You might have noticed our bug reports regarding capabilities && 2.6rc2.
The whole point of it all was to test 2.6.x's DCO in our openvpn infrastructure 
:)

Upgrades were made, kernel modules were being compiled and modprobed,
the gateway's filesystem is cluttered with source packages and
hotfixed scripts all over the place -- and ultimately 2.6rc2 would be
working OK on the server side of things. YAY!

But once we enabled DCO on the server side, things started to go awry - again.

2.5.x was not able to connect.
So I thought: "Meh, maybe I should use 2.6rc on both client and server."
Said and done.

Now the server complains:
=========================

Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY SCRIPT OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 Validating certificate extended key usage
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY EKU OK
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY SCRIPT OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=hildeb, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=hildeb, emailAddress=v...@charite.de
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_VER=2.6_rc2
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_PLAT=linux
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_TCPNL=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_MTU=1600
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_CIPHERS=AES-256-GCM
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_PROTO=478
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_LZO_STUB=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_COMP_STUB=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 peer info: IV_COMP_STUBv2=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: Username/Password authentication succeeded for username 'hildeb'
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jan 18 17:16:35 localhost openvpn-udp[50313]: 10.31.123.139:39440 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jan 18 17:16:36 localhost openvpn-udp[50313]: 10.31.123.139:39440 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Jan 18 17:16:36 localhost openvpn-udp[50313]: 10.31.123.139:39440 [hildeb] Peer Connection Initiated with [AF_INET6]::ffff:10.31.123.139:39440
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI_sva: pool returned IPv4=172.29.0.2, IPv6=(Not enabled)
Jan 18 17:16:36 localhost openVPN-clientConnect: {"user": "hildeb", "common_name": "hildeb", "platform": "linux", "version": "2.6_rc2", "gui_version": ""}
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_59804ac825fbf6a474bade0a88233ff0.tmp

Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Consider using the '--compress migrate' option.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI: client has been rejected due to incompatible DCO options

Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 PUSH: Received control message: 'PUSH_REQUEST'
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Delayed exit in 5 seconds
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SENT CONTROL [hildeb]: 'AUTH_FAILED' (status=1)
Jan 18 17:16:42 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SIGTERM[soft,delayed-exit] received, client-instance exiting

I'm reading this as: the server doesn't like the client based on "incompatible
DCO options", obviously due to "allow-compression" not being set to "no"
(which is the default, according to the docs).

Personally I think this shouldn't prevent the client from connecting,
but instead it should just not be using DCO. But since we want to test DCO,
that's OK for now.

On the server, this is the config we're using (I modprobed ovpn-dco):

--- snip ---
syslog openvpn-udp
proto udp6
management 127.0.0.1 7505
status /var/log/openvpn-udp-status.log
dev tun0

user openvpn
group openvpn

mssfix 1350

topology subnet
mode server
tls-server
push "topology subnet"
ifconfig-pool 172.29.0.2 172.29.7.254 255.255.248.0
push "route-gateway 172.29.0.1"

port 1194

duplicate-cn

## Crypto stuff
ca         /etc/openvpn/certs/ca.crt
key        /etc/openvpn/certs/openvpn.charite.de.key
cert       /etc/openvpn/certs/openvpn.charite.de.crt
crl-verify /etc/openvpn/certs/crl.pem
dh         /etc/openvpn/certs/dhparam.pem
tls-auth   /etc/openvpn/certs/ta.key 0
remote-cert-eku "TLS Web Client Authentication"

tls-version-min 1.2

cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

auth-user-pass-verify /opt/openvpn/scripts/openVPN-authenticate via-env
client-connect        /opt/openvpn/scripts/openVPN-clientConnect
learn-address         /opt/openvpn/scripts/openVPN-learnAddress
tls-verify            /opt/openvpn/scripts/openVPN-tlsverify.sh
script-security 3

push "dhcp-option DNS 141.42.1.1"
push "dhcp-option DOMAIN charite.de"

keepalive 10 30

persist-key
persist-tun
verb 3
reneg-sec 86400

mute-replay-warnings
fast-io

# New RHI 18.01.2019
txqueuelen 10000
hand-window 15

allow-compression no
--- snip ---

So we clearly set "allow-compression" to "no". And no other compression
is active (I think).

On the client side of things:
=============================

2023-01-18 17:16:35 OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-01-18 17:16:35 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-01-18 17:16:35 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-18 17:16:35 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-01-18 17:16:35 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-01-18 17:16:35 TCP/UDP: Preserving recently used remote address: [AF_INET]193.175.73.170:1194
2023-01-18 17:16:35 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-01-18 17:16:35 UDPv4 link local: (not bound)
2023-01-18 17:16:35 UDPv4 link remote: [AF_INET]193.175.73.170:1194
2023-01-18 17:16:35 TLS: Initial packet from [AF_INET]193.175.73.170:1194, sid=11c0291f de7a5bdd
2023-01-18 17:16:35 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=Charite-VPN CA, name=EasyRSA, emailAddress=v...@charite.de
2023-01-18 17:16:35 VERIFY KU OK
2023-01-18 17:16:35 Validating certificate extended key usage
2023-01-18 17:16:35 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-18 17:16:35 VERIFY EKU OK
2023-01-18 17:16:35 VERIFY X509NAME OK: C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de
2023-01-18 17:16:35 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, CN=openvpn.charite.de, emailAddress=v...@charite.de
2023-01-18 17:16:36 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-18 17:16:36 [openvpn.charite.de] Peer Connection Initiated with [AF_INET]193.175.73.170:1194
2023-01-18 17:16:36 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-01-18 17:16:36 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-01-18 17:16:37 SENT CONTROL [openvpn.charite.de]: 'PUSH_REQUEST' (status=1)
2023-01-18 17:16:37 AUTH: Received control message: AUTH_FAILED
2023-01-18 17:16:37 SIGTERM received, sending exit notification to peer
2023-01-18 17:16:37 Attempting to send data packet while data channel offload is in use. Dropping packet
2023-01-18 17:16:38 SIGTERM[soft,exit-with-notification] received, process exiting

With this config (I modprobed ovpn-dco):

--- snip ---
client
dev tun

nobind
proto udp
remote openvpn-gw170-ext.charite.de 
port 1194
explicit-exit-notify

cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA256

remote-cert-tls server
verify-x509-name "C=DE, ST=Berlin, L=Berlin, O=Charite-VPN, OU=GB-IT, 
CN=openvpn.charite.de, emailAddress=v...@charite.de" subject
remote-cert-eku "TLS Web Server Authentication"

persist-key
persist-tun

verb 3
reneg-sec 0
auth-user-pass up
auth-nocache
script-security 2
mute-replay-warnings

tls-auth ta.key 1
ca ca.crt
remote-random
key hildeb.key
cert hildeb.crt

allow-compression no
--- snip ---

So what's wrong here?

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung
Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
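As an added example (not part of the original e-mail and not OpenVPN's own code): the server log above shows the pattern an operator wants to pick out quickly when rolling out DCO on a busy gateway: a "Note: ... disabling data channel offload." line, an optional "Consider using ..." hint, then "MULTI: client has been rejected due to incompatible DCO options" for the same peer, followed by AUTH_FAILED. The script below pairs those lines per peer and also extracts the compression directives from a server config, which is where the Note points. The function and class names are this example's own, the sample config is constructed, and the sample log is the relevant excerpt of the post's server log with the mail wrapping removed.

```python
"""Triage OpenVPN 2.6 server logs for DCO rejections (added example, not
code from the original post or from the OpenVPN project)."""
import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix as it appears in the post; the peer token is "ip:port" before
# authentication and "cn/ip:port" afterwards.
_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn-\S+\[\d+\]: "
    r"(?P<peer>\S+) (?P<msg>.*)$"
)
_NOTE = re.compile(r"^Note: (?P<reason>.*), disabling data channel offload\.$")
_REJECT = "MULTI: client has been rejected due to incompatible DCO options"


@dataclass
class DcoRejection:
    timestamp: str
    peer: str               # "cn/ip:port" exactly as the server logged it
    reason: str             # text of the preceding Note: line, or "unknown"
    hint: Optional[str]     # the "Consider using ..." follow-up line, if any
    auth_failed: bool       # True if the server then sent AUTH_FAILED to the peer


def find_dco_rejections(lines):
    """Return one DcoRejection per rejection line, in log order."""
    pending = {}            # peer -> [reason, hint] from the latest Note: line
    rejections = []
    last_for_peer = {}      # peer -> most recent DcoRejection for that peer
    for line in lines:
        m = _LINE.match(line.rstrip("\n"))
        if not m:
            continue        # other daemons, script output, unrelated lines
        peer, msg = m.group("peer"), m.group("msg")
        note = _NOTE.match(msg)
        if note:
            pending[peer] = [note.group("reason"), None]
        elif msg.startswith("Consider using") and peer in pending:
            pending[peer][1] = msg
        elif msg == _REJECT:
            reason, hint = pending.pop(peer, ["unknown", None])
            ev = DcoRejection(m.group("ts"), peer, reason, hint, False)
            rejections.append(ev)
            last_for_peer[peer] = ev
        elif "'AUTH_FAILED'" in msg and peer in last_for_peer:
            last_for_peer[peer].auth_failed = True
    return rejections


def compression_directives(config_text):
    """Return (allow_compression_mode, other_compression_lines).

    allow_compression_mode is the argument of 'allow-compression' (None if
    the directive is absent); other_compression_lines lists 'compress' and
    'comp-lzo' directives verbatim.  '#' and ';' start comments here; this
    simple splitter assumes neither character occurs inside quoted arguments.
    """
    mode, others = None, []
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "allow-compression":
            mode = parts[1] if len(parts) > 1 else ""
        elif parts[0] in ("compress", "comp-lzo"):
            others.append(line)
    return mode, others


# Excerpt of the server log from the post (mail wrapping removed).
SAMPLE_LOG = """\
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI_sva: pool returned IPv4=172.29.0.2, IPv6=(Not enabled)
Jan 18 17:16:36 localhost openVPN-clientConnect: {"user": "hildeb", "common_name": "hildeb", "platform": "linux", "version": "2.6_rc2", "gui_version": ""}
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_59804ac825fbf6a474bade0a88233ff0.tmp
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 Consider using the '--compress migrate' option.
Jan 18 17:16:36 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 MULTI: client has been rejected due to incompatible DCO options
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 PUSH: Received control message: 'PUSH_REQUEST'
Jan 18 17:16:37 localhost openvpn-udp[50313]: hildeb/10.31.123.139:39440 SENT CONTROL [hildeb]: 'AUTH_FAILED' (status=1)
"""

# Constructed server config fragment with the post's compression settings.
SAMPLE_CONFIG = """\
mode server
data-ciphers AES-256-GCM:AES-128-GCM   # trailing comment
allow-compression no
"""

if __name__ == "__main__":
    for ev in find_dco_rejections(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp} {ev.peer}: {ev.reason}"
              f" (hint: {ev.hint}; auth_failed={ev.auth_failed})")
    print(compression_directives(SAMPLE_CONFIG))
```

Run against the post's own excerpt it reports one rejection for hildeb/10.31.123.139:39440 with reason "'--allow-compression' is not set to 'no'" and auth_failed set, while the config check returns ("no", []), i.e. the static config and the runtime Note disagree, which is exactly the contradiction the post is asking about. Feeding the script a whole day of syslog lets you see which clients and versions are affected before changing anything.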