tls-verify reject client and send message

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
jpknz
OpenVpn Newbie
Posts: 6
Joined: Mon Aug 13, 2018 3:26 pm

tls-verify reject client and send message

Post by jpknz » Tue Apr 09, 2019 2:35 pm

Hi

I currently have a working VPN and use a tls-verify script to stop temporarily suspended clients from connecting. This works fine however there are a couple of issues.

The tls-verify script is essentially the same one from https://github.com/OpenVPN/openvpn/blob ... /verify-cn except that instead of allowing clients who are in the list it rejects them.

When a client connects and is suspended they aren't able to connect however the client simply hangs and retries after a period of time. I have a couple of questions as below.
1. How to I force the client to disconnect and not retry connecting?
2. How do I send a message to the client to be displayed to the user? I've tried using push "echo messagehere" (just in the server.conf as a test) and I can see the message in the log on an iphone but on windows it simply displays echo alongside the push options (haven't tried on Mac, Android or Linux yet). Can I use if statements in the server.conf to selectively send a message to only those clients who have been refused connection? And can the message require the user to press OK to acknowledge the message?

The use case is the end user has service temporarily suspended because their payment failed and they need to take action to reinstate it.

Thanks in advance.

Example of what happens (client) is below.

Client Log File
Tue Apr 09 15:19:06 2019 OpenVPN 2.4.7 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Tue Apr 09 15:19:06 2019 Windows version 6.1 (Windows 7) 32bit
Tue Apr 09 15:19:06 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Tue Apr 09 15:19:06 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 09 15:19:06 2019 Need hold release from management interface, waiting...
Tue Apr 09 15:19:06 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'state on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'log all on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'echo all on'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'hold off'
Tue Apr 09 15:19:06 2019 MANAGEMENT: CMD 'hold release'
Tue Apr 09 15:19:06 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 09 15:19:06 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 09 15:19:06 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 09 15:19:06 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 09 15:19:06 2019 MANAGEMENT: >STATE:1554819546,RESOLVE,,,,,,
Tue Apr 09 15:19:07 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443
Tue Apr 09 15:19:07 2019 Socket Buffers: R=[8192->8192] S=[64512->64512]
Tue Apr 09 15:19:07 2019 UDP link local: (not bound)
Tue Apr 09 15:19:07 2019 UDP link remote: [AF_INET]****REMOVED****:443
Tue Apr 09 15:19:07 2019 MANAGEMENT: >STATE:1554819547,WAIT,,,,,,
Tue Apr 09 15:19:07 2019 MANAGEMENT: >STATE:1554819547,AUTH,,,,,,
Tue Apr 09 15:19:07 2019 TLS: Initial packet from [AF_INET]****REMOVED****:443, sid=6d76cf0c 482ab743
Tue Apr 09 15:19:07 2019 VERIFY OK: depth=1, CN=****REMOVED****
Tue Apr 09 15:19:07 2019 VERIFY KU OK
Tue Apr 09 15:19:07 2019 Validating certificate extended key usage
Tue Apr 09 15:19:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 09 15:19:07 2019 VERIFY EKU OK
Tue Apr 09 15:19:07 2019 VERIFY X509NAME OK: CN=****REMOVED****
Tue Apr 09 15:19:07 2019 VERIFY OK: depth=0, CN=****REMOVED****
Tue Apr 09 15:20:08 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 15:20:08 2019 TLS Error: TLS handshake failed
Tue Apr 09 15:20:08 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 09 15:20:08 2019 MANAGEMENT: >STATE:1554819608,RECONNECTING,tls-error,,,,,
Tue Apr 09 15:20:08 2019 Restart pause, 5 second(s)
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,RESOLVE,,,,,,
Tue Apr 09 15:20:13 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443
Tue Apr 09 15:20:13 2019 Socket Buffers: R=[8192->8192] S=[64512->64512]
Tue Apr 09 15:20:13 2019 UDP link local: (not bound)
Tue Apr 09 15:20:13 2019 UDP link remote: [AF_INET]****REMOVED****:443
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,WAIT,,,,,,
Tue Apr 09 15:20:13 2019 MANAGEMENT: >STATE:1554819613,AUTH,,,,,,
Tue Apr 09 15:20:13 2019 TLS: Initial packet from [AF_INET]3****REMOVED****:443, sid=5ee1e8a6 4d9ac213
Tue Apr 09 15:20:13 2019 VERIFY OK: depth=1, CN=****REMOVED****
Tue Apr 09 15:20:13 2019 VERIFY KU OK
Tue Apr 09 15:20:13 2019 Validating certificate extended key usage
Tue Apr 09 15:20:13 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 09 15:20:13 2019 VERIFY EKU OK
Tue Apr 09 15:20:13 2019 VERIFY X509NAME OK: CN=****REMOVED****
Tue Apr 09 15:20:13 2019 VERIFY OK: depth=0, CN=****REMOVED****
Tue Apr 09 15:21:13 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 15:21:13 2019 TLS Error: TLS handshake failed
Tue Apr 09 15:21:13 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 09 15:21:13 2019 MANAGEMENT: >STATE:1554819673,RECONNECTING,tls-error,,,,,
Tue Apr 09 15:21:13 2019 Restart pause, 5 second(s)
Tue Apr 09 15:21:18 2019 MANAGEMENT: >STATE:1554819678,RESOLVE,,,,,,
Tue Apr 09 15:21:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]****REMOVED****:443

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-verify reject client and send message

Post by TinCanTech » Tue Apr 09, 2019 3:26 pm

jpknz wrote:
Tue Apr 09, 2019 2:35 pm
How do I send a message to the client to be displayed to the user?
Openvpn does not do this.

jpknz
OpenVpn Newbie
Posts: 6
Joined: Mon Aug 13, 2018 3:26 pm

Re: tls-verify reject client and send message

Post by jpknz » Tue Apr 09, 2019 5:30 pm

Thanks. It seems that the echo command does send the message to the client - see https://openvpn.net/archive/openvpn-dev ... 00029.html that says the echo command should do this but not in the way I describe above.

I also found this https://github.com/selvanair/openvpn-gu ... 1-echo-msg but haven't given it a go yet. I think it may be a specific build for windows rather than anything that has made it in to the main code.

Any idea on making the client disconnect when they are found in the list instead of appearing to hang and then retrying constantly?

Post Reply