OpenVPN GA Issue

SemyonG · Post by **SemyonG** » Wed Jul 25, 2018 10:58 am

I'm a little confused with using Google Authenticator.
I've enabled GA for my server and it worked well with the OpenVPN client v2.3.2 on Linux. And was checking a one-time password from GA:

Code: Select all

$ sudo openvpn --config dev.ovpn
Tue Jul 24 19:54:52 2018 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Enter Auth Username:test
Enter Auth Password:
CHALLENGE: Enter Google Authenticator Code
Response:218795
Tue Jul 24 19:55:09 2018 Control Channel Authentication: tls-auth using INLINE static key file
Tue Jul 24 19:55:09 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 24 19:55:09 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
.....................

Then I've updated ciphers on my server and minimal supported TLS version to 1.2. And I had to update my client because it didn't want to work with TLS 1.2.
Now it doesn't check a one-time password. You can just put enter and connect to the server.

Code: Select all

$ sudo openvpn --config dev.ovpn 
[sudo] password for siamion: 
Wed Jul 25 11:17:15 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Wed Jul 25 11:17:15 2018 library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Enter Auth Username:alpha 
Enter Auth Password:
CHALLENGE: Enter Google Authenticator Code
Wed Jul 25 11:17:37 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Jul 25 11:17:37 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 25 11:17:37 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
.......................

There's no response place for GA code.
OpenVPN client is v.2.4.6.
OpenVPN AS server is v.2.5.

Client config:

Code: Select all

cipher AES-256-CBC

setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 443 tcp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
static-challenge "Enter Google Authenticator Code" 1

comp-lzo no
verb 3
setenv PUSH_PEER_INFO
key-direction 1

auth SHA256

Server log during connection without a GA code:

Code: Select all

2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 TLS: Initial packet from [AF_INET]192.168.1.10:42050 (via [AF_INET]10.1.0.100%eth0), sid=54a6e68d 5abac6d5'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: depth=1, /CN=OpenVPN CA'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: nsCertType=CLIENT'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: depth=0, /CN=test'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_VER=2.4.6'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_PLAT=linux'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_PROTO=2'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_NCP=2'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZ4=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZ4v2=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZO=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_COMP_STUB=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_COMP_STUBv2=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_TCPNL=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_HWADDR=44:8a:5b:62:6d:f0'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_SSL=OpenSSL_1.0.1f_6_Jan_2014'
2018-07-25 10:45:36+0000 [-] AUTH SUCCESS {'status': 0, 'reason': 'PAM auth succeeded', 'serial_list': [], 'user': u'test', 'proplist': {u'pvt_google_auth_secret_locked': u'true', u'prop_autogenerate': 'true', 'prop_deny': 'false', u'pvt_google_auth_secret': '[redacted]', u'prop_superuser': 'true', u'pvt_password_digest': '[redacted]', u'type': u'user_compile'}, 'common_name': u'test', 'serial': '18'} cli=u'linux'/u'2.4.6'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:36 2018 MANAGEMENT: CMD 'client-auth 6 0'"
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 [test] Peer Connection Initiated with [AF_INET]192.168.1.10:42050 (via [AF_INET]10.1.0.100%eth0)'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 OPTIONS IMPORT: compression parms modified'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 MULTI: Learn: 10.1.1.122 -> test/192.168.1.10:42050'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 MULTI: primary virtual IP for test/192.168.1.10:42050: 10.1.1.122'
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 SENT CONTROL [test]: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 10.1.1.1,route 10.1.0.0 255.255.248.0,block-ipv6,ifconfig 10.1.1.122 255.255.255.128,peer-id 0,cipher AES-256-GCM' (status=1)"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Data Channel: using negotiated cipher 'AES-256-GCM'"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"

Looks like OpenVPN client issue. So wrong client can bypass the MFA security?!?!?!

SemyonG · Post by **SemyonG** » Wed Jul 25, 2018 12:32 pm

In the same time, OS X client v2.5.0.114 works as expected

Post by **novaflash** » Wed Jul 25, 2018 1:24 pm

Can you open up the client.ovpn file that you downloaded from the Access Server and look for the text 'AUTOLOGIN' in that file? Does it exist?

SemyonG · Post by **SemyonG** » Thu Jul 26, 2018 9:55 am

novaflash wrote: ↑
Wed Jul 25, 2018 1:24 pm
Can you open up the client.ovpn file that you downloaded from the Access Server and look for the text 'AUTOLOGIN' in that file? Does it exist?

Thank you for the reply.
There's no this string. And auto-login is disabled for all users on my server.
My full client config excluding certs and keys is in the post above

Post by **novaflash** » Thu Jul 26, 2018 10:12 am

Thanks for checking, I just wanted to be sure.

Is the username you are connecting as mentioned in the file /usr/local/openvpn_as/etc/as.conf? If so, it's a bootstrap user and exempt from Google Authenticator.

SemyonG · Post by **SemyonG** » Thu Jul 26, 2018 11:21 am

Yes, there's this string:

Code: Select all

boot_pam_users.0=myuser

if I remove this, it doesn't break the work of the server?

Post by **novaflash** » Thu Jul 26, 2018 11:35 am

Okay so what I suggest you do is read this page:
https://docs.openvpn.net/getting-starte ... tallation/

SemyonG · Post by **SemyonG** » Thu Jul 26, 2018 12:49 pm

And the openvpn user account is also a bootstrap account meaning it has special access privileges. For example it can bypass Google Authenticator and the authentication failure lockout policy.

novaflash, thank you for the explanation!

Post by **novaflash** » Thu Jul 26, 2018 1:03 pm

No problemo. Have a nice day.

OpenVPN Support Forum

OpenVPN GA Issue

OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue

Re: OpenVPN GA Issue