Hi Selva,
you were right, I did forget the closing 'END'. Somehow I failed to notice it
in your script.
Now I have it, but the config still does not work:
CLIENT_PUBLIC_IP:57516 TLS: Username/Password authentication deferred for username 'mysecretuser' [CN SET]
CLIENT_PUBLIC_IP:57516 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
CLIENT_PUBLIC_IP:57516 [mysecretuser] Peer Connection Initiated with [AF_INET]CLIENT_PUBLIC_IP:57516
CLIENT_PUBLIC_IP:57516 PUSH: Received control message: 'PUSH_REQUEST'
MANAGEMENT: CMD 'client-auth-nt 3 0'
MANAGEMENT: CMD 'END'
mysecretuser/CLIENT_PUBLIC_IP:57516 MULTI: no dynamic or static remote --ifconfig address is available for mysecretuser/CLIENT_PUBLIC_IP:57516
mysecretuser/CLIENT_PUBLIC_IP:57516 SENT CONTROL [mysecretuser]: 'PUSH_REPLY,redirect-gateway def1,route-gateway dhcp,ip-win32 dynamic 0 3600,ping 60,route-gateway dhcp,ping 10,ping-restart 120,peer-id 0,cipher AES-256-GCM,auth-token' (status=1)
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.
What else did I miss?
Thanks,
Tom
From: Selva Nair [mailto:[email protected]]
Sent: Wednesday, April 1, 2020 6:13 PM
To: Dajka Tamás <[email protected]>
Cc: openvpn users list ([email protected])
<[email protected]>
Subject: Re: [Openvpn-users] management-auth breaks data-channel?
Hi
On Wed, Apr 1, 2020 at 10:17 AM Dajka Tamás <[email protected]> wrote:
Hi all,
I've a _working_ server-client setup (tap + L2 bridge; server-bridge with
on-LAN DHCP), where the pam-auth plugin does the authentication (OTP with
static-challenge, works OK). However, if I disable the plugin authentication
and enable 'management-client-auth' (nothing else changes in either of the
configs), the client fails to establish the data channel (authentication works,
control channel is OK).
In the server logs I see the following (with mgmt auth):
mysecretuser/CLIENT_PUBLIC_IP:63979 TLS Warning: no data channel send key available: [key#0 state=S_ACTIVE id=0 sid=f1576b13 7324afbe] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
mysecretuser/CLIENT_PUBLIC_IP:63979 MULTI: C2C/MCAST/BCAST
and a lot of these:
mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [172] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=171
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [347] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=346
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [108] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=107
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.
Looks like your script is not sending a complete response and the server is
still waiting to authenticate the client. Unlike scripts, management doesn't
block, but the session will not get fully initialized until the management
client has responded.
What can be the matter? Do I need to supply anything else via mgmt@server other
than 'client-auth ID ID' upon successful authentication?
You have to send back either
"client-deny CID KID <reason text>"
OR
"client-auth-nt CID KID"
OR
"client-auth CID KID
client-specific directives
END"
If you have no client-connect config parameters to send, use "client-auth-nt" as
in my demo script that you referred to. If sending "client-auth" with no
directives, you still have to send the line "END".
Selva
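The exchange Selva describes, as an added example that is not part of the thread and not his demo script: a small management-interface responder that consumes the ">CLIENT:CONNECT" / ">CLIENT:ENV,..." / ">CLIENT:ENV,END" notifications OpenVPN emits under --management-client-auth and produces exactly one of the three complete replies (client-deny, client-auth-nt, or client-auth ... END). The credential store, the usernames other than the thread's "mysecretuser", the pushed route and the client IP are constructed for the demo; in a real deployment the same feed() loop would read lines from the management socket opened with --management instead of from a list.

```python
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the demo (hypothetical users; only "mysecretuser"
# is a name from the thread, and its password here is made up).
# username -> (password, per-client directives to push; empty list => client-auth-nt)
CREDENTIALS = {
    "mysecretuser": ("correct horse battery staple", []),
    "admin": ("hunter2-but-longer", ['push "route 10.8.0.0 255.255.255.0"']),
}

# Constructed notification lines in the shape OpenVPN writes to the management
# interface for one connecting client (CID=3, KID=0; the IP is documentation space).
SAMPLE_SESSION = [
    ">CLIENT:CONNECT,3,0",
    ">CLIENT:ENV,untrusted_ip=198.51.100.7",
    ">CLIENT:ENV,username=mysecretuser",
    ">CLIENT:ENV,password=correct horse battery staple",
    ">CLIENT:ENV,END",
]


@dataclass
class PendingClient:
    cid: str
    kid: str
    env: dict = field(default_factory=dict)


class AuthResponder:
    """Consumes >CLIENT: notifications; returns the lines to write back to OpenVPN."""

    def __init__(self, credentials=CREDENTIALS):
        self.credentials = credentials
        self.pending = None  # client whose ENV block is still being received

    def feed(self, line):
        line = line.rstrip("\r\n")
        if line.startswith(">CLIENT:CONNECT,") or line.startswith(">CLIENT:REAUTH,"):
            _, cid, kid = line.split(",", 2)  # ">CLIENT:CONNECT,3,0" -> cid "3", kid "0"
            self.pending = PendingClient(cid, kid)
            return []
        if line == ">CLIENT:ENV,END":
            # Only now is the request complete; OpenVPN keeps the session in
            # S_ACTIVE without a data-channel key until we answer.
            if self.pending is None:
                return []
            client, self.pending = self.pending, None
            return self._decide(client)
        if line.startswith(">CLIENT:ENV,") and self.pending is not None:
            name, _, value = line[len(">CLIENT:ENV,"):].partition("=")
            self.pending.env[name] = value
            return []
        return []  # >CLIENT:ESTABLISHED, >CLIENT:DISCONNECT, etc. need no reply

    def _decide(self, client):
        user = client.env.get("username", "")
        supplied = client.env.get("password", "").encode()
        # Compare against a dummy for unknown users so the check takes similar time.
        expected, directives = self.credentials.get(user, ("\0" * 32, []))
        if user not in self.credentials or not hmac.compare_digest(expected.encode(), supplied):
            # The reason is one argument to OpenVPN, so it is double-quoted.
            return ['client-deny %s %s "bad credentials"' % (client.cid, client.kid)]
        if not directives:
            return ["client-auth-nt %s %s" % (client.cid, client.kid)]
        # client-auth opens a block that MUST be closed with END, even when empty;
        # omitting it leaves the client authenticated-but-uninitialised forever.
        return ["client-auth %s %s" % (client.cid, client.kid)] + list(directives) + ["END"]


def respond(notifications):
    """Run a responder over a list of notification lines; return all reply lines."""
    responder = AuthResponder()
    replies = []
    for line in notifications:
        replies.extend(responder.feed(line))
    return replies


if __name__ == "__main__":
    for reply in respond(SAMPLE_SESSION):
        print(reply)
```

The point the thread turns on is visible in _decide(): every branch returns a syntactically complete reply, and the "client-auth" branch always appends "END". If you are debugging a responder of your own, check that the server log shows the MANAGEMENT: CMD line for your reply (and the 'END' line after a client-auth); if it never appears, the server is still waiting and will keep logging "Key ... not initialized (yet), dropping packet".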
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users