First of all, I'm a newbie here and I couldn't find a solution to my problem, having searched before writing this.
My server runs fine and my clients can connect without problems.
I am using the PAM module on the server side to authenticate clients with Google Authenticator. I combine this PAM module with SSSD to authenticate users with Active Directory credentials.
So, client security is based on Certificate + AD User + AD Credentials + MFA.
Well, when some users are connected to the VPN and another agent wants to connect, the VPN tunnels of all the other clients (previously connected, with their tunnels established) freeze. I can see how a ping to the server through the VPN loses at least 3-4 packets. It's weird.
Server conf attached:
mode server
tls-server
#change with your port
port 443
#You can use udp or tcp
proto tcp
# Topology Type
#topology subnet
# "dev tun" will create a routed IP tunnel.
dev tun
###Certificate Configuration
cipher AES-256-CBC
#ca certificate
ca ca.crt
#Server Certificate
cert server.crt
#Server Key; keep this secret
key server.key
#Match the size of the dh key in /etc/openvpn/keys/
dh dh2048.pem
#TLS Auth
tls-auth ta.key 0
#Internal IP range clients get once connected
server 192.168.www.0 255.255.240.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist server-ipp.txt
#this line will redirect all traffic through our OpenVPN
#push "redirect-gateway def1"
#Provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS 192.168.yyy.10"
#Publish Routes
#Backend
push "route 192.168.xxx.0 255.255.255.0"
#Frontend
push "route 192.168.yyy.0 255.255.255.0"
# MFA
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
#username-as-common-name
#client-cert-not-required
# Variables
keepalive 10 120
comp-lzo
persist-key
persist-tun
auth-nocache
reneg-sec 0
# Daemon Logging
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
verb 3
Client conf attached:
client
tls-client
key-direction 1
dev tun11
proto tcp
comp-lzo
remote URL 443
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
script-security 3
reneg-sec 0
verb 3
ns-cert-type server
auth-user-pass
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
PAM module config:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass debug
auth include system-auth
account include system-auth
password include system-auth
SSSD config:
[sssd]
domains = testdomain.local
config_file_version = 2
services = nss, pam
[domain/testdomain.local]
ad_domain = testdomain.local
krb5_realm = TESTDOMAIN.local
realmd_tags = manages-system joined-with-adcli
#Cache credentials to false
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#Qualified names to false
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
Realm join succeeds, kinit succeeds... All right, as I said before, the server runs fine and clients can connect with their AD user + MFA.
As you can see, I have verbosity level 3 on the server side now. (I also read logs at higher levels but found nothing.)
When I read the log while the issue occurs, I can see the following:
Client log:
Mon Feb 11 10:44:11 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 23 2017
Mon Feb 11 10:44:11 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Enter Management Password:
Mon Feb 11 10:44:11 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Mon Feb 11 10:44:11 2019 Need hold release from management interface, waiting...
Mon Feb 11 10:44:11 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'state on'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'log all on'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'hold off'
Mon Feb 11 10:44:11 2019 MANAGEMENT: CMD 'hold release'
Mon Feb 11 10:44:28 2019 MANAGEMENT: CMD 'username "Auth" "user"'
Mon Feb 11 10:44:28 2019 MANAGEMENT: CMD 'password [...]'
Mon Feb 11 10:44:29 2019 Control Channel Authentication: tls-auth using INLINE static key file
Mon Feb 11 10:44:29 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:29 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:29 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 11 10:44:29 2019 MANAGEMENT: >STATE:1549878269,RESOLVE,,,,,,
Mon Feb 11 10:44:29 2019 Attempting to establish TCP connection with [AF_INET]SERVERPUBLICIP:443 [nonblock]
Mon Feb 11 10:44:29 2019 MANAGEMENT: >STATE:1549878269,TCP_CONNECT,,,,,,
Mon Feb 11 10:44:30 2019 TCP connection established with [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:30 2019 TCPv4_CLIENT link local: [undef]
Mon Feb 11 10:44:30 2019 TCPv4_CLIENT link remote: [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:30 2019 MANAGEMENT: >STATE:1549878270,WAIT,,,,,,
Mon Feb 11 10:44:30 2019 MANAGEMENT: >STATE:1549878270,AUTH,,,,,,
Mon Feb 11 10:44:30 2019 TLS: Initial packet from [AF_INET]SERVERPUBLICIP:443, sid=6b3d49bb 02815c8a
Mon Feb 11 10:44:30 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 11 10:44:30 2019 VERIFY OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
Mon Feb 11 10:44:30 2019 VERIFY OK: nsCertType=SERVER
Mon Feb 11 10:44:30 2019 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=server, name=server, emailAddress=contact@email.com
Mon Feb 11 10:44:37 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 11 10:44:37 2019 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:37 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 11 10:44:37 2019 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 11 10:44:37 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 10:44:37 2019 [server] Peer Connection Initiated with [AF_INET]SERVERPUBLICIP:443
Mon Feb 11 10:44:38 2019 MANAGEMENT: >STATE:1549878278,GET_CONFIG,,,,,,
Mon Feb 11 10:44:39 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 10:44:39 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.yyy.10,route 192.168.xxx.0 255.255.255.0,route 192.168.yyy.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.www.42 192.168.www.41,peer-id 0'
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: route options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: peer-id set
Mon Feb 11 10:44:39 2019 OPTIONS IMPORT: adjusting link_mtu to 1563
Mon Feb 11 10:44:39 2019 ROUTE_GATEWAY PRIVATEIP/255.255.255.0 I=2 HWADDR=84:7b:eb:50:aa:62
Mon Feb 11 10:44:39 2019 open_tun, tt->ipv6=0
Mon Feb 11 10:44:39 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{A82CC18D-B88D-4262-AD0A-ED151656D80D}.tap
Mon Feb 11 10:44:39 2019 TAP-Windows Driver Version 9.21
Mon Feb 11 10:44:39 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.www.42/255.255.255.252 on interface {A82CC18D-B88D-4262-AD0A-ED151656D80D} [DHCP-serv: 192.168.www.41, lease-time: 31536000]
Mon Feb 11 10:44:39 2019 Successful ARP Flush on interface [27] {A82CC18D-B88D-4262-AD0A-ED151656D80D}
Mon Feb 11 10:44:39 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Feb 11 10:44:39 2019 MANAGEMENT: >STATE:1549878279,ASSIGN_IP,,192.168.www.42,,,,
Mon Feb 11 10:44:44 2019 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Feb 11 10:44:44 2019 MANAGEMENT: >STATE:1549878284,ADD_ROUTES,,,,,,
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.yyy.0 MASK 255.255.255.0 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.xxx.0 MASK 255.255.255.0 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 C:\WINDOWS\system32\route.exe ADD 192.168.www.1 MASK 255.255.255.255 192.168.www.41
Mon Feb 11 10:44:44 2019 Route addition via service succeeded
Mon Feb 11 10:44:44 2019 Initialization Sequence Completed
Mon Feb 11 10:44:44 2019 MANAGEMENT: >STATE:1549878284,CONNECTED,SUCCESS,192.168.www.42,SERVERPUBLICIP,443,PRIVATEIP,43251
Server log (verb 3):
Mon Feb 11 11:42:22 2019 TCP connection established with [AF_INET]CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 TLS: Initial packet from [AF_INET]CLIENTPUBLICIP:38331, sid=5c3f5eed fc711080
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 VERIFY OK: depth=1, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=Enimbos CA, name=server, emailAddress=contact@email.com
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 VERIFY OK: depth=0, C=ES, ST=MAD, L=Madrid, O=Enimbos, OU=IT, CN=mbermudez, name=server, emailAddress=contact@email.com
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_VER=2.4.6
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_PLAT=win
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_PROTO=2
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_NCP=2
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZ4=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZ4v2=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_LZO=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_COMP_STUB=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_COMP_STUBv2=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_TCPNL=1
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 TLS: Username/Password authentication succeeded for username 'mbermudez'
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 [mbermudez] Peer Connection Initiated with [AF_INET]CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI_sva: pool returned IPv4=192.168.www.58, IPv6=(Not enabled)
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI: Learn: 192.168.www.58 -> mbermudez/CLIENTPUBLICIP:38331
Mon Feb 11 11:42:23 2019 mbermudez/CLIENTPUBLICIP:38331 MULTI: primary virtual IP for mbermudez/CLIENTPUBLICIP:38331: 192.168.www.58
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 SENT CONTROL [mbermudez]: 'PUSH_REPLY,dhcp-option DNS 192.168.yyy.10,route 192.168.yyy.0 255.255.255.0,route 192.168.xxx.0 255.255.255.0,route 192.168.www.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.www.58 192.168.www.57,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 11 11:42:24 2019 mbermudez/CLIENTPUBLICIP:38331 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Service sssd status:
Redirecting to /bin/systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since mié 2019-01-23 18:51:55 CET; 2 weeks 4 days ago
Main PID: 744 (sssd)
CGroup: /system.slice/sssd.service
├─ 744 /usr/sbin/sssd -i --logger=files
├─ 812 /usr/libexec/sssd/sssd_be --domain enimbos.com --uid 0 --gid 0 --logger=files
├─1011 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─1012 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
feb 11 11:51:12 Openvpn sssd[be[enimbos.com]][812]: Backend is online
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 1
feb 11 11:51:22 Openvpn sssd_be[812]: GSSAPI client step 2
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 1
feb 11 11:51:42 Openvpn adcli[56417]: GSSAPI client step 2
feb 11 11:52:15 Openvpn sssd[be[enimbos.com]][812]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
The issue is very weird; it is as if all compute threads were dedicated to verifying the certificate and the clients lose connection packets.
Can you shed some light on this?
Many thanks in advance.
Note:
Frontend IP range masked with "xxx"
Backend IP range masked with "yyy"
Client IP range when connected masked with "www"
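As an added example (not part of the original post), a small Python script that measures from the two logs above how long each session spent between its first TLS packet and "Peer Connection Initiated". With the auth-pam plugin that interval includes the PAM/SSSD/Google Authenticator check, which the OpenVPN main process waits for synchronously unless the plugin supports deferred authentication (added to auth-pam in OpenVPN 2.5), so every other tunnel stalls for the same interval; the 2 s threshold and the trimmed sample lines are assumptions.

```python
import re
from datetime import datetime

# OpenVPN log prefix: "Mon Feb 11 11:42:23 2019 " optionally followed by the
# server-side session tag "CLIENTIP:PORT " (absent on client-side lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:(?P<peer>\S+:\d+) )?(?P<msg>.*)$"
)
START_MARK = "TLS: Initial packet from"      # first TLS packet of the session
END_MARK = "Peer Connection Initiated with"  # control channel up, auth finished

def parse_ts(text):
    """Parse the OpenVPN timestamp; collapses the double space of 'Feb  3'."""
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")

def handshake_durations(log_text):
    """Seconds from START_MARK to END_MARK per session ('client' when untagged)."""
    starts, durations = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m.group("peer") or "client", m.group("msg")
        if START_MARK in msg:
            starts[peer] = parse_ts(m.group("ts"))
        elif END_MARK in msg and peer in starts:
            durations[peer] = (parse_ts(m.group("ts")) - starts.pop(peer)).total_seconds()
    return durations

def slow_sessions(durations, threshold_s=2.0):
    """Sessions whose handshake took long enough to explain several lost 1 s pings."""
    return sorted(p for p, d in durations.items() if d >= threshold_s)

# Constructed samples, trimmed from the logs in the post above (placeholders kept).
CLIENT_LOG = """\
Mon Feb 11 10:44:30 2019 TLS: Initial packet from [AF_INET]SERVERPUBLICIP:443, sid=6b3d49bb 02815c8a
Mon Feb 11 10:44:37 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 11 10:44:37 2019 [server] Peer Connection Initiated with [AF_INET]SERVERPUBLICIP:443
"""
SERVER_LOG = """\
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 TLS: Initial packet from [AF_INET]CLIENTPUBLICIP:38331, sid=5c3f5eed fc711080
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Feb 11 11:42:23 2019 CLIENTPUBLICIP:38331 [mbermudez] Peer Connection Initiated with [AF_INET]CLIENTPUBLICIP:38331
"""

if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        d = handshake_durations(log)
        print(name, d, "slow:", slow_sessions(d))
```

On the client log posted above the gap is 7 s (10:44:30 to 10:44:37), while every server-side line of the other session falls within a single second, so running this over the server log at the moment the pings drop shows whether the stall lines up with a slow authentication.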