Switching from WiFi to Cellular: Google Authenticator Token not Cached

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
erres8
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 29, 2021 7:47 am

Switching from WiFi to Cellular: Google Authenticator Token not Cached

Post by erres8 » Thu Jul 29, 2021 10:41 am

Im having issues with OpenVPN not caching the MFA token from Google Authenticator when using a Mobile Phone.

When connected to the OpenVPN server via WiFi and switching to Cellular a new authentication request is started which fails on the MFA token. If im doing the exact same thing without MFA it does reconnect automatically.

Switching from WiFi to Cellular with MFA - Server Log

Code: Select all

Thu Jul 29 11:49:29 2021 us=709971 pelican/109.38.147.118:15275 Connection reset, restarting [0]
Thu Jul 29 11:49:29 2021 us=710163 pelican/109.38.147.118:15275 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Jul 29 11:49:29 2021 us=710310 TCP/UDP: Closing socket

Thu Jul 29 11:49:34 2021 us=595571 MULTI: multi_create_instance called
Thu Jul 29 11:49:34 2021 us=595776 Re-using SSL/TLS context
Thu Jul 29 11:49:34 2021 us=596058 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Thu Jul 29 11:49:34 2021 us=596146 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Thu Jul 29 11:49:34 2021 us=596231 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Thu Jul 29 11:49:34 2021 us=596276 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Thu Jul 29 11:49:34 2021 us=596348 TCP connection established with [AF_INET]109.38.147.118:15284
Thu Jul 29 11:49:34 2021 us=596393 Socket flags: TCP_NODELAY=1 succeeded
Thu Jul 29 11:49:34 2021 us=596421 TCPv4_SERVER link local: (not bound)
Thu Jul 29 11:49:34 2021 us=596447 TCPv4_SERVER link remote: [AF_INET]109.38.147.118:15284
Thu Jul 29 11:49:34 2021 us=603505 109.38.147.118:15284 TLS: Initial packet from [AF_INET]109.38.147.118:15284, sid=8e427785 7acb1ca6
Thu Jul 29 11:49:34 2021 us=706778 109.38.147.118:15284 VERIFY OK: depth=1, CN=server
Thu Jul 29 11:49:34 2021 us=707109 109.38.147.118:15284 VERIFY OK: depth=0, CN=pelican
Thu Jul 29 11:49:34 2021 us=737840 109.38.147.118:15284 peer info: IV_VER=3.git::58b92569
Thu Jul 29 11:49:34 2021 us=737959 109.38.147.118:15284 peer info: IV_PLAT=ios
Thu Jul 29 11:49:34 2021 us=737989 109.38.147.118:15284 peer info: IV_NCP=2
Thu Jul 29 11:49:34 2021 us=738013 109.38.147.118:15284 peer info: IV_TCPNL=1
Thu Jul 29 11:49:34 2021 us=738075 109.38.147.118:15284 peer info: IV_PROTO=2
Thu Jul 29 11:49:34 2021 us=738102 109.38.147.118:15284 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Thu Jul 29 11:49:34 2021 us=738124 109.38.147.118:15284 peer info: IV_SSO=openurl
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: pelican
AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password & verification code: ', 'password'] = 'PASSWORD'
AUTH-PAM: BACKGROUND: user 'pelican' failed to authenticate: Authentication failure
Thu Jul 29 11:49:34 2021 us=745326 109.38.147.118:15284 PLUGIN_CALL: POST /etc/openvpn-nl/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Jul 29 11:49:34 2021 us=745421 109.38.147.118:15284 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn-nl/openvpn-plugin-auth-pam.so
Thu Jul 29 11:49:34 2021 us=745509 109.38.147.118:15284 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jul 29 11:49:34 2021 us=745576 109.38.147.118:15284 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Thu Jul 29 11:49:34 2021 us=769556 109.38.147.118:15284 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Thu Jul 29 11:49:34 2021 us=769750 109.38.147.118:15284 [pelican] Peer Connection Initiated with [AF_INET]109.38.147.118:15284
Thu Jul 29 11:49:34 2021 us=777380 109.38.147.118:15284 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jul 29 11:49:34 2021 us=777476 109.38.147.118:15284 Delayed exit in 5 seconds
Thu Jul 29 11:49:34 2021 us=777522 109.38.147.118:15284 SENT CONTROL [pelican]: 'AUTH_FAILED' (status=1)
Thu Jul 29 11:49:34 2021 us=819596 109.38.147.118:15284 Connection reset, restarting [0]
Thu Jul 29 11:49:34 2021 us=819735 109.38.147.118:15284 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Jul 29 11:49:34 2021 us=819847 TCP/UDP: Closing socket
Switching from WiFi to Cellular without MFA - Server Log

