Username/password are not purged after receiving push_reply from server

teyuchang
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 31, 2022 2:56 am

Username/password are not purged after receiving push_reply from server

Post by teyuchang » Wed Aug 31, 2022 6:55 pm

Hi openvpn forum,

I am creating a VPN with very short re-negotiation interval, say 10 secs, and want the client to enter username and password every re-negotiation.
So I set reneg-sec 10 on the server and auth-nocache on the client. Following are full configs:

server: openvpn 2.5.5
server config:

proto tcp
port 443
dev tun
server 100.89.0.0 255.255.0.0
cert /server/pki/issued/server_cert.pem
ca /server/pki/ca.pem
key /server/pki/private/server_key.pem
dh /server/pki/private/dh_params.pem
topology subnet
ifconfig-pool-persist /openvpn-log/ipp.txt 600
keepalive 10 120
data-ciphers AES-256-GCM
verify-client-cert none
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status /openvpn-log/openvpn-status.log
log /openvpn-log/openvpn.log
writepid /openvpn-log/pid.log
verb 4
mute 20
machine-readable-output
reneg-sec 10
plugin /path/to/my/plugin

client config:

client
dev tun
auth-retry interact
auth-nocache
nobind
connect-timeout 10
connect-retry-max 2
<connection>
remote 100.89.0.1 443 tcp
</connection>
route 10.0.0.0 255.255.255.0
reneg-sec 0
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(omit cert here)
-----END CERTIFICATE-----
</ca>
data-ciphers AES-256-GCM
auth-user-pass

With client running openvpn v2.4.9, everything works as expected. The client is asked to enter username/password every re-negotiation.
However, when running openvpn v2.4.10 or later, the client caches the username and password even with auth-nocache specified.

After digging into the source code, I found the root cause might be this commit
Remove auth_user_pass.wait_for_push variable

It replaced auth_user_pass.wait_for_push with session->opt->pull in ssl.c. But session->opt->pull isn't set to false after the client receives push_reply from the server. So the purge operation is skipped during the entire connection.

Should I consider it a feature or a bug which will be fixed in the future?
Thanks!
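
The regression described in the post, as an added example that is not OpenVPN source and not part of the original thread: a simplified C model of the purge decision before and after the commit, with the names, the prompt stand-in and the order of calls all assumed, which shows that with the static pull option in place of the per-session flag the credentials are never purged and the user is prompted only once regardless of how many renegotiations occur.

```c
/* Added example: a simplified model of the purge decision the post describes.
 * It is not OpenVPN source; names and the sequence of calls are assumptions. */
#include <stdbool.h>
#include <string.h>

struct creds {
    char password[64];
    bool wait_for_push;   /* per-session flag removed by the commit in question */
};

/* In a 'client' config the pull option is true for the whole connection. */
static const bool OPT_PULL = true;
static const bool AUTH_NOCACHE = true;

/* Pre-commit check: keep the password only until PUSH_REPLY has been handled. */
static void purge_old(struct creds *c) {
    if (AUTH_NOCACHE && (!OPT_PULL || !c->wait_for_push))
        memset(c->password, 0, sizeof c->password);
}

/* Post-commit check as described in the post: only the static pull option
 * is consulted, and it never becomes false, so the purge never runs. */
static void purge_new(struct creds *c) {
    if (AUTH_NOCACHE && !OPT_PULL)
        memset(c->password, 0, sizeof c->password);
}

/* Stand-in for the interactive prompt: only ask if nothing is cached. */
static void prompt_if_needed(struct creds *c, int *prompts) {
    if (c->password[0] == '\0') {
        strcpy(c->password, "constructed-sample-password");
        (*prompts)++;
    }
}

/* Walk one connection: initial handshake, PUSH_REPLY, then `renegs`
 * renegotiations (reneg-sec). Returns how often the user was prompted. */
static int count_prompts(bool use_new_logic, int renegs) {
    struct creds c = { "", true };
    int prompts = 0;
    void (*purge)(struct creds *) = use_new_logic ? purge_new : purge_old;

    prompt_if_needed(&c, &prompts);   /* first key exchange sends the password */
    purge(&c);
    c.wait_for_push = false;          /* PUSH_REPLY received */
    purge(&c);                        /* old code could purge from here on */
    for (int i = 0; i < renegs; i++) {
        prompt_if_needed(&c, &prompts);
        purge(&c);
    }
    return prompts;                   /* old: 1 + renegs, new: 1 */
}
```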

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Username/password are not purged after receiving push_reply from server

Post by TinCanTech » Wed Aug 31, 2022 9:57 pm

Can you please open a bug report here:
https://community.openvpn.net/openvpn/report

Please include details like your full configs and logs at --verb 4, where necessary.

Here is a basic example: viewtopic.php?t=22603#p68963
