Hi Selva,
I'm trying out things, so I changed the auth handler from 'client-auth-nt' to
'client-auth' + 'END'. To further eliminate possible causes I also disabled
the usage of the external DHCP server and changed 'server-bridge' to
'server-bridge GW IP NETMASK'.
Anyway, when I did the test I was using the same config, and my main problem
now is that, if I change – and only change that in the server.conf –
from plugin auth to management-client-auth, the client is not able to initiate
any traffic – seemingly the Data Channel is not built up at the server side. It
seems to me that the server is still waiting for something to establish the
data channel (on the management socket I get '>CLIENT:ESTABLISHED' both times).
I tried to compare both the server and client logs from the two cases, but did
not see any difference (verb 6). I also left the auth handler Python running on
the socket for logging, but did not see any difference there either.
(actual server config is as in my last mail)
I hope this clears things up. So with the very same setup, plugin auth
works, whereas management-client-auth does not (while the rest of the server.conf is
intact, client.conf does not change).
Tomorrow I'll try with a dummy auth handler: without any logic, just sending
back 'client-auth-nt CID KID', but I think it'll not make any difference.
Cheers,
Tom
From: Selva Nair [mailto:[email protected]]
Sent: Thursday, April 2, 2020 10:49 PM
To: Dajka Tamás <[email protected]>
Cc: openvpn users list <[email protected]>
Subject: Re: [Openvpn-users] management-auth breaks data-channel?
Hi
On Thu, Apr 2, 2020 at 4:38 PM Dajka Tamás <[email protected]> wrote:
Plugin part, when management-client is used:
CLIENT_PUBLIC_IP:49712 TLS: Username/Password authentication deferred for
username 'mysecretuser' [CN SET]
CLIENT_PUBLIC_IP:49712 TCPv4_SERVER WRITE [308] to
[AF_INET]CLIENT_PUBLIC_IP:49712: P_CONTROL_V1 kid=0 [ ] pid=1374 DATA len=294
CLIENT_PUBLIC_IP:49712 TCPv4_SERVER READ [62] from
[AF_INET]CLIENT_PUBLIC_IP:49712: P_ACK_V1 kid=0 [ ]
CLIENT_PUBLIC_IP:49712 Control Channel: TLSv1.2, cipher TLSv1.2
ECDHE-ECDSA-AES256-GCM-SHA384
CLIENT_PUBLIC_IP:49712 [mysecretuser] Peer Connection Initiated with
[AF_INET]CLIENT_PUBLIC_IP:49712
CLIENT_PUBLIC_IP:49712 TCPv4_SERVER READ [96] from
[AF_INET]CLIENT_PUBLIC_IP:49712: P_CONTROL_V1 kid=0 [ ] pid=2142 DATA len=82
CLIENT_PUBLIC_IP:49712 PUSH: Received control message: 'PUSH_REQUEST'
CLIENT_PUBLIC_IP:49712 TCPv4_SERVER WRITE [62] to
[AF_INET]CLIENT_PUBLIC_IP:49712: P_ACK_V1 kid=0 [ ]
MANAGEMENT: CMD 'client-auth 0 0'
I don't understand, your reports are inconsistent each time. Now you are
sending "client-auth" as in the first email, not "client-auth-nt" as in the second
mail. And not sending END, which is required to terminate "client-auth"
configuration directives. Not required after "client-auth-nt".
mysecretuser/CLIENT_PUBLIC_IP:49712 MULTI_sva: pool returned IPv4=10.14.14.1,
IPv6=(Not enabled)
mysecretuser/CLIENT_PUBLIC_IP:49712 SENT CONTROL [mysecretuser]:
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.12.18.65,dhcp-option DNS
172.12.18.66,dhcp-option DOMAIN mydomain.intra,dhcp-option PROXY_HTTP 10.0.0.31
8080,dhcp-option PROXY_HTTPS 10.0.0.31 8080,dhcp-option PROXY_AUTO_CONFIG_URL
http://172.12.5.5/proxy.pac,dhcp-option ip-win32 adaptive -3 28800,route
8.13.15.3 255.255.255.255 10.14.12.1,ping 60,route-gateway 10.14.12.1,ifconfig
10.14.14.1 255.255.252.0,peer-id 0,cipher AES-256-GCM,auth-token' (status=1)
Also you were not pushing ifconfig as per the log snippet last time, and that's
why I had asked you how you are setting the client IP.
I'm at a loss.
Selva
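The distinction Selva points out, as an added example that is neither Tom's handler script nor OpenVPN's own code: the deferred-auth handler must answer a `>CLIENT:CONNECT` notification with `client-auth CID KID` plus config lines closed by `END`, or with `client-auth-nt CID KID` and no terminator. The notification format follows OpenVPN's management-interface documentation; the function names, the sample credentials and the constructed socket text are assumptions, and socket I/O is left out so the logic can be checked offline.

```python
import hmac
import re

# Constructed sample: what openvpn writes on the management socket for a
# connecting client when --management-client-auth is enabled.
SAMPLE_CONNECT = """>CLIENT:CONNECT,0,0
>CLIENT:ENV,username=mysecretuser
>CLIENT:ENV,password=hunter2
>CLIENT:ENV,untrusted_ip=203.0.113.10
>CLIENT:ENV,untrusted_port=49712
>CLIENT:ENV,END
"""

def parse_client_connect(block):
    """Return (cid, kid, env) parsed from a >CLIENT:CONNECT notification."""
    lines = block.strip().splitlines()
    m = re.fullmatch(r">CLIENT:CONNECT,(\d+),(\d+)", lines[0])
    if not m:
        raise ValueError("not a CLIENT:CONNECT notification")
    env = {}
    for line in lines[1:]:
        if line == ">CLIENT:ENV,END":
            break
        key, _, value = line[len(">CLIENT:ENV,"):].partition("=")
        env[key] = value
    else:  # loop ran out before the END marker: block is truncated
        raise ValueError("CLIENT:ENV block not terminated with END")
    return int(m.group(1)), int(m.group(2)), env

def build_reply(cid, kid, allowed, config_lines=()):
    """Build the management command that answers the deferred auth request."""
    if not allowed:
        return f'client-deny {cid} {kid} "bad credentials"\n'
    if config_lines:
        # client-auth carries per-client config (ccd-style directives)
        # and MUST be closed by a line containing only END
        return f"client-auth {cid} {kid}\n" + "\n".join(config_lines) + "\nEND\n"
    # client-auth-nt sends no config lines, so no END terminator follows
    return f"client-auth-nt {cid} {kid}\n"

def handle(block, credentials, config_lines=()):
    """Check username/password from the env block (constant-time) and reply."""
    cid, kid, env = parse_client_connect(block)
    expected = credentials.get(env.get("username"), "")
    ok = hmac.compare_digest(expected.encode(), env.get("password", "").encode())
    return build_reply(cid, kid, ok, config_lines if ok else ())
```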
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users