Openvpn and OTP auth

gabriel1
OpenVpn Newbie
Posts: 9
Joined: Thu Nov 02, 2017 2:59 pm

Openvpn and OTP auth

Post by gabriel1 » Thu Nov 02, 2017 10:31 pm

Hi !
I'm running OpenVPN on Debian 9. I want OTP as authentication and clients to be able to reach each other. I have only one subnet and this is my openvpn.conf:

port 4343
proto udp
dev tun
# openvpn LAN
server 10.1.0.0 255.255.255.0
topology subnet
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "explicit-exit-notify 2"
#
keepalive 10 120
mute 20
comp-lzo
max-clients 20
ping-timer-rem
tun-mtu 1500
comp-lzo
persist-key
persist-tun
persist-local-ip

# TLS
#duplicate-cn
tls-version-min 1.2 or-highest
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/server/dh4096.pem
tls-server
tls-auth /etc/openvpn/ssl/ta.key 0
remote-cert-tls client
remote-cert-eku "TLS Web Client Authentication"
auth SHA512
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

client-config-dir /etc/openvpn/ccd
# the ccd file for the LAN-side client contains: iroute 192.168.1.0 255.255.255.0
route 192.168.1.0 255.255.255.0
user nobody
group nogroup
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
# AUTH
reneg-sec 0
auth-nocache
#plugin "/etc/openvpn/otp/openvpn-otp.so" "otp_secrets=/etc/openvpn/otp/otp-secrets otp_slop=300 totp_t0=2 totp_step=30 totp_digits=8 motp_step=10 password_is_cr=1"
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Client configuration:

client
dev tun
proto udp
remote server_ip 4343
persist-key
persist-tun
proto udp
nobind
comp-lzo

remote-cert-tls server
auth SHA512
cipher AES-256-CBC
tls-version-min 1.2 or-highest
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
reneg-sec 0
auth-user-pass
auth-nocache
verify-x509-name 'C=DE, O=xxx, CN=my.vpn.domain' subject
remote-cert-eku "TLS Web Server Authentication"
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
b9c592513a9ae04
3780624ed40f387018d9caf751c381d1
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
MIIGxDCCBKygAwIBAgIJAL7AqT1cjoON2zwl3Hb4TH1
TfY6wGfBsaM=
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIHATCCBOmgAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCBnDELMAkGA1UEBhMCREUx
0HOO8EGoNHEiFitC38WMNy2mfMOYLej/vqLfkX0RCCE1Pc9owltdIK+py3yxBOI/
OO5LZB+//xZge6KYoEsFxscXOVQ7
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC19dk6uhaXOvjo
VzvmCBAD1jKQuti7Wqje49dFJJiGAw==
-----END PRIVATE KEY-----
</key>

And this is the /etc/pam.d/openvpn file:


account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
auth required pam_google_authenticator.so forward_pass
It doesn't look right to me either, but, to be honest, I don't know much about PAM/auth and nothing at all about OTP; this is the first time I have ever used OTP.
That's what server's logs say:


Thu Nov  2 22:31:27 2017 us=419186 Initialization Sequence Completed
Thu Nov  2 22:32:08 2017 us=250394 MULTI: multi_create_instance called
Thu Nov  2 22:32:08 2017 us=250580 client_ip:59734 Re-using SSL/TLS context
Thu Nov  2 22:32:08 2017 us=250623 client_ip:59734 LZO compression initializing
Thu Nov  2 22:32:08 2017 us=250965 client_ip:59734 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Nov  2 22:32:08 2017 us=250981 client_ip:59734 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Nov  2 22:32:08 2017 us=251074 client_ip:59734 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Nov  2 22:32:08 2017 us=251111 client_ip:59734 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Nov  2 22:32:08 2017 us=251192 client_ip:59734 TLS: Initial packet from [AF_INET]client_ip:59734, sid=13e1ee63 f0c48427
Thu Nov  2 22:32:10 2017 us=368879 MULTI: multi_create_instance called
Thu Nov  2 22:32:10 2017 us=369370 client_ip:60036 Re-using SSL/TLS context
Thu Nov  2 22:32:10 2017 us=369465 client_ip:60036 LZO compression initializing
Thu Nov  2 22:32:10 2017 us=369736 client_ip:60036 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Nov  2 22:32:10 2017 us=369810 client_ip:60036 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Nov  2 22:32:10 2017 us=369907 client_ip:60036 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Nov  2 22:32:10 2017 us=369960 client_ip:60036 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Nov  2 22:32:10 2017 us=370077 client_ip:60036 TLS: Initial packet from [AF_INET]client_ip:60036, sid=5e6a175e a3113e1e
Thu Nov  2 22:33:08 2017 us=278887 client_ip:59734 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov  2 22:33:08 2017 us=279035 client_ip:59734 TLS Error: TLS handshake failed
Thu Nov  2 22:33:08 2017 us=279165 client_ip:59734 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Nov  2 22:33:10 2017 us=629872 client_ip:60036 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
These are clients logs:


Thu Nov  2 22:31:54 2017 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Nov  2 22:31:54 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Auth Username: ********
Enter Auth Password: **********
Thu Nov  2 22:32:08 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov  2 22:32:08 2017 Control Channel Authentication: tls-auth using INLINE static key file
Thu Nov  2 22:32:08 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Nov  2 22:32:08 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Nov  2 22:32:08 2017 Socket Buffers: R=[31457280->31457280] S=[31457280->31457280]
Thu Nov  2 22:32:08 2017 UDPv4 link local: [undef]
Thu Nov  2 22:32:08 2017 UDPv4 link remote: [AF_INET]server_ip:4343
Thu Nov  2 22:32:08 2017 TLS: Initial packet from [AF_INET]server_ip:4343, sid=34a8d6c9 fc30085b
Thu Nov  2 22:32:08 2017 VERIFY OK: depth=1, C=DE, ST=DE, L=Berlin, O=xxx, OU=VPN, CN=my.vpn.hostname, name=EasyRSA, emailAddress=admin@mydomain
Thu Nov  2 22:32:08 2017 Validating certificate key usage
Thu Nov  2 22:32:08 2017 ++ Certificate has key usage  00a0, expects 00a0
Thu Nov  2 22:32:08 2017 VERIFY KU OK
Thu Nov  2 22:32:08 2017 Validating certificate extended key usage
Thu Nov  2 22:32:08 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov  2 22:32:08 2017 VERIFY EKU OK
Thu Nov  2 22:32:08 2017 VERIFY X509NAME ERROR: C=DE, ST=DE, L=Berlin, O=xxx, OU=VPN, CN=my.vpn.hostname, name=EasyRSA, emailAddress=admin@mydomain, must be C=DE, O=TCPRESET, CN=my.vpn.hostname
Thu Nov  2 22:32:08 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Thu Nov  2 22:32:08 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Nov  2 22:32:08 2017 TLS Error: TLS handshake failed
Thu Nov  2 22:32:08 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Nov  2 22:32:08 2017 Restart pause, 2 second(s)
Thu Nov  2 22:32:10 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov  2 22:32:10 2017 Socket Buffers: R=[31457280->31457280] S=[31457280->31457280]
Thu Nov  2 22:32:10 2017 UDPv4 link local: [undef]
Thu Nov  2 22:32:10 2017 UDPv4 link remote: [AF_INET]server_ip:4343
Thu Nov  2 22:32:10 2017 TLS: Initial packet from [AF_INET]server_ip:4343, sid=72fc1c57 43936072
Enter Auth Username:
I will be really glad to get help on this. As you can see, authentication doesn't work; the TLS certs are generated with easy-rsa.
Forwarding is enabled in /etc/sysctl.conf and iptables is masquerading/NATing connections coming from the 10.1.0.0 LAN network in POSTROUTING.
Regards
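The client log in this post stops at VERIFY X509NAME ERROR, so the username/password plugin never runs: with the `subject` type, verify-x509-name requires the complete subject DN, character for character, and the server certificate's DN (printed in the same log line) carries ST, L, OU, name and emailAddress RDNs that the configured value does not. The script below is an added example, not code from the post or from OpenVPN; it re-implements the three matching types of the directive (subject, name, name-prefix, as documented in the OpenVPN manual) on the subject string as OpenVPN prints it, so a candidate value can be tried against the log line before the client config is changed. The subject and the configured value are copied from the log and config above.

```python
"""Emulate the three matching types of OpenVPN's --verify-x509-name.

Added example, not code from the forum post or from OpenVPN itself.
It works on the subject string exactly as OpenVPN prints it in the
'VERIFY X509NAME ERROR' line of the client log, so a candidate
directive can be tested before editing the client config.
"""
from typing import Dict, List

# Server certificate subject, copied from the client log in the post above.
LOGGED_SUBJECT = ("C=DE, ST=DE, L=Berlin, O=xxx, OU=VPN, CN=my.vpn.hostname, "
                  "name=EasyRSA, emailAddress=admin@mydomain")
# Value the client config above asked for (type 'subject').
CONFIGURED = "C=DE, O=xxx, CN=my.vpn.domain"


def parse_subject(subject: str) -> Dict[str, str]:
    """Split OpenVPN's 'K=V, K=V' rendering into a dict of RDN -> value.

    Assumes no value contains ', ' (true for the EasyRSA defaults seen here).
    """
    rdns: Dict[str, str] = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if not key or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns[key.strip()] = value
    return rdns


def verify_x509_name(subject: str, expected: str, mode: str = "subject") -> bool:
    """Return True when `subject` satisfies `expected` under the given type.

    subject      whole DN string must be identical (OpenVPN's default type)
    name         the CN RDN must equal `expected`
    name-prefix  the CN RDN must start with `expected`
    """
    if mode == "subject":
        return subject == expected          # OpenVPN compares the full string
    cn = parse_subject(subject).get("CN", "")
    if mode == "name":
        return cn == expected
    if mode == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown type {mode!r}")


def candidate_directives(subject: str) -> List[str]:
    """Client-config lines that would accept `subject`, strictest first."""
    cn = parse_subject(subject)["CN"]
    return [
        f"verify-x509-name '{subject}' subject",
        f"verify-x509-name '{cn}' name",
    ]


if __name__ == "__main__":
    # The configured value does not match; print the lines that would.
    print("configured value matches:", verify_x509_name(LOGGED_SUBJECT, CONFIGURED))
    for line in candidate_directives(LOGGED_SUBJECT):
        print(line)
```

The `subject` type is the strictest and the easiest to get right by pasting the DN from the log line; `name` pins only the CN, so any certificate the CA issues with that CN is accepted, which is one reason to keep the VPN CA dedicated to the VPN. Neither setting touches the OTP part of the problem: the auth plugin is only reached once the TLS handshake succeeds.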

gabriel1
OpenVpn Newbie
Posts: 9
Joined: Thu Nov 02, 2017 2:59 pm

Re: Openvpn and OTP auth

Post by gabriel1 » Sun Nov 05, 2017 7:11 pm

I switched off authentication on both the client and server OpenVPN, regenerated the SSL certificates (CA, server and client) in easy-rsa, and the VPN works. The last bit is getting OTP to work; these are the server-side logs:


OTP-AUTH: Error extracting challenge/response from '$MYPASSWD'. Parse error = 'Incorrectly formatted cr string.'
Sun Nov  5 19:54:22 2017 us=335193 80.182.73.200:58235 PLUGIN_CALL: POST /etc/openvpn/otp/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Nov  5 19:54:22 2017 us=335270 80.182.73.200:58235 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/otp/openvpn-otp.so
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: $MYUSER
AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
AUTH-PAM: BACKGROUND: user 'gabriel1' failed to authenticate: Authentication failure
Sun Nov  5 19:54:22 2017 us=348493 80.182.73.200:58235 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Nov  5 19:54:22 2017 us=348616 80.182.73.200:58235 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
Sun Nov  5 19:54:22 2017 us=348690 80.182.73.200:58235 TLS Auth Error: Auth Username/Password verification failed for peer
I wish not to use an external server authentication mechanism, from Google Authenticator to RADIUS; I want to start with a local solution, understand it, and then maybe use some external resource. I have never come across OTP, never scanned a code or used YubiKeys!
Newbie to it ...
Regards everybody
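The server log in this post shows two verifiers being consulted for the same login, each rejecting for a different reason: openvpn-otp with `password_is_cr=1` cannot parse the password field ('Incorrectly formatted cr string'), because a plain password is not a challenge/response string, and auth-pam's prompt 'Password & verification code: ' is pam_google_authenticator asking, via `forward_pass`, for the password and the code typed together in the one password field. When both plugins are loaded, both must return success. The code below is an added example, not code from the post, from openvpn-otp or from pam_google_authenticator: it implements RFC 6238 TOTP verification with a skew window, the `password+code` split that forward_pass implies, and the `SCRV1:<base64 password>:<base64 otp>` string OpenVPN clients send for --static-challenge, which is what a challenge/response ('cr') password field looks like. The secret is the RFC 6238 test secret and the passwords are constructed values; treating `otp_slop` as seconds of allowed clock skew is an assumption about that plugin option.

```python
"""The two OTP wire formats that the server log above shows failing.

Added example, not code from the forum post, openvpn-otp or
pam_google_authenticator. It implements RFC 6238 TOTP verification with
an allowed clock skew, the 'password+code' field that forward_pass in
pam_google_authenticator expects, and the SCRV1 challenge/response
string that OpenVPN clients send for --static-challenge. The secret is
the RFC 4226/6238 reference secret; the passwords are constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 4226/6238 reference secret; a real one lives in ~/.google_authenticator.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time-step counter. step, t0 and digits are the
    knobs the totp_step/totp_t0/totp_digits options in the config above name."""
    return hotp(secret, (at - t0) // step, digits)


def totp_valid(secret: bytes, code: str, at: int, slop: int = 30,
               step: int = 30, digits: int = 6) -> bool:
    """Accept the code from any step within +/- slop seconds of `at`.

    Assumption: otp_slop is seconds of skew. A wide window (300 s above)
    lets a captured code be replayed for that long; rate-limit failures.
    """
    steps = slop // step
    return any(hmac.compare_digest(totp(secret, at + k * step, step, 0, digits), code)
               for k in range(-steps, steps + 1))


def split_forward_pass(field: str, digits: int = 6) -> Tuple[str, str]:
    """forward_pass convention: the OTP is the trailing digits of the single
    password field; the remainder is what pam_unix (use_first_pass) checks."""
    if len(field) <= digits or not field[-digits:].isdigit():
        raise ValueError(f"password field does not end in a {digits}-digit code")
    return field[:-digits], field[-digits:]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def build_scrv1(password: str, otp: str) -> str:
    """What an OpenVPN client sends as the password field under --static-challenge."""
    return f"SCRV1:{_b64(password)}:{_b64(otp)}"


def parse_scrv1(field: str) -> Tuple[str, str]:
    """Inverse of build_scrv1; a plain password fails the way the log above shows."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        raise ValueError("Incorrectly formatted cr string.")
    password, otp = (base64.b64decode(p, validate=True).decode() for p in parts[1:])
    return password, otp


def check_login(field: str, secret: bytes, now: int, slop: int = 30) -> Tuple[bool, str]:
    """Server-side view: accept either wire format, then verify the TOTP.
    Returns (ok, password for the next module); the password is never logged."""
    try:
        password, otp = parse_scrv1(field)
    except ValueError:
        password, otp = split_forward_pass(field)
    return totp_valid(secret, otp, now, slop), password


if __name__ == "__main__":
    now = 59                                      # RFC 6238 vector time
    code = totp(TEST_SECRET, now)                 # 287082
    print(check_login("hunter2" + code, TEST_SECRET, now))            # forward_pass form
    print(check_login(build_scrv1("hunter2", code), TEST_SECRET, now))  # SCRV1 form
```

With forward_pass, the user types the Unix password immediately followed by the six-digit code at the single Password prompt, and the usual stack has `pam_google_authenticator.so forward_pass` once (as `requisite`), followed by `pam_unix.so use_first_pass`; the stack posted above lists the module twice, and it should appear once. If the openvpn-otp plugin stays loaded alongside auth-pam, the client has to send the SCRV1 form, and the PAM stack then sees that string instead of a password, so run one verifier, not both.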

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn and OTP auth

Post by TinCanTech » Sun Nov 05, 2017 7:54 pm


gabriel1
OpenVpn Newbie
Posts: 9
Joined: Thu Nov 02, 2017 2:59 pm

Re: Openvpn and OTP auth

Post by gabriel1 » Mon Nov 13, 2017 11:40 pm

Reading the manual is always a good hint, but I don't think I need it right now.
The logs are still not saying much apart from the fact that authentication over TLS is failing:


AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user1
AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
AUTH-PAM: BACKGROUND: user 'user1' failed to authenticate: Authentication failure
Tue Nov 14 00:12:54 2017 us=459195 11.22.33.44:43016 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Nov 14 00:12:54 2017 us=459225 11.22.33.44:43016 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
Tue Nov 14 00:12:54 2017 us=459263 11.22.33.44:43016 TLS Auth Error: Auth Username/Password verification failed for peer
WRTue Nov 14 00:12:54 2017 us=831657 11.22.33.44:43016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Nov 14 00:12:54 2017 us=831720 11.22.33.44:43016 [kthulhu] Peer Connection Initiated with [AF_INET]198.252.153.226:43016
RTue Nov 14 00:12:57 2017 us=331046 11.22.33.44:43016 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 14 00:12:57 2017 us=331080 11.22.33.44:43016 Delayed exit in 5 seconds
Tue Nov 14 00:12:57 2017 us=331092 11.22.33.44:43016 SENT CONTROL [kthulhu]: 'AUTH_FAILED' (status=1)
WWWTue Nov 14 00:13:02 2017 us=745073 11.22.33.44:43016 SIGTERM[soft,delayed-exit] received, client-instance exiting
I think the most important bit is this:


TLS Auth Error: Auth Username/Password verification failed for peer
Can this depend on this configuration directive?


remote-cert-eku
Last edited by gabriel1 on Tue Nov 14, 2017 12:23 am, edited 2 times in total.

gabriel1
OpenVpn Newbie
Posts: 9
Joined: Thu Nov 02, 2017 2:59 pm

Re: Openvpn and OTP auth

Post by gabriel1 » Tue Nov 14, 2017 12:17 am

Once the connection is initialized, the connection drops:


WRWWWWRWRRRRWRTue Nov 14 01:12:38 2017 us=370664 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 14 01:12:38 2017 us=371027 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Nov 14 01:12:38 2017 us=371358 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Nov 14 01:12:38 2017 us=371703 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
WTue Nov 14 01:12:38 2017 us=372155 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Nov 14 01:12:38 2017 us=372407 [vpn.server] Peer Connection Initiated with [AF_INET]11.22.33.44:4343
Tue Nov 14 01:12:40 2017 us=659341 SENT CONTROL [vpn.server]: 'PUSH_REQUEST' (status=1)
WRRTue Nov 14 01:12:41 2017 us=50280 AUTH: Received control message: AUTH_FAILED
Tue Nov 14 01:12:41 2017 us=51622 TCP/UDP: Closing socket
Tue Nov 14 01:12:41 2017 us=51837 SIGTERM[soft,auth-failure] received, process exiting

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn and OTP auth

Post by TinCanTech » Fri Nov 09, 2018 10:38 pm

gabriel1 wrote:
Tue Nov 14, 2017 12:17 am
AUTH: Received control message: AUTH_FAILED
Auth Failed
