[Solved] Tunnels "freeze" when other clients connect

Posted: Mon Feb 11, 2019 11:13 am
by Enimbos
Hi Team

First of all, I'm a newbie here and I couldn't find a solution to my problem, having searched before writing this :)
My server runs fine and my clients can connect without problems.
I am using the PAM module on the server side to authenticate clients with Google Authenticator. I combine this PAM module with SSSD to authenticate users with Active Directory credentials.
So, client security is based on certificate + AD user + AD credentials + MFA.

Well, when some users are connected to the VPN and another client wants to connect, the VPN tunnels of all the other clients (previously connected, with their tunnels established) freeze. I can see that a ping to the server through the VPN loses at least 3-4 packets. It's weird.

Attached server conf:

mode server
tls-server

#change with your port
port 443

#You can use udp or tcp
proto tcp

# Topology Type
#topology subnet

# "dev tun" will create a routed IP tunnel.
dev tun

###Certificate Configuration
cipher AES-256-CBC

#ca certificate
ca ca.crt

#Server Certificate
cert server.crt

#Server key; keep this secret
key server.key

#Match the size of the dh key in /etc/openvpn/keys/
dh dh2048.pem

#TLS Auth
tls-auth ta.key 0

#Internal IP range clients get once connected
server 192.168.www.0 255.255.240.0

# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist server-ipp.txt

#this line will redirect all traffic through our OpenVPN
#push "redirect-gateway def1"

#Provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS 192.168.yyy.10"

#Push routes
#Backend
push "route 192.168.xxx.0 255.255.255.0"
#Frontend
push "route 192.168.yyy.0 255.255.255.0"

# MFA
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

#username-as-common-name
#client-cert-not-required

# Variables
keepalive 10 120
comp-lzo
persist-key
persist-tun
auth-nocache
reneg-sec 0

# Daemon logging
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
verb 3

Attached client conf:

client
tls-client
key-direction 1
dev tun11
proto tcp
comp-lzo
remote URL 443
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
script-security 3
reneg-sec 0
verb 3
ns-cert-type server
auth-user-pass
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

PAM module config

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass debug
auth include system-auth
account include system-auth
password include system-auth

SSSD config

[sssd]
domains = testdomain.local
config_file_version = 2
services = nss, pam

[domain/testdomain.local]
ad_domain = testdomain.local
krb5_realm = TESTDOMAIN.local
realmd_tags = manages-system joined-with-adcli
#Cache credentials to false
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#Qualified names to false
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

The realm join succeeds and kinit succeeds... Alright, as I said before, the server runs fine and clients can connect with their AD user + MFA. :D

As you can see, I have verbosity level 3 on the server side now. (I also read the logs at higher levels but found nothing.)
When I read the log as the issue occurs, I can see the following:

Client Log:

Mon Feb 11 10:44:11 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 23 2017
Mon Feb 11 10:44:11 2019 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09
Enter Management Password:
Mon Feb 11 10:44:11 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Mon Feb 11 10:44:11 2019 Need hold release from management interface, waiting...
Mon Feb 11 10:44:11 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'state on'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'log all on'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'hold off'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'hold release'
Mon Feb 11 10:44:28 2019 MANAGEMENT: CMD 'username "Auth" "user"'
Mon Feb 11 10:44:28 2019 MANAGEMENT: CMD 'password [...]'
Mon Feb 11 10:44:29 2019 Control Channel Authentication: tls-auth using INLINE static key file
Mon Feb 11 10:44:29 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:29 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:29 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 11 10:44:29 2019 MANAGEMENT: >STATE:1549878269,RESOLVE,,,,,,
Mon Feb 11 10:44:29 2019 Attempting to establish TCP connection with [AF_INET]SERVERPUBLICIP:443 [nonblock]
Mon Feb 11 10:44:29 2019 MANAGEMENT: >STATE:1549878269,TCP_CONNECT,,,,,,
Mon Feb 11 10:44:30 2019 TCP connection established with [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:30 2019 TCPv4_CLIENT link local: [undef]
Mon Feb 11 10:44:30 2019 TCPv4_CLIENT link remote: [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:30 2019 MANAGEMENT: >STATE:1549878270,WAIT,,,,,,
Mon Feb 11 10:44:30 2019 MANAGEMENT: >STATE:1549878270,AUTH,,,,,,
Mon Feb 11 10:44:30 2019 TLS: Initial packet from [AF_INET]SERVERPUBLICIP:443, sid=6b3d49bb 02815c8a
Mon Feb 11 10:44:30 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 11 10:44:30 2019 VERIFY OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
Mon Feb 11 10:44:30 2019 VERIFY OK: nsCertType=SERVER
Mon Feb 11 10:44:30 2019 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=server, name=server, emailAddress=contact@email.com
Mon Feb 11 10:44:37 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 11 10:44:37 2019 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:37 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 11 10:44:37 2019 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:37 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 10:44:37 2019 [server] Peer Connection Initiated with [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:38 2019 MANAGEMENT: >STATE:1549878278,GET_CONFIG,,,,,,
Mon Feb 11 10:44:39 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 10:44:39 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.yyy.10,route 192.168.xxx.0 255.255.255.0,route 192.168.yyy.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.www.42 192.168.www.41,peer-id 0'
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: route options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: peer-id set
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: adjusting link_mtu to 1563
Mon Feb 11 10:44:39 2019 ROUTE_GATEWAY PRIVATEIP/255.255.255.0 I=2 HWADDR=84:7b:eb:50:aa:62
Mon Feb 11 10:44:39 2019 open_tun, tt->ipv6=0
Mon Feb 11 10:44:39 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{A82CC18D-B88D-4262-AD0A-ED151656D80D}.tap
Mon Feb 11 10:44:39 2019 TAP-Windows Driver Version 9.21 
Mon Feb 11 10:44:39 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.www.42/255.255.255.252 on interface {A82CC18D-B88D-4262-AD0A-ED151656D80D} [DHCP-serv: 192.168.www.41, lease-time: 31536000]
Mon Feb 11 10:44:39 2019 Successful ARP Flush on interface [27] {A82CC18D-B88D-4262-AD0A-ED151656D80D}
Mon Feb 11 10:44:39 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Feb 11 10:44:39 2019 MANAGEMENT: >STATE:1549878279,ASSIGN_IP,,192.168.www.42,,,,
Mon Feb 11 10:44:44 2019 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Feb 11 10:44:44 2019 MANAGEMENT: >STATE:1549878284,ADD_ROUTES,,,,,,
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.yyy.0 MASK 255.255.255.0 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.xxx.0 MASK 255.255.255.0 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.www.1 MASK 255.255.255.255 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 Initialization Sequence Completed
Mon Feb 11 10:44:44 2019 MANAGEMENT: >STATE:1549878284,CONNECTED,SUCCESS,192.168.www.42,SERVERPUBLICIP,443,PRIVATEIP,43251
When it freezes, the incoming client log stops after the line:
Mon Feb 11 10:44:30 2019 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=server, name=server, emailAddress=contact@email.com

Server log (verb 3):

Mon Feb 11 11:42:22 2019 TCP connection established with [AF_INET]CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 TLS: Initial packet from [AF_INET]CLIENTPUBLICIP:38331, sid=5c3f5eed fc711080
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 VERIFY OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=mbermudez, name=server, emailAddress=contact@email.com
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_VER=2.4.6
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_PLAT=win
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_PROTO=2
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_NCP=2
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZ4=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZ4v2=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZO=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_COMP_STUB=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_COMP_STUBv2=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_TCPNL=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 TLS: Username/Password authentication succeeded for username 'mbermudez' 
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 [mbermudez] Peer Connection Initiated with [AF_INET]CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI_sva: pool returned IPv4=192.168.www.58, IPv6=(Not enabled)
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI: Learn: 192.168.www.58 -> mbermudez/CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI: primary virtual IP for mbermudez/CLIENTPUBLICIP:38331: 192.168.www.58
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 SENT CONTROL [mbermudez]: 'PUSH_REPLY,dhcp-option DNS 192.168.yyy.10,route 192.168.yyy.0 255.255.255.0,route 192.168.xxx.0 255.255.255.0,route 192.168.www.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.www.58 192.168.www.57,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
When it freezes, the incoming server log stops after the line:
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=

Service sssd status

Redirecting to /bin/systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2019-01-23 18:51:55 CET; 2 weeks 4 days ago
 Main PID: 744 (sssd)
   CGroup: /system.slice/sssd.service
           ├─ 744 /usr/sbin/sssd -i --logger=files
           ├─ 812 /usr/libexec/sssd/sssd_be --domain enimbos.com --uid 0 --gid 0 --logger=files
           ├─1011 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─1012 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

feb 11 11:51:12 Openvpn sssd[be[enimbos.com]][812]: Backend is online
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 2
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 2
feb 11 11:52:15 Openvpn sssd[be[enimbos.com]][812]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.

The issue is very weird; it is as if all compute threads are dedicated to verifying the certificate and the clients lose packets.
Can you shed some light on that?
Many thanks in advance :D


Note:
Frontend IP range masked with "xxx"
Backend IP range masked with "yyy"
Client IP range when connected masked with "www"

Re: Tunnels "freeze" when other clients connect

Posted: Mon Feb 11, 2019 2:52 pm
by TinCanTech
Enimbos wrote:
Mon Feb 11, 2019 11:13 am
# MFA
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
This is why openvpn freezes when a client connects.

There is a deferred-auth-plugin which should resolve this:
https://github.com/OpenVPN/openvpn/tree ... gins/defer

I have not tried it myself so would be interested to know if it works for you.

Also, see
https://sourceforge.net/p/openvpn/mailm ... sg36540644

Re: Tunnels "freeze" when other clients connect

Posted: Tue Feb 12, 2019 9:24 am
by Enimbos
Thanks for your reply, Tincan!

I've been testing the first option with the defer plugin, and apparently it's OK. But when I connect to the VPN, I have no communication with the other side of the tunnel.
I see in the logs that the Packet Filter is dropping the packets:
Mon Feb 11 19:19:10 2019 us=85414 TCP connection established with [AF_INET]CLIENTPUBLICIP:31347
Mon Feb 11 19:19:10 2019 us=85427 TCPv4_SERVER link local: (not bound)
Mon Feb 11 19:19:10 2019 us=85436 TCPv4_SERVER link remote: [AF_INET]CLIENTPUBLICIP:31347
OPENVPN_PLUGIN_ENABLE_PF
Mon Feb 11 19:19:10 2019 us=85508 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_ENABLE_PF status=1
Mon Feb 11 19:19:10 2019 us=85548 PLUGIN_CALL: plugin function PLUGIN_ENABLE_PF failed with status 1: /usr/lib64/openvpn/plugins/simple.so
RMon Feb 11 19:19:11 2019 us=55806 CLIENTPUBLICIP:31347 TLS: Initial packet from [AF_INET]CLIENTPUBLICIP:31347, sid=2df6b23e 5224468d
Looks like it can't start the Packet Filter itself...

And a little further down I can see:
Mon Feb 11 19:20:38 2019 us=232874 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:40 2019 us=248615 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:44 2019 us=249787 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:48 2019 us=265005 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:48 2019 us=803771 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.xxx.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:49 2019 us=279311 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:50 2019 us=295096 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Mon Feb 11 19:20:52 2019 us=310339 user/CLIENTPUBLICIP:31347 PF: client -> addr[192.168.yyy.10] packet dropped by TUN packet filter
Note that:
192.168.yyy.10: pings to AD in backend
192.168.xxx.10: pings to Openvpn server in DMZ

I'm investigating now.

Re: Tunnels "freeze" when other clients connect

Posted: Tue Feb 12, 2019 10:19 am
by Enimbos
Well, I succeeded.
I can ping my DMZ and backend after adding a /etc/openvpn/user.pf file with my networks whitelisted.
I needed to read simple.c and see how the plugin runs... LOL

I will keep testing, but is there any chance of disabling PF?
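
The whitelist file described in this post, as an added example that is neither the poster's user.pf nor OpenVPN's own code: a generator and validator for a per-client packet-filter file. The section and entry syntax assumed here is the OpenVPN 2.4 packet-filter format from the sample defer plugin (a [CLIENTS ACCEPT|DROP] section with +cn/-cn entries, a [SUBNETS ACCEPT|DROP] section with +addr/prefix entries, and a mandatory [END] terminator); the subnets are constructed stand-ins for the masked xxx/yyy ranges, and the function names are my own.

```python
"""Build and validate an OpenVPN packet-filter (pf) file for one client.

Added example. Default policy is DROP in both sections, so the file is
a whitelist: anything not listed with a leading '+' is blocked. A file
that lacks the [END] line is rejected by OpenVPN ("missing [end]"), which
validate_pf() reports before the file ever reaches the daemon.
"""
import ipaddress
from typing import Iterable, List

PF_SECTIONS = ("[CLIENTS ACCEPT]", "[CLIENTS DROP]", "[SUBNETS ACCEPT]", "[SUBNETS DROP]")


def render_pf(allowed_subnets: Iterable[str], allowed_clients: Iterable[str] = ()) -> str:
    """Whitelist the given subnets (and, optionally, other clients by common
    name). CIDRs are validated strictly so a typo cannot silently widen access."""
    lines: List[str] = ["[CLIENTS DROP]"]
    for cn in allowed_clients:
        if not cn or any(ch.isspace() for ch in cn):
            raise ValueError(f"bad common name {cn!r}")
        lines.append(f"+{cn}")
    lines.append("[SUBNETS DROP]")
    for cidr in allowed_subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # raises on host bits set or garbage
        lines.append(f"+{net.with_prefixlen}")
    lines.append("[END]")
    return "\n".join(lines) + "\n"


def validate_pf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is well-formed.
    Blank lines are skipped; anything else outside the known grammar is an error."""
    errors: List[str] = []
    section = None
    seen_end = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if seen_end:
            errors.append(f"line {lineno}: content after [END]")
            continue
        upper = line.upper()
        if upper == "[END]":
            seen_end = True
        elif upper in PF_SECTIONS:
            section = upper.split()[0][1:]  # "CLIENTS" or "SUBNETS"
        elif line[0] in "+-" and section == "SUBNETS":
            try:
                ipaddress.ip_network(line[1:], strict=False)
            except ValueError:
                errors.append(f"line {lineno}: bad subnet {line[1:]!r}")
        elif line[0] in "+-" and section == "CLIENTS":
            if len(line) == 1:
                errors.append(f"line {lineno}: empty common name")
        else:
            errors.append(f"line {lineno}: unexpected {line!r}")
    if not seen_end:
        errors.append("missing [END]")
    return errors


if __name__ == "__main__":
    # Constructed stand-ins for the thread's masked DMZ (xxx) and backend (yyy) ranges.
    pf_text = render_pf(["192.168.10.0/24", "192.168.20.0/24"])
    print(pf_text, validate_pf(pf_text))
```

Write the rendered text to the path the plugin hands you only after validate_pf() returns an empty list; writing it in one go (or renaming a fully written temp file into place) avoids the daemon reading a half-written file.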

Re: Tunnels "freeze" when other clients connect

Posted: Tue Feb 12, 2019 1:53 pm
by TinCanTech
In fact, I did not realise that the simple.c plugin also tested the packet filter .. :oops:

How about the second version in my post?

Other than that, you may need to contact the devs yourself because I have no other info.

Re: Tunnels "freeze" when other clients connect

Posted: Wed Feb 13, 2019 10:16 am
by Enimbos
Hi!
Bad news... the freezes persist even using the simple.so plugin :(

I attach the server log (verb 5) where you can see all the plugin hooks loading via simple.so:
Wed Feb 13 11:02:55 2019 us=542546 MULTI: multi_create_instance called
FUNC: openvpn_plugin_client_constructor_v1
Wed Feb 13 11:02:55 2019 us=542628 CLIENTPUBLICIP:29640 Re-using SSL/TLS context
Wed Feb 13 11:02:55 2019 us=542644 CLIENTPUBLICIP:29640 LZO compression initializing
Wed Feb 13 11:02:55 2019 us=542743 CLIENTPUBLICIP:29640 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Feb 13 11:02:55 2019 us=542786 CLIENTPUBLICIP:29640 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Feb 13 11:02:55 2019 us=542818 CLIENTPUBLICIP:29640 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Wed Feb 13 11:02:55 2019 us=542828 CLIENTPUBLICIP:29640 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
OPENVPN_PLUGIN_ENABLE_PF
Wed Feb 13 11:02:55 2019 us=542917 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_ENABLE_PF status=0
Wed Feb 13 11:02:55 2019 us=542966 CLIENTPUBLICIP:29640 TLS: Initial packet from [AF_INET]CLIENTPUBLICIP:29640, sid=c97f99ae 20f0866d
OPENVPN_PLUGIN_TLS_VERIFY
Wed Feb 13 11:02:55 2019 us=626854 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_TLS_VERIFY status=0
Wed Feb 13 11:02:55 2019 us=626925 CLIENTPUBLICIP:29640 VERIFY PLUGIN OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
Wed Feb 13 11:02:55 2019 us=626939 CLIENTPUBLICIP:29640 VERIFY OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
OPENVPN_PLUGIN_TLS_VERIFY
Wed Feb 13 11:02:55 2019 us=627089 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_TLS_VERIFY status=0
Wed Feb 13 11:02:55 2019 us=627104 CLIENTPUBLICIP:29640 VERIFY PLUGIN OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=testuser, name=server, emailAddress=contact@email.com
Wed Feb 13 11:02:55 2019 us=627113 CLIENTPUBLICIP:29640 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=testuser, name=server, emailAddress=contact@email.com
Wed Feb 13 11:02:55 2019 us=665771 CLIENTPUBLICIP:29640 peer info: IV_VER=2.3.18
Wed Feb 13 11:02:55 2019 us=665790 CLIENTPUBLICIP:29640 peer info: IV_PLAT=win
Wed Feb 13 11:02:55 2019 us=665804 CLIENTPUBLICIP:29640 peer info: IV_PROTO=2
Wed Feb 13 11:02:55 2019 us=665813 CLIENTPUBLICIP:29640 peer info: IV_GUI_VER=OpenVPN_GUI_10
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
DEFER u='testuser' p='CLEAR_PASS_WTF!!!!+MFA' acf='/tmp/openvpn_acf_140f43874973635a5134fa682d466cc7.tmp'
( sleep 20 ; echo AUTH /tmp/openvpn_acf_140f43874973635a5134fa682d466cc7.tmp 2 ; echo 1 >/tmp/openvpn_acf_140f43874973635a5134fa682d466cc7.tmp ) &
Wed Feb 13 11:02:55 2019 us=668512 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: testuser
AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
Wed Feb 13 11:02:55 2019 us=844675 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Feb 13 11:02:55 2019 us=844714 CLIENTPUBLICIP:29640 TLS: Username/Password authentication deferred for username 'testuser'
OPENVPN_PLUGIN_TLS_FINAL
( sleep 5 ; echo PF testuser//tmp/openvpn_pf_4406644d2a57512c4441efa9bbf020e2.tmp ; cp "testuser.pf" "/tmp/openvpn_pf_4406644d2a57512c4441efa9bbf020e2.tmp" ) &
Wed Feb 13 11:02:55 2019 us=846853 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_TLS_FINAL status=0
Wed Feb 13 11:02:55 2019 us=847019 CLIENTPUBLICIP:29640 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Feb 13 11:02:55 2019 us=847039 CLIENTPUBLICIP:29640 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 13 11:02:55 2019 us=847054 CLIENTPUBLICIP:29640 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Feb 13 11:02:55 2019 us=847066 CLIENTPUBLICIP:29640 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 13 11:02:55 2019 us=885704 CLIENTPUBLICIP:29640 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Feb 13 11:02:55 2019 us=885732 CLIENTPUBLICIP:29640 [testuser] Peer Connection Initiated with [AF_INET]CLIENTPUBLICIP:29640
OPENVPN_PLUGIN_IPCHANGE
Wed Feb 13 11:02:55 2019 us=885765 CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_IPCHANGE status=0
Wed Feb 13 11:02:56 2019 us=895957 CLIENTPUBLICIP:29640 PF: /tmp/openvpn_pf_4406644d2a57512c4441efa9bbf020e2.tmp: missing [end]
Wed Feb 13 11:02:56 2019 us=896006 CLIENTPUBLICIP:29640 PF: /tmp/openvpn_pf_4406644d2a57512c4441efa9bbf020e2.tmp rejected due to 1 error(s)
Wed Feb 13 11:02:58 2019 us=274172 CLIENTPUBLICIP:29640 PUSH: Received control message: 'PUSH_REQUEST'
PF testuser//tmp/openvpn_pf_4406644d2a57512c4441efa9bbf020e2.tmp
Wed Feb 13 11:03:03 2019 us=508114 CLIENTPUBLICIP:29640 PUSH: Received control message: 'PUSH_REQUEST'
Wed Feb 13 11:03:08 2019 us=740730 CLIENTPUBLICIP:29640 PUSH: Received control message: 'PUSH_REQUEST'
Wed Feb 13 11:03:13 2019 us=994918 CLIENTPUBLICIP:29640 PUSH: Received control message: 'PUSH_REQUEST'
AUTH /tmp/openvpn_acf_140f43874973635a5134fa682d466cc7.tmp 2
Wed Feb 13 11:03:17 2019 us=28431 testuser/CLIENTPUBLICIP:29640 MULTI_sva: pool returned IPv4=192.168.www.10, IPv6=(Not enabled)
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Wed Feb 13 11:03:17 2019 us=28510 testuser/CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_CLIENT_CONNECT status=0
OPENVPN_PLUGIN_LEARN_ADDRESS
Wed Feb 13 11:03:17 2019 us=28534 testuser/CLIENTPUBLICIP:29640 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/simple.so/PLUGIN_LEARN_ADDRESS status=0
Wed Feb 13 11:03:17 2019 us=28549 testuser/CLIENTPUBLICIP:29640 MULTI: Learn: 192.168.www.10 -> testuser/CLIENTPUBLICIP:29640
Wed Feb 13 11:03:17 2019 us=28560 testuser/CLIENTPUBLICIP:29640 MULTI: primary virtual IP for testuser/CLIENTPUBLICIP:29640: 192.168.www.10
RWed Feb 13 11:03:19 2019 us=249613 testuser/CLIENTPUBLICIP:29640 PUSH: Received control message: 'PUSH_REQUEST'
Wed Feb 13 11:03:19 2019 us=249752 testuser/CLIENTPUBLICIP:29640 SENT CONTROL [testuser]: 'PUSH_REPLY,dhcp-option DNS 192.168.yyy.10,route 192.168.yyy.0 255.255.255.0,route 192.168.xxx.0 255.255.255.0,route 192.168.www.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.www.10 192.168.www.9,peer-id 0' (status=1)
Wed Feb 13 11:03:19 2019 us=490096 testuser/CLIENTPUBLICIP:29640 MULTI: bad source address from client [::], packet dropped

Attached new server.conf:

mode server
tls-server

#change with your port
port 443

#You can use udp or tcp
proto udp

# Topology Type
#topology subnet

# "dev tun" will create a routed IP tunnel.
dev tun

###Certificate Configuration
cipher AES-256-CBC

#ca certificate
ca ca.crt

#Server Certificate
cert server.crt

#Server key; keep this secret
key server.key

#Match the size of the dh key in /etc/openvpn/keys/
dh dh2048.pem

#TLS Auth
tls-auth ta.key 0

#Internal IP range clients get once connected
server 192.168.www.0 255.255.240.0

# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist server-ipp.txt

#this line will redirect all traffic through our OpenVPN
#push "redirect-gateway def1"

#Provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS 192.168.yyy.10"

#Push routes
#Backend
push "route 192.168.xxx.0 255.255.255.0"
#Frontend
push "route 192.168.yyy.0 255.255.255.0"

#ENV
#Defer external authentication for 5 seconds after TLS
setenv test_deferred_auth 1
#Packet Filter file will be generated 5 seconds after TLS
setenv test_packet_filter 5

#PLUGINS
#SIMPLE - Allow defer authentication and PF
plugin /usr/lib64/openvpn/plugins/simple.so
#MFA - Allow PAM authentication to use with Google Auth
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

#username-as-common-name
#client-cert-not-required

# Variables
keepalive 10 120
comp-lzo
persist-key
persist-tun
auth-nocache
reneg-sec 0

# Daemon logging
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
verb 5

Note that I changed the proto to udp just to try it.
Note that I am still using the PAM plugin, but, reading the logs, it is passing through the simple.so thread.

I'm going to try version 2 (with the external script), but I will need to pass user, pass and MFA as parameters and that does not convince me much :D :D

[SOLVED] Tunnels "freeze" when other clients connect

Posted: Wed Feb 20, 2019 9:23 am
by Enimbos
Hi all

Very good news! :mrgreen:
Finally I have managed to run this without freezes, hangs or other interruptions.

Well, thanks Tincan, I followed your second option (https://engineering.freeagent.com/2017/ ... right-way/) and I needed to compile the plugin to use an external script (I had to modify the C source code (https://github.com/fac/auth-script-openvpn) to point at the correct openvpn_plugin.h).

Alright, then I tried to use a bash script, but I didn't know how to use PAM authentication from there. I would have to unpack the combined password to extract the MFA code and pass it to Google Authenticator, send user/password to AD, collect the tokens and return 1/0 depending on auth failure/success.
It was beyond me :(

So, I found a Perl library to interact with Linux PAM authentication (https://fossies.org/linux/openvpn/sampl ... uth-pam.pl).
I installed the "perl-Authen-PAM-0.16-16.el7.x86_64" and "perl-Env-1.04-2.el7.noarch".

With all this, I made a custom Perl script that collects all the data from environment variables and sends it to the PAM module.

Thanks for the help!
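
The mechanism TinCanTech pointed at (deferred authentication, so the synchronous auth-pam call no longer stalls the single OpenVPN process while PAM talks to SSSD/AD and checks the TOTP code) and the external-script route the poster finally took, as one added example. It is a Python equivalent, not the poster's Perl/Authen::PAM script and not code from auth-script-openvpn or OpenVPN. It assumes the deferred-script contract that plugin implements (OpenVPN exports `username`, `password` and `auth_control_file`; exit code 2 means "pending"; the worker later writes 1 or 0 into the control file), which `--auth-user-pass-verify` also supports natively from OpenVPN 2.5. The credential table is constructed, `pam_verify` is an assumed production backend using python-pam, and the other names are my own.

```python
"""Deferred OpenVPN user/password verification in Python (added example).

With pam_google_authenticator's forward_pass option the `password` field
holds "<AD password><6-digit code>" and PAM splits it itself, so the worker
hands the field to the backend unchanged.
"""
import os
import sys
import tempfile
from typing import Callable, Dict, Optional, Tuple

Verifier = Callable[[str, str], bool]


def write_auth_result(control_file: str, ok: bool) -> None:
    """Deliver the verdict: OpenVPN accepts the client when the file's
    first byte is '1' and rejects it when it is '0'."""
    with open(control_file, "w") as fh:
        fh.write("1\n" if ok else "0\n")


def read_auth_result(control_file: str) -> Optional[str]:
    """Verdict as written so far: '1', '0', or None while still pending."""
    with open(control_file) as fh:
        first = fh.read(1)
    return first or None


def handle_deferred_auth(env: Dict[str, str], verify: Verifier) -> Tuple[int, Optional[int]]:
    """Returns (exit code for OpenVPN, worker pid).

    The slow backend call (PAM -> SSSD/AD + TOTP in the thread) runs in a
    forked child, so the script exits in milliseconds and OpenVPN's single
    event loop, and with it every other tunnel, never blocks on it.
    """
    user = env.get("username", "")
    secret = env.get("password", "")
    acf = env.get("auth_control_file")
    if not user or not acf:
        return 1, None  # cannot defer without a control file: reject synchronously
    pid = os.fork()
    if pid == 0:  # worker
        try:
            ok = verify(user, secret)
        except Exception:
            ok = False  # a backend outage is a rejection, never a hang
        try:
            write_auth_result(acf, ok)
        finally:
            os._exit(0)  # never return into the caller's code path
    return 2, pid  # parent: tell OpenVPN the answer is pending


def run_and_collect(env: Dict[str, str], verify: Verifier) -> Tuple[int, Optional[str]]:
    """Demo/test helper: run the handler, wait for the worker, return
    (exit code, verdict). The real script never waits."""
    code, pid = handle_deferred_auth(env, verify)
    if pid is None:
        return code, None
    os.waitpid(pid, 0)
    return code, read_auth_result(env["auth_control_file"])


def new_control_file() -> str:
    """Stand-in for the temp file OpenVPN creates before calling the script."""
    fd, path = tempfile.mkstemp(prefix="openvpn_acf_")
    os.close(fd)
    return path


# Constructed credential table standing in for PAM; password and OTP suffix are made up.
DEMO_USERS = {"mbermudez": "Passw0rd!123456"}


def demo_verify(user: str, secret: str) -> bool:
    return DEMO_USERS.get(user) == secret


def outage_verify(user: str, secret: str) -> bool:
    raise RuntimeError("directory backend unreachable")  # simulates SSSD/AD being down


def pam_verify(user: str, secret: str) -> bool:
    """Production backend (assumption): python-pam against the same
    /etc/pam.d/openvpn stack the thread's auth-pam plugin used."""
    import pam  # type: ignore
    return bool(pam.pam().authenticate(user, secret, service="openvpn"))


if __name__ == "__main__":
    exit_code, _ = handle_deferred_auth(dict(os.environ), pam_verify)
    sys.exit(exit_code)
```

Point the plugin at this file as its script; because the verdict is written by a child the script never waits for, a slow or unreachable directory delays only the connecting client, and the `except Exception` branch turns a backend outage into a clean rejection instead of a tunnel that hangs in the AUTH state.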

Re: Tunnels "freeze" when other clients connect

Posted: Wed Feb 20, 2019 2:11 pm
by TinCanTech
Thank you for letting us know that something works! 8-)