Duo MFA

Flows
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 21, 2018 10:05 pm

Duo MFA

Post by Flows » Wed Feb 21, 2018 10:15 pm

Hi folks,

Any thoughts as to what I am missing here?

I can configure it to prompt for a password with auth-user-pass but when I enter push1 I don't get a push to the phone.
I have auth-user-pass-optional configured on the server side and I still don't get an automatic push.
The VPN works fine without the Duo tweaks...
Duo support are saying they cannot see requests to my account.
Chmoded 755 on the /opt/duo files built on the same version of FreeBSD
Using the latest version of pfSense and the OpenVPN Client Export Utility package.

These are the guides I have been following:
https://duo.com/docs/openvpn
https://duo.com/docs/openvpn-faq
https://www.reddit.com/r/PFSENSE/commen ... no_radius/


This is what I am seeing from the OpenVPN logs... HELP!

Thu Feb 22 08:54:55 2018 No reply from server after sending 12 push requests
Thu Feb 22 08:54:55 2018 SIGUSR1[soft,no-push-reply] received, process restarting

Client side config:
[oconf=]dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx xxxx udp
verify-x509-name "xxx" name
pkcs12 pfSense-udp-xxxx-xxx.p12
tls-crypt pfSense-udp-xxxx-xxx-tls.key
remote-cert-tls server
redirect-gateway def1
reneg-sec 0
!auth-user-pass !!@@ tried with and without[/oconf]

Server side config:
[oconf=]dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
engine cryptodev
tls-server
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'xxx' 1"
lport xxxx
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
plugin /opt/duo/duo_openvpn.so 'xxx xxx api-xxx.duosecurity.com'
auth-user-pass-optional
reneg-sec 0
push "reneg-sec 0"
!push "auth-user-pass" !!@@ tried with and without[/oconf]
Last edited by Flows on Thu Feb 22, 2018 9:31 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Duo MFA

Post by TinCanTech » Thu Feb 22, 2018 12:55 pm

See your server log.

See --log & --verb in The Manual v24x

Flows
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 21, 2018 10:05 pm

Re: Duo MFA

Post by Flows » Thu Feb 22, 2018 9:46 pm

Thanks Tin,

I am seeing control messages PUSH REQUEST but not seeing them come through on the phone. I have pointed this thread out to the Duo Security team as well. I have also confirmed I can telnet to the API on 443.

Is there anything obvious in the below sequence?

Fail_auth-user-pass:

Thu Feb 22 20:58:59 2018 us=551206 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
Thu Feb 22 20:58:59 2018 us=551479 PO_CTL rwflags=0x0002 ev=6 arg=0x006a6ea0
Thu Feb 22 20:58:59 2018 us=551499 PO_CTL rwflags=0x0000 ev=5 arg=0x006a5d04
Thu Feb 22 20:58:59 2018 us=551518 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:58:59 2018 us=551540 I/O WAIT Tr|Tw|Sr|SW [1/53698]
Thu Feb 22 20:58:59 2018 us=551577 PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x006a6ea0 
Thu Feb 22 20:58:59 2018 us=551597  event_wait returned 1
Thu Feb 22 20:58:59 2018 us=551614 I/O WAIT status=0x0002
Thu Feb 22 20:58:59 2018 us=551677 PEER.IP.ADD.CLIENT UDPv6 WRITE [62] to [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0): P_ACK_V1 kid=0 sid=886c555d c7f4266f [ ]
Thu Feb 22 20:58:59 2018 us=551732 PEER.IP.ADD.CLIENT UDPv6 write returned 62
Thu Feb 22 20:58:59 2018 us=551879 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:58:59 2018 us=551903 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:58:59 2018 us=551937 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:58:59 2018 us=551964 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:58:59 2018 us=551984 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 58
Thu Feb 22 20:58:59 2018 us=552012 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:58:59 2018 us=552039 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:58:59 2018 us=552091 PO_CTL rwflags=0x0001 ev=6 arg=0x006a6ea0
Thu Feb 22 20:58:59 2018 us=552110 PO_CTL rwflags=0x0001 ev=5 arg=0x006a5d04
Thu Feb 22 20:58:59 2018 us=552127 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:58:59 2018 us=552160 I/O WAIT TR|Tw|SR|Sw [1/53698]
Thu Feb 22 20:59:00 2018 us=656648  event_wait returned 0
Thu Feb 22 20:59:00 2018 us=656847 I/O WAIT status=0x0020
Thu Feb 22 20:59:00 2018 us=656874 MULTI: REAP range 176 -> 192
Thu Feb 22 20:59:00 2018 us=656904 PEER.IP.ADD.CLIENT TIMER: coarse timer wakeup 9 seconds
Thu Feb 22 20:59:00 2018 us=657075 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:00 2018 us=657105 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:00 2018 us=657167 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:00 2018 us=657219 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:59:00 2018 us=657248 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 57
Thu Feb 22 20:59:00 2018 us=657285 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:00 2018 us=657320 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:00 2018 us=657431 PEER.IP.ADD.CLIENT SCHEDULE: schedule_add_modify wakeup=[Thu Feb 22 20:59:10 2018 us=26776] pri=1511058017
Thu Feb 22 20:59:00 2018 us=657463 SCHEDULE: schedule_find_least wakeup=[Thu Feb 22 20:59:10 2018 us=26776] pri=914772274
Thu Feb 22 20:59:00 2018 us=657493 PO_CTL rwflags=0x0001 ev=6 arg=0x006a6ea0
Thu Feb 22 20:59:00 2018 us=657529 PO_CTL rwflags=0x0001 ev=5 arg=0x006a5d04
Thu Feb 22 20:59:00 2018 us=657552 PO_CTL rwflags=0x0001 ev=3 arg=0x006a5d08
Thu Feb 22 20:59:00 2018 us=657581 I/O WAIT TR|Tw|SR|Sw [9/53698]
Thu Feb 22 20:59:04 2018 us=898954 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x006a6ea0 
Thu Feb 22 20:59:04 2018 us=899043  event_wait returned 1
Thu Feb 22 20:59:04 2018 us=899068 I/O WAIT status=0x0001
Thu Feb 22 20:59:04 2018 us=899093 MULTI: REAP range 192 -> 208
Thu Feb 22 20:59:04 2018 us=899136 UDPv6 read returned 96
Thu Feb 22 20:59:04 2018 us=899181 GET INST BY REAL: PEER.IP.ADD.CLIENT [ok]
Thu Feb 22 20:59:04 2018 us=899370 PEER.IP.ADD.CLIENT UDPv6 READ [96] from [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0): P_CONTROL_V1 kid=0 sid=41c96afc ab54e69f [ ] pid=3418 DATA 8f2f108c 9f715b58 d3f0aef6 801e5d03 f6c817ac 2aefa30b 2303383f 4048a7e[more...]
Thu Feb 22 20:59:04 2018 us=899463 PEER.IP.ADD.CLIENT TLS: control channel, op=P_CONTROL_V1, IP=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=899586 PEER.IP.ADD.CLIENT TLS: initial packet test, i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, rec-sid=41c96afc ab54e69f, rec-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0), stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=899615 PEER.IP.ADD.CLIENT TLS: found match, session[0], sid=41c96afc ab54e69f
Thu Feb 22 20:59:04 2018 us=899836 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP FROM: 2041c96a fcab54e6 9f000000 0d5a8f2f 108c9f71 5b58d3f0 aef6801e 5d03f6c[more...]
Thu Feb 22 20:59:04 2018 us=899886 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP AD: 2041c96a fcab54e6 9f000000 0d5a8f2f 10
Thu Feb 22 20:59:04 2018 us=899949 PEER.IP.ADD.CLIENT TLS-CRYPT UNWRAP TO: 00000000 08170303 0025f760 5b458ca4 fcbe4879 af79f354 23e154f6 fc4e08a[more...]
Thu Feb 22 20:59:04 2018 us=900008 PEER.IP.ADD.CLIENT PID_TEST [0] [TLS_WRAP-0] [566666666667] 1519333136:12 1519333136:13 t=1519333144[0] r=[0,64,15,0,1] sl=[52,12,64,528]
Thu Feb 22 20:59:04 2018 us=900038 PEER.IP.ADD.CLIENT TLS: received control channel packet s#=0 sid=41c96afc ab54e69f
Thu Feb 22 20:59:04 2018 us=900063 PEER.IP.ADD.CLIENT ACK read ID 8 (buf->len=42)
Thu Feb 22 20:59:04 2018 us=900087 PEER.IP.ADD.CLIENT ACK RWBS rel->size=8 rel->packet_id=00000008 id=00000008 ret=1

Thu Feb 22 20:59:04 2018 us=900109 PEER.IP.ADD.CLIENT ACK mark active incoming ID 8
Thu Feb 22 20:59:04 2018 us=900142 PEER.IP.ADD.CLIENT ACK acknowledge ID 8 (ack->len=1)
Thu Feb 22 20:59:04 2018 us=900233 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=886c555d c7f4266f, stored-sid=41c96afc ab54e69f, stored-ip=[AF_INET6]::ffff:PEER.IP.ADD.CLIENT:8931 (via ::ffff:LAN.IP.ADD.SERVER%em0)
Thu Feb 22 20:59:04 2018 us=900262 PEER.IP.ADD.CLIENT TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:04 2018 us=900287 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:04 2018 us=900313 PEER.IP.ADD.CLIENT BIO write tls_write_ciphertext 42 bytes
Thu Feb 22 20:59:04 2018 us=900336 PEER.IP.ADD.CLIENT Incoming Ciphertext -> TLS
Thu Feb 22 20:59:04 2018 us=900431 PEER.IP.ADD.CLIENT BIO read tls_read_plaintext 13 bytes
Thu Feb 22 20:59:04 2018 us=900456 PEER.IP.ADD.CLIENT TLS -> Incoming Plaintext
Thu Feb 22 20:59:04 2018 us=900482 PEER.IP.ADD.CLIENT TLS: tls_process: chg=1 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
Thu Feb 22 20:59:04 2018 us=900505 PEER.IP.ADD.CLIENT ACK reliable_can_send active=0 current=0 : [6]
Thu Feb 22 20:59:04 2018 us=900531 PEER.IP.ADD.CLIENT ACK write ID 8 (ack->len=1, n=1)
Thu Feb 22 20:59:04 2018 us=900562 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP FROM: 01000000 0841c96a fcab54e6 9f
Thu Feb 22 20:59:04 2018 us=900594 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP AD: 28886c55 5dc7f426 6f000000 0b5a8f2f 11
Thu Feb 22 20:59:04 2018 us=900651 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP TAG: abc680a6 829d44ac 2d800cc0 d0209d1f 51d9465c 9cb9fc3a c9abc0d9 ae0bf9f6
Thu Feb 22 20:59:04 2018 us=900711 PEER.IP.ADD.CLIENT TLS-CRYPT WRAP TO: 28886c55 5dc7f426 6f000000 0b5a8f2f 11abc680 a6829d44 ac2d800c c0d0209[more...]
Thu Feb 22 20:59:04 2018 us=900725 PEER.IP.ADD.CLIENT Dedicated ACK -> TCP/UDP
Thu Feb 22 20:59:04 2018 us=900798 PEER.IP.ADD.CLIENT ACK reliable_send_timeout 604800 [6]
Thu Feb 22 20:59:04 2018 us=900832 PEER.IP.ADD.CLIENT TLS: tls_process: timeout set to 53
Thu Feb 22 20:59:04 2018 us=900867 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8e86e348 ce8461b3, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:04 2018 us=900901 PEER.IP.ADD.CLIENT TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Thu Feb 22 20:59:04 2018 us=900934 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
Last edited by Flows on Thu Feb 22, 2018 11:54 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Duo MFA

Post by TinCanTech » Thu Feb 22, 2018 11:46 pm


Flows
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 21, 2018 10:05 pm

Re: Duo MFA

Post by Flows » Fri Feb 23, 2018 12:52 am

Server

FreeBSD pfSense.localdomain 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #8 r313908+a5b33c9d1c4(RELENG_2_4): Tue Dec 12 13:51:24 CST 2017     root@buildbot2.netgate.com:/builder/ce-242/tmp/obj/builder/ce-242/tmp/FreeBSD-src/sys/pfSense  amd64
SERVER
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
engine cryptodev
tls-server
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'XXX' 1"
lport xxxx
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
verb 4
log-append /var/log/openvpn_duo_autopush.log
plugin /opt/duo/duo_openvpn.so 'xxx xxx api-xxx.duosecurity.com'
auth-user-pass-optional
reneg-sec 0
push "reneg-sec 0"


Server logs:

us=747430 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=958737 MANAGEMENT: CMD 'status 2'
us=174677 MANAGEMENT: CMD 'quit'
us=174792 MANAGEMENT: Client disconnected
us=834139 MULTI: multi_create_instance called
us=834250 PEER.IP.ADD.CLIENT Re-using SSL/TLS context
us=834461 PEER.IP.ADD.CLIENT Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
us=834487 PEER.IP.ADD.CLIENT Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=834553 PEER.IP.ADD.CLIENT Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
us=834573 PEER.IP.ADD.CLIENT Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
us=834707 PEER.IP.ADD.CLIENT TLS: Initial packet from [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:10910 (via ::ffff:192.168.255.5%em0), sid=688fab06 baaa1223
us=10196 PEER.IP.ADD.CLIENT VERIFY SCRIPT OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=10253 PEER.IP.ADD.CLIENT VERIFY OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=18463 PEER.IP.ADD.CLIENT VERIFY SCRIPT OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=username
us=18547 PEER.IP.ADD.CLIENT VERIFY OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=username
us=79749 PEER.IP.ADD.CLIENT peer info: IV_VER=2.4.4
us=79809 PEER.IP.ADD.CLIENT peer info: IV_PLAT=win
us=79826 PEER.IP.ADD.CLIENT peer info: IV_PROTO=2
us=79836 PEER.IP.ADD.CLIENT peer info: IV_NCP=2
us=79846 PEER.IP.ADD.CLIENT peer info: IV_LZ4=1
us=79856 PEER.IP.ADD.CLIENT peer info: IV_LZ4v2=1
us=79867 PEER.IP.ADD.CLIENT peer info: IV_LZO=1
us=79879 PEER.IP.ADD.CLIENT peer info: IV_COMP_STUB=1
us=79895 PEER.IP.ADD.CLIENT peer info: IV_COMP_STUBv2=1
us=79952 PEER.IP.ADD.CLIENT peer info: IV_TCPNL=1
us=79962 PEER.IP.ADD.CLIENT peer info: IV_GUI_VER=OpenVPN_GUI_11
us=81958 PEER.IP.ADD.CLIENT PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
us=82314 PEER.IP.ADD.CLIENT TLS: Username/Password authentication deferred for username '' 
us=130357 PEER.IP.ADD.CLIENT Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
us=130495 PEER.IP.ADD.CLIENT [username] Peer Connection Initiated with [AF_INET6]::ffff:PEER.IP.ADD.CLIENT:10910 (via ::ffff:192.168.255.5%em0)
us=324404 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=674189 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=787340 PEER.IP.ADD.CLIENT [username] Inactivity timeout (--ping-restart), restarting
us=787416 PEER.IP.ADD.CLIENT SIGUSR1[soft,ping-restart] received, client-instance restarting
us=75154 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=473776 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=903919 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=313620 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=684814 PEER.IP.ADD.CLIENT PUSH: Received control message: 'PUSH_REQUEST'
us=695961 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=911356 MANAGEMENT: CMD 'status 2'
us=126497 MANAGEMENT: CMD 'quit'
us=126564 MANAGEMENT: Client disconnected
us=52730 PEER.IP.ADD.CLIENT SIGTERM[soft,auth-control-exit] received, client-instance exiting
us=664313 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=871306 MANAGEMENT: CMD 'status 2'
us=88096 MANAGEMENT: CMD 'quit'
us=88211 MANAGEMENT: Client disconnected
us=677085 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=888112 MANAGEMENT: CMD 'status 2'
us=102489 MANAGEMENT: CMD 'quit'
us=102603 MANAGEMENT: Client disconnected
us=658410 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=872290 MANAGEMENT: CMD 'status 2'
us=88601 MANAGEMENT: CMD 'quit'
us=88691 MANAGEMENT: Client disconnected
us=690919 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=907821 MANAGEMENT: CMD 'status 2'
us=124397 MANAGEMENT: CMD 'quit'
us=124507 MANAGEMENT: Client disconnected
us=679181 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=894170 MANAGEMENT: CMD 'status 2'
us=109671 MANAGEMENT: CMD 'quit'
us=109764 MANAGEMENT: Client disconnected
us=636652 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=850444 MANAGEMENT: CMD 'status 2'
us=53404 MANAGEMENT: CMD 'quit'
us=53521 MANAGEMENT: Client disconnected
us=699976 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=914165 MANAGEMENT: CMD 'status 2'
us=128730 MANAGEMENT: CMD 'quit'
us=128807 MANAGEMENT: Client disconnected
us=638702 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=848733 MANAGEMENT: CMD 'status 2'
us=63249 MANAGEMENT: CMD 'quit'
us=63328 MANAGEMENT: Client disconnected
us=640769 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=854156 MANAGEMENT: CMD 'status 2'
us=68447 MANAGEMENT: CMD 'quit'
us=68775 MANAGEMENT: Client disconnected
us=571326 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=782998 MANAGEMENT: CMD 'status 2'
us=997806 MANAGEMENT: CMD 'quit'
us=998014 MANAGEMENT: Client disconnected
us=624660 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
us=836678 MANAGEMENT: CMD 'status 2'
us=58324 MANAGEMENT: CMD 'quit'
us=58383 MANAGEMENT: Client disconnected


Client

Microsoft Windows [Version 10.0.16299.248]
CLIENT
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x udp
verify-x509-name "XXX" name
pkcs12 pfSense-udp-989-user.p12
tls-crypt pfSense-udp-989-user-tls.key
remote-cert-tls server
reneg-sec 0
verb 4


Client logs:

us=325209 Current Parameter Settings:
us=325209   config = 'pfSense-udp-xxxx-username-config.ovpn'
us=325209   mode = 0
us=325209   show_ciphers = DISABLED
us=325209   show_digests = DISABLED
us=325209   show_engines = DISABLED
us=325209   genkey = DISABLED
us=325209   key_pass_file = '[UNDEF]'
us=325209   show_tls_ciphers = DISABLED
us=325209   connect_retry_max = 0
us=325209 Connection profiles [0]:
us=325209   proto = udp
us=326186   local = '[UNDEF]'
us=326186   local_port = '1194'
us=326186   remote = 'PEER.IP.ADD.SERVER'
us=326186   remote_port = 'xxxx'
us=326186   remote_float = DISABLED
us=326186   bind_defined = DISABLED
us=326186   bind_local = ENABLED
us=326186   bind_ipv6_only = DISABLED
us=326186   connect_retry_seconds = 5
us=326186   connect_timeout = 120
us=326186   socks_proxy_server = '[UNDEF]'
us=326186   socks_proxy_port = '[UNDEF]'
us=326186   tun_mtu = 1500
us=326186   tun_mtu_defined = ENABLED
us=326186   link_mtu = 1500
us=326186   link_mtu_defined = DISABLED
us=326186   tun_mtu_extra = 0
us=326186   tun_mtu_extra_defined = DISABLED
us=326186   mtu_discover_type = -1
us=326186   fragment = 0
us=326186   mssfix = 1450
us=326186   explicit_exit_notification = 0
us=326186 Connection profiles END
us=326186   remote_random = DISABLED
us=326186   ipchange = '[UNDEF]'
us=326186   dev = 'tun'
us=326186   dev_type = '[UNDEF]'
us=326186   dev_node = '[UNDEF]'
us=326186   lladdr = '[UNDEF]'
us=326186   topology = 1
us=326186   ifconfig_local = '[UNDEF]'
us=326186   ifconfig_remote_netmask = '[UNDEF]'
us=326186   ifconfig_noexec = DISABLED
us=326186   ifconfig_nowarn = DISABLED
us=326186   ifconfig_ipv6_local = '[UNDEF]'
us=326186   ifconfig_ipv6_netbits = 0
us=326186   ifconfig_ipv6_remote = '[UNDEF]'
us=326186   shaper = 0
us=326186   mtu_test = 0
us=326186   mlock = DISABLED
us=326186   keepalive_ping = 0
us=326186   keepalive_timeout = 0
us=326186   inactivity_timeout = 0
us=326186   ping_send_timeout = 0
us=326186   ping_rec_timeout = 0
us=326186   ping_rec_timeout_action = 0
us=326186   ping_timer_remote = DISABLED
us=326186   remap_sigusr1 = 0
us=326186   persist_tun = ENABLED
us=326186   persist_local_ip = DISABLED
us=326186   persist_remote_ip = DISABLED
us=326186   persist_key = ENABLED
us=326186   passtos = DISABLED
us=326186   resolve_retry_seconds = 1000000000
us=326186   resolve_in_advance = DISABLED
us=326186   username = '[UNDEF]'
us=326186   groupname = '[UNDEF]'
us=326186   chroot_dir = '[UNDEF]'
us=326186   cd_dir = '[UNDEF]'
us=326186   writepid = '[UNDEF]'
us=326186   up_script = '[UNDEF]'
us=326186   down_script = '[UNDEF]'
us=326186   down_pre = DISABLED
us=326186   up_restart = DISABLED
us=326186   up_delay = DISABLED
us=326186   daemon = DISABLED
us=326186   inetd = 0
us=326186   log = ENABLED
us=326186   suppress_timestamps = DISABLED
us=326186   machine_readable_output = DISABLED
us=326186   nice = 0
us=326186   verbosity = 4
us=326186   mute = 0
us=326186   gremlin = 0
us=326186   status_file = '[UNDEF]'
us=326186   status_file_version = 1
us=326186   status_file_update_freq = 60
us=326186   occ = ENABLED
us=326186   rcvbuf = 0
us=326186   sndbuf = 0
us=326186   sockflags = 0
us=326186   fast_io = DISABLED
us=326186   comp.alg = 0
us=326186   comp.flags = 0
us=326186   route_script = '[UNDEF]'
us=326186   route_default_gateway = '[UNDEF]'
us=326186   route_default_metric = 0
us=326186   route_noexec = DISABLED
us=326186   route_delay = 5
us=326186   route_delay_window = 30
us=326186   route_delay_defined = ENABLED
us=327162   route_nopull = DISABLED
us=327162   route_gateway_via_dhcp = DISABLED
us=327162   allow_pull_fqdn = DISABLED
us=327162   management_addr = '127.0.0.1'
us=327162   management_port = '25340'
us=327162   management_user_pass = 'stdin'
us=327162   management_log_history_cache = 250
us=327162   management_echo_buffer_size = 100
us=327162   management_write_peer_info_file = '[UNDEF]'
us=327162   management_client_user = '[UNDEF]'
us=327162   management_client_group = '[UNDEF]'
us=327162   management_flags = 6
us=327162   shared_secret_file = '[UNDEF]'
us=327162   key_direction = 0
us=327162   ciphername = 'AES-256-CBC'
us=327162   ncp_enabled = ENABLED
us=327162   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
us=327162   authname = 'SHA256'
us=327162   prng_hash = 'SHA1'
us=327162   prng_nonce_secret_len = 16
us=327162   keysize = 0
us=327162   engine = DISABLED
us=327162   replay = ENABLED
us=327162   mute_replay_warnings = DISABLED
us=327162   replay_window = 64
us=327162   replay_time = 15
us=327162   packet_id_file = '[UNDEF]'
us=327162   use_iv = ENABLED
us=327162   test_crypto = DISABLED
us=327162   tls_server = DISABLED
us=327162   tls_client = ENABLED
us=327162   key_method = 2
us=327162   ca_file = '[UNDEF]'
us=327162   ca_path = '[UNDEF]'
us=327162   dh_file = '[UNDEF]'
us=327162   cert_file = '[UNDEF]'
us=327162   extra_certs_file = '[UNDEF]'
us=327162   priv_key_file = '[UNDEF]'
us=327162   pkcs12_file = 'pfSense-udp-xxxx-username.p12'
us=327162   cryptoapi_cert = '[UNDEF]'
us=327162   cipher_list = '[UNDEF]'
us=327162   tls_verify = '[UNDEF]'
us=327162   tls_export_cert = '[UNDEF]'
us=327162   verify_x509_type = 2
us=327162   verify_x509_name = 'CN'
us=327162   crl_file = '[UNDEF]'
us=327162   ns_cert_type = 0
us=327162   remote_cert_ku[i] = 65535
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_ku[i] = 0
us=327162   remote_cert_eku = 'TLS Web Server Authentication'
us=327162   ssl_flags = 0
us=327162   tls_timeout = 2
us=327162   renegotiate_bytes = -1
us=327162   renegotiate_packets = 0
us=327162   renegotiate_seconds = 0
us=327162   handshake_window = 60
us=327162   transition_window = 3600
us=327162   single_session = DISABLED
us=327162   push_peer_info = DISABLED
us=327162   tls_exit = DISABLED
us=327162   tls_auth_file = '[UNDEF]'
us=327162   tls_crypt_file = 'pfSense-udp-xxxx-username-tls.key'
us=327162   pkcs11_protected_authentication = DISABLED
us=327162   pkcs11_protected_authentication = DISABLED
us=327162   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_protected_authentication = DISABLED
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_private_mode = 00000000
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_cert_private = DISABLED
us=328140   pkcs11_pin_cache_period = -1
us=328140   pkcs11_id = '[UNDEF]'
us=328140   pkcs11_id_management = DISABLED
us=328140   server_network = 0.0.0.0
us=328140   server_netmask = 0.0.0.0
us=328140   server_network_ipv6 = ::
us=328140   server_netbits_ipv6 = 0
us=328140   server_bridge_ip = 0.0.0.0
us=328140   server_bridge_netmask = 0.0.0.0
us=328140   server_bridge_pool_start = 0.0.0.0
us=328140   server_bridge_pool_end = 0.0.0.0
us=328140   ifconfig_pool_defined = DISABLED
us=328140   ifconfig_pool_start = 0.0.0.0
us=328140   ifconfig_pool_end = 0.0.0.0
us=328140   ifconfig_pool_netmask = 0.0.0.0
us=328140   ifconfig_pool_persist_filename = '[UNDEF]'
us=328140   ifconfig_pool_persist_refresh_freq = 600
us=328140   ifconfig_ipv6_pool_defined = DISABLED
us=328140   ifconfig_ipv6_pool_base = ::
us=328140   ifconfig_ipv6_pool_netbits = 0
us=328140   n_bcast_buf = 256
us=328140   tcp_queue_limit = 64
us=328140   real_hash_size = 256
us=328140   virtual_hash_size = 256
us=328140   client_connect_script = '[UNDEF]'
us=328140   learn_address_script = '[UNDEF]'
us=328140   client_disconnect_script = '[UNDEF]'
us=328140   client_config_dir = '[UNDEF]'
us=328140   ccd_exclusive = DISABLED
us=328140   tmp_dir = 'C:\Users\user\AppData\Local\Temp\'
us=328140   push_ifconfig_defined = DISABLED
us=328140   push_ifconfig_local = 0.0.0.0
us=328140   push_ifconfig_remote_netmask = 0.0.0.0
us=328140   push_ifconfig_ipv6_defined = DISABLED
us=328140   push_ifconfig_ipv6_local = ::/0
us=328140   push_ifconfig_ipv6_remote = ::
us=328140   enable_c2c = DISABLED
us=328140   duplicate_cn = DISABLED
us=328140   cf_max = 0
us=328140   cf_per = 0
us=328140   max_clients = 1024
us=328140   max_routes_per_client = 256
us=328140   auth_user_pass_verify_script = '[UNDEF]'
us=328140   auth_user_pass_verify_script_via_file = DISABLED
us=328140   auth_token_generate = DISABLED
us=328140   auth_token_lifetime = 0
us=328140   client = ENABLED
us=328140   pull = ENABLED
us=328140   auth_user_pass_file = '[UNDEF]'
us=328140   show_net_up = DISABLED
us=328140   route_method = 3
us=328140   block_outside_dns = DISABLED
us=328140   ip_win32_defined = DISABLED
us=328140   ip_win32_type = 3
us=329119   dhcp_masq_offset = 0
us=329119   dhcp_lease_time = 31536000
us=329119   tap_sleep = 0
us=329119   dhcp_options = DISABLED
us=329119   dhcp_renew = DISABLED
us=329119   dhcp_pre_release = DISABLED
us=329119   domain = '[UNDEF]'
us=329119   netbios_scope = '[UNDEF]'
us=329119   netbios_node_type = 0
us=329119   disable_nbt = DISABLED
us=329119 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
us=329119 Windows version 6.2 (Windows 8 or greater) 64bit
us=329119 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
us=330094 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
us=330094 Need hold release from management interface, waiting...
us=798196 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
us=900809 MANAGEMENT: CMD 'state on'
us=903733 MANAGEMENT: CMD 'log all on'
us=145110 MANAGEMENT: CMD 'echo all on'
us=147064 MANAGEMENT: CMD 'hold off'
us=149019 MANAGEMENT: CMD 'hold release'
us=325899 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
us=325899 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
us=325899 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
us=325899 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
us=326877 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
us=326877 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=326877 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
us=326877 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
us=326877 TCP/UDP: Preserving recently used remote address: [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=326877 Socket Buffers: R=[65536->65536] S=[65536->65536]
us=326877 UDP link local (bound): [AF_INET][undef]:1194
us=326877 UDP link remote: [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=326877 MANAGEMENT: >STATE:1519345865,WAIT,,,,,,
us=389419 MANAGEMENT: >STATE:1519345865,AUTH,,,,,,
us=389419 TLS: Initial packet from [AF_INET]PEER.IP.ADD.SERVER:xxxx, sid=93c5cc7f e6a9f3de
us=450988 VERIFY OK: depth=1, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=450988 VERIFY KU OK
us=450988 Validating certificate extended key usage
us=450988 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
us=450988 VERIFY EKU OK
us=450988 VERIFY X509NAME OK: C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=450988 VERIFY OK: depth=0, C=Country, ST=Location, L=Location, O=Organization, emailAddress=email@domain.com, CN=CN
us=636675 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
us=636675 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=822061 MANAGEMENT: >STATE:1519345866,GET_CONFIG,,,,,,
us=822061 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=65929 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=411431 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=970947 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=255171 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=808817 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=80050 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=888912 TCP/UDP: Closing socket
us=888912 SIGTERM[hard,] received, process exiting
us=888912 MANAGEMENT: >STATE:1519345899,EXITING,SIGTERM,,,,,
No pushes received on phone. Duo saying they are not seeing any hits.
Thanks for your help. (And guidance on format!)
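A triage sketch for the client log above, added here as an example and not part of the original post: it classifies where a session stopped by checking whether the TLS handshake completed and whether any PUSH_REQUEST was answered with PUSH_REPLY or AUTH_FAILED. The sample log lines, the `triage` function and the verdict names are constructed for illustration.

```python
import re

# Constructed sample in the format of the client log above; addresses are placeholders.
STALLED = """\
us=636675 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=822061 MANAGEMENT: >STATE:1519345866,GET_CONFIG,,,,,,
us=822061 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=65929 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=411431 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=888912 SIGTERM[hard,] received, process exiting
"""
# Constructed contrast case: the server answers the first request.
HEALTHY = """\
us=636675 [CN] Peer Connection Initiated with [AF_INET]PEER.IP.ADD.SERVER:xxxx
us=822061 SENT CONTROL [CN]: 'PUSH_REQUEST' (status=1)
us=901112 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 10'
"""

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")

def triage(log_text):
    """Classify where an OpenVPN client session stopped, from its log text."""
    last_state, requests = None, 0
    tls_up = got_reply = auth_failed = False
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(1)
        if "Peer Connection Initiated" in line:
            tls_up = True
        if "SENT CONTROL" in line and "'PUSH_REQUEST'" in line:
            requests += 1
        if "Received control message" in line:
            got_reply = got_reply or "PUSH_REPLY" in line
            auth_failed = auth_failed or "AUTH_FAILED" in line
    if not tls_up:
        verdict = "tls-not-established"      # certificates, tls-crypt key, reachability
    elif auth_failed:
        verdict = "auth-rejected"            # server ran its auth check and said no
    elif got_reply:
        verdict = "config-received"
    elif requests:
        verdict = "no-answer-to-push-request"  # neither accepted nor rejected: check server-side auth
    else:
        verdict = "no-push-request-sent"
    return {"verdict": verdict, "push_requests": requests, "last_state": last_state}

if __name__ == "__main__":
    for name, text in (("stalled", STALLED), ("healthy", HEALTHY)):
        print(name, triage(text))
```

A `no-answer-to-push-request` verdict means the client side is healthy through TLS and the place to look is the server log at a higher `verb` level, where the authentication plugin's own output appears.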

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Duo MFA

Post by TinCanTech » Fri Feb 23, 2018 1:18 am

I cannot see any specifically OpenVPN errors .. but this
Flows wrote:
Fri Feb 23, 2018 12:52 am
Duo saying they are not seeing any hits
I do not understand .. you call the Duo plugin, so it must see hits?

Flows
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 21, 2018 10:05 pm

Re: Duo MFA

Post by Flows » Fri Feb 23, 2018 1:32 am

Yes indeed,

I just tried adding another user to Duo with the CN in the logs, no joy.
I have confirmed that firewall is allowing access to the API on 443...
Time to fire up a packet capture.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Duo MFA

Post by TinCanTech » Fri Feb 23, 2018 1:39 am

Flows wrote:
Fri Feb 23, 2018 1:32 am
I just tried adding another user to Duo with the CN in the logs, no joy.
Many, many processes require a full restart.

Flows
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 21, 2018 10:05 pm

Re: Duo MFA

Post by Flows » Fri Feb 23, 2018 7:58 pm

After a restart, I am seeing the same results. Nothing from or to the DUO.API.IP.ADD

Packet capture results from server.

ip.addr==CLIENT.PEER.IP.ADD|DUO.API.IP.ADD

12.044833 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
12.045414 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.570965 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 54
20.571808 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 66
20.744460 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.751882 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 227
20.754478 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 1128
20.754580 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 1116
20.754669 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 960
20.804358 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.804433 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
20.841708 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1128
20.841767 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1116
20.842571 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.843032 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.843170 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 1116
20.843196 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 180
20.863281 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
20.864125 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 117
20.951061 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 486
20.956446 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 294
21.014536 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 62
22.254599 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
22.255725 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62
27.613394 IP CLIENT.PEER.IP.ADD.14728 > SERVER.WAN.IP.ADD.989: UDP, length 96
27.614079 IP SERVER.WAN.IP.ADD.989 > CLIENT.PEER.IP.ADD.14728: UDP, length 62

kmdelta
OpenVpn Newbie
Posts: 1
Joined: Sun May 12, 2019 10:50 pm

Re: Duo MFA

Post by kmdelta » Sun May 12, 2019 10:51 pm

Hey I know this is a rather old post but I'm experiencing the exact same problem. Did you ever figure out how to make this work?
