I'm loading the openvpn-auth-ldap.so for user validation and then
loading the duo plugin for 2FA. It works, except it has an unwanted
behaviour: if a user is not in the allowed groups in LDAP or the password is wrong, the
openvpn-auth-ldap.so will fail but openvpn will still trigger the push
notification. Shouldn't the 2nd plugin not be called if the previous
one ends with an error? I've since upgraded openvpn to version 2.5.3 but the behaviour is the same.
log
:36654 TLS: Initial packet from [AF_INET]5.249.74.39:36654, sid=4f441add b9132837
:36654 peer info: IV_VER=2.4.7
:36654 peer info: IV_PLAT=linux
:36654 peer info: IV_PROTO=2
:36654 peer info: IV_NCP=2
:36654 peer info: IV_LZ4=1
:36654 peer info: IV_LZ4v2=1
:36654 peer info: IV_LZO=1
:36654 peer info: IV_COMP_STUB=1
:36654 peer info: IV_COMP_STUBv2=1
:36654 peer info: IV_TCPNL=1
LDAP user "duarte.rocha@gmail.com" was not found.
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:36654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569'
:36654 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
:36654 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
:36654 Peer Connection Initiated with [AF_INET] 1.2.3.4:36654
:36654 PUSH: Received control message: 'PUSH_REQUEST'
:36654 Delayed exit in 5 seconds
:36654 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
:36654 SIGTERM[soft,delayed-exit] received, client-instance exiting
server.conf
port 1194
mode server
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.0.90.0 255.255.255.0
keepalive 10 120
reneg-sec 0
auth SHA256
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
management localhost 7505
status /var/log/openvpn/openvpn-status.log
user nobody
group nogroup
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
tls-exit
tls-version-min 1.2
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
plugin /opt/duo/duo_openvpn.so '*********** ******************** api-***********.duosecurity.com'
tmp-dir "/etc/openvpn/tmp"
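The log above shows the pattern the question is about: both plugins are invoked for PLUGIN_AUTH_USER_PASS_VERIFY (status=1 from the LDAP plugin, status=2 from the Duo plugin) and only afterwards is the overall verdict AUTH_FAILED. The model below, added here as an illustration and not OpenVPN's or either plugin's own code, reproduces that call-every-plugin-then-aggregate behaviour next to a short-circuit variant, so the cost is visible: with call-all, every wrong-password attempt still produces one push, whereas a chain that stops at the first error produces none. The user name, password and the two stand-in plugins are constructed for the model; the status values 0/1/2 match the status=1 and status=2 in the log.

```c
/* Model of chained auth-user-pass-verify plugins (illustration only, not
 * OpenVPN code). Every plugin registered for the hook is called and the
 * verdicts are aggregated afterwards, which is what the log above shows. */
#include <stdio.h>
#include <string.h>

enum {
    FUNC_SUCCESS  = 0,   /* status=0 */
    FUNC_ERROR    = 1,   /* status=1, as logged for openvpn-auth-ldap.so */
    FUNC_DEFERRED = 2    /* status=2, as logged for duo_openvpn.so */
};

typedef int (*verify_fn)(const char *user, const char *pass);

/* Counters for the most recent chain run. */
static int plugin_calls = 0;
static int pushes_sent = 0;

/* Constructed stand-in for openvpn-auth-ldap.so: one valid user/password
 * pair (both values made up for this model). */
static int ldap_verify(const char *user, const char *pass)
{
    plugin_calls++;
    if (strcmp(user, "alice@example.com") == 0 && strcmp(pass, "correct-horse") == 0) {
        return FUNC_SUCCESS;
    }
    return FUNC_ERROR;
}

/* Constructed stand-in for duo_openvpn.so: "sends" a push (counts it) and
 * defers the verdict until the user responds. */
static int duo_verify(const char *user, const char *pass)
{
    (void)user;
    (void)pass;
    plugin_calls++;
    pushes_sent++;
    return FUNC_DEFERRED;
}

/* short_circuit == 0: call every plugin, fail if any failed, deferred counts
 * as provisional success (the behaviour in the log).
 * short_circuit == 1: stop at the first error (what the question expected). */
static int run_chain(const verify_fn *plugins, int n, const char *user,
                     const char *pass, int short_circuit)
{
    int ok = 0, deferred = 0;
    plugin_calls = 0;
    pushes_sent = 0;
    for (int i = 0; i < n; ++i) {
        int st = plugins[i](user, pass);
        if (st == FUNC_SUCCESS) {
            ok++;
        } else if (st == FUNC_DEFERRED) {
            ok++;
            deferred++;
        } else if (short_circuit) {
            break;
        }
    }
    if (ok != n) {
        return FUNC_ERROR;
    }
    return deferred ? FUNC_DEFERRED : FUNC_SUCCESS;
}

static const verify_fn chain[] = { ldap_verify, duo_verify };

/* Scalar accessors for one run of the two-plugin chain. */
int chain_result(const char *user, const char *pass, int short_circuit)
{
    return run_chain(chain, 2, user, pass, short_circuit);
}

int pushes_for(const char *user, const char *pass, int short_circuit)
{
    run_chain(chain, 2, user, pass, short_circuit);
    return pushes_sent;
}

int calls_for(const char *user, const char *pass, int short_circuit)
{
    run_chain(chain, 2, user, pass, short_circuit);
    return plugin_calls;
}

int main(void)
{
    const char *u = "alice@example.com";
    printf("wrong password, call-all:      result=%d plugins=%d pushes=%d\n",
           chain_result(u, "wrong", 0), calls_for(u, "wrong", 0), pushes_for(u, "wrong", 0));
    printf("wrong password, short-circuit: result=%d plugins=%d pushes=%d\n",
           chain_result(u, "wrong", 1), calls_for(u, "wrong", 1), pushes_for(u, "wrong", 1));
    printf("right password, call-all:      result=%d plugins=%d pushes=%d\n",
           chain_result(u, "correct-horse", 0), calls_for(u, "correct-horse", 0),
           pushes_for(u, "correct-horse", 0));
    return 0;
}
```

Compile with `cc -Wall model.c -o model && ./model`. The first line of output is the case in the log: the chain result is an error, yet two plugins ran and one push went out. Whether a push is sent for a credential that LDAP already rejected therefore depends on the ordering and chaining policy, not on the plugins themselves.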