How to disconnect a client when rejecting the connection using tls-verify

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).
Post Reply
jpknz
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 13, 2018 3:26 pm

How to disconnect a client when rejecting the connection using tls-verify

Post by jpknz » Mon Apr 15, 2019 2:43 pm

Hi

I currently have a working VPN and use a tls-verify script to stop temporarily suspended clients from connecting. This works however there is an issue in that the client just appears to hang, timeout and then attempt reconnection every 60 seconds.

The tls-verify script is essentially the same one from https://github.com/OpenVPN/openvpn/blob ... /verify-cn except that instead of allowing clients who are in the list it rejects them.

1. How to I force the client to disconnect and not retry connecting?

The use case is the end user has service temporarily suspended because their payment failed and they need to take action to reinstate it.

Thanks in advance.

The log from the suspended client attempting to connect is below.

Client Log
Tue Apr 09 15:19:06 2019 OpenVPN 2.4.7 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Tue Apr 09 15:19:06 2019 Windows version 6.1 (Windows 7) 32bit
Tue Apr 09 15:19:06 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Tue Apr 09 15:19:06 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 09 15:19:06 2019 Need hold release from management interface, waiting...
Tue Apr 09 15:19:06 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'state on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'log all on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'echo all on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'hold off'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'hold release'
Tue Apr 09 15:19:06 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 09 15:19:06 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 09 15:19:06 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 09 15:19:06 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 09 15:19:06 2019 MANAGEMENT: >STATE:1554819546,RESOLVE,,,,,,
Tue Apr 09 15:19:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443
Tue Apr 09 15:19:07 2019 Socket Buffers: R=[8192->8192] S=[64512->64512]
Tue Apr 09 15:19:07 2019 UDP link local: (not bound)
Tue Apr 09 15:19:07 2019 UDP link remote: [AF_INET]****REMOVED****:443
Tue Apr 09 15:19:07 2019 MANAGEMENT: >STATE:1554819547,WAIT,,,,,,
Tue Apr 09 15:19:07 2019 MANAGEMENT: >STATE:1554819547,AUTH,,,,,,
Tue Apr 09 15:19:07 2019 TLS: Initial packet from [AF_INET]****REMOVED****:443, sid=6d76cf0c 482ab743
Tue Apr 09 15:19:07 2019 VERIFY OK: depth=1, CN=****REMOVED****
Tue Apr 09 15:19:07 2019 VERIFY KU OK
Tue Apr 09 15:19:07 2019 Validating certificate extended key usage
Tue Apr 09 15:19:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 09 15:19:07 2019 VERIFY EKU OK
Tue Apr 09 15:19:07 2019 VERIFY X509NAME OK: CN=****REMOVED****
Tue Apr 09 15:19:07 2019 VERIFY OK: depth=0, CN=****REMOVED****
Tue Apr 09 15:20:08 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 15:20:08 2019 TLS Error: TLS handshake failed
Tue Apr 09 15:20:08 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 09 15:20:08 2019 MANAGEMENT: >STATE:1554819608,RECONNECTING,tls-error,,,,,
Tue Apr 09 15:20:08 2019 Restart pause, 5 second(s)
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,RESOLVE,,,,,,
Tue Apr 09 15:20:13 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443
Tue Apr 09 15:20:13 2019 Socket Buffers: R=[8192->8192] S=[64512->64512]
Tue Apr 09 15:20:13 2019 UDP link local: (not bound)
Tue Apr 09 15:20:13 2019 UDP link remote: [AF_INET]****REMOVED****:443
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,WAIT,,,,,,
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,AUTH,,,,,,
Tue Apr 09 15:20:13 2019 TLS: Initial packet from [AF_INET]3****REMOVED****:443, sid=5ee1e8a6 4d9ac213
Tue Apr 09 15:20:13 2019 VERIFY OK: depth=1, CN=****REMOVED****
Tue Apr 09 15:20:13 2019 VERIFY KU OK
Tue Apr 09 15:20:13 2019 Validating certificate extended key usage
Tue Apr 09 15:20:13 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 09 15:20:13 2019 VERIFY EKU OK
Tue Apr 09 15:20:13 2019 VERIFY X509NAME OK: CN=****REMOVED****
Tue Apr 09 15:20:13 2019 VERIFY OK: depth=0, CN=****REMOVED****
Tue Apr 09 15:21:13 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 15:21:13 2019 TLS Error: TLS handshake failed
Tue Apr 09 15:21:13 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 09 15:21:13 2019 MANAGEMENT: >STATE:1554819673,RECONNECTING,tls-error,,,,,
Tue Apr 09 15:21:13 2019 Restart pause, 5 second(s)
Tue Apr 09 15:21:18 2019 MANAGEMENT: >STATE:1554819678,RESOLVE,,,,,,
Tue Apr 09 15:21:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443

Post Reply