Duo MFA
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 21, 2018 10:05 pm
Duo MFA
Hi folks,
Any thoughts as to what I am missing here?
I can configure it to prompt for a password with auth-user-pass, but when I enter push1 I don't get a push to the phone.
I have auth-user-pass-optional configured on the server side and I still don't get an automatic push.
The VPN works fine without the Duo tweaks...
Duo support are saying they cannot see requests to my account.
Chmod 755 on the /opt/duo files, built on the same version of FreeBSD.
Using the latest version of pfSense and the OpenVPN Client Export Utility package.
These are the guides I have been following:
https://duo.com/docs/openvpn
https://duo.com/docs/openvpn-faq
https://www.reddit.com/r/PFSENSE/commen ... no_radius/
This is what I am seeing from the OpenVPN logs... HELP!
Thu Feb 22 08:54:55 2018 No reply from server after sending 12 push requests
Thu Feb 22 08:54:55 2018 SIGUSR1[soft,no-push-reply] received, process restarting
Client side config:
[oconf=]dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx xxxx udp
verify-x509-name "xxx" name
pkcs12 pfSense-udp-xxxx-xxx.p12
tls-crypt pfSense-udp-xxxx-xxx-tls.key
remote-cert-tls server
redirect-gateway def1
reneg-sec 0
!auth-user-pass !!@@ tried with and without[/oconf]
Server side config:
[oconf=]dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
engine cryptodev
tls-server
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'xxx' 1"
lport xxxx
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
plugin /opt/duo/duo_openvpn.so 'xxx xxx api-xxx.duosecurity.com'
auth-user-pass-optional
reneg-sec 0
push "reneg-sec 0"
!push "auth-user-pass" !!@@ tried with and without[/oconf]
Last edited by Flows on Thu Feb 22, 2018 9:31 pm, edited 1 time in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 21, 2018 10:05 pm
Re: Duo MFA
Thanks Tin,
I am seeing control messages PUSH REQUEST but not seeing them come through on the phone. I have pointed this thread out to the Duo Security team as well. I have also confirmed I can telnet to the API on 443.
Is there anything obvious in the below sequence?
Fail_auth-user-pass:
Code:
Thu Feb 22 20:58:59 2018 us=551206 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
Thu Feb 22 20:58:59 2018 us=551479 PO_CTL rwflags=0x0002 ev=6 arg=0x006a6ea0
Thu Feb 22 20:58:59 2018 us=551499 PO_CTL rwflags=0x0000 ev=5 arg=0x006a5d04
Thu Feb 22 20:58:59 2018 us=551518 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:58:59 2018 us=551540 I/O WAIT Tr|Tw|Sr|SW [1/53698]
Thu Feb 22 20:58:59 2018 us=551577 PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x006a6ea0
Thu Feb 22 20:58:59 2018 us=551597 event_wait returned 1
Thu Feb 22 20:58:59 2018 us=551614 I/O WAIT status=0x0002
Thu Feb 22 20:58:59 2018 us=551677 PEER.IP.ADD.CLIENT UDPv6 WRITE [62] to [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0): P_ACK_V1 kid=0 sid=886c555d c7f4266f [ ]
Thu Feb 22 20:58:59 2018 us=551732 PEER.IP.ADD.CLIENT UDPv6 write returned 62
Thu Feb 22 20:58:59 2018 us=551879 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:58:59 2018 us=551903 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:58:59 2018 us=551937 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:58:59 2018 us=551964 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:58:59 2018 us=551984 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 58
Thu Feb 22 20:58:59 2018 us=552012 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:58:59 2018 us=552039 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:58:59 2018 us=552091 PO_CTL rwflags=0x0001 ev=6 arg=0x006a6ea0
Thu Feb 22 20:58:59 2018 us=552110 PO_CTL rwflags=0x0001 ev=5 arg=0x006a5d04
Thu Feb 22 20:58:59 2018 us=552127 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:58:59 2018 us=552160 I/O WAIT TR|Tw|SR|Sw [1/53698]
Thu Feb 22 20:59:00 2018 us=656648 event_wait returned 0
Thu Feb 22 20:59:00 2018 us=656847 I/O WAIT status=0x0020
Thu Feb 22 20:59:00 2018 us=656874 MULTI: REAP range 176 -> 192
Thu Feb 22 20:59:00 2018 us=656904 PEER.IP.ADD.CLIENT TIMER: coarse timer wakeup 9 seconds
Thu Feb 22 20:59:00 2018 us=657075 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:00 2018 us=657105 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:00 2018 us=657167 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:00 2018 us=657219 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:59:00 2018 us=657248 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 57
Thu Feb 22 20:59:00 2018 us=657285 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:00 2018 us=657320 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:00 2018 us=657431 PEER.IP.ADD.CLIENT SCHEDULE: schedule_add_modify wakeup=[Thu Feb 22 20:59:10 2018 us=26776] pri=1511058017
Thu Feb 22 20:59:00 2018 us=657463 SCHEDULE: schedule_find_least wakeup=[Thu Feb 22 20:59:10 2018 us=26776] pri=914772274
Thu Feb 22 20:59:00 2018 us=657493 PO_CTL rwflags=0x0001 ev=6 arg=0x006a6ea0
Thu Feb 22 20:59:00 2018 us=657529 PO_CTL rwflags=0x0001 ev=5 arg=0x006a5d04
Thu Feb 22 20:59:00 2018 us=657552 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:59:00 2018 us=657581 I/O WAIT TR|Tw|SR|Sw [9/53698]
Thu Feb 22 20:59:04 2018 us=898954 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x006a6ea0
Thu Feb 22 20:59:04 2018 us=899043 event_wait returned 1
Thu Feb 22 20:59:04 2018 us=899068 I/O WAIT status=0x0001
Thu Feb 22 20:59:04 2018 us=899093 MULTI: REAP range 192 -> 208
Thu Feb 22 20:59:04 2018 us=899136 UDPv6 read returned 96
Thu Feb 22 20:59:04 2018 us=899181 GET INST BY REAL: PEER.IP.ADD.CLIENT [ok]
Thu Feb 22 20:59:04 2018 us=899370 PEER.IP.ADD.CLIENT UDPv6 READ [96] from [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0): P_CONTROL_V1 kid=0 sid=41c96afc ab54e69f [ ] pid=3418 DATA 8f2f108c 9f715b58 d3f0aef6 801e5d03 f6c817ac 2aefa30b 2303383f 4048a7e[more...]
Thu Feb 22 20:59:04 2018 us=899463 PEER.IP.ADD.CLIENT TLS: control channel, op=P_CONTROL_V1, IP=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=899586 PEER.IP.ADD.CLIENT TLS: initial packet test, i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, rec-sid=41c96afc ab54e69f, rec-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0), stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=899615 PEER.IP.ADD.CLIENT TLS: found match, session[0], sid=41c96afc ab54e69f
Thu Feb 22 20:59:04 2018 us=899836 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP FROM: 2041c96a fcab54e6 9f000000 0d5a8f2f 108c9f71 5b58d3f0 aef6801e 5d03f6c[more...]
Thu Feb 22 20:59:04 2018 us=899886 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP AD: 2041c96a fcab54e6 9f000000 0d5a8f2f 10
Thu Feb 22 20:59:04 2018 us=899949 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP TO: 00000000 08170303 0025f760 5b458ca4 fcbe4879 af79f354 23e154f6 fc4e08a[more...]
Thu Feb 22 20:59:04 2018 us=900008 PEER.IP.ADD.CLIENT PID_TEST [0] [TLS_WRAP-0] [566666666667] 1519333136:12 1519333136:13 t=1519333144[0] r=[0,64,15,0,1] sl=[52,12,64,528]
Thu Feb 22 20:59:04 2018 us=900038 PEER.IP.ADD.CLIENT TLS: received control channel packet s#=0 sid=41c96afc ab54e69f
Thu Feb 22 20:59:04 2018 us=900063 PEER.IP.ADD.CLIENT ACK read ID 8 (buf->len=42)
Thu Feb 22 20:59:04 2018 us=900087 PEER.IP.ADD.CLIENT ACK RWBS rel->size=8 rel->packet_id=00000008 id=00000008 ret=1
Thu Feb 22 20:59:04 2018 us=900109 PEER.IP.ADD.CLIENT ACK mark active incoming ID 8
Thu Feb 22 20:59:04 2018 us=900142 PEER.IP.ADD.CLIENT ACK acknowledge ID 8 (ack->len=1)
Thu Feb 22 20:59:04 2018 us=900233 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=900262 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:04 2018 us=900287 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:04 2018 us=900313 PEER.IP.ADD.CLIENT BIO write tls_write_ciphertext 42 bytes
Thu Feb 22 20:59:04 2018 us=900336 PEER.IP.ADD.CLIENT Incoming Ciphertext -> TLS
Thu Feb 22 20:59:04 2018 us=900431 PEER.IP.ADD.CLIENT BIO read tls_read_plaintext 13 bytes
Thu Feb 22 20:59:04 2018 us=900456 PEER.IP.ADD.CLIENT TLS -> Incoming Plaintext
Thu Feb 22 20:59:04 2018 us=900482 PEER.IP.ADD.CLIENT TLS: tls_process: chg=1 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:04 2018 us=900505 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:04 2018 us=900531 PEER.IP.ADD.CLIENT ACK write ID 8 (ack->len=1, n=1)
Thu Feb 22 20:59:04 2018 us=900562 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP FROM: 01000000 0841c96a fcab54e6 9f
Thu Feb 22 20:59:04 2018 us=900594 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP AD: 28886c55 5dc7f426 6f000000 0b5a8f2f 11
Thu Feb 22 20:59:04 2018 us=900651 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP TAG: abc680a6 829d44ac 2d800cc0 d0209d1f 51d9465c 9cb9fc3a c9abc0d9 ae0bf9f6
Thu Feb 22 20:59:04 2018 us=900711 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP TO: 28886c55 5dc7f426 6f000000 0b5a8f2f 11abc680 a6829d44 ac2d800c c0d0209[more...]
Thu Feb 22 20:59:04 2018 us=900725 PEER.IP.ADD.CLIENT Dedicated ACK -> TCP/UDP
Thu Feb 22 20:59:04 2018 us=900798 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:59:04 2018 us=900832 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 53
Thu Feb 22 20:59:04 2018 us=900867 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:04 2018 us=900901 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:04 2018 us=900934 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
Last edited by Flows on Thu Feb 22, 2018 11:54 pm, edited 1 time in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 21, 2018 10:05 pm
Re: Duo MFA
No pushes received on phone. Duo saying they are not seeing any hits.
Thanks for your help. (And guidance on format!)
Code:
FreeBSD pfSense.localdomain 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #8 r313908+a5b33c9d1c4(RELENG_2_4): Tue Dec 12 13:51:24 CST 2017 root@buildbot2.netgate.com:/builder/ce-242/tmp/obj/builder/ce-242/tmp/FreeBSD-src/sys/pfSense amd64
SERVER
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
engine cryptodev
tls-server
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'XXX' 1"
lport xxxx
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
verb 4
log-append /var/log/openvpn_duo_autopush.log
plugin /opt/duo/duo_openvpn.so 'xxx xxx api-xxx.duosecurity.com'
auth-user-pass-optional
reneg-sec 0
push "reneg-sec 0"
Server logs:
Code:
us=747430 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=958737 MANAGEMENT: CMD 'status 2'
us=174677 MANAGEMENT: CMD 'quit'
us=174792 MANAGEMENT: Client disconnected
us=834139 MULTI: multi_create_instance called
us=834250 PEER.IP.ADD.CLIENT Re-using SSL/TLS context
us=834461 PEER.IP.ADD.CLIENT Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
us=834487 PEER.IP.ADD.CLIENT Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=834553 PEER.IP.ADD.CLIENT Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
us=834573 PEER.IP.ADD.CLIENT Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
us=834707 PEER.IP.ADD.CLIENT TLS: Initial packet from [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:10910 (via ::ffff:192.168.255.5%em0), sid=688fab06 baaa1223
us=10196 PEER.IP.ADD.CLIENT VERIFY SCRIPT OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=10253 PEER.IP.ADD.CLIENT VERIFY OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=18463 PEER.IP.ADD.CLIENT VERIFY SCRIPT OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=username
us=18547 PEER.IP.ADD.CLIENT VERIFY OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=username
us=79749 PEER.IP.ADD.CLIENT peer info: IV_VER=2.4.4
us=79809 PEER.IP.ADD.CLIENT peer info: IV_PLAT=win
us=79826 PEER.IP.ADD.CLIENT peer info: IV_PROTO=2
us=79836 PEER.IP.ADD.CLIENT peer info: IV_NCP=2
us=79846 PEER.IP.ADD.CLIENT peer info: IV_LZ4=1
us=79856 PEER.IP.ADD.CLIENT peer info: IV_LZ4v2=1
us=79867 PEER.IP.ADD.CLIENT peer info: IV_LZO=1
us=79879 PEER.IP.ADD.CLIENT peer info: IV_COMP_STUB=1
us=79895 PEER.IP.ADD.CLIENT peer info: IV_COMP_STUBv2=1
us=79952 PEER.IP.ADD.CLIENT peer info: IV_TCPNL=1
us=79962 PEER.IP.ADD.CLIENT peer info: IV_GUI_VER=OpenVPN_GUI_11
us=81958 PEER.IP.ADD.CLIENT PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
us=82314 PEER.IP.ADD.CLIENT TLS: Username/Password authentication deferred for username ''
us=130357 PEER.IP.ADD.CLIENT Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
us=130495 PEER.IP.ADD.CLIENT [username] Peer Connection Initiated with [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:10910 (via ::ffff:192.168.255.5%em0)
us=324404 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=674189 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=787340 PEER.IP.ADD.CLIENT [username] Inactivity timeout (--ping-restart), restarting
us=787416 PEER.IP.ADD.CLIENT SIGUSR1[soft,ping-restart] received, client-instance restarting
us=75154 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=473776 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=903919 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=313620 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=684814 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=695961 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=911356 MANAGEMENT: CMD 'status 2'
us=126497 MANAGEMENT: CMD 'quit'
us=126564 MANAGEMENT: Client disconnected
us=52730 PEER.IP.ADD.CLIENT SIGTERM[soft,auth-control-exit] received, client-instance exiting
us=664313 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=871306 MANAGEMENT: CMD 'status 2'
us=88096 MANAGEMENT: CMD 'quit'
us=88211 MANAGEMENT: Client disconnected
us=677085 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=888112 MANAGEMENT: CMD 'status 2'
us=102489 MANAGEMENT: CMD 'quit'
us=102603 MANAGEMENT: Client disconnected
us=658410 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=872290 MANAGEMENT: CMD 'status 2'
us=88601 MANAGEMENT: CMD 'quit'
us=88691 MANAGEMENT: Client disconnected
us=690919 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=907821 MANAGEMENT: CMD 'status 2'
us=124397 MANAGEMENT: CMD 'quit'
us=124507 MANAGEMENT: Client disconnected
us=679181 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=894170 MANAGEMENT: CMD 'status 2'
us=109671 MANAGEMENT: CMD 'quit'
us=109764 MANAGEMENT: Client disconnected
us=636652 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=850444 MANAGEMENT: CMD 'status 2'
us=53404 MANAGEMENT: CMD 'quit'
us=53521 MANAGEMENT: Client disconnected
us=699976 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=914165 MANAGEMENT: CMD 'status 2'
us=128730 MANAGEMENT: CMD 'quit'
us=128807 MANAGEMENT: Client disconnected
us=638702 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=848733 MANAGEMENT: CMD 'status 2'
us=63249 MANAGEMENT: CMD 'quit'
us=63328 MANAGEMENT: Client disconnected
us=640769 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=854156 MANAGEMENT: CMD 'status 2'
us=68447 MANAGEMENT: CMD 'quit'
us=68775 MANAGEMENT: Client disconnected
us=571326 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=782998 MANAGEMENT: CMD 'status 2'
us=997806 MANAGEMENT: CMD 'quit'
us=998014 MANAGEMENT: Client disconnected
us=624660 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=836678 MANAGEMENT: CMD 'status 2'
us=58324 MANAGEMENT: CMD 'quit'
us=58383 MANAGEMENT: Client disconnected
Client
Code:
Microsoft Windows [Version 10.0.16299.248]
CLIENT
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x udp
verify-x509-name "XXX" name
pkcs12 pfSense-udp-989-user.p12
tls-crypt pfSense-udp-989-user-tls.key
remote-cert-tls server
reneg-sec 0
verb 4
Client logs:
Code:
us=325209 Current Parameter Settings:
us=325209 config = 'pfSense-udp-xxxx-username-config.ovpn'
us=325209 mode = 0
us=325209 show_ciphers = DISABLED
us=325209 show_digests = DISABLED
us=325209 show_engines = DISABLED
us=325209 genkey = DISABLED
us=325209 key_pass_file = '[UNDEF]'
us=325209 show_tls_ciphers = DISABLED
us=325209 connect_retry_max = 0
us=325209 Connection profiles [0]:
us=325209 proto = udp
us=326186 local = '[UNDEF]'
us=326186 local_port = '1194'
us=326186 remote = 'PEER.IP.ADD.SERVER'
us=326186 remote_port = 'xxxx'
us=326186 remote_float = DISABLED
us=326186 bind_defined = DISABLED
us=326186 bind_local = ENABLED
us=326186 bind_ipv6_only = DISABLED
us=326186 connect_retry_seconds = 5
us=326186 connect_timeout = 120
us=326186 socks_proxy_server = '[UNDEF]'
us=326186 socks_proxy_port = '[UNDEF]'
us=326186 tun_mtu = 1500
us=326186 tun_mtu_defined = ENABLED
us=326186 link_mtu = 1500
us=326186 link_mtu_defined = DISABLED
us=326186 tun_mtu_extra = 0
us=326186 tun_mtu_extra_defined = DISABLED
us=326186 mtu_discover_type = -1
us=326186 fragment = 0
us=326186 mssfix = 1450
us=326186 explicit_exit_notification = 0
us=326186 Connection profiles END
us=326186 remote_random = DISABLED
us=326186 ipchange = '[UNDEF]'
us=326186 dev = 'tun'
us=326186 dev_type = '[UNDEF]'
us=326186 dev_node = '[UNDEF]'
us=326186 lladdr = '[UNDEF]'
us=326186 topology = 1
us=326186 ifconfig_local = '[UNDEF]'
us=326186 ifconfig_remote_netmask = '[UNDEF]'
us=326186 ifconfig_noexec = DISABLED
us=326186 ifconfig_nowarn = DISABLED
us=326186 ifconfig_ipv6_local = '[UNDEF]'
us=326186 ifconfig_ipv6_netbits = 0
us=326186 ifconfig_ipv6_remote = '[UNDEF]'
us=326186 shaper = 0
us=326186 mtu_test = 0
us=326186 mlock = DISABLED
us=326186 keepalive_ping = 0
us=326186 keepalive_timeout = 0
us=326186 inactivity_timeout = 0
us=326186 ping_send_timeout = 0
us=326186 ping_rec_timeout = 0
us=326186 ping_rec_timeout_action = 0
us=326186 ping_timer_remote = DISABLED
us=326186 remap_sigusr1 = 0
us=326186 persist_tun = ENABLED
us=326186 persist_local_ip = DISABLED
us=326186 persist_remote_ip = DISABLED
us=326186 persist_key = ENABLED
us=326186 passtos = DISABLED
us=326186 resolve_retry_seconds = 1000000000
us=326186 resolve_in_advance = DISABLED
us=326186 username = '[UNDEF]'
us=326186 groupname = '[UNDEF]'
us=326186 chroot_dir = '[UNDEF]'
us=326186 cd_dir = '[UNDEF]'
us=326186 writepid = '[UNDEF]'
us=326186 up_script = '[UNDEF]'
us=326186 down_script = '[UNDEF]'
us=326186 down_pre = DISABLED
us=326186 up_restart = DISABLED
us=326186 up_delay = DISABLED
us=326186 daemon = DISABLED
us=326186 inetd = 0
us=326186 log = ENABLED
us=326186 suppress_timestamps = DISABLED
us=326186 machine_readable_output = DISABLED
us=326186 nice = 0
us=326186 verbosity = 4
us=326186 mute = 0
us=326186 gremlin = 0
us=326186 status_file = '[UNDEF]'
us=326186 status_file_version = 1
us=326186 status_file_update_freq = 60
us=326186 occ = ENABLED
us=326186 rcvbuf = 0
us=326186 sndbuf = 0
us=326186 sockflags = 0
us=326186 fast_io = DISABLED
us=326186 comp.alg = 0
us=326186 comp.flags = 0
us=326186 route_script = '[UNDEF]'
us=326186 route_default_gateway = '[UNDEF]'
us=326186 route_default_metric = 0
us=326186 route_noexec = DISABLED
us=326186 route_delay = 5
us=326186 route_delay_window = 30
us=326186 route_delay_defined = ENABLED
us=327162 route_nopull = DISABLED
us=327162 route_gateway_via_dhcp = DISABLED
us=327162 allow_pull_fqdn = DISABLED
us=327162 management_addr = '127.0.0.1'
us=327162 management_port = '25340'
us=327162 management_user_pass = 'stdin'
us=327162 management_log_history_cache = 250
us=327162 management_echo_buffer_size = 100
us=327162 management_write_peer_info_file = '[UNDEF]'
us=327162 management_client_user = '[UNDEF]'
us=327162 management_client_group = '[UNDEF]'
us=327162 management_flags = 6
us=327162 shared_secret_file = '[UNDEF]'
us=327162 key_direction = 0
us=327162 ciphername = 'AES-256-CBC'
us=327162 ncp_enabled = ENABLED
us=327162 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
us=327162 authname = 'SHA256'
us=327162 prng_hash = 'SHA1'
us=327162 prng_nonce_secret_len = 16
us=327162 keysize = 0
us=327162 engine = DISABLED
us=327162 replay = ENABLED
us=327162 mute_replay_warnings = DISABLED
us=327162 replay_window = 64
us=327162 replay_time = 15
us=327162 packet_id_file = '[UNDEF]'
us=327162 use_iv = ENABLED
us=327162 test_crypto = DISABLED
us=327162 tls_server = DISABLED
us=327162 tls_client = ENABLED
us=327162 key_method = 2
us=327162 ca_file = '[UNDEF]'
us=327162 ca_path = '[UNDEF]'
us=327162 dh_file = '[UNDEF]'
us=327162 cert_file = '[UNDEF]'
us=327162 extra_certs_file = '[UNDEF]'
us=327162 priv_key_file = '[UNDEF]'
us=327162 pkcs12_file = 'pfSense-udp-xxxx-username.p12'
us=327162 cryptoapi_cert = '[UNDEF]'
us=327162 cipher_list = '[UNDEF]'
us=327162 tls_verify = '[UNDEF]'
us=327162 tls_export_cert = '[UNDEF]'
us=327162 verify_x509_type = 2
us=327162 verify_x509_name = 'CN'
us=327162 crl_file = '[UNDEF]'
us=327162 ns_cert_type = 0
us=327162 remote_cert_ku[i] = 65535
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_ku[i] = 0
us=327162 remote_cert_eku = 'TLS Web Server Authentication'
us=327162 ssl_flags = 0
us=327162 tls_timeout = 2
us=327162 renegotiate_bytes = -1
us=327162 renegotiate_packets = 0
us=327162 renegotiate_seconds = 0
us=327162 handshake_window = 60
us=327162 transition_window = 3600
us=327162 single_session = DISABLED
us=327162 push_peer_info = DISABLED
us=327162 tls_exit = DISABLED
us=327162 tls_auth_file = '[UNDEF]'
us=327162 tls_crypt_file = 'pfSense-udp-xxxx-username-tls.key'
us=327162 pkcs11_protected_authentication = DISABLED
us=327162 pkcs11_protected_authentication = DISABLED
us=327162 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_protected_authentication = DISABLED
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_private_mode = 00000000
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_cert_private = DISABLED
us=328140 pkcs11_pin_cache_period = -1
us=328140 pkcs11_id = '[UNDEF]'
us=328140 pkcs11_id_management = DISABLED
us=328140 server_network = 0.0.0.0
us=328140 server_netmask = 0.0.0.0
us=328140 server_network_ipv6 = ::
us=328140 server_netbits_ipv6 = 0
us=328140 server_bridge_ip = 0.0.0.0
us=328140 server_bridge_netmask = 0.0.0.0
us=328140 server_bridge_pool_start = 0.0.0.0
us=328140 server_bridge_pool_end = 0.0.0.0
us=328140 ifconfig_pool_defined = DISABLED
us=328140 ifconfig_pool_start = 0.0.0.0
us=328140 ifconfig_pool_end = 0.0.0.0
us=328140 ifconfig_pool_netmask = 0.0.0.0
us=328140 ifconfig_pool_persist_filename = '[UNDEF]'
us=328140 ifconfig_pool_persist_refresh_freq = 600
us=328140 ifconfig_ipv6_pool_defined = DISABLED
us=328140 ifconfig_ipv6_pool_base = ::
us=328140 ifconfig_ipv6_pool_netbits = 0
us=328140 n_bcast_buf = 256
us=328140 tcp_queue_limit = 64
us=328140 real_hash_size = 256
us=328140 virtual_hash_size = 256
us=328140 client_connect_script = '[UNDEF]'
us=328140 learn_address_script = '[UNDEF]'
us=328140 client_disconnect_script = '[UNDEF]'
us=328140 client_config_dir = '[UNDEF]'
us=328140 ccd_exclusive = DISABLED
us=328140 tmp_dir = 'C:\Users\user\AppData\Local\Temp\'
us=328140 push_ifconfig_defined = DISABLED
us=328140 push_ifconfig_local = 0.0.0.0
us=328140 push_ifconfig_remote_netmask = 0.0.0.0
us=328140 push_ifconfig_ipv6_defined = DISABLED
us=328140 push_ifconfig_ipv6_local = ::/0
us=328140 push_ifconfig_ipv6_remote = ::
us=328140 enable_c2c = DISABLED
us=328140 duplicate_cn = DISABLED
us=328140 cf_max = 0
us=328140 cf_per = 0
us=328140 max_clients = 1024
us=328140 max_routes_per_client = 256
us=328140 auth_user_pass_verify_script = '[UNDEF]'
us=328140 auth_user_pass_verify_script_via_file = DISABLED
us=328140 auth_token_generate = DISABLED
us=328140 auth_token_lifetime = 0
us=328140 client = ENABLED
us=328140 pull = ENABLED
us=328140 auth_user_pass_file = '[UNDEF]'
us=328140 show_net_up = DISABLED
us=328140 route_method = 3
us=328140 block_outside_dns = DISABLED
us=328140 ip_win32_defined = DISABLED
us=328140 ip_win32_type = 3
us=329119 dhcp_masq_offset = 0
us=329119 dhcp_lease_time = 31536000
us=329119 tap_sleep = 0
us=329119 dhcp_options = DISABLED
us=329119 dhcp_renew = DISABLED
us=329119 dhcp_pre_release = DISABLED
us=329119 domain = '[UNDEF]'
us=329119 netbios_scope = '[UNDEF]'
us=329119 netbios_node_type = 0
us=329119 disable_nbt = DISABLED
us=329119 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
us=329119 Windows version 6.2 (Windows 8 or greater) 64bit
us=329119 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
us=330094 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
us=330094 Need hold release from management interface, waiting...
us=798196 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
us=900809 MANAGEMENT: CMD 'state on'
us=903733 MANAGEMENT: CMD 'log all on'
us=145110 MANAGEMENT: CMD 'echo all on'
us=147064 MANAGEMENT: CMD 'hold off'
us=149019 MANAGEMENT: CMD 'hold release'
us=325899 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
us=325899 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
us=325899 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
us=325899 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
us=326877 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
us=326877 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=326877 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
us=326877 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
us=326877 TCP/UDP: Preserving recently used remote address: [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=326877 Socket Buffers: R=[65536->65536] S=[65536->65536]
us=326877 UDP link local (bound): [AF_INET][undef]:1194
us=326877 UDP link remote: [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=326877 MANAGEMENT: >STATE:1519345865,WAIT,,,,,,
us=389419 MANAGEMENT: >STATE:1519345865,AUTH,,,,,,
us=389419 TLS: Initial packet from [AF_INET]PEER.IP.ADD.SERVER:xxxx, sid=93c5cc7f e6a9f3de
us=450988 VERIFY OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=450988 VERIFY KU OK
us=450988 Validating certificate extended key usage
us=450988 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
us=450988 VERIFY EKU OK
us=450988 VERIFY X509NAME OK: C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=450988 VERIFY OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=636675 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
us=636675 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=822061 MANAGEMENT: >STATE:1519345866,GET_CONFIG,,,,,,
us=822061 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=65929 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=411431 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=970947 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=255171 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=808817 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=80050 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=888912 TCP/UDP: Closing socket
us=888912 SIGTERM[hard,] received, process exiting
us=888912 MANAGEMENT: >STATE:1519345899,EXITING,SIGTERM,,,,,
Thanks for your help. (And guidance on format!)
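What the client log above is actually saying: the TLS handshake and certificate checks all pass, the client enters GET_CONFIG and then sends PUSH_REQUEST over and over without ever receiving a PUSH_REPLY or an AUTH_FAILED. The server has therefore neither accepted nor rejected the session, which is the symptom you get while server-side authentication (here, the Duo script or plugin) has not returned. The following triage script is an added example, not code from the post or from Duo; it parses constructed log lines that mirror the posted output (placeholders such as PEER.IP.ADD.SERVER kept as-is, the "healthy" sample is invented) and reports which stage the connection stalled at.

```python
"""Triage an OpenVPN 2.4 client log for the 'PUSH_REQUEST with no reply' symptom.

Added example, not part of the forum post. Message formats are those of
OpenVPN 2.4 client output; the sample logs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the tail of the posted client log, placeholders kept.
SAMPLE_LOG = """\
us=815 MANAGEMENT: >STATE:1519345865,WAIT,,,,,,
us=816 MANAGEMENT: >STATE:1519345865,AUTH,,,,,,
us=817 TLS: Initial packet from [AF_INET]PEER.IP.ADD.SERVER:xxxx, sid=93c5cc7f e6a9f3de
us=824 VERIFY OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, CN=CN
us=825 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
us=826 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=827 MANAGEMENT: >STATE:1519345866,GET_CONFIG,,,,,,
us=828 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=829 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=830 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=836 SIGTERM[hard,] received, process exiting
"""

# Constructed sample of a session where the server did answer (invented values).
HEALTHY_LOG = """\
us=1 MANAGEMENT: >STATE:1519345865,AUTH,,,,,,
us=2 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=3 MANAGEMENT: >STATE:1519345866,GET_CONFIG,,,,,,
us=4 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=5 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ifconfig 10.8.0.2 255.255.255.0'
us=6 MANAGEMENT: >STATE:1519345867,ASSIGN_IP,,10.8.0.2,,,,
"""

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
TLS_OK_RE = re.compile(r"Peer Connection Initiated with")
PUSH_REQ_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: 'PUSH_REQUEST'")
PUSH_REPLY_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY")
AUTH_FAILED_RE = re.compile(r"AUTH_FAILED")
# e.g. "SIGTERM[hard,] received" or "SIGUSR1[soft,no-push-reply] received"
SIGNAL_RE = re.compile(r"(SIG[A-Z0-9]+)\[\w+,([^\]]*)\] received")


@dataclass
class Triage:
    states: List[str] = field(default_factory=list)  # management STATE transitions seen
    tls_ok: bool = False          # control channel came up and peer was verified
    push_requests: int = 0        # PUSH_REQUESTs sent by the client
    push_replies: int = 0         # PUSH_REPLYs received from the server
    auth_failed: bool = False     # server explicitly rejected the session
    exit_reason: Optional[str] = None  # signal reason, or signal name if none given


def triage(log: str) -> Triage:
    """Walk the log once and collect the facts the verdict depends on."""
    t = Triage()
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            t.states.append(m.group(1))
        if TLS_OK_RE.search(line):
            t.tls_ok = True
        if PUSH_REQ_RE.search(line):
            t.push_requests += 1
        if PUSH_REPLY_RE.search(line):
            t.push_replies += 1
        if AUTH_FAILED_RE.search(line):
            t.auth_failed = True
        m = SIGNAL_RE.search(line)
        if m:
            t.exit_reason = m.group(2) or m.group(1)
    return t


def verdict(t: Triage) -> str:
    """Map the collected facts to the stage where the connection stalled."""
    if not t.tls_ok:
        return "TLS handshake never completed: check certificates, tls-crypt key and reachability"
    if t.auth_failed:
        return "server rejected the session with AUTH_FAILED: credentials or second factor denied"
    if t.push_replies > 0:
        return "server answered PUSH_REQUEST: authentication completed, look past auth"
    if t.push_requests > 0:
        return ("stuck in GET_CONFIG: TLS and certificate checks passed but the server never "
                "answered %d PUSH_REQUESTs. It neither accepted nor rejected the session, so "
                "server-side authentication (the Duo script/plugin) did not return; raise the "
                "server's verb and check whether the script/plugin is invoked at all"
                % t.push_requests)
    return "connection ended before any PUSH_REQUEST was sent"


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
    print(verdict(triage(HEALTHY_LOG)))
```

The useful distinction is between "no reply at all" (this thread) and an explicit AUTH_FAILED: the first points at the server never finishing the auth step, the second at Duo or the password check rejecting the user. The server log at a higher verb, which is not in the post, is where the next clue lives.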
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 21, 2018 10:05 pm
Re: Duo MFA
Yes indeed,
I just tried adding another user to Duo with the CN in the logs, no joy.
I have confirmed that firewall is allowing access to the API on 443...
Time to fire up a packet capture.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 21, 2018 10:05 pm
Re: Duo MFA
After a restart, I am seeing the same results. Nothing from or to the DUO.API.IP.ADD
Packet capture results from server.
[code]
ip.addr==CLIENT.PEER.IP.ADD|DUO.API.IP.ADD
[/code]
[code]
12.044833 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
12.045414 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.570965 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 54
20.571808 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 66
20.744460 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.751882 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 227
20.754478 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 1128
20.754580 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 1116
20.754669 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 960
20.804358 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.804433 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.841708 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1128
20.841767 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1116
20.842571 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.843032 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.843170 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1116
20.843196 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 180
20.863281 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.864125 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 117
20.951061 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 486
20.956446 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 294
21.014536 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
22.254599 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
22.255725 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
27.613394 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
27.614079 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
[/code]
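The capture above is the decisive evidence in this thread: the OpenVPN exchange with the client reaches the firewall and is answered, but there is not a single packet to or from DUO.API.IP.ADD, so the Duo integration on the server never makes its HTTPS call to the API. The script below is an added example, not from the post, pfSense or Duo. It parses tcpdump-format summary lines (the format pfSense's packet capture page prints), aggregates them into flows and applies that check; the sample captures are constructed to mirror the posted output, with the poster's placeholders kept and the "healthy" TCP/443 lines invented.

```python
"""Check a tcpdump-style capture summary for traffic to the Duo API host.

Added example, not part of the forum post. Line format assumed:
'<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length N' or
'<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..., length N' (TCP).
"""
import re
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str]  # (src host, dst host, dst port, proto)

# Constructed sample mirroring the posted capture: only client<->server UDP.
SAMPLE_CAPTURE = """\
12.044833 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
12.045414 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.751882 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 227
20.754478 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 1128
20.951061 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 486
20.956446 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 294
"""

# Constructed sample of what a working setup would add: the firewall opening
# TCP/443 to the Duo API host (invented port and sequence numbers).
HEALTHY_CAPTURE = SAMPLE_CAPTURE + """\
21.100000 IP SERVER.WAN.IP.ADD.50123 > DUO.API.IP.ADD.443: Flags [S], seq 1234, win 65535, length 0
21.130000 IP DUO.API.IP.ADD.443 > SERVER.WAN.IP.ADD.50123: Flags [S.], seq 99, ack 1235, win 65535, length 0
"""

# Hosts may be dotted IPs or placeholders; the port is the last dotted field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+) > (?P<dst>.+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags ["):
        proto = "TCP"
    else:
        proto = "OTHER"
    lm = LEN_RE.search(rest)
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": proto, "length": int(lm.group(1)) if lm else 0,
    }


def summarize(capture: str) -> Dict[Flow, List[int]]:
    """Aggregate lines into flows -> [packet count, byte count]."""
    flows: Dict[Flow, List[int]] = {}
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["dst"], p["dport"], p["proto"])
        agg = flows.setdefault(key, [0, 0])
        agg[0] += 1
        agg[1] += p["length"]
    return flows


def duo_api_seen(capture: str, duo_host: str, port: int = 443) -> bool:
    """True if any TCP packet went to duo_host:port or came back from duo_host."""
    for (src, dst, dport, proto) in summarize(capture):
        if proto == "TCP" and ((dst == duo_host and dport == port) or src == duo_host):
            return True
    return False


def diagnose(capture: str, server_host: str, duo_host: str) -> str:
    """Separate 'client never reached us' from 'we never called Duo'."""
    flows = summarize(capture)
    vpn_pkts = sum(n for (src, dst, _, proto), (n, _) in flows.items()
                   if proto == "UDP" and server_host in (src, dst))
    if vpn_pkts == 0:
        return "no OpenVPN UDP traffic at the server: the client is not reaching the firewall at all"
    if not duo_api_seen(capture, duo_host):
        return ("OpenVPN handshake reached the server, but no TCP/443 traffic to/from %s: the Duo "
                "script/plugin never contacts the API (not invoked, failing before the HTTPS call, "
                "or blocked by DNS/egress rules)" % duo_host)
    return "TCP/443 traffic to %s is present: the API call is made, check the Duo-side response" % duo_host


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "SERVER.WAN.IP.ADD", "DUO.API.IP.ADD"))
    print(diagnose(HEALTHY_CAPTURE, "SERVER.WAN.IP.ADD", "DUO.API.IP.ADD"))
```

Because the capture is taken on the firewall itself, "nothing to the Duo host" rules out an upstream block and leaves the problem inside the box: the OpenVPN server is not invoking the Duo script/plugin, or it fails before its HTTPS request, or name resolution for the API host fails. That narrows the next step to the server-side OpenVPN log rather than to Duo's side.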
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun May 12, 2019 10:50 pm
Re: Duo MFA
Hey I know this is a rather old post but I'm experiencing the exact same problem. Did you ever figure out how to make this work?