Opened 17 months ago
Last modified 16 months ago
#1482 new Bug / Defect
openvpn 2.4.7 with auth-user-pass-optional breaks auth-gen-token
Reported by: | wdoekes | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.7 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | walter.openvpn@… |
Description
Hi,
as far as I understand, we can use this on the server side:
    auth-user-pass-verify my-auth-script via-file
    reneg-sec 3600
    auth-gen-token 57600 # 16 hours.. you need one reconnect/repassword daily
This should cause the user to get a 2FA prompt only once every 16 hours.
If we then combine this with:
auth-user-pass-optional
making the 2FA optional (*) and a client that does not provide a password, we get these errors on the server every 3600 seconds:
    TLS Auth Error: Auth-token verification failed for username ''
    TLS Error: local/remote TLS keys are out of sync: [AF_INET]<ip>:<port> [0]
    TLS Error: local/remote TLS keys are out of sync: [AF_INET]<ip>:<port> [0]
    ...
after which the connection is terminated in due time because the keepalives start to fail.
I assume the cause is that the client doesn't know it should send any tokens at all, while the server starts expecting tokens after the first hour.
There appear to be two workarounds for this:
(1) Pass a bogus username/password from the client (and ignore the bogus values in the auth-user-pass-verify module):
    auth-user-pass /etc/protocols
(2) Don't use auth-gen-token in the server, but increase reneg-sec:
    reneg-sec 57600 # 16 hours.. you need one reconnect/repassword daily
    #auth-gen-token 57600
This issue looks related, but not equal, to #1447.
To me, it looks like the bogus username/password passing is the more secure option -- because then we do get renegotiation. But it is also the ugliest.
Cheers,
Walter Doekes
OSSO B.V.
(*) Why optional 2FA? For systems without humans attached we have separate security measures (IP whitelists, etc.).
() This behaviour was observed with the default openvpn on Ubuntu/Focal. I did not find tickets/changes that looked like this was fixed in newer versions.
Change History (3)
comment:1 Changed 17 months ago by
comment:2 Changed 17 months ago by
Thanks for the response, plaisthos.
Adding external-auth to auth-gen-token does not look like it helps: the reneg-sec happens really soon, and I assume the external-auth is only invoked at 57600.
It does appear that 2.4.7 is affected both with and without auth-user-pass, while 2.5.5 is not affected with auth-user-pass. So, using fix (1) does not help, even though I previously thought it did.
I'll go with a higher reneg-sec for now when I want auth-user-pass-optional.
Cheers,
Walter
comment:3 Changed 16 months ago by
(1) might actually work, but maybe not on 2.4 - this is old code, and most of the auth-token code has been changed in 2.5. So what happens if you do (1) on 2.5?
I think auth-user-pass-optional without the external-auth parameter to auth-gen-token is a very weird combination.
Old OpenVPN versions will only accept an auth-token if they did user-pass authentication before, and you are seeing that behaviour. If you use the default for auth-gen-token, auth-gen-token needs to make the decision without consulting external auth scripts. And since auth-gen-token does not implement optional user/pass without external-auth, you are seeing this behaviour.
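As an added example (not code from the ticket or from the OpenVPN project), a small checker that parses an OpenVPN server config and flags the combination discussed above: auth-user-pass-optional together with auth-gen-token lacking the external-auth parameter. The config texts are constructed from the snippets in the ticket; the finding wording and the reneg-sec default of 3600 are the example's own.

```python
"""Lint an OpenVPN server config for the auth-user-pass-optional /
auth-gen-token interaction described in this ticket.  Added example,
not OpenVPN project code; the config texts below are constructed."""
import shlex


def parse_directives(text):
    """Map each directive to its argument list.  '#' and ';' start
    comments; a later occurrence of a directive overrides an earlier one."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def check_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    if "auth-user-pass-optional" in d and "auth-gen-token" in d:
        # Comment 3: auth-gen-token only implements optional user/pass when
        # external-auth hands the decision to the auth script.  Without it,
        # a client that sends no credentials fails token verification at
        # the first renegotiation, i.e. after reneg-sec (default 3600).
        if "external-auth" not in d["auth-gen-token"]:
            reneg = d.get("reneg-sec", ["3600"])[0]
            findings.append("auth-gen-token without external-auth; "
                            "credential-less clients fail at first "
                            "renegotiation (reneg-sec %s)" % reneg)
    return findings


# Constructed from the ticket: the reported server side and workaround (2).
REPORTED = """\
auth-user-pass-verify my-auth-script via-file
reneg-sec 3600
auth-gen-token 57600   # 16 hours
auth-user-pass-optional
"""
WORKAROUND_2 = """\
auth-user-pass-verify my-auth-script via-file
reneg-sec 57600        # 16 hours, auth-gen-token removed
auth-user-pass-optional
"""

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("workaround-2", WORKAROUND_2)):
        print(name, check_config(cfg) or "ok")
```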