Code: Select all

Thu Jul 29 12:16:49 2021 us=900895 pelican/109.38.147.118:14310 Connection reset, restarting [0]
Thu Jul 29 12:16:49 2021 us=901089 pelican/109.38.147.118:14310 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Jul 29 12:16:49 2021 us=901258 TCP/UDP: Closing socket

Thu Jul 29 12:16:54 2021 us=754665 MULTI: multi_create_instance called
Thu Jul 29 12:16:54 2021 us=754890 Re-using SSL/TLS context
Thu Jul 29 12:16:54 2021 us=755035 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Thu Jul 29 12:16:54 2021 us=755096 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Thu Jul 29 12:16:54 2021 us=755152 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Thu Jul 29 12:16:54 2021 us=755186 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Thu Jul 29 12:16:54 2021 us=755275 TCP connection established with [AF_INET]109.38.147.118:14318
Thu Jul 29 12:16:54 2021 us=755335 Socket flags: TCP_NODELAY=1 succeeded
Thu Jul 29 12:16:54 2021 us=755377 TCPv4_SERVER link local: (not bound)
Thu Jul 29 12:16:54 2021 us=755414 TCPv4_SERVER link remote: [AF_INET]109.38.147.118:14318
Thu Jul 29 12:16:54 2021 us=762570 109.38.147.118:14318 TLS: Initial packet from [AF_INET]109.38.147.118:14318, sid=b6aad73b dca7c9bc
Thu Jul 29 12:16:54 2021 us=868358 109.38.147.118:14318 VERIFY OK: depth=1, CN=server
Thu Jul 29 12:16:54 2021 us=868705 109.38.147.118:14318 VERIFY OK: depth=0, CN=pelican
Thu Jul 29 12:16:54 2021 us=907282 109.38.147.118:14318 peer info: IV_VER=3.git::58b92569
Thu Jul 29 12:16:54 2021 us=907401 109.38.147.118:14318 peer info: IV_PLAT=ios
Thu Jul 29 12:16:54 2021 us=907432 109.38.147.118:14318 peer info: IV_NCP=2
Thu Jul 29 12:16:54 2021 us=907456 109.38.147.118:14318 peer info: IV_TCPNL=1
Thu Jul 29 12:16:54 2021 us=907479 109.38.147.118:14318 peer info: IV_PROTO=2
Thu Jul 29 12:16:54 2021 us=907503 109.38.147.118:14318 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Thu Jul 29 12:16:54 2021 us=907525 109.38.147.118:14318 peer info: IV_SSO=openurl
Thu Jul 29 12:16:54 2021 us=907577 109.38.147.118:14318 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Thu Jul 29 12:16:54 2021 us=907906 109.38.147.118:14318 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 29 12:16:54 2021 us=907958 109.38.147.118:14318 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 29 12:16:54 2021 us=940743 109.38.147.118:14318 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Thu Jul 29 12:16:54 2021 us=940920 109.38.147.118:14318 [pelican] Peer Connection Initiated with [AF_INET]109.38.147.118:14318
Thu Jul 29 12:16:54 2021 us=941039 pelican/109.38.147.118:14318 OPTIONS IMPORT: reading client specific options from: ccd/pelican
Thu Jul 29 12:16:54 2021 us=941301 pelican/109.38.147.118:14318 MULTI: Learn: 10.21.6.254 -> pelican/109.38.147.118:14318
Thu Jul 29 12:16:54 2021 us=941400 pelican/109.38.147.118:14318 MULTI: primary virtual IP for pelican/109.38.147.118:14318: 10.21.6.254
Thu Jul 29 12:16:54 2021 us=948680 pelican/109.38.147.118:14318 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jul 29 12:16:54 2021 us=948789 pelican/109.38.147.118:14318 SENT CONTROL [pelican]: 'PUSH_REPLY,auth-token,dhcp-option DNS 10.133.67.1,dhcp-option DNS 1.1.1.1,route 10.133.67.0 255.255.255.0,route 172.10.0.0 255.255.255.0,auth-token,route-gateway 10.21.6.1,topology subnet,ping 60,ping-restart 86400,ifconfig 10.21.6.254 255.255.255.0,peer-id 0' (status=1)
server.conf

