to know if the "enter user/pass timeout" can be configured.
> >
> > The way it works is like this: if username/password is available, the
> > dialog window is prefilled and displayed for 6 seconds. If during that time
> > the user clicks on the window, the timeout is cancelled and the dialog
> > stays on the screen until manually submitted. Otherwise it's
> > auto-submitted after the 6 seconds timeout.
> >
> >> I do not know if there is one or if it can be configured.
> >
> > The 6 seconds value is not configurable. If silent-connection is enabled
> > the dialog is not shown which is internally handled by making the timeout
> > zero.
> >
> > Selva
>
> Thanks for the info.
>
> Added to
> https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI-New#gui-userpass
Re: [Openvpn-users] Windows GUI user/pass time out
Hi,

On Thu, Dec 24, 2020 at 1:10 PM tincanteksup wrote:
> Hi,
>
> there is a forum thread:
> https://forums.openvpn.net/viewtopic.php?f=6=31529#p96550
>
> Which wants to know if the "enter user/pass timeout" can be configured.

The way it works is like this: if username/password is available, the dialog window is prefilled and displayed for 6 seconds. If during that time the user clicks on the window, the timeout is cancelled and the dialog stays on the screen until manually submitted. Otherwise it's auto-submitted after the 6 seconds timeout.

> I do not know if there is one or if it can be configured.

The 6 seconds value is not configurable. If silent-connection is enabled the dialog is not shown which is internally handled by making the timeout zero.

Selva
Re: [Openvpn-users] auth-pam plugin function failed on openvpn 2.5.0
Hi,

On Tue, Nov 3, 2020 at 4:38 PM Jordan Borgner wrote:
> Hello all.
>
> I just installed openvpn 2.5.0 on archlinux. However, I'm having
> problems with the auth-pam plugin. Users are not able to authenticate
> themselves. They will get an error indicating that the password is
> incorrect although it definitely is correct.
>
> I have attached the logfile as well as my server configuration file to
> this mail.
>
> The important message, I think, is:
> ""
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with
> status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
> ""
>
> The mentioned file exists on my filesystem and should have the
> permissions set properly.
>
> ""
> # ls -l /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
> -rwxr-xr-x 1 root root 18K Oct 27 22:03 /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
> ""
>
> Can anyone help me to fix this?

The error does not mean the plugin file is missing -- indeed the server is loading the plugin and attempting authentication using the pam backend. As per the logs, the PAM module "login" is prompting for Password: with echo off and the plugin must be returning the user's password for that query. You can make that more explicit by specifying the expected prompts in the config instead of relying on echo-off meaning password. See the README file distributed with openvpn-plugin-auth-pam.so.

But I see nothing wrong in the logs except that PAM returns authentication failure. Check that the pam module "login" expects nothing more than username and password and look for any errors PAM may be logging through syslog. You can troubleshoot further by capturing the password received by PAM using, say, pam_exec.so and a script[*].

Selva
Re: [Openvpn-users] OpenVPN GUI Windows, OpenVPN running as service
Hi

On Tue, Sep 22, 2020 at 6:51 AM Helmut Schneider wrote:
> On 21.09.2020 at 23:16, Selva Nair wrote:
> > On Mon, Sep 21, 2020 at 9:11 AM Helmut Schneider <jumpe...@gmx.de> wrote:
> > > Hi,
> > >
> > > I'm running OpenVPN GUI as Service on Windows 10.
> >
> > I do not understand what that means. Are you referring to the OpenVPN
> > Interactive Service?
>
> https://openvpn.net/vpn-server-resources/use-openvpn-connect-v3-on-windows-in-service-daemon-mode/
>
> And the GUI seems unavailable in this case unfortunately.

Okay, that's OpenVPN Connect's version of what we call OpenVPNService (or automatic service) in the community edition. If started like that at boot, it's currently not possible to control it using OpenVPN GUI. You may be able to use a third party application named OpenVPN-MI-GUI provided you use the community OpenVPNService. It can control a prestarted instance whereas OpenVPN GUI can only control instances that it starts.

With the commercial OpenVPN Connect, I have no idea how it works, and this is not the right list to ask about it.

Selva
Re: [Openvpn-users] OpenVPN GUI Windows, OpenVPN running as service
Hi

On Mon, Sep 21, 2020 at 9:11 AM Helmut Schneider wrote:
> Hi,
>
> I'm running OpenVPN GUI as Service on Windows 10.

I do not understand what that means. Are you referring to the OpenVPN Interactive Service?

> When I start the GUI
> the status isn't displayed (not green) although the service is running.

After starting the GUI, you have to right-click on the tray icon and select connect (or config-name->connect if you have multiple configs).

Selva
Re: [Openvpn-users] Facetime bypassing the tunnel
Hi,

I think it's a known "feature" that some apple services including facetime bypass the VPN tunnel. See the link below which is for the connect client, but the community version should behave the same in this particular case.

https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/

Selva

On Wed, Aug 5, 2020 at 5:55 PM Aarti Anand wrote:
>
> Dajka, thank you for responding! I actually have been using an IPv6 over an
> IPv4 tunnel. Do I need to setup an IPv6 tunnel? or IPv6 addresses over an
> IPv4 tunnel should work?
>
> thanks,
>
> --
> Aarti Anand, PhD
> Sr Software Engineer, Advanced Technology Group
> CableLabs, Inc
> Email: a.mun...@cablelabs.com
> Office: +1 303-661-3790
>
> On Wed, Aug 5, 2020 at 3:50 PM Dajka Tamás wrote:
>>
>> Hi,
>>
>> without knowing your exact configuration it's pretty hard to answer. My
>> first guess would be, that your tunnel is IPv4 only, while facetime and
>> hangouts use IPv6 (and the client has an IPv6 address).
>>
>> Cheers,
>>
>> Tom
>>
>> From: Aarti Anand [mailto:aarti.mun...@gmail.com]
>> Sent: Wednesday, August 5, 2020 11:40 PM
>> To: Openvpn-users@lists.sourceforge.net
>> Subject: [Openvpn-users] Facetime bypassing the tunnel
>>
>> Hi all, Facetime is bypassing the tunnel setup via openVPN. Is that
>> expected? Is there any workaround for it?
>>
>> To be precise, I have set up an openVPN client on an iOS device and
>> connected to the openVPN server running on an ubuntu machine. I notice that
>> the Facetime from the iOS device is bypassing the vpn tunnel. Similar
>> behavior with Google hangouts. And wonder if there is a known issue and
>> something obvious that I might be missing. thanks for reading and taking the
>> time to respond.
Re: [Openvpn-users] Join PC with OpenVpn to Active Directory
Hi,

If your VPN establishes a route to the domain controller(s) and the domain name resolves from the client, you can join the domain just as you would do while directly connected to the LAN. For example, if the domain name is example.local, "nslookup example.local" should return the IP addresses of domain controllers, and those IPs should be reachable from the client.

In the most common scenario where the domain controllers are on the server-side LAN, this requires the VPN to set up a route to the server-side LAN, and push a dns server that resolves the domain name. Both of these are described in the OpenVPN howto. See

https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheserversidewhenusingaroutedVPNdevtun

and

https://community.openvpn.net/openvpn/wiki/HOWTO#PushingDHCPoptionstoclients

Selva

On Sun, Jul 19, 2020 at 1:07 PM Fermin Francisco via Openvpn-users wrote:
>
> Good afternoon!
>
> How can I join a PC with openVPN to the Active Directory? Does a
> manual, video, or something like that exist?
>
> José Fermín Francisco Ferreras Registered User #579535 (LinuxCounter.net)
Re: [Openvpn-users] OpenVPN issues with Windows NLA
Hi

On Thu, Jul 2, 2020 at 1:08 PM Marco De Vitis wrote:
> On 01/07/20 21:18, Selva Nair wrote:
>
> > fwiw, try removing the pushed block-outside-dns by adding this to the
> > client config:
> >
> > pull-filter ignore block-outside-dns
>
> Hi,
> I tried this and indeed it fixes the issue, Windows detects internet
> connectivity.
>
> But it introduces a different issue related to my company setup: we have
> internal servers which we need to reach by internal hostname (e.g.
> myhost.companyname) when using the VPN. But when I do not use
> block-outside-dns Windows tries to resolve them using external DNS servers,
> and this will fail.

Yes, removing block-outside-dns is not a real solution and could break resolution of internal names as you see. Though I have setups where it works fine with resolution via both interfaces and connection-specific suffix set on the TAP interface.

> I tried setting the interface metrics to give a higher priority to the
> OpenVPN interface - and so hopefully to its DNS, but the behaviour did not
> change.
>
> At the moment it all seems to be working with the original VPN config
> (block-outside-dns) plus the following two additions by the network guys,
> but it's far from ideal:
>
> 1. The DNS of my LAN (i.e. my home router's IP) has been set as
> default gateway for the OpenVPN interface. But I'll need to remember
> changing it if I connect from elsewhere.

That looks like a strange setting but probably doesn't hurt.

> 2. The company firewall has been configured to allow traffic from the
> VPN client range to Microsoft connectivity check IPs 131.107.255.255 and
> 13.107.4.52. But what if they change? (The firewall is usually configured
> to block any traffic from VPN to external IPs, because the configured
> routes should let this happen through the standard ethernet/wifi interface)

Such weakening of the server-side firewall shouldn't be required as you are not sending any traffic to those IPs via the VPN.

When you use block-outside-dns, the DNS server pushed must be ready to do all name resolutions for you. If it's doing that, and in particular resolving those dns.msftncsi.com etc. involved in ncsi, you should be good. Probably Windows is doing something weird behind our backs.

Have you tried setting a direct route via your router to those two IPs on your machine (instead of on the server-side firewall)? "route add 131.107.255.255 mask 255.255.255.255 192.168.1.1" etc.

Selva
Re: [Openvpn-users] OpenVPN issues with Windows NLA
On Wed, Jul 1, 2020 at 3:18 PM Selva Nair wrote:
>
> Hi,
>
> On Wed, Jul 1, 2020 at 3:09 PM Marco De Vitis wrote:
..
> > But why should this make NLA fail? DNS resolution using the VPN DNS
> > server appears to work fine for every address, including the one which
> > Microsoft uses for the connection check. But the failure is systematic
> > instead.
>
> If the pushed DNS server works for all domains, I'm out of ideas. But
> fwiw, try removing the pushed block-outside-dns by adding this to the
> client config:
>
> pull-filter ignore block-outside-dns
>
> and check the logs to ensure it's ignored. This shouldn't be required,
> and is not ideal, but worth a test.

In case it was not obvious, for this test you also have to remove any block-outside-dns in the client config.

Selva
Re: [Openvpn-users] OpenVPN issues with Windows NLA
Hi,

On Wed, Jul 1, 2020 at 3:09 PM Marco De Vitis wrote:
>
> On 01/07/20 20:21, tincanteksup wrote:
> > The post you made on the forum suggests that you have set a default
> > gateway on the TAP adapter ..
> > Do not do that.
> Well yes, it's an attempt I made because I saw everyone in that thread
> telling that this fixed the issue. But it didn't for me (and I did not
> expect it, actually), so I rolled back to the original configuration.
>
> > We do not have your client config or logs so this is just a guess but
> > do not use --block-outside-dns (if you are).
> At this point, this is most probably the reason: the block-outside-dns
> option is in use. Even if I remove it from the client config, it's
> pushed from the server.
>
> But why should this make NLA fail? DNS resolution using the VPN DNS
> server appears to work fine for every address, including the one which
> Microsoft uses for the connection check. But the failure is systematic
> instead.

If the pushed DNS server works for all domains, I'm out of ideas. But fwiw, try removing the pushed block-outside-dns by adding this to the client config:

pull-filter ignore block-outside-dns

and check the logs to ensure it's ignored. This shouldn't be required, and is not ideal, but worth a test.

Selva
Re: [Openvpn-users] OpenVPN issues with Windows NLA
Hi

On Wed, Jul 1, 2020 at 12:45 PM Jan Just Keijser wrote:
>
> Hi,
>
> On 01/07/20 14:51, Marco De Vitis wrote:
>
> > Hi,
> > I use OpenVPN client 2.4.9 on Windows 10 (v2004), and I have issues with the
> > Network Location Awareness (NLA) Windows service.
> >
> > The issue is essentially described here, even though it dates back to Windows 7:
> > https://docs.microsoft.com/it-it/archive/blogs/the_microsoft_excel_support_team_blog/office-2013-reports-no-internet-connectivity-with-vpn-connection
> >
> > My symptoms are the same: when I connect to my company VPN using OpenVPN,
> > sooner or later (maybe after minutes, maybe hours) the NLA service decides that
> > no internet access is available, I get the "no internet access" tray icon,
> > and some applications do not work as they should, notably Spotify and Office
> > 365 in my case. Nevertheless, all other applications work fine and I can
> > successfully access the web and my company LAN. But those apps refusing to
> > connect are very annoying.
> >
> > When this happens, this script actually finds no failed checks:
> > https://community.spiceworks.com/scripts/show/4340-network-connection-status-indicator-ncsi-test
>
> what happens if you add to your config
>
> route 0.0.0.0 0.0.0.0 vpn_gateway
>
> (or push "route 0.0.0.0 0.0.0.0 vpn_gateway" from the server) ?
>
> that sometimes helps Windows NLA to allow traffic over the VPN.

In this case not all traffic is being sent via the VPN and there is no redirect-gateway def1 in use. Almost all traffic continues to go via the LAN and the default gateway is maintained on that interface. So all those links about broken ncsi don't apply. I suspect DNS through VPN is broken.

Selva
Re: [Openvpn-users] OpenVPN issues with Windows NLA
Hi On Wed, Jul 1, 2020 at 11:21 AM Marco De Vitis wrote: > > Hi, > I use OpenVPN client 2.4.9 on Windows 10 (v2004), and I have issues with the > Network Location Awareness (NLA) Windows service. > > The issue is essentially described here, even though it dates back to Windows > 7: > https://docs.microsoft.com/it-it/archive/blogs/the_microsoft_excel_support_team_blog/office-2013-reports-no-internet-connectivity-with-vpn-connection > > My symptoms are the same: when I connect to my company VPN using OpenVPN, > soon or later (maybe after minutes, maybe hours) the NLA service decides that > no internet access is available, I get the "no internet access" tray icon, > and some applications do not work as they should, notably Spotify and Office > 365 in my case. Nevertheless, all other applications work fine and I can > successfully access the web and my company LAN. But those apps refusing to > connect are very annoying. This is surprising as the routing table shows you are not using redirect-gateway and, except for some server side internal networks and one or two external addresses, all targets are routed in clear via the LAN gateway. > > This is the "ipconfig /all" output when connected to the VPN: > > Configurazione IP di Windows > >Nome host . . . . . . . . . . . . . . : >Suffisso DNS primario . . . . . . . . : .local >Tipo nodo . . . . . . . . . . . . . . : Ibrido >Routing IP abilitato. . . . . . . . . : No >Proxy WINS abilitato . . . . . . . . : No >Elenco di ricerca suffissi DNS. . . . : > > Scheda Ethernet Ethernet: > >Stato supporto. . . . . . . . . . . . : Supporto disconnesso >Suffisso DNS specifico per connessione: >Descrizione . . . . . . . . . . . . . : Realtek PCIe GbE Family Controller >Indirizzo fisico. . . . . . . . . . . : 3C-2C-30-E6-30-91 >DHCP abilitato. . . . . . . . . . . . : Sì >Configurazione automatica abilitata : Sì > > Scheda sconosciuta OpenVPN: > >Suffisso DNS specifico per connessione: >Descrizione . . . . . . . . . . . . . 
: TAP-Windows Adapter V9 >Indirizzo fisico. . . . . . . . . . . : 00-FF-98-72-CE-0F >DHCP abilitato. . . . . . . . . . . . : Sì >Configurazione automatica abilitata : Sì >Indirizzo IPv6 locale rispetto al collegamento . : > fe80::94e8:b4ce:f66f:19ab%20(Preferenziale) >Indirizzo IPv4. . . . . . . . . . . . : 172.28.254.241(Preferenziale) >Subnet mask . . . . . . . . . . . . . : 255.255.255.0 >Lease ottenuto. . . . . . . . . . . . : mercoledì 1 luglio 2020 13:07:27 >Scadenza lease . . . . . . . . . . . : giovedì 1 luglio 2021 13:07:26 >Gateway predefinito . . . . . . . . . : >Server DHCP . . . . . . . . . . . . . : 172.28.254.254 >IAID DHCPv6 . . . . . . . . . . . : 268500888 >DUID Client DHCPv6. . . . . . . . : > 00-01-00-01-24-FE-F3-1A-3C-2C-30-E6-30-91 >Server DNS . . . . . . . . . . . . . : 172.28.254.1 That is the DNS server set on the TAP interface by the VPN. Check whether it's capable of resolving external addresses. Probably what you see is due to inconsistent DNS resolution. I can't say why it works for a while and only some services are affected, but it could happen if 172.28.254.1 gives bogus results for some domains. In particular, see whether "nslookup dns.msftncsi.com 172.28.254.1" resolves to 131.107.255.255 although that may not be conclusive. 
> And here is the output of "route print":
>
> ===
> Elenco interfacce
> 16...3c 2c 30 e6 30 91 ..Realtek PCIe GbE Family Controller
> 20...00 ff 98 72 ce 0f ..TAP-Windows Adapter V9
> 4...4a 5f 99 1a 44 c7 ..Microsoft Wi-Fi Direct Virtual Adapter
> 21...5a 5f 99 1a 44 c7 ..Microsoft Wi-Fi Direct Virtual Adapter #2
> 17...48 5f 99 1a 44 c7 ..Qualcomm QCA9377 802.11ac Wireless Adapter
> 1...Software Loopback Interface 1
> 61...00 15 5d 9c 2e 02 ..Hyper-V Virtual Ethernet Adapter
> ===
>
> IPv4 Tabella route
> ===
> Route attive:
> Indirizzo rete     Mask               Gateway        Interfaccia      Metrica
> 0.0.0.0            0.0.0.0            192.168.1.1    192.168.1.27     35
> 10.3.64.0          255.255.192.0      172.28.254.1   172.28.254.241   259
> 10.3.66.0          255.255.255.0      172.28.254.1   172.28.254.241   259
> 10.3.67.0          255.255.255.0      172.28.254.1   172.28.254.241   259
> 10.3.68.0          255.255.252.0      172.28.254.1   172.28.254.241   259
> 10.3.72.0          255.255.255.128    172.28.254.1   172.28.254.241   259
> 90.84.191.96       255.255.255.255    172.28.254.1   172.28.254.241   259
>
> 127.0.0.0          255.0.0.0          On-link        127.0.0.1        331
> 127.0.0.1          255.255.255.255    On-link        127.0.0.1        331
>
Re: [Openvpn-users] graceful client disconnect
> Thanks, Almost perfect! ;) Now, is there a way to send RESTART control
> message only to the specific client, or at least decide in runtime what the
> n parameter will be, as I don’t know in advance whether the server will be
> restarted to rebalance the clients or to change the configuration.

client-kill CID RESTART from management interface will do that. RESTART is the default, another option being HALT. Where CID is the actual cid of the client.

I am not sure whether this can be used to force move the client to the next remote.

Selva
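The CID has to be read from the server before client-kill can be issued. The following is an added example, not code from the OpenVPN project or from this thread: it pulls the CID for a given common name out of a "status 3" listing (locating the "Client ID" column by its header rather than by position) and builds the client-kill line with RESTART or HALT. It assumes "management 127.0.0.1 7505" without a password in the server config; the status listing embedded below is a constructed sample, not a real capture.

```python
"""Look up a client's CID from 'status 3' and build/send client-kill.
Added example, not OpenVPN project code. Assumes an OpenVPN 2.4+ server
with 'management 127.0.0.1 7505' (no management password)."""
import socket

# Constructed sample of a tab-separated 'status 3' listing (not a capture).
SAMPLE_STATUS = "\n".join([
    "TITLE\tOpenVPN 2.4.9 [constructed sample]",
    "TIME\t2020-05-26 20:33:00\t1590525180",
    "HEADER\tCLIENT_LIST\tCommon Name\tReal Address\tVirtual Address\t"
    "Virtual IPv6 Address\tBytes Received\tBytes Sent\tConnected Since\t"
    "Connected Since (time_t)\tUsername\tClient ID\tPeer ID",
    "CLIENT_LIST\talice\t203.0.113.10:41234\t10.8.0.6\t\t1234\t5678\t"
    "2020-05-26 19:00:00\t1590519600\tUNDEF\t7\t0",
    "CLIENT_LIST\tbob\t198.51.100.5:51000\t10.8.0.10\t\t99\t88\t"
    "2020-05-26 19:30:00\t1590521400\tUNDEF\t12\t1",
    "END",
])


def parse_client_ids(status_text):
    """Map common name -> CID. The column index comes from the HEADER line,
    so a changed column order does not silently return the wrong field."""
    cids = {}
    cid_col = None
    for line in status_text.splitlines():
        fields = line.split("\t")
        if fields[0] == "HEADER" and len(fields) > 1 and fields[1] == "CLIENT_LIST":
            if "Client ID" in fields:
                # HEADER rows carry one extra leading field ("HEADER")
                # compared with CLIENT_LIST data rows, hence the -1.
                cid_col = fields.index("Client ID") - 1
        elif fields[0] == "CLIENT_LIST" and cid_col is not None:
            cids[fields[1]] = int(fields[cid_col])
    return cids


def build_client_kill(cid, action="RESTART"):
    """RESTART (the default) makes the client reconnect; HALT stops it."""
    if action not in ("RESTART", "HALT"):
        raise ValueError("action must be RESTART or HALT")
    return "client-kill %d %s" % (cid, action)


def read_until_end(f):
    """Collect reply lines up to the terminating 'END' line."""
    lines = []
    while True:
        line = f.readline()
        if not line or line.rstrip("\n") == "END":
            return "\n".join(lines)
        lines.append(line.rstrip("\n"))


def kill_client(common_name, action="RESTART", host="127.0.0.1", port=7505):
    """Ask the management interface to disconnect one client by name."""
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rw", newline="\n")
        f.readline()                          # ">INFO:..." greeting
        f.write("status 3\n")
        f.flush()
        cids = parse_client_ids(read_until_end(f))
        if common_name not in cids:
            raise KeyError("no connected client named %r" % common_name)
        f.write(build_client_kill(cids[common_name], action) + "\n")
        f.flush()
        return f.readline().strip()           # "SUCCESS: ..." or "ERROR: ..."


if __name__ == "__main__":
    print(parse_client_ids(SAMPLE_STATUS))    # {'alice': 7, 'bob': 12}
```

With duplicate-cn in use several clients share a common name and the map keeps only the last one listed, so key on the real address instead in that case.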
Re: [Openvpn-users] syslog, drop Port Sharing Messages
Hi,

Try this: from a command line run

$ /usr/bin/logger -t test some message

If that generates two messages you know it's not openvpn but the syslog setup. Maybe something is not right in (r)syslog.conf, rsyslog.conf.d/* etc? logger defaults to user.notice so you may want to try it with the -p option to test other priorities as well. That may give a clue.

Selva

On Tue, May 26, 2020 at 8:33 PM Morris, Russell wrote:
> You may be on to something ... . I'm not running journald though (I
> don't think ... just checked via ps, not seeing it at least).
>
> I did try something, based on your comments. I created a short script
> (below), configured OpenVPN up to call it (on client-connect),
> #!/bin/sh
> echo "`date` OpenVPN connect ... " >> /root/openvpn.txt
> logger -t ovpn-conn-change "$script_type - $common_name / $ifconfig_pool_remote_ip"
>
> Then, I watched two things,
> 1) tail -f openvpn.txt => only a single entry here on connect, as expected!
> 2) tcpdump -nnAs0 -i alc0.5 host (ip addr) and port 514 | grep ovpn-conn-change => shows up twice here!
>
> So it seems the call is happening once, but 2x the entries to syslog.
> Actually, I see that for all (OpenVPN) messages. Hmmm.
>
> Will keep digging, thanks!
>
> ... Russell
>
> -Original Message-
> From: Selva Nair
> Sent: Tuesday, May 26, 2020 1:56 PM
> To: Morris, Russell
> Cc: David Sommerseth ; openvpn users list (openvpn-users@lists.sourceforge.net) <openvpn-users@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] syslog, drop Port Sharing Messages
>
> Hi
>
> On Tue, May 26, 2020 at 2:28 PM Morris, Russell wrote:
> >
> > It's possible, I won't say it's not ... LOL. FYI, all I did was add
> > this to the server config file (for testing for now), client-connect
> "/usr/bin/logger -t openvpn client connect successful"
> >
> > And then I monitored network traffic ... tcpdump on the (syslog) sender
> and receiver end.
> I see the double messages both places (I started looking
> because of seeing them on the receiver, didn't believe it initially ...
> LMAO).
>
> This could be systemd (I like to blame it :) duplicating the logger
> message -- do you have journald running?
>
> Selva
Re: [Openvpn-users] syslog, drop Port Sharing Messages
Hi

On Tue, May 26, 2020 at 2:28 PM Morris, Russell wrote:
>
> It's possible, I won't say it's not ... LOL. FYI, all I did was add this to
> the server config file (for testing for now),
> client-connect "/usr/bin/logger -t openvpn client connect successful"
>
> And then I monitored network traffic ... tcpdump on the (syslog) sender and
> receiver end. I see the double messages both places (I started looking
> because of seeing them on the receiver, didn't believe it initially ... LMAO).

This could be systemd (I like to blame it :) duplicating the logger message -- do you have journald running?

Selva
Re: [Openvpn-users] weird floating requests when restarting server
Hi

On Mon, May 25, 2020 at 1:28 PM Aleksandar Ivanisevic wrote:
>
> Hi,
>
> every time I restart the server (2.4.7 from debian 10.4) i see weird floating
> requests, e.g.
>
> May 22 19:27:52 qbs01 openvpn[16384]: Float requested for peer 1 to
> 1.2.3.4:5002
>
> followed immediately by
>
> May 22 19:27:52 server openvpn[16384]: TLS Error: local/remote TLS keys are
> out of sync: [AF_INET]5.6.7.8:9249 (via [AF_INET]192.168.2.3%vdsl) [6]
>
> it is physically impossible that anything floats to the IP above as this is a
> fixed IP that never floats and always belongs to the client YYY
>
> i thought nothing of it, as it everything would eventually resolve, until
> yesterday...
>
> May 22 19:28:06 server openvpn[16384]: XXX/1.2.3.4:5002 TLS Auth Error: TLS
> object CN attempted to change from ‘XXX' to ‘YYY' -- tunnel disabled
>
> remote client got
>
> May 22 19:28:07 YYY openvpn[492871]: AUTH: Received control message:
> AUTH_FAILED
> May 22 19:28:08 YYY openvpn[492871]: SIGTERM[soft,exit-with-notification]
> received, process exiting
>
> and that was it, game over, my VPN was down the whole night until someone
> woke me up at 5:30am Saturday morning and I restarted the client.
>
> how is this possible? YYY always has the same IP and port 1.2.3.4:5002, the
> float requests to it are from random other clients, different every time.

Probably related to Trac 1272? See https://community.openvpn.net/openvpn/ticket/1272

If so, this was recently fixed in 2.4 and master -- should be in the 2.4.9 release.

Selva
Re: [Openvpn-users] syslog, drop Port Sharing Messages
Hi Russell,

All good here though still in lockdown..

In my limited experience, sslh works fine. That said, OpenVPN --port-share also works well for me, though I've seen reports that it's "slow" in passing the connection over to the alternate service. In the rare occasions where I have to use port sharing, I prefer sslh as it's meant to do just that (port multiplexing) and can also support multiple services. But haven't done any customized logging from it as that's your main concern.

Best,
Selva

On Sun, May 24, 2020 at 9:18 PM Morris, Russell wrote:
>
> Hi Selva!
>
> Good to hear from you. Hope all is going well there - and hope you and your
> family are staying safe.
>
> Thanks for the info - will give this a try. Have you used it BTW? And do you
> see it as faster / lower CPU load?
>
> Thanks again,
> ... Russell
>
> -Original Message-
> From: Selva Nair
> Sent: Sunday, May 24, 2020 4:35 PM
> To: Morris, Russell
> Cc: openvpn users list (openvpn-users@lists.sourceforge.net)
> Subject: Re: [Openvpn-users] syslog, drop Port Sharing Messages
>
> Hi Russell,
>
> Greetings!
>
> > Perhaps a dumb question, but I’m setting up a Graylog (syslog) server, and
> > finding that I see a lot of records like the one below – I believe because
> > I’m port sharing (and have to, not really an option there). Just to make
> > sure though … I think it’s pretty safe to just dump these, is that right?
> > And really, to avoid the extra processing – is there a way to not even have
> > the OpenVPN server generate them (as I know I’m port sharing … LOL).
> >
> > ip.ip.ip.ip:port Non-OpenVPN client protocol detected
>
> I don't think it can be suppressed short of using verb 0. Not sure why it's
> printed even at low verb levels. Another option may be to use something like
> sslh to do the port redirection -- supposedly faster than OpenVPN's
> --port-share and supports ssh as well.
> https://github.com/yrutschle/sslh/
>
> Selva
Re: [Openvpn-users] syslog, drop Port Sharing Messages
Hi Russell,

Greetings!

> Perhaps a dumb question, but I’m setting up a Graylog (syslog) server, and
> finding that I see a lot of records like the one below – I believe because
> I’m port sharing (and have to, not really an option there). Just to make sure
> though … I think it’s pretty safe to just dump these, is that right? And
> really, to avoid the extra processing – is there a way to not even have the
> OpenVPN server generate them (as I know I’m port sharing … LOL).
>
> ip.ip.ip.ip:port Non-OpenVPN client protocol detected

I don't think it can be suppressed short of using verb 0. Not sure why it's printed even at low verb levels. Another option may be to use something like sslh to do the port redirection -- supposedly faster than OpenVPN's --port-share and supports ssh as well.

https://github.com/yrutschle/sslh/

Selva
Re: [Openvpn-users] disable "auth-nocache" by push?
Hi

On Mon, May 4, 2020 at 8:51 AM Dajka Tamás wrote:
> Hi,
>
> is it possible to disable „auth-nocache” in the client by a PUSH message?
> I mean, if the „auth-nocache” is SET in the client.conf to „reenable”
> credentials caching. What’s the logic behind? When we deployed the clients
> we did set ’auth-nocache’ as a security measurement. However, we want to
> use auth-token now beside OTP, but changing all the clients will take some
> (unneeded) time.

A patch that automatically removes auth-nocache when an auth-token is pushed has been merged to 2.4 and master a long while ago. It should be in recent 2.4 releases.

> Secondly, is it allowed/possible to set „reneg-sec” by a PUSH message?
> (reneg-sec is not set currently in the client.conf, has the default value
> of 3600)

I think it's not pushable. What I do is to set reneg-sec 0 on client so that the value on server gets used. Effective reneg-sec is determined by the lowest value in server and client with zero meaning "infinity" allowing the server to control the actual value.

Selva
Re: [Openvpn-users] OTP + auth-token
Hi,

On Thu, Apr 30, 2020 at 2:41 PM Dajka Tamás wrote:
> Hi Selva,
>
> thank you for your reply. Please help me, how can I set a token from
> management-client? Should I generate a token, store it and use
> ’client-auth’ + ’auth-token $token’ + ’END’ simply? (and verify it upon
> REAUTH)

Essentially yes -- see management docs on how to pass client specific options using multi-line client-auth... END directive. You will also need to implement logic for token expiry etc. But first get it to work without any token by assuming REAUTH with a previously authorized client id means already authenticated and sending client-auth-nt. In that case you can force a full auth when needed by sending a "client-deny reason" which will trigger a new auth dialog at the client side.

Selva

> Thanks,
>
> Tom
>
> *From:* Selva Nair [mailto:selva.n...@gmail.com]
> *Sent:* Thursday, April 30, 2020 8:10 PM
> *To:* Dajka Tamás
> *Cc:* openvpn users list (openvpn-users@lists.sourceforge.net) <openvpn-users@lists.sourceforge.net>
> *Subject:* Re: [Openvpn-users] OTP + auth-token
>
> Hi,
>
> On Thu, Apr 30, 2020 at 11:16 AM Dajka Tamás wrote:
> Hi All,
>
> I assume the issue from 2017 with auth-nocache + auth-token still exists.
> However, I’ve bumped into something, which I cannot understand. Same setup
> with OTP, but removed the ’auth-nocache’ from the client.conf.
>
> I would suggest not to use auth-gen-token along with
> management-client-auth. It has never been tested and in my experience
> auth-gen-token is just too buggy. A number of bugs/misbehaviours have been
> fixed in later patches but I have lost track of what is fixed and what
> remains, let alone what is yet unknown
>
> With management client-auth you can handle REAUTH in your management
> client, set a token from there, so auth-gen-token is not really necessary.
> > > > > > In server.conf the following is set: > > > > reneg-sec 18000 > > auth-gen-token 39600 > > > > In the client.conf: > > > > reneg-sec 18000 > > (auth-nocache is NOT set) > > > > This is a TAP setup with external DHCP server (needed for client proxy > setting push). Management-client-auth is used with ’client-auth-nt’ on > server side (works ok, but I don’t see any ’REAUTH’ message in logs – I > assuem this is due to the token auth) > > > > I’ve connected to the server at 10:30: > > > > Thu Apr 30 10:30:43 2020 us=121829 MANAGEMENT: > >STATE:1588235443,CONNECTED,SUCCESS,,SERVER_IP,443,192.168.0.52,54937 > > > Next messages in client log (these should be the DHCP periodic messages, > dhcp-lease-time 14400; max-lease-time 43200): > > > > Thu Apr 30 12:30:39 2020 us=429095 Extracted DHCP router address: > 10.14.12.1 > > Thu Apr 30 14:30:39 2020 us=62016 Extracted DHCP router address: 10.14.12.1 > > > > At 15:30 the key expired (18000s = 5 hours), data-connetion reinitiated > (’TLS: soft reset’ + ’TLS: Username/auth-token authentication succeeded for > username’ in server.log ) : > > > > Thu Apr 30 15:30:33 2020 us=405908 Outgoing Data Channel: Cipher > 'AES-256-GCM' initialized with 256 bit key > > Thu Apr 30 15:30:33 2020 us=405908 Incoming Data Channel: Cipher > 'AES-256-GCM' initialized with 256 bit key > > Thu Apr 30 15:30:33 2020 us=406908 Control Channel: TLSv1.2, cipher > TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1 > > > > However, at 16:30 I got disconnected, which I did not understand (same > message in client.log and server.log): > > > > Thu Apr 30 16:30:31 2020 us=11284 TLS: tls_process: killed expiring key > > Thu Apr 30 16:30:31 2020 us=876533 Connection reset, restarting [0] > > > > The disconnection 1 hour after reneg appears to indicate the session did > not get replaced by the newly negotiated one and the connection continued > with the old session key. 
> I think the previous session key is only kept for
> 1 hour after a reneg is triggered (this 1 hour is unrelated to reneg-sec),
> that would explain why the connection dies at that point. This is just a
> guess, not sure how to confirm this or why this happens.
>
> I would first test the setup without auth-gen-token and use REAUTH to
> identify when to re-authenticate the user.
>
> Selva
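A minimal version of the token handling discussed in this thread (issue a token at CONNECT, accept it at REAUTH until it expires, deny to force a fresh password/OTP prompt), added here as an example and not taken from OpenVPN or from the poster's setup. It assumes management-client-auth on the server and the ">CLIENT:CONNECT,CID,KID" / ">CLIENT:ENV,name=value" / ">CLIENT:ENV,END" notification format from management-notes.txt; the credential table, the twelve-hour lifetime and the push "auth-token ..." line used to deliver the token are assumptions for the example, and the events fed to it are constructed.

```python
"""Token-based REAUTH handling for an OpenVPN management client.
Added example, not OpenVPN project code; see the lead-in for assumptions."""
import hmac
import secrets
import time

TOKEN_LIFETIME = 12 * 3600          # seconds (assumed for this example)

# Constructed stand-in for an external verifier (PAM, LDAP, OTP check ...).
# The value is "password OTP" as one string, as the user typed it.
DEMO_USERS = {"alice": "hunter2 123456"}


def demo_verify(username, password):
    """Constant-time comparison against the constructed table."""
    expected = DEMO_USERS.get(username, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


def parse_client_event(block):
    """Parse one >CLIENT: notification block into (kind, cid, kid, env)."""
    lines = block.strip().splitlines()
    head = lines[0]
    if not head.startswith(">CLIENT:"):
        raise ValueError("not a >CLIENT: notification: %r" % head)
    parts = head[len(">CLIENT:"):].split(",")
    kind = parts[0]
    cid = int(parts[1])
    kid = int(parts[2]) if len(parts) > 2 else None   # DISCONNECT has no KID
    env = {}
    for line in lines[1:]:
        if not line.startswith(">CLIENT:ENV,"):
            continue
        body = line[len(">CLIENT:ENV,"):]
        if body == "END":
            break
        name, _, value = body.partition("=")
        env[name] = value
    return kind, cid, kid, env


class TokenAuth:
    """Issue a token at CONNECT and accept it at REAUTH until it expires."""

    def __init__(self, verify, now=time.time, lifetime=TOKEN_LIFETIME):
        self.verify = verify            # callable(username, password) -> bool
        self.now = now                  # injectable clock, for testing
        self.lifetime = lifetime
        self.tokens = {}                # cid -> (username, token, expires_at)

    def on_event(self, kind, cid, kid, env):
        """Return the reply to send on the management channel, or None."""
        user = env.get("username", "")
        secret = env.get("password", "")
        if kind == "CONNECT":
            if not self.verify(user, secret):
                return 'client-deny %d %d "bad credentials" "Authentication failed"' % (cid, kid)
            token = secrets.token_urlsafe(24)
            self.tokens[cid] = (user, token, self.now() + self.lifetime)
            # Client-specific options go between client-auth and END; the
            # push line carrying the token is an assumed form.
            return 'client-auth %d %d\npush "auth-token %s"\nEND' % (cid, kid, token)
        if kind == "REAUTH":
            entry = self.tokens.get(cid)
            if (entry and entry[0] == user
                    and hmac.compare_digest(entry[1].encode(), secret.encode())
                    and self.now() < entry[2]):
                return "client-auth-nt %d %d" % (cid, kid)
            # Unknown, wrong or expired token: deny, which makes the client
            # ask the user for a fresh password/OTP instead of retrying.
            self.tokens.pop(cid, None)
            return 'client-deny %d %d "token expired" "Please log in again"' % (cid, kid)
        if kind == "DISCONNECT":
            self.tokens.pop(cid, None)
        return None


# Constructed sample events, for a stand-alone run.
SAMPLE_CONNECT = (">CLIENT:CONNECT,3,0\n>CLIENT:ENV,username=alice\n"
                  ">CLIENT:ENV,password=hunter2 123456\n>CLIENT:ENV,END\n")

if __name__ == "__main__":
    auth = TokenAuth(demo_verify)
    print(auth.on_event(*parse_client_event(SAMPLE_CONNECT)))
```

On REAUTH the client sends the token in place of the password with the same username, which is why the check compares both; the token store is keyed by CID, so a client that reconnects gets a new CID and goes through the full CONNECT path again.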
Re: [Openvpn-users] OTP + auth-token
Hi, On Thu, Apr 30, 2020 at 11:16 AM Dajka Tamás wrote: > Hi All, > > > > I assume the issue from 2017 with auth-nocache + auth-token still exists. > However, I’ve bumped into something, which I cannot understand. Same setup > with OTP, but removed the ’auth-nocache’ from the client.conf. > I would suggest not to use auth-gen-token along with management-client-auth. It has never been tested and in my experience auth-gen-token is just too buggy. A number of bugs/misbehaviours have been fixed in later patches but I have lost track of what is fixed and what remains, let alone what is yet unknown With management client-auth you can handle REAUTH in your management client, set a token from there, so auth-gen-token is not really necessary. > > In server.conf the following is set: > > > > reneg-sec 18000 > > auth-gen-token 39600 > > > > In the client.conf: > > > > reneg-sec 18000 > > (auth-nocache is NOT set) > > > > This is a TAP setup with external DHCP server (needed for client proxy > setting push). 
Management-client-auth is used with ’client-auth-nt’ on > server side (works ok, but I don’t see any ’REAUTH’ message in logs – I > assuem this is due to the token auth) > > > > I’ve connected to the server at 10:30: > > > > Thu Apr 30 10:30:43 2020 us=121829 MANAGEMENT: > >STATE:1588235443,CONNECTED,SUCCESS,,SERVER_IP,443,192.168.0.52,54937 > > > Next messages in client log (these should be the DHCP periodic messages, > dhcp-lease-time 14400; max-lease-time 43200): > > > > Thu Apr 30 12:30:39 2020 us=429095 Extracted DHCP router address: > 10.14.12.1 > > Thu Apr 30 14:30:39 2020 us=62016 Extracted DHCP router address: 10.14.12.1 > > > > At 15:30 the key expired (18000s = 5 hours), data-connetion reinitiated > (’TLS: soft reset’ + ’TLS: Username/auth-token authentication succeeded for > username’ in server.log ) : > > > > Thu Apr 30 15:30:33 2020 us=405908 Outgoing Data Channel: Cipher > 'AES-256-GCM' initialized with 256 bit key > > Thu Apr 30 15:30:33 2020 us=405908 Incoming Data Channel: Cipher > 'AES-256-GCM' initialized with 256 bit key > > Thu Apr 30 15:30:33 2020 us=406908 Control Channel: TLSv1.2, cipher > TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1 > > > > However, at 16:30 I got disconnected, which I did not understand (same > message in client.log and server.log): > > > > Thu Apr 30 16:30:31 2020 us=11284 TLS: tls_process: killed expiring key > > Thu Apr 30 16:30:31 2020 us=876533 Connection reset, restarting [0] > The disconnection 1 hour after reneg appears to indicate the session did not get replaced by the newly negotiated one and the connection continued with the old session key. I think the previous session key is only kept for 1 hour after a reneg is triggered (this 1 hour is unrelated to reneg-sec), that would explain why the connection dies at that point. This is just a guess, not sure how to confirm this or why this happens. 
I would first test the setup without auth-gen-token and use REAUTH to identify when to re-authenticate the user.

Selva
Re: [Openvpn-users] Google OTP With auth-user-pass-verify (2FA)
On Fri, Apr 24, 2020 at 7:10 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 21/04/2020 20:34, Selva Nair wrote: > > Hi, > > > > On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair < > vertigo.alt...@gmail.com > > <mailto:vertigo.alt...@gmail.com>> wrote: > > > > Hi OpenVPN People, > > I have a OpenVPN server, in this server, I'm authenticating users > with my > > external program (via --auth-user-pass-verify option). There is no > problem > > in this situation. > > I want to add Two Factor Auth. with google-authenticator. > > I guess the process be like; > > A client enters these creds; > > username > > password + [OTP] > > Firstly, my external program checks if username password combination > is > > true and after google-authenticator checks if one-time-password is > true. > > How can I achieve this? I tried some cases with Google-Authenticator > but I > > could only authenticate with adding user to system.) > > > > > > I prefer to prompt for password and OTP separately using static-challenge > > instead of using some custom way of combining the two. This is how that > would > > work. > > > > In client configs add > > --auth-user-pass > > --static-challenge "Enter the authentication code (OTP) : " 1 > > > > Change the static challenge prompt to suit your needs. Then the client > will > > prompt the user for username, password and OTP in that order. If using a > GUI > > like the OpenVPN-Windows-GUI this will happen through a dialog, else on > the > > command line. > > > > On server, have a pam config file, say, /etc/pam/ovpn with appropriate > stacked > > auth entries -- as you would do for using google-authenticator for local > > logins. Assuming your pam set up will prompt for login:, password: and > pin:, > > on the server config file you will need > > > > plugin "ovpn login: USERNAME > password: > > PASSWORD pin: OTP" > > > > For PAM, that will be more tricky than you would expect. 
> > FreeIPA supports enabling OTP on only some accounts (or the reverse, > disabling > it on specific accounts). But it does the split between password ("First > Factor:") and the OTP ("Second Factor:") where the second factor can even > be > set to be optional. An example: > >$ su - user >Passord: > >$ su - otpuser >First Factor: >Second Factor: > >$ su - otpoptional >First Factor: >Second Factor (optional): > > So in this case, it would be needed to use the dynamic challenge-response > protocol, where it gets a bit more complicated for the auth-pam module. > Should we do it? We probably should. > > IIRC, the PAM module as it is today should support getting the OTP token > as an > extension to the password. If it is optional, it would pass on just a > correct > password or a correct password with a correct OTP added at the end - as you > would expect. > Not sure what you mean by that. The PAM plugin in 2.5 perfectly supports static challenge protocol and password and otp are passed on to pam conversation separately, not as otp added to password. Stacked pam modules with one asking for username and password, followed by another asking for otp works with no further modifications. Pretty easy to set up for anyone familiar with PAM. But yes, we should extend the plugin to support dynamic challenge. We have to get the pending patch for sending auth-failure "reason" from plugins back to client first -- currently only management client-auth can do that. Selva ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Google OTP With auth-user-pass-verify (2FA)
Hi,

On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair wrote:
> Hi OpenVPN People,
> I have a OpenVPN server, in this server, I'm authenticating users with my
> external program (via --auth-user-pass-verify option). There is no problem
> in this situation.
> I want to add Two Factor Auth. with google-authenticator.
> I guess the process be like;
> A client enters these creds;
> username
> password + [OTP]
> Firstly, my external program checks if username password combination is
> true and after google-authenticator checks if one-time-password is true.
> How can I achieve this? I tried some cases with Google-Authenticator but I
> could only authenticate with adding user to system.)

I prefer to prompt for password and OTP separately using static-challenge instead of using some custom way of combining the two. This is how that would work.

In client configs add

--auth-user-pass
--static-challenge "Enter the authentication code (OTP) : " 1

Change the static challenge prompt to suit your needs. Then the client will prompt the user for username, password and OTP in that order. If using a GUI like the OpenVPN-Windows-GUI this will happen through a dialog, else on the command line.

On server, have a pam config file, say, /etc/pam/ovpn with appropriate stacked auth entries -- as you would do for using google-authenticator for local logins. Assuming your pam set up will prompt for login:, password: and pin:, on the server config file you will need

plugin "ovpn login: USERNAME password: PASSWORD pin: OTP"

That instructs the plugin to answer the prompts "login:" , "password:" and "pin:" by the username, password and static challenge response provided by the client. Replace the prompt text by the actual prompts that the pam setup will issue.

Selva
Re: [Openvpn-users] crl-verify [SOLVED]
Hi,

On Thu, Apr 16, 2020 at 10:41 PM tincanteksup wrote:
>
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.

What the ideal format should be is arguable, but the "source" is not in hex. Serial number is an "INTEGER" with no more than 20 octets and may be, say, DER encoded in the certificate. Decimal, hex etc are just string representations used for display. With hex there are multiple formats out there, like upper case, lower case, optionally separated by space or :, with a leading 0x etc. "openssl x509 -serial ..." prints it as hex in upper case with no spaces, "openssl x509 -text .." has it in decimal with hex in parenthesis if the number is small (< 4 bytes?), otherwise as a lower case hex string with bytes separated by ":". And, there is no guarantee that these will not change in future.

I'm not saying decimal string is better. The representation is unambiguous as a set of digits with no spaces and no leading zeros. But it may not be easy for an end user to get the decimal value. If we consider supporting hex, we'll first need to agree on the format.

Selva
Re: [Openvpn-users] crl-verify
Hi,

> > If the optional dir flag is specified, enable a different mode where
> > crl is a directory containing files named as revoked serial numbers
> > (the files may be empty, the contents are never read). If a client
> > requests a connection, where the client certificate serial number
> > (decimal string) is the name of a file present in the directory, it
> > will be rejected.
>
> Ok, here we go:
>
> # grep crl-verify /etc/openvpn/server.conf
> crl-verify /etc/openvpn/crl dir
>
> I'd like to block cert with serial number 0B:
>
> # openssl x509 -noout -serial -in test.crt | \
> sed 's/.*=//g;s/../&:/g;s/:$//'
> 0B
>
> AFAIU the manpage I only have to touch the file:
>
> # touch /etc/openvpn/crl/0B

IIRC, you have to use the decimal representation of the serial.

Selva
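The decimal-versus-hex point made here, and in the [SOLVED] follow-up above, is easy to get wrong by hand (the touched file would need to be named 11, not 0B). The following is an added example, not OpenVPN or OpenSSL code: it converts the serial forms that "openssl x509 -serial" and "openssl x509 -text" print ("serial=0B", "11 (0xb)", "0a:ff:...", bare hex with or without 0x) into the decimal string the dir mode expects, goes back the other way, and creates the marker file. A bare digit string with no label is treated as hex, since that is what -serial emits.

```python
"""Convert X.509 serial numbers between OpenSSL's printed forms and the
decimal file name 'crl-verify <dir> dir' mode looks for.
Added example, not OpenVPN or OpenSSL code."""
import os
import re

_LABEL = re.compile(r"^serial( number)?\s*[:=]\s*", re.IGNORECASE)
_DEC_WITH_HEX = re.compile(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)")


def serial_to_decimal(text):
    """Return the serial as decimal digits with no leading zeros.

    A bare digit string is treated as HEX, because that is what
    'openssl x509 -serial' prints; "11" therefore means 0x11 = 17.
    """
    s = _LABEL.sub("", text.strip())          # drop "serial=" / "Serial Number:"
    m = _DEC_WITH_HEX.fullmatch(s)            # "11 (0xb)": decimal is authoritative
    if m:
        return str(int(m.group(1), 10))
    s = re.sub(r"^0x", "", s, flags=re.IGNORECASE)
    s = re.sub(r"[\s:]", "", s)               # strip ':' or space byte separators
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError("unrecognised serial: %r" % text)
    return str(int(s, 16))


def serial_decimal_to_hex(dec):
    """Inverse: decimal string -> upper-case hex with an even digit count,
    as 'openssl x509 -serial' would print it."""
    n = int(dec, 10)
    if n < 0:
        raise ValueError("serial must be non-negative")
    h = "%X" % n
    return h if len(h) % 2 == 0 else "0" + h


def revoke_in_dir(crl_dir, serial_text):
    """Create the (empty) marker file OpenVPN looks for; returns its name."""
    name = serial_to_decimal(serial_text)
    with open(os.path.join(crl_dir, name), "a"):
        pass
    return name


if __name__ == "__main__":
    print(serial_to_decimal("serial=0B"))     # 11
    print(serial_decimal_to_hex("11"))        # 0B
```

Because the decimal form carries no marker of its own, keep the file names you create next to the hex serial in whatever record you maintain of revoked certificates, otherwise reconciling the directory against the CA index later means converting every name back.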
Re: [Openvpn-users] Possible to PreSet the Users GUI Profile to Silent Connection
Hi,

On Tue, Apr 7, 2020 at 2:15 PM Colin Ryan wrote:
> Folks,
>
> I'm working with GUI-11 and all is fine. However I'd like to have the
> default GUI configuration for my users be silent (i.e.not have the
> status log window open up with the password dialog)
>
> I realize there is the silent_connect registry entry that is in the HKCU
> registry hive and If I write to this it works, when the installer is
> also the admin account (i.e. most home user cases).

This option is meant to be set by the user from the settings menu. That's why it's in HKCU. I have a low priority TODO item to have some of these options in HKLM as well as a default that users can override. Not yet implemented.

Some options you have are:

(i) Add --silent_connection 1 as an option to the GUI shortcut. This shortcut is common for all users (in Users\Public\Public Desktop on Windows 10).

(ii) Use Active Setup to add the required registry entry in HKCU when the user logs in the next time. I do not recommend this as we want the flexibility for changing these entries in future releases, if required. So treat it as a place where the GUI persists user's settings to be changed only via the UI. Also, (i) is easier to do.

Selva
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
Hi

> > The sha1sums of the two versions of the file are:
> >
> > =
> > $ sha1sum *{program,system32}*tap09*
> > 42189b6a1b8c736397113bfc2283f5e1e1a44e8e failed_program-files_tap0901.sys
> > [the 39,920-byte file]
> > 841a86f416a882b0743fd6d9c9f29baf3ed06b6a failed_system32-drivers_tap0901.sys
> > [the 30,720-byte file]
> > =
> >
> > So.. do you recognize this 30,720-byte file at all, or have any ideas
> > where it might have originated from?
>
> It occurred to me that even though we don't need to install OpenVPN on a
> Windows 7 box I could go ahead and download the Win7 installer and
> see if the embedded TAP driver files match the ones included there.
>
> Short answer: yes, the mystery files are exactly the same as the ones in
> that installer.
>
> So, that doesn't really tell us how those driver files got installed on
> the box before OpenVPN was ever installed -- but at least it tells us
> exactly which files were involved

Is it possible that the user might have mistakenly installed the Windows 7 version of 2.4.8 on this machine before the reset? The fact that the offending .sys file and inf came back via the ~BT folder seems to indicate it was saved by the reset process and then copied back in. It could be that the process was not really a factory reset (not sure whether you already said otherwise) or the factory version has some program that distributes this driver with the same inf file. Though it would sound strange to distribute a cross-signed driver with Windows 10, there are some old flavours of Windows 10 where such a driver works, iirc.

Can you check whether the offending .sys is in use by any devices? The driverquery utility in Windows 10 may help.

The two versions using identical inf file is what makes it hard to fix it by just reinstalling the correct Windows 10 release.

Selva
Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared
Hi,

On Fri, Apr 3, 2020 at 5:06 PM Nathan Stratton Treadway wrote:
>
> As I mentioned in the previous email, the
> emvista.inf_amd64_6d4bec28a2ef0cdf has a timestamp which coincides with
> the moment that the OpenVPN installer was being run.
>
> However, I noticed that the oem43.inf file does have an earlier
> timestamp:
>
> =
> Directory of c:\windows\inf
> 03/26/2020 04:03 PM 7,537 oem43.inf
> 03/27/2020 11:09 AM 8,828 oem43.PNF
> =
>
> ... though weirdly Windows on that box was reinstalled in the _morning_ of
> 3/26, and 16:03 doesn't correspond to any entries at all in the
> setupapi.dev.log file (which jumps from 2020/03/26 12:30:18 in one entry
> to 2020/03/27 07:50:45 in the next). So it doesn't quite seem like
> oem43.inf would have been created during the initial reinstall of
> Windows, but I also don't know what would have created it later that
> day...
>
> The c:\windows\inf\oem43.inf file is identical to the one in C:\Program
> Files\TAP-Windows\driver:
>
> =
> $ sha1sum failed_windows-inf_oem43.inf failed_program-files_OemVista.inf
> d85f4e65fe10f13ded1780ddbd074edfc75f2d25 failed_windows-inf_oem43.inf
> d85f4e65fe10f13ded1780ddbd074edfc75f2d25 failed_program-files_OemVista.inf
> =
>
> ... but I suppose that might just indicate that the Win7 and Win10
> versions of that file are identical (if in fact the \windows\inf\ copy
> came from the Win7 drivers somehow).

I can confirm that a previously installed cross-signed version of tap0901.sys does cause the behaviour reported here. I did the following:

On a Win10 machine with openvpn 2.4.8 installed and working

(i) Install the 2.4.8 Windows 7 release --> installation success, OpenVPN continues to work
The tap driver properties show the attestation signed driver is still in use although that's not what is in C:\Program Files\Tap-Windows\driver at this point.
(ii) Delete all adapters, clean up using samuli's powershell script (this is important) and run addtap.bat
The run succeeds, but no new adapter is visible; device manager shows the dreaded code52 (signature) error. At this point the driver has changed to the cross-signed (win7) one.

And here is the rub:

(iii) Install the 2.4.8 Windows 10 release on top: this does not fix the problem. setupapi log shows windows is picking the already installed tap0901.sys, not the new one. I don't think just uninstalling the old version first would have helped.

At this point, deltapall.bat, followed by cleanup and addtap.bat, fixes the problem.

So, it looks clear that, somehow, a cross-signed tap driver with an inf file matching what we have in 2.4.8 was present in the system, as Nathan has already concluded. As mistakenly installing the Windows 7 version and trying to correct it without a thorough cleanup could easily happen, we need to do something to avoid such errors in the next release.

Some possibilities (all untested):

(i) In the inf file we have

[SourceDisksFiles]
tap0901.sys = 1

That line could include the file size as

tap0901.sys = 1,,size-of-file

Not very robust as it depends on just the size of the .sys file (assuming it's different).

(ii) Add an identifier to the inf file to make the two versions (win7/win10) different.

(iii) Have the installer delete all tap adapters and do a cleanup before starting installation. This is very invasive and adversely affects those who have multiple adapters, removes customized adapter names etc.

By the way, while the Remove-tapwindows.ps1 script is very handy, it works only if all adapters are first removed using deltapall.bat or something equivalent. Adding that functionality to the script would be very useful.

Regards,
Selva
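A PowerShell check along the lines of Nathan's sha1sum comparison and Selva's driverquery suggestion, added here as an example and not taken from the thread or from the OpenVPN project: it hashes every tap0901.sys it can find, compares each against the two SHA1 values quoted in the thread, shows each file's Authenticode signer, and lists which INF the TAP adapter is currently bound to. The search paths, the `*TAP-Windows*` device-name match and the use of Win32_PnPSignedDriver are my assumptions, not something the thread states.

```powershell
# Added diagnostic (not from the thread or the OpenVPN project): find every
# tap0901.sys on the box, hash it, and flag the copy the thread traced to the
# Windows 7 (cross-signed) installer. Run from an elevated PowerShell prompt.

# SHA1 values quoted by Nathan in the thread: the 30,720-byte file is the one
# he matched to the Windows 7 installer; the 39,920-byte file is the copy left
# in C:\Program Files by the Windows 10 installer.
$KnownHashes = @{
    '841A86F416A882B0743FD6D9C9F29BAF3ED06B6A' = 'matches Windows 7 installer copy (30,720 bytes, cross-signed)'
    '42189B6A1B8C736397113BFC2283F5E1E1A44E8E' = 'matches Windows 10 installer copy (39,920 bytes)'
}

# Assumed locations where an installed copy can live: the live driver
# directory, the driver store, and the TAP-Windows program directory.
$SearchRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore\FileRepository",
    "$env:ProgramFiles\TAP-Windows\driver"
)

$copies = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'tap0901.sys' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Bytes  = $_.Length
                SHA1   = $sha1
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
                Known  = if ($KnownHashes.ContainsKey($sha1)) { $KnownHashes[$sha1] }
                         else { 'not one of the two hashes from the thread' }
            }
        }
}
$copies | Format-List

# Which driver package the TAP adapter is bound to right now. The oemNN.inf
# name reported here is the one setupapi.dev.log and C:\Windows\inf use, so it
# can be matched against the oem43.inf timestamps discussed above.
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.InfName -and $_.DeviceName -like '*TAP-Windows*' } |   # assumed device name
    Select-Object DeviceName, InfName, DriverVersion, DriverDate, Signer |
    Format-List
```

A copy under System32\drivers or the DriverStore whose hash matches the Windows 7 entry, while the adapter shows code 52, is the situation Selva reproduces in steps (ii) and (iii); a copy in C:\Program Files alone is harmless until addtap.bat installs it.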
Re: [Openvpn-users] management-auth breaks data-channel?
Hi Tom,

Your last log showed

MANAGEMENT: CMD 'client-auth 0 0'

but no

MANAGEMENT: CMD 'END'

That's what I meant.

Anyway, I have not been able to reproduce this. If you privately send me the server and client configs (remove the certs and keys), server and client logs in full at verb=4, and your management client script, I can try again. If the plugin used for the working setup is a custom one, I will need that too.

Selva