Opened 3 years ago

Closed 2 years ago

#836 closed Bug / Defect (fixed)

Password Caching on multiple http-proxies

Reported by: appunnicer13 Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: Proxy Password Caching
Cc:

Description

I use openVPN GUI in my windows 10 computer. There is a problem with it, I am trying to use multiple HTTP proxies using connection tags , our connections are limited by TCP 80 , 443 ports so I used same remote host for all my connections , then i had 5 -6 http proxies through which i wanted the OPENVPN to iterate, but the problem is that it is not iterating the credentials as well while iterating the connection . HTTP proxy Credentials are somehow cached and not iterated through. . I believe that this is not an intended behaviour and caused while trying to Cache Credentials .

https://drive.google.com/file/d/0BwlvQ0O2HFzzVUVZYjZSQ05FY3pnb0U0VUNrUUpLTnN5bG1J/view?usp=sharing here is the typical config.

Change History (5)

comment:1 Changed 3 years ago by tincantech

OP client config .. save on aggravation

# Automatically generated OpenVPN client config file
# Generated on Sat Oct  8 19:23:13 2016 by openvpn-new
# Note: this config file contains inline private keys
#       and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=xxxxxxxx
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=openvpn@x.x.x.x
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=x.x.x.x:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
setenv ALLOW_PASSWORD_SAVE 0
client
server-poll-timeout 8
nobind
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass login_aws.conf
auth-nocache
ping-exit 60
resolve-retry 1
connect-retry 1

#
<connection>
http-proxy 10.1.1.18 80 proxy18(1).conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.18 80 proxy18.conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.18 80 proxy18(3).conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.45 80 proxy45(1).conf basic
http-proxy-retry 
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.45 80 proxy45.conf basic
http-proxy-retry 
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.19 80 proxy19.conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.18 80 proxy18(1).conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

#
<connection>
http-proxy 10.1.1.16 80 proxy16.conf basic
http-proxy-retry
remote x.x.x.x 443 tcp
</connection>

# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

## -----BEGIN RSA SIGNATURE-----
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
Last edited 3 years ago by tincantech (previous) (diff)

comment:2 Changed 3 years ago by Antonio

Apparently "http-proxy-user-pass" does not exist in the connection context. OpenVPN expects to have only one set of proxy credentials.
Consequently, in this configuration, the first credentials (specified inline with http-proxy) are stored and the others are ignored.

Not sure why it is like that ... I would also agree that new credentials should be allowed to be specified with a new http-proxy server.

comment:3 Changed 3 years ago by Antonio

I have a patch which would fix this issue, however it is for the current master branch.
Would you have a chance to clone it and apply my patch for a quick test?

comment:4 Changed 3 years ago by Antonio

FYI, the patch is on the ml. The subject is "[PATCH] reload HTTP proxy credentials when moving to the next connection profile"

comment:5 Changed 2 years ago by Antonio

Resolution: fixed
Status: newclosed

The patch fixing this issue has been merged into master (commit 86b58ceb) and the 2.4 (commit fbc50963) branches. It'll be available in 2.5 and in the next 2.4.x release.

Note: See TracTickets for help on using tickets.