Lockout Policy does nothing with non-Windows clients
Posted: Thu Jul 01, 2021 7:44 pm
We are performing an internal audit and started testing our lockout policies with respect to the VPN tool.
What we found was that only the Windows OpenVPN Connect Client seems to ever trigger a lockout. Solutions like Veritas, Tunnelblick, or the OpenVPN Connect Clients for macOS do not trigger a user lockout with repeated testing.
I would not think that the lockout mechanism should be tied to the client (as it would be easy to comment out a routine in an open source client), which makes me think it's more likely a protocol-related issue. I have noticed when the Windows Clients log in, they do not show a Protocol/Port when connecting like the other clients do (usually UDP 1194). So I wonder if there is something broken in the way the protocol handshakes are working in OpenVPN AS. We are testing this on a 2.9.1 build, for Ubuntu Linux 18.04.3.
I would be curious if others could reproduce this issue, and if someone with deeper understanding could explain it, or get someone to patch it.