client-connect script not closing connection

How to customize and extend your OpenVPN installation.
Post Reply
gravasio
OpenVpn Newbie
Posts: 4
Joined: Sun Mar 17, 2019 9:23 pm

client-connect script not closing connection

Post by gravasio » Wed Apr 10, 2019 3:14 pm

Hi,
I'm using an ActiveDirectory Authentication plus a custom python script for authorization:

Code: Select all

[oconf=]
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/server/config/AD-ldap.conf
client-connect /etc/openvpn/server/scripts/access.py
[/oconf]
Everything is working and the user authenticated and authorized can connect safely.
When the user fails the authentication the client process exits as expected:

Code: Select all

[olog=]
Wed Apr 10 17:03:46 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 10 17:03:46 2019 AUTH: Received control message: AUTH_FAILED
Wed Apr 10 17:03:46 2019 SIGTERM[soft,auth-failure] received, process exiting
[/olog]
but I cannot manage to obtain the same when the authentication is ok but the authorization fails (the script exits with 1).
In fact the client keeps trying and trying:

CLIENT:

Code: Select all

[olog=]
Wed Apr 10 17:08:20 2019 [server] Peer Connection Initiated with [AF_INET]
Wed Apr 10 17:08:21 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 10 17:08:26 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 10 17:08:31 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
[/olog]
SERVER:

Code: Select all

[olog=]
Apr 10 17:08:20 ares ovpn-server_UDP[38724]: Beppe/1.2.3.4:40839 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Apr 10 17:08:20 ares ovpn-server_UDP[38724]: Beppe/1.2.3.4:40839 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_1f6bec0bd1abbb4523d69f7555b449d8.tmp
Apr 10 17:08:20 ares ovpn-server_UDP[38724]: Beppe/1.2.3.4:40839 WARNING: Failed running command (--client-connect): external program exited with error status: 1
Apr 10 17:08:22 ares ovpn-server_UDP[38724]: Beppe/1.2.3.4:40839 PUSH: Received control message: 'PUSH_REQUEST'
Apr 10 17:08:26 ares ovpn-server_UDP[38724]: Beppe/1.2.3.4:40839 PUSH: Received control message: 'PUSH_REQUEST'
[/olog]
Is there anything that I need to do on the custom script to simply close the connection in the same way as the ldap auth plugin is doing?

Thanks
Giuseppe

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect script not closing connection

Post by TinCanTech » Wed Apr 10, 2019 4:13 pm

Please add your server and client config files.

gravasio
OpenVpn Newbie
Posts: 4
Joined: Sun Mar 17, 2019 9:23 pm

Re: client-connect script not closing connection

Post by gravasio » Wed Apr 10, 2019 7:23 pm

Hi,
here you can find the client config:
C

cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote 1.2.3.4 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
key-direction 1


and here the server one
S

proto udp
proto udp6
multihome
port 1194
dev openvpn0
ifconfig 172.20.101.1 255.255.255.0
status /etc/openvpn/server/server_UDP_status.log
client-config-dir /etc/openvpn/server/server_UDP_ccd
ifconfig-pool-persist /etc/openvpn/server/server_UDP_ip-pool.txt
ifconfig-pool 172.20.101.100 172.20.101.253 255.255.255.0
management localhost 10444 /etc/openvpn/server/mgmt-pwd
mode server
tls-server

user openvpn
group openvpn
persist-key
persist-tun

dev-type tun
topology subnet
push "topology subnet"

keepalive 12 50
push "explicit-exit-notify"

cipher AES-256-CBC
fast-io
opt-verify
mute-replay-warnings
mssfix 1350
comp-lzo no
sndbuf 0
rcvbuf 0
txqueuelen 100

# SSL settings
tls-version-min 1.2
engine auto

dh /etc/openvpn/server/dh.pem
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/crt.crt
key /etc/openvpn/server/key.key
crl-verify /etc/openvpn/server/revoke.pem
key-direction 0
tls-auth /etc/openvpn/server/ta.key

