I am creating a VPN with a very short re-negotiation interval, say 10 secs, and want the client to enter the username and password at every re-negotiation.
So I set reneg-sec 10 on the server and auth-nocache on the client. The full configs follow:
server: openvpn 2.5.5
server config:
proto tcp
port 443
dev tun
server 100.89.0.0 255.255.0.0
cert /server/pki/issued/server_cert.pem
ca /server/pki/ca.pem
key /server/pki/private/server_key.pem
dh /server/pki/private/dh_params.pem
topology subnet
ifconfig-pool-persist /openvpn-log/ipp.txt 600
keepalive 10 120
data-ciphers AES-256-GCM
verify-client-cert none
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status /openvpn-log/openvpn-status.log
log /openvpn-log/openvpn.log
writepid /openvpn-log/pid.log
verb 4
mute 20
machine-readable-output
reneg-sec 10
plugin /path/to/my/plugin
client config:
client
dev tun
auth-retry interact
auth-nocache
nobind
connect-timeout 10
connect-retry-max 2
<connection>
remote 100.89.0.1 443 tcp
</connection>
route 10.0.0.0 255.255.255.0
reneg-sec 0
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(omit cert here)
-----END CERTIFICATE-----
</ca>
data-ciphers AES-256-GCM
auth-user-pass
However, when running openvpn v2.4.10 or later, the client caches the username and password even with auth-nocache specified.
After digging into the source code, I found the root cause might be this commit:
Remove auth_user_pass.wait_for_push variable
It replaced auth_user_pass.wait_for_push with session->opt->pull in ssl.c. But session->opt->pull isn't set to false after the client receives push_reply from the server. So the purge operation is skipped during the entire connection.
Should I consider it a feature, or a bug that will be fixed in the future?
Thanks!