Opened 17 months ago

Last modified 16 months ago

#1482 new Bug / Defect

openvpn 2.4.7 with auth-user-pass-optional breaks auth-gen-token

Reported by: wdoekes Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: walter.openvpn@…

Description

Hi,

as far as I understand, we can use this on the server side:

auth-user-pass-verify my-auth-script via-file

reneg-sec 3600
auth-gen-token 57600  # 16 hours.. you need one reconnect/repassword daily

This should cause the user to get a 2FA prompt only once every 16 hours.

If we then combine this with:

auth-user-pass-optional

making the 2FA optional (*) and a client that does not provide a password, we get these errors on the server every 3600 seconds:

TLS Auth Error: Auth-token verification failed for username ''
TLS Error: local/remote TLS keys are out of sync: [AF_INET]<ip>:<port> [0]
TLS Error: local/remote TLS keys are out of sync: [AF_INET]<ip>:<port> [0]
...

after which the connection is terminated in due time because the keepalives start to fail.

I assume the cause is that the client doesn't know it should send any tokens at all, while the server starts expecting tokens after the first hour.

There appear to be two workarounds for this:

(1) Pass a bogus username/password from the client (and ignore the bogus values in the auth-user-pass-verify module):

auth-user-pass /etc/protocols

(2) Don't use auth-gen-token in the server, but increase reneg-sec:

reneg-sec 57600  # 16 hours.. you need one reconnect/repassword daily
#auth-gen-token 57600

This issue looks related, but not equal, to #1447.

To me, it looks like the bogus username/password passing is the more secure option -- because then we do get renegotiation. But it is also the ugliest.

Cheers,
Walter Doekes
OSSO B.V.

(*) Why optional 2FA? For systems without humans attached we have separate security measures (IP whitelists, etc.).

(**) This behaviour was observed with the default openvpn on Ubuntu/Focal. I did not find tickets/changes that looked like this was fixed in newer versions.
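The following is an added example, not code from the ticket or from the OpenVPN project: a via-file auth-user-pass-verify script for the setup described in this report, written so that the placeholder credentials of workaround (1), or the empty credentials a client sends under auth-user-pass-optional, can never stand in for 2FA. The decision is keyed on the client certificate CN: CNs in an unattended-systems list are accepted on a source-network allowlist (the "IP whitelists" the report mentions) and their credentials are ignored; every other CN must present a matching username, a static password and a TOTP code. The client names, networks, user record and the password+TOTP convention are constructed assumptions. The calling convention (the temp file path as the single argument, username on line 1 and password on line 2, the CN in $common_name, the peer address in $untrusted_ip, exit 0 to accept and 1 to reject) is OpenVPN's documented one.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify script (via-file mode) for a server running
auth-user-pass-optional. Added example; policy data below is constructed.

OpenVPN runs:  script <tmpfile>   (line 1 = username, line 2 = password)
Environment:   $common_name (client cert CN), $untrusted_ip (peer address)
Exit status:   0 = accept, 1 = reject
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import sys
import time

# Constructed policy data (assumptions, not from the ticket).
# Unattended systems: no human, so no 2FA; CN plus source network decide.
UNATTENDED_CLIENTS = {
    "backup-host01": ["203.0.113.0/24"],
    "monitoring-probe": ["198.51.100.10/32", "2001:db8::/64"],
}
# Human users: static password with a 6-digit TOTP appended (this
# "password+code" convention is an assumption of the example). Plain-text
# secrets keep the example short; a deployment would store a password hash.
HUMAN_USERS = {
    "walter": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}
TOTP_STEP = 30
TOTP_DIGITS = 6


def parse_credentials(path):
    """Return (username, password) from the via-file temp file.
    A client that sent no auth-user-pass yields two empty strings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().split("\n")
    lines += ["", ""]
    return lines[0], lines[1]


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP, HMAC-SHA1, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=TOTP_STEP):
    """RFC 6238 TOTP for the given Unix time."""
    return hotp(secret, int(now) // step)


def ip_allowed(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in networks)


def verify(username, password, common_name, peer_ip, now=None):
    """Policy decision. The certificate CN, not the username, selects the
    path, so a placeholder username/password (workaround (1)) or none at
    all (auth-user-pass-optional) only ever reaches the unattended rule."""
    now = time.time() if now is None else now
    if common_name in UNATTENDED_CLIENTS:
        # Credentials deliberately ignored; source-network allowlist instead.
        return ip_allowed(peer_ip, UNATTENDED_CLIENTS[common_name])
    user = HUMAN_USERS.get(username)
    if user is None or username != common_name:
        return False  # unknown user, or a cert issued to someone else
    static, code = password[:-TOTP_DIGITS], password[-TOTP_DIGITS:]
    if not hmac.compare_digest(static.encode(), user["password"].encode()):
        return False
    # Accept the current step and one step either side for clock skew.
    for skew in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + skew * TOTP_STEP)
        if hmac.compare_digest(code.encode(), expected.encode()):
            return True
    return False


def main(argv):
    if len(argv) != 2:
        return 1
    username, password = parse_credentials(argv[1])
    ok = verify(username, password,
                os.environ.get("common_name", ""),
                os.environ.get("untrusted_ip", ""))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in with `auth-user-pass-verify /path/to/verify.py via-file` (plus `script-security 2`), the script is what makes workaround (1) safe to use: a laptop that copies the `auth-user-pass /etc/protocols` trick gets the bogus values checked as a real username and is rejected, while the unattended hosts are accepted only from their own networks. The TOTP secret above is the RFC 6238 test-vector key, so its codes can be checked against the RFC tables.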

Change History (3)

comment:1 Changed 17 months ago by plaisthos

I think auth-user-pass-optional without the external-auth parameter to auth-gen-token is a very weird combination.

Old OpenVPN versions will only accept an auth-token if they did user-pass authentication before, and you are seeing that behaviour. If you use the default for auth-gen-token, auth-gen-token needs to make the decision without consulting external auth scripts. And since auth-gen-token does not implement optional user/pass without external-auth, you are seeing this behaviour.

comment:2 Changed 17 months ago by wdoekes

Thanks for the response, plaisthos.

Adding external-auth to auth-gen-token does not look like it helps: the reneg-sec happens really soon, and I assume the external-auth is only invoked at 57600.

It does appear that 2.4.7 is affected both with and without auth-user-pass, while 2.5.5 is not affected with auth-user-pass. So, using fix (1) does not help, even though I previously thought it did.

I'll go with a higher reneg-sec for now when I want auth-user-pass-optional.

Cheers,
Walter

comment:3 Changed 16 months ago by Gert Döring

(1) might actually work, but maybe not on 2.4 - this is old code, and most of the auth-token code has been changed in 2.5. So what happens if you do (1) on 2.5?