# Logging
verb 3
status-version 2
mute 5

# Auth LDAP
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/server/config/AD-ldap.conf

client-connect /etc/openvpn/server/scripts/ovpn_access.py
client-disconnect /etc/openvpn/server/scripts/ovpn_access.py

### Cutting all the push configs that should not be of any interest


but It seems to me that the strange behaviour happens also with a much simpler configuration.
Thanks
Beppe

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect script not closing connection

Post by TinCanTech » Wed Apr 10, 2019 8:11 pm

Thanks for the configs, they really help if you want people to help.

Also, what versions of Openvpn are your server and client using ?


Quoting the manual:
wrote:--auth-retry type
  • Controls how OpenVPN responds to username/password verification errors such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.

    Normally used to prevent auth errors from being fatal on the client side, and to permit username/password requeries in case of error.

    An AUTH_FAILED message is generated by the server if the client fails --auth-user-pass authentication, or if the server-side --client-connect script returns an error status when the client tries to connect.

    type can be one of:

    none -- Client will exit with a fatal error (this is the default).
    nointeract -- Client will retry the connection without requerying for an --auth-user-pass username/password. Use this option for unattended clients.
    interact -- Client will requery for an --auth-user-pass username/password and/or private key password before attempting a reconnection.
which seems to be reasonably unambiguous ..
gravasio wrote:
Wed Apr 10, 2019 7:23 pm
but It seems to me that the strange behaviour happens also with a much simpler configuration
That is probably correct, which is why this is interesting.

gravasio
OpenVpn Newbie
Posts: 4
Joined: Sun Mar 17, 2019 9:23 pm

Re: client-connect script not closing connection

Post by gravasio » Thu Apr 11, 2019 7:07 am

Hi,
I'm using "OpenVPN 2.4.7" for the server and "OpenVPN 2.4.6" on the client and both are Linux boxes.

I agree that the manual you quoted is unambiguous and that behavior is respected.
My problem is with --client-connect behaviour:
--client-connect cmd
Run command cmd on client connection.

cmd consists of a path to script (or executable program), optionally followed by arguments. The path
and arguments may be single- or double-quoted and/or escaped using a backslash, and should be sepa‐
rated by one or more spaces.

The command is passed the common name and IP address of the just-authenticated client as environmen‐
tal variables (see environmental variable section below). The command is also passed the pathname
of a freshly created temporary file as the last argument (after any arguments specified in cmd ), to
be used by the command to pass dynamically generated config file directives back to OpenVPN.

If the script wants to generate a dynamic config file to be applied on the server when the client
connects, it should write it to the file named by the last argument.

See the --client-config-dir option below for options which can be legally used in a dynamically gen‐
erated config file.

Note that the return value of script is significant. If script returns a non-zero error status, it
will cause the client to be disconnected.
as you can see the client should be disconnected in case of an exit code != 0 but in my case that doesn't seem to happen.
I also tried with a very old version of openvpn (OpenVPN 2.1_rc7) but the behaviour is the same.

Thanks
Giuseppe

dazo
OpenVPN Inc.
Posts: 141
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: client-connect script not closing connection

Post by dazo » Thu Apr 11, 2019 11:47 am

The client-connect scripts are called after the authentication has completed. The client disconnect you see when the LDAP kicks off the client is because the client receives the AUTH_FAILED message. This situation is not possible to trigger after the authentication has completed.

What might be a possibility is to trigger a "kill" command via the management interface on authorization failures. This interface can also handle authentication too. You might have a more powerful interface this way, but it's going over a Unix or TCP socket, so it'll be a bit more work to implement.

dazo
OpenVPN Inc.
Posts: 141
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: client-connect script not closing connection

Post by dazo » Thu Apr 11, 2019 11:53 am

Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
Actually, this statement might not be completely true for all script and plug-in hooks. The return value is significant. But it might not result in the client disconnecting instantly, as you would expect.

