DUO plugin loads/runs even if previous plugin fails

zauwn
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 07, 2021 6:55 pm

Post by zauwn » Wed Jul 28, 2021 1:51 pm

Hi,

I'm loading openvpn-auth-ldap.so for user validation and then loading the Duo plugin for 2FA. It works, except it has an unwanted behaviour: if a user is not in the allowed groups in LDAP or the password is wrong, openvpn-auth-ldap.so will fail but openvpn will still trigger the push notification. Shouldn't the 2nd plugin not be called if the previous one ends with an error? I've since upgraded the openvpn version to 2.5.3 but the behaviour is the same.

log

:36654 TLS: Initial packet from [AF_INET]5.249.74.39:36654, sid=4f441add b9132837
:36654 peer info: IV_VER=2.4.7
:36654 peer info: IV_PLAT=linux
:36654 peer info: IV_PROTO=2
:36654 peer info: IV_NCP=2
:36654 peer info: IV_LZ4=1
:36654 peer info: IV_LZ4v2=1
:36654 peer info: IV_LZO=1
:36654 peer info: IV_COMP_STUB=1
:36654 peer info: IV_COMP_STUBv2=1
:36654 peer info: IV_TCPNL=1
LDAP user "duarte.rocha@gmail.com" was not found.
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:36654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569'
:36654 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
:36654 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
:36654 Peer Connection Initiated with [AF_INET] 1.2.3.4:36654
:36654 PUSH: Received control message: 'PUSH_REQUEST'
:36654 Delayed exit in 5 seconds
:36654 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
:36654 SIGTERM[soft,delayed-exit] received, client-instance exiting

server.conf

port 1194
mode server
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.0.90.0 255.255.255.0
keepalive 10 120
reneg-sec 0
auth SHA256
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
management localhost 7505
status /var/log/openvpn/openvpn-status.log
user nobody
group nogroup
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
tls-exit
tls-version-min 1.2
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
plugin /opt/duo/duo_openvpn.so '*********** ******************** api-***********.duosecurity.com'
tmp-dir "/etc/openvpn/tmp"
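Added example, not code from the thread or from OpenVPN or Duo: a small Python check that walks the server log and flags every PLUGIN_AUTH_USER_PASS_VERIFY call made after an earlier plugin in the chain had already returned an error for the same client, so an admin can count how many Duo pushes were sent for logins LDAP had already rejected. It assumes the lines keep the `client:port PLUGIN_CALL: POST <plugin>/PLUGIN_AUTH_USER_PASS_VERIFY status=N` shape shown above (a leading timestamp or address is tolerated); the sample log is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the log in the post above: one client (:36654) fails LDAP
# and still gets a Duo call; a second client (:41002) passes both plugins.
SAMPLE_LOG = """\
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:41002 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
:41002 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

# Plugin return codes from openvpn-plugin.h: 0 = SUCCESS, 1 = ERROR, 2 = DEFERRED
# (DEFERRED is what the Duo plugin returns once it has started the push in the background).
PLUGIN_SUCCESS = 0

PLUGIN_POST = re.compile(
    r"(?P<client>\S*:\d+) PLUGIN_CALL: POST (?P<plugin>\S+)/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)"
)
CHAIN_END = ("TLS Auth Error", "Peer Connection Initiated")


def find_wasted_plugin_calls(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (client, failed_plugin, later_plugin, later_status) for each auth plugin call
    that ran after an earlier plugin had already failed the same client's login."""
    first_failure: Dict[str, str] = {}  # client -> first plugin that returned non-zero
    findings: List[Tuple[str, str, str, int]] = []
    for line in log_text.splitlines():
        if any(marker in line for marker in CHAIN_END):
            # The verification chain for this client is over; start fresh for the next attempt.
            client = line.split(" ", 1)[0]
            first_failure.pop(client, None)
            continue
        m = PLUGIN_POST.search(line)
        if not m:
            continue
        client, plugin, status = m.group("client"), m.group("plugin"), int(m.group("status"))
        if client in first_failure:
            findings.append((client, first_failure[client], plugin, status))
        elif status != PLUGIN_SUCCESS:
            first_failure[client] = plugin
    return findings


if __name__ == "__main__":
    for client, failed, later, status in find_wasted_plugin_calls(SAMPLE_LOG):
        print(f"{client}: {later} called (status={status}) after {failed} already failed")
```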

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: DUO plugin loads/runs even if previous plugin fails

Post by TinCanTech » Wed Jul 28, 2021 3:07 pm

That is how it currently works .. but as you can see, the connection attempt was rejected in the end.

zauwn
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 07, 2021 6:55 pm

Re: DUO plugin loads/runs even if previous plugin fails

Post by zauwn » Fri Jul 30, 2021 2:13 pm

Yes, it works as intended, but the second plugin call could be avoided, I think.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: DUO plugin loads/runs even if previous plugin fails

Post by TinCanTech » Fri Jul 30, 2021 2:36 pm

It could be avoided but that is not how the code is written .. patches welcome, if you feel adventurous ..
