[Solved] User access : ccd-exclusive not "working"

Posted: Wed Sep 25, 2013 12:48 pm
by Outpox
Hello,
I want to be able to grant access to my server for a user, but also be able to remove this access (for a certain duration) and maybe reactivate it later.
My configuration:
Debian wheezy 7
latest openvpn

server.conf:

# Server TCP/443
mode server
proto tcp
port 443
dev tun
# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher AES-256-CBC
# Must be commented out to allow only one connection at a time per key
; duplicate-cn
# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
# Security
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo
#crl-verify /etc/openvpn/crl.pem
# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log
script-security 3 system
client-config-dir clientaccess
ccd-exclusive

ls -la from the clientaccess directory:

drwxr-xr-x  3 root root 4,0K sept. 25 14:19 .
drwxr-xr-x 10 root root 4,0K sept. 25 14:32 ..
-rw-r--r--  1 root root    0 sept. 25 11:03 foo1
-rw-r--r--  1 root root    0 sept. 25 11:04 foo2
-rw-r--r--  1 root root    0 sept. 25 11:04 foo3
-rw-r--r--  1 root root    0 sept. 25 11:04 outpox

And here is the log from /var/log/openvpn.log with verb 5 in my server.conf:

RWed Sep 25 11:30:38 2013 us=308646 myIP TLS: Initial packet from [AF_INET]myIP, sid=df5b15a6 f3710805
WRRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWed Sep 25 11:30:39 2013 us=174288 myIP VERIFY OK: depth=1, /C=FR/ST=06/L=Nancy/OU=changeme/CN=changeme/name=changeme
Wed Sep 25 11:30:39 2013 us=174397 myIP VERIFY OK: depth=0, /C=FR/ST=06/L=Nancy/CN=outpox
WRWRWRWWWWRWRWWWRWRWRWRRRRWRWRWRWed Sep 25 11:30:39 2013 us=639248 myIP TLS Auth Error: --client-config-dir authentication failed for common name 'outpox' file='/etc/openvpn/clientaccess/outpox'
WWWRRWed Sep 25 11:30:39 2013 us=754258 myIP Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Sep 25 11:30:39 2013 us=754289 myIP [outpox] Peer Connection Initiated with [AF_INET]myIP
RWed Sep 25 11:30:41 2013 us=839663 myIP PUSH: Received control message: 'PUSH_REQUEST'
Wed Sep 25 11:30:41 2013 us=839685 myIP Delayed exit in 5 seconds
Wed Sep 25 11:30:41 2013 us=839707 myIP SENT CONTROL [outpox]: 'AUTH_FAILED' (status=1)
WWWed Sep 25 11:30:41 2013 us=907057 myIP Connection reset, restarting [0]
Wed Sep 25 11:30:41 2013 us=907086 myIP SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Sep 25 11:30:41 2013 us=907173 TCP/UDP: Closing socket

So my client-config-dir is configured with /etc/openvpn/clientaccess (you can see it in the first code block). I have an outpox file in clientaccess (the file is empty; I created it with "touch outpox"). According to the log, openvpn is looking in the right folder for the file, but I don't know why it doesn't "read" it, because I can't connect to the VPN.

Any idea? If you need anything else, just ask!
Thanks in advance.

Re: User access : ccd-exclusive not "working"

Posted: Wed Sep 25, 2013 9:24 pm
by Outpox
Thanks for the information, I'll try it tomorrow when all users are offline.
By the way, is that (using ccd-exclusive) a good way to activate/deactivate users' access (without restarting the daemon after each modification), or is there anything else easier or simply different?

Re: User access : ccd-exclusive not "working"

Posted: Thu Sep 26, 2013 6:18 am
by Outpox
I just tried what you proposed, but it still fails.

In my ccd I have my file outpox:

# I also tried adding #!/bin/bash
echo "connexion"

Here's the /var/log/openvpn.log:

Thu Sep 26 05:34:40 2013 LZO compression initialized
Thu Sep 26 05:34:40 2013 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Sep 26 05:34:40 2013 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 26 05:34:40 2013 Local Options hash (VER=V4): '9915e4a2'
Thu Sep 26 05:34:40 2013 Expected Remote Options hash (VER=V4): '2f2c6498'
Thu Sep 26 05:34:40 2013 TCP connection established with [AF_INET]myIP
Thu Sep 26 05:34:40 2013 TCPv4_SERVER link local: [undef]
Thu Sep 26 05:34:40 2013 TCPv4_SERVER link remote: [AF_INET]myIP
Thu Sep 26 05:34:41 2013 myIP TLS: Initial packet from [AF_INET]myIP, sid=b4dd4031 40d11b99
Thu Sep 26 05:34:42 2013 myIP VERIFY OK: depth=1, /C=FR/ST=06/L=Nancy/OU=changeme/CN=changeme/name=changeme
Thu Sep 26 05:34:42 2013 myIP VERIFY OK: depth=0, /C=FR/ST=06/L=Nancy/CN=outpox
Thu Sep 26 05:34:42 2013 myIP TLS Auth Error: --client-config-dir authentication failed for common name 'outpox' file='clientaccess/outpox'
Thu Sep 26 05:34:43 2013 myIP Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 26 05:34:43 2013 myIP [outpox] Peer Connection Initiated with [AF_INET]myIP
Thu Sep 26 05:34:45 2013 myIP PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 26 05:34:45 2013 myIP Delayed exit in 5 seconds
Thu Sep 26 05:34:45 2013 myIP SENT CONTROL [outpox]: 'AUTH_FAILED' (status=1)
Thu Sep 26 05:34:45 2013 myIP Connection reset, restarting [0]
Thu Sep 26 05:34:45 2013 myIP SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Sep 26 05:34:45 2013 TCP/UDP: Closing socket

Re: User access : ccd-exclusive not "working"

Posted: Thu Sep 26, 2013 9:28 pm
by Outpox
debbie10t wrote: Also, post your client config please.
Client config:

# Client
client
dev tun
proto tcp-client
remote myIP 443
resolv-retry infinite
cipher AES-256-CBC
; client-config-dir ccd
# Keys
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3

debbie10t wrote: Basically, it looks like the openvpn process does not have access to your client connection directory and files, probably due to the dropped privilege levels.

You can remedy that situation by chmod'ing the directory and files to allow access to all users, add execute flag. Or, remove the "ccd-exclusive" directive from the server config, which will allow the connection but will still fail at the CCD script. Or don't drop the privilege level of the process.
I will try to chmod, yes.
When "ccd-exclusive" is quoted, users can connect and it works.
How do I not drop the privilege level?

Re: User access : ccd-exclusive not "working"

Posted: Thu Sep 26, 2013 10:06 pm
by Outpox
debbie10t wrote:
Outpox wrote: I will try to chmod, yes.
This is only an option; you choose which option you prefer. (This is what I would do.)
Does it lower the security?
debbie10t wrote:
Outpox wrote: When "ccd-exclusive" is quoted, users can connect and it works.
This is because "ccd-exclusive" is a security option that will deny the connection if the CCD option cannot be read, which is the case for you.
By "quoting" this option in your server config you are saying "try CCD but do not fail if it does not work." ccd-exclusive means try CCD and deny if it fails.
That's what I somehow understood, yep. So I need to solve the privilege issue and then it should work?
Then I'm asking the same question as in the first quote: how about the security breach?
debbie10t wrote:
Outpox wrote: How do I not drop the privilege level?
Remove this from your server config:

# Security
user nobody
group nogroup

I will try this first.

So (sorry for asking this for the 3rd time), for the security, which option would be the "best"?

Re: User access : ccd-exclusive not "working"

Posted: Thu Sep 26, 2013 10:48 pm
by Outpox
Ok, I will try this tomorrow and I'll let you know if it works.
Anyway, thanks a lot for your answers!

Re: User access : ccd-exclusive not "working"

Posted: Thu Sep 26, 2013 11:06 pm
by Outpox
Can't edit my last post, but just to let you know:
I found the issue!
In fact it was the chroot command in my server.conf which broke everything. In order to get it to work, here is my new server.conf:

# Server TCP/443
mode server
proto tcp
port 443
dev tun
# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher AES-256-CBC
# Must be commented out to allow only one connection at a time per key
; duplicate-cn
# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
# Security
user nobody
group nogroup
#chroot /etc/openvpn/jail # <---- Comment or delete this line
persist-key
persist-tun
comp-lzo
#crl-verify /etc/openvpn/crl.pem
# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log
script-security 3 system
client-config-dir clientaccess
ccd-exclusive

So thanks again, and I hope it will help someone one day! :-)
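A pre-flight check for the root cause found in this thread, added here as an example and not code from the thread or from OpenVPN itself: given a server.conf, it works out where the running daemon will actually look for client-config-dir files once --chroot is active (OpenVPN does chdir('/') after chroot, so a relative path such as clientaccess, or even an absolute one, is resolved inside the jail and is never found, which with ccd-exclusive turns into AUTH_FAILED for every client), and it also tests debbie10t's permission hypothesis by looking at the directory's "other" bits once --user is set. The assumption that the unchrooted daemon's working directory is the directory holding server.conf, and the temp-dir fixture in demo(), are mine.

```python
import os, stat, tempfile

def parse_server_conf(text):
    """Collect the directives that decide how OpenVPN locates CCD files."""
    opts = {"chroot": None, "client-config-dir": None, "user": None, "ccd-exclusive": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' and ';' both start comments
        if not line or line.startswith(";"):
            continue
        key, *args = line.split()
        if key == "ccd-exclusive":
            opts[key] = True
        elif key in opts and args:
            opts[key] = args[0]
    return opts

def effective_ccd_path(opts, config_dir):
    """After --chroot OpenVPN does chdir('/'), so client-config-dir (relative or absolute)
    is resolved inside the jail. Assumption: without chroot the cwd is the config dir."""
    ccd = opts["client-config-dir"]
    if opts["chroot"]:
        return os.path.join(opts["chroot"], ccd.lstrip("/"))
    return os.path.join(config_dir, ccd)

def check_ccd(conf_text, config_dir):
    """Return findings that explain a 'client-config-dir authentication failed' loop."""
    opts = parse_server_conf(conf_text)
    if not opts["client-config-dir"]:
        return []
    path = effective_ccd_path(opts, config_dir)
    if not os.path.isdir(path):
        hit = [f"client-config-dir resolves to {path}, which does not exist"]
        if opts["ccd-exclusive"]:
            hit.append("ccd-exclusive set: every client will receive AUTH_FAILED")
        return hit
    mode = os.stat(path).st_mode       # unprivileged --user needs 'other' r+x on the dir
    if opts["user"] and not (mode & stat.S_IROTH and mode & stat.S_IXOTH):
        return [f"{path} is not readable/searchable by user {opts['user']}"]
    return []

def demo():
    """Constructed fixture: the thread's /etc/openvpn layout rebuilt under a temp dir."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "jail"))
    os.mkdir(os.path.join(root, "clientaccess"))
    os.chmod(os.path.join(root, "clientaccess"), 0o755)  # explicit: ignore the umask
    conf = "user nobody\nchroot %s/jail\nclient-config-dir clientaccess\nccd-exclusive\n" % root
    return {"with_chroot": check_ccd(conf, root),
            "without_chroot": check_ccd(conf.replace("chroot ", "#chroot "), root)}
```

Run demo() to see the chrooted configuration reported as broken and the same file with the chroot line commented out reported clean; the second log in the thread (file='clientaccess/outpox') is exactly the relative path that effective_ccd_path() places inside the jail.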