That said, I wonder if there's an option you can push to trigger a disconnect. I don't think there's anything simple though as the AUTH_FAILED response is not a pushed option.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect script not closing connection

Post by TinCanTech » Thu Apr 11, 2019 3:17 pm

My testing shows that this works as expected.

Server log:

Code: Select all

TLS: Username/Password authentication succeeded for username 'c01'
<...>
WARNING: Failed running command (--client-connect): external program exited with error status: 1
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [v303.tct.c01]: 'AUTH_FAILED' (status=1)
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [v303.tct.c01]: 'AUTH_FAILED' (status=1)
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [v303.tct.c01]: 'AUTH_FAILED' (status=1)
SIGTERM[soft,delayed-exit] received, client-instance exiting
Client log:

Code: Select all

[v303.tct.s01] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
SENT CONTROL [v303.tct.s01]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [v303.tct.s01]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [v303.tct.s01]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
TCP/UDP: Closing socket
SIGTERM[soft,auth-failure] received, process exiting
Note, Openvpn version:
  • Server: OpenVPN 2.5_git [git:master/c3f565f0590b152c] x86_64-pc-linux-gnu
    built on Nov 26 2018
  • Client: OpenVPN 2.5_git [git:master/ccb636c75103f11b+] x86_64-pc-linux-gnu
    built on Mar 18 2019
Last edited by TinCanTech on Thu Apr 11, 2019 4:11 pm, edited 3 times in total.

gravasio
OpenVpn Newbie
Posts: 4
Joined: Sun Mar 17, 2019 9:23 pm

Re: client-connect script not closing connection

Post by gravasio » Thu Apr 11, 2019 3:36 pm

dazo wrote:
Thu Apr 11, 2019 11:47 am
The client-connect scripts are called after the authentication has completed. The client disconnect you see when the LDAP kicks off the client is because the client receives the AUTH_FAILED message. This situation is not possible to trigger after the authentication has completed.

What might be a possibility is to trigger a "kill" command via the management interface on authorization failures. This interface can also handle authentication too. You might have a more powerful interface this way, but it's going over a Unix or TCP socket, so it'll be a bit more work to implement.
I still consider using the management interface a viable option, but I stayed with the client-connect because the auth-ldap plugin has proven to work very well in my environment and I think I cannot use the plugin through the management interface?! is that right?
I'm also looking to some documentation/examples about implementing the challenge/response protocol and the use of the management interface, but I'm struggling to find something!
dazo wrote:
Thu Apr 11, 2019 11:53 am
Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
Actually, this statement might not be completely true for all script and plug-in hooks. The return value is significant. But it might not result in the client disconnecting instantly, as you would expect.

That said, I wonder if there's an option you can push to trigger a disconnect. I don't think there's anything simple though as the AUTH_FAILED response is not a pushed option.
Thanks for the clarification about the man page and I explored the documentation about some option to trigger the disconnect and I didn't have any luke. I'm still hoping that someone has managed to do that ;-)

Thanks
Giuseppe

dazo
OpenVPN Inc.
Posts: 141
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: client-connect script not closing connection

Post by dazo » Thu Apr 11, 2019 4:05 pm

gravasio wrote:
Thu Apr 11, 2019 3:36 pm
I still consider using the management interface a viable option, but I stayed with the client-connect because the auth-ldap plugin has proven to work very well in my environment and I think I cannot use the plugin through the management interface?! is that right?
That should work, mixing --plugin and management interface. The management interface can only be used for client authentication if you add --management-client-auth to the server config.
gravasio wrote:
Thu Apr 11, 2019 3:36 pm
I'm also looking to some documentation/examples about implementing the challenge/response protocol and the use of the management interface, but I'm struggling to find something!
The management interface is documented in the management-notes.txt file: https://gitlab.com/openvpn/openvpn/blob ... .txt#L1016

But for OTP/challenge-response based auth, you will need to add --management-client-auth as well as implementing the full username/password auth via the management interface as well.

Post Reply