Code: Select all

local 123.123.123.123
port 443
proto tcp
dev tun

tls-server
tls-cert-profile preferred

ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1

socket-flags TCP_NODELAY
keepalive 60 86400

user nobody
group nogroup
persist-key
persist-tun

# TLS encryption settings
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
cipher AES-256-GCM
ncp-disable

client-config-dir ccd

topology subnet
server 10.21.6.0 255.255.255.0

push "route 10.111.67.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

push "auth-token UNIQUE_TOKEN_VALUE"
auth-gen-token 43200

duplicate-cn # for mobile + notebook support
reneg-sec 120 # 120 seconds is for testting, normally this is 3600 to check the auth-token.

status     openvpn-status.log
log         /var/log/openvpn.log
verb 4

plugin /etc/openvpn-nl/openvpn-plugin-auth-pam.so "openvpn-nl login USERNAME password PASSWORD"

# TLS Crypt
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
.....................
-----END OpenVPN Static key V1-----
</tls-crypt>
client.conf

Code: Select all

client
dev tun
proto tcp
remote 123.123.123.123 443

auth-retry nointeract

ns-cert-type server
auth-user-pass

cipher AES-256-GCM
ncp-disable

tls-cert-profile preferred
tls-version-min 1.2

# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ecdh-curve secp384r1

tls-client
tls-cert-profile preferred

verb 3
reneg-sec 0

<ca>
..................................
</ca>

<cert>
..................................
</cert>

<key>
..................................
</key>

<tls-crypt>
..................................
</tls-crypt>
SERVER:
Ubuntu 20.04.1 LTS
OpenVPN 2.4.9

PHONE:
iOS 14.7
OpenVPN Connect 3.2.3.(3760)

I think there is a logical explanation for re-entering the MFA token when reconnecting as those will expire/renew every 30 seconds, but it also happens when i connect via WiFi and switch to Cellular within the 30 seconds.

chilinux
OpenVPN Power User
Posts: 122
Joined: Thu Mar 28, 2013 8:31 am

Re: Switching from WiFi to Cellular: Google Authenticator Token not Cached

Post by chilinux » Thu Jul 29, 2021 10:40 pm

This was originally posted to the OpenVPN *Access Server* section of the forum. There was no AS v2.4.9. You are using the Community Edition.

Please consider upgrading to Ubuntu 20.04.2 and either OpenVPN v2.4.11 or v2.5.2 so you get the benefit of the fix for CVE-2020-15078.

The MFA token method you are talking about is TOTP (Time-based One Time Password) such as implemented by Google Authenticator. As the name implies, it should be restricted to *one time* use. A good TOTP server should cache recent successful authentications and reject attempts to perform a replay attack of the same MFA/TOTP token. As such, the client should not expect to be able to reuse the MFA token and will not cache it.

Instead, OpenVPN uses a method of pushing an "auth-token" which can be cached and use for renegotiation. This can either be specified by the plugin or generated by the OpenVPN server itself. In the case of using PAM, it is probably easier to have the OpenVPN server do it.

You would do this by adding to the server configuration the "auth-gen-token" option with the number of seconds for it to last. If you want it to be 30 seconds then use:

Code: Select all

auth-gen-token 30
This is all explained in the documentation for OpenVPN Community Edition here:
https://openvpn.net/community-resources ... envpn-2-4/

User avatar
TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: Switching from WiFi to Cellular: Google Authenticator Token not Cached

Post by TinCanTech » Fri Jul 30, 2021 12:16 am

chilinux wrote:
Thu Jul 29, 2021 10:40 pm
This was originally posted to the OpenVPN *Access Server* section of the forum. There was no AS v2.4.9. You are using the Community Edition.
Moved - Thanks for spotting that 8-)

Post Reply