Help on client auth

Post by Anlan » Wed Nov 04, 2020 1:56 pm

I have a (until a few days ago) working instance of OpenVPN AS (community) ver 2.1.9.
For the past few days, all of a sudden, no clients can connect anymore, as they receive an "Invalid Credentials" error.
Analyzing the logs, though, the connection request is apparently successfully authenticated, but the server sends "AUTH_FAILED".
Here is a log example:

2020-11-04 14:50:33+0100 [-] OVPN 0 OUT: 'Wed Nov  4 13:50:33 2020 TCP connection established with [AF_INET]109.117.47.164:61361'
2020-11-04 14:50:33+0100 [-] OVPN 0 OUT: 'Wed Nov  4 13:50:33 2020 109.117.47.164:61361 TCP connection established with [AF_INET]109.117.47.164:61362'
2020-11-04 14:50:33+0100 [-] OVPN 0 OUT: 'Wed Nov  4 13:50:33 2020 109.117.47.164:61361 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2020-11-04 14:50:33+0100 [-] OVPN 0 OUT: 'Wed Nov  4 13:50:33 2020 109.117.47.164:61362 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 TLS: Initial packet from [AF_INET]109.117.47.164:62170, sid=54fbf59c 3c3d682b'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 VERIFY OK: depth=1, /CN=OpenVPN CA'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 VERIFY OK: nsCertType=CLIENT'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 VERIFY OK: depth=0, /CN=Administrator'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:39 2020 109.117.47.164:62170 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'"
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 Option inconsistency warnings triggering disconnect due to --opt-verify'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.'
2020-11-04 14:50:39+0100 [-] AUTH SUCCESS {'status': 0, 'reason': 'local auth succeeded', 'serial_list': [], 'user': u'Administrator', 'proplist': {u'pvt_password_digest': '[redacted]', u'type': u'user_connect', u'prop_autogenerate': u'true'}, 'common_name': u'Administrator', 'serial': '19'} cli=u'win'/u'2.5_rc2'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:39 2020 MANAGEMENT: CMD 'client-auth 13 0'"
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 109.117.47.164:62170 [Administrator] Peer Connection Initiated with [AF_INET]109.117.47.164:62170'
2020-11-04 14:50:40+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:40 2020 109.117.47.164:62170 Delayed exit in 5 seconds'
2020-11-04 14:50:40+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:40 2020 109.117.47.164:62170 SENT CONTROL [Administrator]: 'AUTH_FAILED' (status=1)"
2020-11-04 14:50:45+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:45 2020 109.117.47.164:62170 SIGTERM[soft,delayed-exit] received, client-instance exiting'

As you can see, I have an AUTH_SUCCESS message followed by a SENT CONTROL AUTH_FAILED.

Can someone point me in the right direction to further analyze the problem?

Re: Help on client auth

Post by 33153729470 » Thu Nov 05, 2020 9:14 pm

I have something like that as well...or rather had.

I am using OpenVPN Access Server 2.4.6.

If the clients are using the new version of the OpenVPN client (v3 for Windows and v2.5 for Linux), they cannot connect.

The workaround was to use a lower version of the OpenVPN client (v2.6 or v2.7 for Windows and v2.4.9.2 for Linux).
I have tested this on Windows and on Linux. On both platforms I had the same issue.
But it is working now, with a lower version of the OpenVPN client.


(Version 2.5 for Linux was out on October 27th.)


For Windows you can get it from here: openvpn.net/client-connect-vpn-for-windows/

novaflash
OpenVPN Inc.

Re: Help on client auth

Post by novaflash » Mon Nov 09, 2020 2:00 pm

> OpenVPN AS v2.1.9.
> 2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: "Wed Nov 4 13:50:39 2020 109.117.47.164:62170 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'"

To keep the explanation part short, you are using old software with an old cipher configuration of BF-CBC, but that is no longer considered a reasonable default. It can still be used but now needs to be specifically configured. Because changing the cipher means having to change it on all clients at once, during upgrades of AS, it doesn't get updated automatically. But you can still do it.

Here are your options:

1. Set up a new server that defaults to AES-256-CBC and convert your clients to that with modern client software (probably the best idea - start fresh; you are probably also still using 1024-bit keys if you have a server old enough to be using BF-CBC, and a new setup would get you to 2048 bits)
2. You can change the cipher on the server and all clients in one go to something modern like AES-256-CBC (good idea, bit of work)
3. Or you can re-enable BF-CBC fallback by adding "cipher BF-CBC" in the client config file (not a great idea, but it keeps things working for now)
4. Or you can choose to keep using outdated client software (terrible idea, using outdated software is never a good idea)
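
The pattern diagnosed in this thread (credentials accepted, then AUTH_FAILED sent because --opt-verify dropped the session over a cipher mismatch) can be separated from genuine credential failures when triaging the server log. The following is an added example, not part of the original posts or of OpenVPN's tooling; the sample log is constructed from the message formats in the first post (documentation IPs, hypothetical user bob), and the function and label names are illustrative.

```python
import re

# Constructed sample modelled on the log in the first post (documentation IPs, trimmed fields).
SAMPLE_LOG = """\
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 192.0.2.10:62170 VERIFY OK: depth=0, /CN=Administrator'
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:39 2020 192.0.2.10:62170 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'"
2020-11-04 14:50:39+0100 [-] OVPN 2 OUT: 'Wed Nov  4 13:50:39 2020 192.0.2.10:62170 Option inconsistency warnings triggering disconnect due to --opt-verify'
2020-11-04 14:50:39+0100 [-] AUTH SUCCESS {'status': 0, 'reason': 'local auth succeeded', 'user': u'Administrator'} cli=u'win'/u'2.5_rc2'
2020-11-04 14:50:40+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:40 2020 192.0.2.10:62170 SENT CONTROL [Administrator]: 'AUTH_FAILED' (status=1)"
2020-11-04 14:50:52+0100 [-] OVPN 2 OUT: "Wed Nov  4 13:50:52 2020 192.0.2.20:40100 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)"
"""

PEER = r"(\d+\.\d+\.\d+\.\d+:\d+)"
MISMATCH = re.compile(PEER + r" WARNING: '([\w-]+)' is present in local config but missing in remote config, local='([^']*)'")
OPT_VERIFY = re.compile(PEER + r" Option inconsistency warnings triggering disconnect due to --opt-verify")
AUTH_OK = re.compile(r"AUTH SUCCESS .*'user': u?'([^']+)'.*cli=u?'([^']*)'/u?'([^']*)'")
AUTH_FAILED = re.compile(PEER + r" SENT CONTROL \[([^\]]+)\]: 'AUTH_FAILED'")

def triage(log_text):
    """Classify each AUTH_FAILED as an option mismatch or a credential/other failure."""
    mismatch, dropped, auth_ok, findings = {}, set(), {}, []
    for line in log_text.splitlines():
        if m := MISMATCH.search(line):
            mismatch[m.group(1)] = (m.group(2), m.group(3))    # peer -> (option, server setting)
        elif m := OPT_VERIFY.search(line):
            dropped.add(m.group(1))                            # peer flagged for disconnect
        elif m := AUTH_OK.search(line):
            auth_ok[m.group(1)] = f"{m.group(2)}/{m.group(3)}"  # user -> client platform/version
        elif m := AUTH_FAILED.search(line):
            peer, user = m.groups()
            # Credentials were accepted AND --opt-verify fired for this peer: not a password problem.
            if peer in dropped and user in auth_ok:
                option, setting = mismatch.get(peer, ("unknown", "unknown"))
                findings.append({"peer": peer, "user": user, "cause": "option-mismatch",
                                 "option": option, "server_setting": setting, "client": auth_ok[user]})
            else:
                findings.append({"peer": peer, "user": user, "cause": "credentials-or-other"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The `client` field in an option-mismatch finding shows which client versions still need one of the four options listed above.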