Opened 4 years ago

Last modified 2 years ago

#1336 assigned Bug / Defect

AUTH_FAILED is not DDOS resilient

Reported by: tct Owned by: nobody
Priority: major Milestone: release 2.6
Component: Generic / unclassified Version: OpenVPN 2.5.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: tct, plaisthos

Description

Using a default client config:

dev tun
windows-driver wintun
nobind
client
config easytls.conf # Certs/keys

remote-cert-tls server
verb 4

remote 10.10.101.101 34571

# One with and one without the user/pass
auth-user-pass userpass.txt

The client sends the wrong password:

The server rejects this client on account of AUTH_FAILED. This is pushed back to the client and the client restarts in 5 seconds. (DDOS)

--connect-retry does not affect this failure and the client always restarts in 5 seconds.

The client does not send user/pass

If the client fails to push a username+password then the client fails to connect but the server does not respond AUTH_FAILED and the client waits for the expected TLS handshake time-out.

Eventually, the client backs off as per --connect-retry defaults.

Logs below (note: times):

  1. Client sends wrong user/pass, receives AUTH_FAILED (DDOS)
  2. Continuation snip showing 5 second restart
  3. Client does not send user/pass and receives nothing
  4. Server log showing hammering
  5. Server log when the client does not send user/pass

Client log - receives AUTH_FAILED (DDOS)

2020-10-11 20:15:28 us=411379 OpenVPN 2.5_rc2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
2020-10-11 20:15:28 us=411379 Windows version 6.1 (Windows 7) 32bit
2020-10-11 20:15:28 us=411379 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2020-10-11 20:15:28 us=411379 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2020-10-11 20:15:28 us=411379 Need hold release from management interface, waiting...
2020-10-11 20:15:28 us=880129 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2020-10-11 20:15:28 us=989504 MANAGEMENT: CMD 'state on'
2020-10-11 20:15:28 us=989504 MANAGEMENT: CMD 'log all on'
2020-10-11 20:15:29 us=286379 MANAGEMENT: CMD 'echo all on'
2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'bytecount 5'
2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'hold off'
2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'hold release'
2020-10-11 20:15:29 us=317629 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:15:29 us=317629 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:15:29 us=317629 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:15:29 us=317629 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:15:29 us=317629 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2020-10-11 20:15:29 us=317629 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-10-11 20:15:29 us=317629 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
2020-10-11 20:15:29 us=317629 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
2020-10-11 20:15:29 us=317629 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
2020-10-11 20:15:29 us=317629 Socket Buffers: R=[8192->8192] S=[8192->8192]
2020-10-11 20:15:29 us=317629 UDP link local: (not bound)
2020-10-11 20:15:29 us=317629 UDP link remote: [AF_INET]10.10.101.101:34571
2020-10-11 20:15:29 us=317629 MANAGEMENT: >STATE:1602443729,WAIT,,,,,,
2020-10-11 20:15:29 us=380129 MANAGEMENT: >STATE:1602443729,AUTH,,,,,,
2020-10-11 20:15:29 us=380129 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=cb26395e ef50663f
2020-10-11 20:15:29 us=380129 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-10-11 20:15:29 us=395754 VERIFY KU OK
2020-10-11 20:15:29 us=395754 Validating certificate extended key usage
2020-10-11 20:15:29 us=395754 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-10-11 20:15:29 us=395754 VERIFY EKU OK
2020-10-11 20:15:29 us=395754 VERIFY OK: depth=0, CN=s01
2020-10-11 20:15:29 us=427004 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-10-11 20:15:29 us=427004 [s01] Peer Connection Initiated with [AF_INET]10.10.101.101:34571
2020-10-11 20:15:30 us=583254 MANAGEMENT: >STATE:1602443730,GET_CONFIG,,,,,,
2020-10-11 20:15:30 us=583254 SENT CONTROL [s01]: 'PUSH_REQUEST' (status=1)
2020-10-11 20:15:30 us=583254 AUTH: Received control message: AUTH_FAILED
2020-10-11 20:15:30 us=583254 TCP/UDP: Closing socket
2020-10-11 20:15:30 us=583254 SIGUSR1[soft,auth-failure] received, process restarting
2020-10-11 20:15:30 us=583254 MANAGEMENT: >STATE:1602443730,RECONNECTING,auth-failure,,,,,
2020-10-11 20:15:30 us=583254 Restart pause, 5 second(s)

This goes on and on:

2020-10-11 20:17:22 us=520754 Restart pause, 5 second(s)
2020-10-11 20:17:27 us=520754 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:17:27 us=520754 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:17:27 us=520754 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:17:27 us=520754 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:17:27 us=520754 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2020-10-11 20:17:27 us=520754 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-10-11 20:17:27 us=520754 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
2020-10-11 20:17:27 us=520754 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
2020-10-11 20:17:27 us=520754 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
2020-10-11 20:17:27 us=520754 Socket Buffers: R=[8192->8192] S=[8192->8192]
2020-10-11 20:17:27 us=520754 UDP link local: (not bound)
2020-10-11 20:17:27 us=520754 UDP link remote: [AF_INET]10.10.101.101:34571
2020-10-11 20:17:27 us=520754 MANAGEMENT: >STATE:1602443847,WAIT,,,,,,
2020-10-11 20:17:27 us=614504 MANAGEMENT: >STATE:1602443847,AUTH,,,,,,
2020-10-11 20:17:27 us=614504 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=bb537965 8ff299f1
2020-10-11 20:17:27 us=630129 VERIFY KU OK
2020-10-11 20:17:27 us=630129 Validating certificate extended key usage
2020-10-11 20:17:27 us=630129 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-10-11 20:17:27 us=630129 VERIFY EKU OK
2020-10-11 20:17:27 us=630129 VERIFY OK: depth=0, CN=s01
2020-10-11 20:17:27 us=692629 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-10-11 20:17:27 us=692629 [s01] Peer Connection Initiated with [AF_INET]10.10.101.101:34571
2020-10-11 20:17:28 us=723879 MANAGEMENT: >STATE:1602443848,GET_CONFIG,,,,,,
2020-10-11 20:17:28 us=723879 SENT CONTROL [s01]: 'PUSH_REQUEST' (status=1)
2020-10-11 20:17:28 us=723879 AUTH: Received control message: AUTH_FAILED
2020-10-11 20:17:28 us=723879 TCP/UDP: Closing socket
2020-10-11 20:17:28 us=723879 SIGUSR1[soft,auth-failure] received, process restarting
2020-10-11 20:17:28 us=723879 MANAGEMENT: >STATE:1602443848,RECONNECTING,auth-failure,,,,,
2020-10-11 20:17:28 us=723879 Restart pause, 5 second(s)
2020-10-11 20:17:32 us=723879 SIGTERM[hard,init_instance] received, process exiting
2020-10-11 20:17:32 us=723879 MANAGEMENT: >STATE:1602443852,EXITING,init_instance,,,,,

Client log waits for TLS handshake:

Sun Oct 11 20:07:00 2020 OpenVPN 2.5_rc2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
Sun Oct 11 20:07:00 2020 Windows version 6.1 (Windows 7) 32bit
Sun Oct 11 20:07:00 2020 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Sun Oct 11 20:07:00 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Oct 11 20:07:00 2020 Need hold release from management interface, waiting...
Sun Oct 11 20:07:01 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'state on'
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'log all on'
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'echo all on'
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'bytecount 5'
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'hold off'
Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'hold release'
Sun Oct 11 20:07:01 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Oct 11 20:07:01 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Oct 11 20:07:01 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Oct 11 20:07:01 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Oct 11 20:07:01 2020 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Oct 11 20:07:01 2020 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun Oct 11 20:07:01 2020 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Oct 11 20:07:01 2020 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Oct 11 20:07:01 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
Sun Oct 11 20:07:01 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 11 20:07:01 2020 UDP link local: (not bound)
Sun Oct 11 20:07:01 2020 UDP link remote: [AF_INET]10.10.101.101:34571
Sun Oct 11 20:07:01 2020 MANAGEMENT: >STATE:1602443221,WAIT,,,,,,
Sun Oct 11 20:07:01 2020 MANAGEMENT: >STATE:1602443221,AUTH,,,,,,
Sun Oct 11 20:07:01 2020 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=acd4374d 3676ee51
Sun Oct 11 20:07:01 2020 VERIFY KU OK
Sun Oct 11 20:07:01 2020 Validating certificate extended key usage
Sun Oct 11 20:07:01 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 11 20:07:01 2020 VERIFY EKU OK
Sun Oct 11 20:07:01 2020 VERIFY OK: depth=0, CN=s01
Sun Oct 11 20:08:01 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct 11 20:08:01 2020 TLS Error: TLS handshake failed
Sun Oct 11 20:08:01 2020 TCP/UDP: Closing socket
Sun Oct 11 20:08:01 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 11 20:08:01 2020 MANAGEMENT: >STATE:1602443281,RECONNECTING,tls-error,,,,,
Sun Oct 11 20:08:01 2020 Restart pause, 5 second(s)
Sun Oct 11 20:08:06 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

Server log showing hammering, also note the client was able to send --explicit-exit-notify (looks like it did):

2020-10-11 20:17:27 us=470623 MULTI: multi_create_instance called
2020-10-11 20:17:27 us=470859 10.10.201.107:51782 Re-using SSL/TLS context
2020-10-11 20:17:27 us=471068 10.10.201.107:51782 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:17:27 us=471447 10.10.201.107:51782 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:17:27 us=471788 10.10.201.107:51782 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-10-11 20:17:27 us=472055 10.10.201.107:51782 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-10-11 20:17:27 us=472246 10.10.201.107:51782 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
2020-10-11 20:17:27 us=472452 10.10.201.107:51782 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
2020-10-11 20:17:27 us=472631 10.10.201.107:51782 TLS: Initial packet from [AF_INET]10.10.201.107:51782, sid=99dfa143 100c9c53
2020-10-11 20:17:27 us=472734 10.10.201.107:51782 Control Channel: using tls-crypt-v2 key
2020-10-11 20:17:27 us=472852 10.10.201.107:51782 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:17:27 us=472950 10.10.201.107:51782 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:17:27 us=473037 10.10.201.107:51782 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:17:27 us=473073 10.10.201.107:51782 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
<EXOK> * TLS-crypt-v2-verify (index) ==> easytls OK ==> custom_group tincantech OK ==> Key age 0 days OK ==> identity OK ==> Enabled OK ==> Client certificate is recognised and Valid: 5E80D99E6EBB48C8C7E7FB5987AD1EF3 cw01
2020-10-11 20:17:27 us=557125 10.10.201.107:51782 TLS CRYPT V2 VERIFY SCRIPT OK
2020-10-11 20:17:27 us=623270 10.10.201.107:51782 VERIFY OK: depth=1, CN=easytls
2020-10-11 20:17:27 us=624391 10.10.201.107:51782 VERIFY OK: depth=0, CN=cw01
2020-10-11 20:17:27 us=624828 10.10.201.107:51782 peer info: IV_VER=2.5_rc2
2020-10-11 20:17:27 us=624876 10.10.201.107:51782 peer info: IV_PLAT=win
2020-10-11 20:17:27 us=624909 10.10.201.107:51782 peer info: IV_PROTO=6
2020-10-11 20:17:27 us=624934 10.10.201.107:51782 peer info: IV_NCP=2
2020-10-11 20:17:27 us=624959 10.10.201.107:51782 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2020-10-11 20:17:27 us=624977 10.10.201.107:51782 peer info: IV_LZ4=1
2020-10-11 20:17:27 us=624997 10.10.201.107:51782 peer info: IV_LZ4v2=1
2020-10-11 20:17:27 us=625013 10.10.201.107:51782 peer info: IV_LZO=1
2020-10-11 20:17:27 us=625029 10.10.201.107:51782 peer info: IV_COMP_STUB=1
2020-10-11 20:17:27 us=625045 10.10.201.107:51782 peer info: IV_COMP_STUBv2=1
2020-10-11 20:17:27 us=625061 10.10.201.107:51782 peer info: IV_TCPNL=1
2020-10-11 20:17:27 us=625076 10.10.201.107:51782 peer info: IV_HWADDR=08:00:27:10:b8:d0
2020-10-11 20:17:27 us=625094 10.10.201.107:51782 peer info: IV_SSL=OpenSSL_1.1.1h__22_Sep_2020
2020-10-11 20:17:27 us=625110 10.10.201.107:51782 peer info: IV_PLAT_VER=6.1_32bit
2020-10-11 20:17:27 us=625125 10.10.201.107:51782 peer info: IV_GUI_VER=OpenVPN_GUI_11
NO-NO-NO
2020-10-11 20:17:27 us=636464 10.10.201.107:51782 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
2020-10-11 20:17:27 us=636561 10.10.201.107:51782 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:17:27 us=650336 10.10.201.107:51782 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-10-11 20:17:27 us=650482 10.10.201.107:51782 [cw01] Peer Connection Initiated with [AF_INET]10.10.201.107:51782
2020-10-11 20:17:27 us=895839 10.10.201.107:51781 SIGTERM[soft,delayed-exit] received, client-instance exiting
2020-10-11 20:17:28 us=672267 10.10.201.107:51782 PUSH: Received control message: 'PUSH_REQUEST'
2020-10-11 20:17:28 us=672308 10.10.201.107:51782 Delayed exit in 5 seconds
2020-10-11 20:17:28 us=672424 10.10.201.107:51782 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:17:33 us=877372 10.10.201.107:51782 SIGTERM[soft,delayed-exit] received, client-instance exiting

Server log when the client does not send user/pass:

2020-10-11 20:07:01 us=409459 MULTI: multi_create_instance called
2020-10-11 20:07:01 us=409499 10.10.201.107:57110 Re-using SSL/TLS context
2020-10-11 20:07:01 us=409536 10.10.201.107:57110 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:07:01 us=409558 10.10.201.107:57110 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:07:01 us=409624 10.10.201.107:57110 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-10-11 20:07:01 us=409642 10.10.201.107:57110 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2020-10-11 20:07:01 us=409687 10.10.201.107:57110 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
2020-10-11 20:07:01 us=409705 10.10.201.107:57110 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
2020-10-11 20:07:01 us=409744 10.10.201.107:57110 TLS: Initial packet from [AF_INET]10.10.201.107:57110, sid=5cda270d 0cb021ad
2020-10-11 20:07:01 us=409758 10.10.201.107:57110 Control Channel: using tls-crypt-v2 key
2020-10-11 20:07:01 us=409788 10.10.201.107:57110 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:07:01 us=409805 10.10.201.107:57110 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:07:01 us=409818 10.10.201.107:57110 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:07:01 us=409836 10.10.201.107:57110 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
<EXOK> * TLS-crypt-v2-verify (index) ==> easytls OK ==> custom_group tincantech OK ==> Key age 0 days OK ==> identity OK ==> Enabled OK ==> Client certificate is recognised and Valid: 5E80D99E6EBB48C8C7E7FB5987AD1EF3 cw01
2020-10-11 20:07:01 us=431426 10.10.201.107:57110 TLS CRYPT V2 VERIFY SCRIPT OK
2020-10-11 20:07:01 us=461498 10.10.201.107:57110 VERIFY OK: depth=1, CN=easytls
2020-10-11 20:07:01 us=461646 10.10.201.107:57110 VERIFY OK: depth=0, CN=cw01
2020-10-11 20:07:01 us=462062 10.10.201.107:57110 peer info: IV_VER=2.5_rc2
2020-10-11 20:07:01 us=462117 10.10.201.107:57110 peer info: IV_PLAT=win
2020-10-11 20:07:01 us=462141 10.10.201.107:57110 peer info: IV_PROTO=6
2020-10-11 20:07:01 us=462164 10.10.201.107:57110 peer info: IV_NCP=2
2020-10-11 20:07:01 us=462187 10.10.201.107:57110 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2020-10-11 20:07:01 us=462208 10.10.201.107:57110 peer info: IV_LZ4=1
2020-10-11 20:07:01 us=462224 10.10.201.107:57110 peer info: IV_LZ4v2=1
2020-10-11 20:07:01 us=462239 10.10.201.107:57110 peer info: IV_LZO=1
2020-10-11 20:07:01 us=462251 10.10.201.107:57110 peer info: IV_COMP_STUB=1
2020-10-11 20:07:01 us=462263 10.10.201.107:57110 peer info: IV_COMP_STUBv2=1
2020-10-11 20:07:01 us=462285 10.10.201.107:57110 peer info: IV_TCPNL=1
2020-10-11 20:07:01 us=462313 10.10.201.107:57110 peer info: IV_HWADDR=08:00:27:10:b8:d0
2020-10-11 20:07:01 us=462343 10.10.201.107:57110 peer info: IV_SSL=OpenSSL_1.1.1h__22_Sep_2020
2020-10-11 20:07:01 us=462357 10.10.201.107:57110 peer info: IV_PLAT_VER=6.1_32bit
2020-10-11 20:07:01 us=462369 10.10.201.107:57110 peer info: IV_GUI_VER=OpenVPN_GUI_11
2020-10-11 20:07:01 us=462384 10.10.201.107:57110 TLS Error: Auth Username/Password was not provided by peer
2020-10-11 20:07:01 us=462396 10.10.201.107:57110 TLS Error: TLS handshake failed
2020-10-11 20:07:01 us=462497 10.10.201.107:57110 SIGUSR1[soft,tls-error] received, client-instance restarting
2020-10-11 20:08:06 us=519418 Control Channel: using tls-crypt-v2 key
2020-10-11 20:08:06 us=519513 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:08:06 us=519553 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:08:06 us=519578 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-10-11 20:08:06 us=519605 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-10-11 20:08:06 us=519659 MULTI: multi_create_instance called
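The server log above is the only place the hammering is visible, so a small detector is useful when triaging it. The following is an added example for this ticket, not code from OpenVPN or easytls: it parses server log lines in the verb 4 format shown above ("YYYY-MM-DD HH:MM:SS us=NNNNNN ip:port message"), separates the two failure modes from the ticket (wrong password vs. no credentials sent), and flags any client address that reaches a threshold of wrong-password failures inside a sliding window. The sample lines are constructed to mirror the 5-second restart loop; they are not copied from a live server.

```python
"""Detect a client hammering an OpenVPN server with failed user/pass auth.

Added example; not part of OpenVPN or easytls. Only the two server-side
messages quoted in the ticket are used to classify failures. The
"SENT CONTROL ... 'AUTH_FAILED'" line that follows about a second later
belongs to the same session and is deliberately not counted twice.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# verb 4 server log: "2020-10-11 20:17:27 us=636561 10.10.201.107:51782 <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=(?P<us>\d{1,6}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)

WRONG_PASSWORD = "Auth Username/Password verification failed for peer"
NO_CREDENTIALS = "Auth Username/Password was not provided by peer"

THRESHOLD = 5                    # wrong-password failures ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window


def parse_auth_events(lines):
    """Yield (timestamp, client_ip, kind) for every auth failure line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # MULTI:, <EXOK>, NO-NO-NO and other lines without ip:port
        msg = m["msg"]
        if WRONG_PASSWORD in msg:
            kind = "wrong-password"
        elif NO_CREDENTIALS in msg:
            kind = "no-credentials"
        else:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ts += timedelta(microseconds=int(m["us"]))
        yield ts, m["ip"], kind


def summarize(lines):
    """Per-client counts of each failure kind: {ip: Counter}."""
    counts = defaultdict(Counter)
    for _, ip, kind in parse_auth_events(lines):
        counts[ip][kind] += 1
    return dict(counts)


def find_hammering(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: timestamp} for clients whose wrong-password failures
    reached `threshold` inside `window`; the timestamp is when it happened."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, kind in parse_auth_events(lines):
        if kind != "wrong-password":
            continue   # a missing password is a misconfiguration, not a guess
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: one client restarting every ~5 s with a wrong password,
# one unrelated single failure, and one "no credentials" restart.
SAMPLE_LOG = """\
2020-10-11 20:15:30 us=102331 MULTI: multi_create_instance called
2020-10-11 20:15:30 us=336464 10.10.201.107:51780 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
2020-10-11 20:15:30 us=336561 10.10.201.107:51780 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:31 us=372424 10.10.201.107:51780 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:15:35 us=636561 10.10.201.107:51781 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:40 us=901202 10.10.201.107:51782 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:46 us=144078 10.10.201.107:51783 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:49 us=500012 10.10.201.50:41000 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:51 us=402990 10.10.201.107:51784 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:15:56 us=655113 10.10.201.107:51785 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:16:02 us=462384 10.10.201.107:51786 TLS Error: Auth Username/Password was not provided by peer
""".splitlines()


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, when in find_hammering(lines).items():
        print(f"{ip}: {THRESHOLD} wrong-password failures within {WINDOW.seconds}s by {when}")
```

Run it against a real server log as `python3 detect.py /var/log/openvpn/server.log`; with the constructed sample, 10.10.201.107 is flagged at its fifth failure (20:15:51) while the single failure from 10.10.201.50 and the no-credentials restart are reported by summarize() but not treated as hammering.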

Change History (8)

comment:1 Changed 4 years ago by tct

Cc: tct added

comment:2 Changed 4 years ago by tct

Version: OpenVPN 2.4.5 (Community Ed) → OpenVPN 2.5.0 (Community Ed)

comment:3 Changed 4 years ago by tct

Related: #1348

comment:4 Changed 4 years ago by Gert Döring

Milestone: release 2.6

Yeah, having "wrong username + password in a *file*" is really something that wants exponential backoff.

"Interactive" it does not make sense to add delay, as the timing constant is a human typing things in...

Someone needs to dive into the reconnect logic and figure out where these two cases ("real connection failure" and "AUTH_FAIL") diverge wrt timing.
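Until the client-side retry timing is reworked, the server can enforce the backoff itself, because the AUTH_FAILED in the logs above is the result of the --auth-user-pass-verify script exiting 1. The script below is an added example for this ticket, not the reporter's script, easytls, or any OpenVPN code. Assumed setup: the server config carries `auth-user-pass-verify /etc/openvpn/verify-throttle.py via-file`, so OpenVPN runs the script with a temporary file path in argv[1] (username on line 1, password on line 2) and exports the peer address as the `untrusted_ip` environment variable; exit status 0 accepts the client, anything else makes the server send AUTH_FAILED. The state file path, the credential table (`check_credentials`, a constructed in-memory table in place of PAM/LDAP) and the delay constants are assumptions chosen to mirror the shape of --connect-retry (a few free attempts, then doubling, capped).

```python
#!/usr/bin/env python3
"""Server-side backoff for --auth-user-pass-verify.

Added example; not part of OpenVPN or easytls. Policy: the first
FREE_ATTEMPTS consecutive failures per (ip, username) cost nothing;
after that the client must wait BASE_DELAY seconds, doubling per further
failure and capped at MAX_DELAY, before another password is even
checked. Attempts arriving inside the hold are refused without looking
at the password and do not extend the hold, so a misconfigured client
cannot lock itself out forever.
"""
import fcntl
import hashlib
import hmac
import json
import math
import os
import sys
import time

STATE_FILE = "/run/openvpn/auth-failures.json"   # assumed path
FREE_ATTEMPTS = 5
BASE_DELAY = 5
MAX_DELAY = 300

# Constructed credential table: username -> PBKDF2-SHA256 hex digest.
_SALT = b"example-salt"
_USERS = {
    "cw01": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000).hex(),
}


def check_credentials(username, password):
    """Constant-time comparison against the constructed table."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()
    return hmac.compare_digest(got, expected)


def required_delay(fails):
    """Seconds a client must wait after `fails` consecutive failures."""
    if fails < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY * 2 ** (fails - FREE_ATTEMPTS), MAX_DELAY)


def evaluate(state, key, now, verify):
    """Apply the policy. `verify` is only called when the client is not
    inside a hold. Returns (accepted, retry_after_seconds, state)."""
    entry = state.get(key, {"fails": 0, "last": 0.0})
    remaining = entry["last"] + required_delay(entry["fails"]) - now
    if remaining > 0:
        return False, math.ceil(remaining), state      # still inside the hold
    if verify():
        state.pop(key, None)                           # success clears the record
        return True, 0, state
    entry = {"fails": entry["fails"] + 1, "last": now}
    state[key] = entry
    return False, required_delay(entry["fails"]), state


def main(argv):
    with open(argv[1]) as fh:                           # via-file credentials
        lines = fh.read().splitlines()
    username = lines[0] if lines else ""
    password = lines[1] if len(lines) > 1 else ""
    key = f"{os.environ.get('untrusted_ip', '?')}|{username}"

    os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
    with open(STATE_FILE, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)     # OpenVPN runs verify scripts concurrently
        fh.seek(0)
        raw = fh.read()
        state = json.loads(raw) if raw else {}
        accepted, retry_after, state = evaluate(
            state, key, time.time(), lambda: check_credentials(username, password))
        fh.seek(0)
        fh.truncate()
        json.dump(state, fh)

    if not accepted:
        # stderr ends up in the server log, next to the AUTH_FAILED line
        print(f"auth refused for {key}; retry after {retry_after}s", file=sys.stderr)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This does not stop a client that restarts every 5 seconds from sending packets, but it stops the server from doing a password check (or a PAM/LDAP round trip) for each of them, and a correct password presented during the hold is still refused, which is the behaviour a client with stale credentials in a file should see. Keying on (ip, username) rather than ip alone avoids one bad client behind a NAT locking out its neighbours.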

comment:5 Changed 4 years ago by Gert Döring

Cc: plaisthos added

comment:6 Changed 3 years ago by tct

My initial report has been addressed. When the client fails to AUTH, due to incorrect password, the client is terminated.

Edit: Need to double check this ..

A reasonably thorough test shows that if the client fails at password AUTH then the server always sends AUTH_FAILED and the client terminates gracefully.

Circumstances regarding systemd or Windows Services notwithstanding, I think this can be closed. Awaiting proper approval because I'm not 100% sure.

Last edited 3 years ago by tct

comment:7 Changed 3 years ago by tct

Owner: set to Gert Döring
Status: new → assigned

comment:8 Changed 2 years ago by Gert Döring

Owner: changed from Gert Döring to nobody

Whether or not the client fails on AUTH_FAILED depends on --auth-retry nointeract being set (which is non-default). So it still makes sense to have good retry behaviour then.
