Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-09 Thread Selva Nair
Hi,

On Fri, Feb 9, 2018 at 3:33 AM, Samuli Seppänen  wrote:
> Il 09/02/2018 07:41, Илья Шипицин ha scritto:
>>
>>
>> 2018-02-08 20:40 GMT+05:00 Selva Nair:
>>
>> Hi,
>>
>> On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen wrote:
>> > Il 07/02/2018 21:58, David Sommerseth ha scritto:
>> >> On 07/02/18 20:32, Илья Шипицин wrote:
>> >>> After auth-token were introduced, when user press "Reconnect",
>> it leads to
>> >>> auth fail (saved password is forgotten), we run about 1000
>> users, nobody
>> >>> complains.
>> >>
>> >> This is actually expected, I'd say - but smells like a bug on the
>> server side
>> >> authentication.
>> >>
>> >> Selva may correct me if I'm wrong, but my understanding of it
>> when clicking
>> >> "Reconnect", the local OpenVPN process which caches the
>> auth-token is stopped
>> >> and a new OpenVPN process is started.  The client should in this
>> case ask for
>> >> username/password again.  So in this case, the server side should
>> treat this
>> >> connection as a fresh connection with no initial state.
>> >>
>> >> The step of stopping the local client and starting a new and
>> fresh one is
>> >> definitely not a bad feature to have on clients.
>> >>
>> >>> It looks like nobody uses that button.
>> >>>
>> >>> So, I asked several users, they confirmed they do not use Reconnect.
>> >>
>> >> This is no good argument for me.  This is one specific setup with
>> 1000 users.
>> >> It would be more valuable with 50 different setups having 20
>> users each.  Your
>> >> conclusion is based on a very homogeneous environment.
>> >
>> > I agree. I also agree that the underlying problem should be fixed.
>> >
>> > That said, Ilya's message was sent to both openvpn-users and
>> > openvpn-devel and nobody has screamed "do not remove the Reconnect
>> > button" :). The only additional thing we can do is post a message
>> to the
>> > forums. As usual, the only sure way to get feedback (read: complaints)
>> > is to release the changes in an official build/installer.
>>
>> Only recently we added a reconnect item to the menu (earlier it was
>> only available as a button in the status window) for ease of doing
>> reconnects and based on user requests -- though I can't now find who
>> asked for it.
>>
>>
>> it is interesting.
>>
>>
>>
>> I wouldn't take lack of response on the user's list as an indication
>> that no one uses it. In fact it's very handy -- how else will you
>> restart a connection after editing the config file? Disconnect and
>> connect again? That would close the status window and lose all
>>
>>
>> yes. disconnect and connect again.
>>
>>
>>
>> messages in it and also takes a number of mouse clicks because of the
>> way tray popup menu behaves.
>>
>> Anyway the purported reason to remove it is totally bogus. It's like
>> auth-token can't cope with SIGHUP, so let's remove that signal.
>>
>>
>> no, that is wrong interpretation.
>> I actually meant
>>
>> "it is broken" --> "users do not complain" --> "users do not care" -->
>> "other buttons will keep their places" --> "let us remove unused button"
>>
>>
>>
>> Finally, I'm a user too and I use that button all the time, though
>> mostly for testing. If that counts as a dissenting voice.
>>
>>
>>
>> yes, I also meant that. it is "designed by developers for themselves" :)
>> same as "edit config" menu item.
>> developers need edit config all the time and reconnect. but do users do
>> same things as well ?
>>
>>
>> as for "edit config", I'd like to keep it. its removal will change menu
>> order, people will click at wrong items.
>>
>
> This discussion has actually been pretty interesting in the context of
> "how to get [some] VPN providers[1] to join OpenVPN-GUI development".
> We'd almost certainly need the capability to easily modify the GUI
> interface to suit their particular use-cases. Like removing buttons
> their users don't need. At the moment we don't have anybody willing to
> do such refactorings, nor any idea if any VPN provider would be
> interested anyways.

This has been a one-of-a-kind discussion so let's not generalize based
on that. Asking to remove a functionality requires stronger
justification than asking for a fix or additional features. This
suggestion to remove the reconnect button was based on a wrong premise
--- that it deletes users' saved password, whereas the real culprits are
(i) auth-token handling and (ii) the GUI wiping the saved password on some
errors. On top of that, a justification of the form "it misbehaves in
some situations, but none of our users have ever complained, which means
they never use it, so it must go" is bizarre. Naturally, developers
would be sceptical about such requests.

What I've learned from thi

Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-09 Thread Samuli Seppänen
Il 09/02/2018 07:41, Илья Шипицин ha scritto:
> 
> 
> 2018-02-08 20:40 GMT+05:00 Selva Nair:
> 
> Hi,
> 
> On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen wrote:
> > Il 07/02/2018 21:58, David Sommerseth ha scritto:
> >> On 07/02/18 20:32, Илья Шипицин wrote:
> >>> After auth-token were introduced, when user press "Reconnect",
> it leads to
> >>> auth fail (saved password is forgotten), we run about 1000
> users, nobody
> >>> complains.
> >>
> >> This is actually expected, I'd say - but smells like a bug on the
> server side
> >> authentication.
> >>
> >> Selva may correct me if I'm wrong, but my understanding of it
> when clicking
> >> "Reconnect", the local OpenVPN process which caches the
> auth-token is stopped
> >> and a new OpenVPN process is started.  The client should in this
> case ask for
> >> username/password again.  So in this case, the server side should
> treat this
> >> connection as a fresh connection with no initial state.
> >>
> >> The step of stopping the local client and starting a new and
> fresh one is
> >> definitely not a bad feature to have on clients.
> >>
> >>> It looks like nobody uses that button.
> >>>
> >>> So, I asked several users, they confirmed they do not use Reconnect.
> >>
> >> This is no good argument for me.  This is one specific setup with
> 1000 users.
> >> It would be more valuable with 50 different setups having 20
> users each.  Your
> >> conclusion is based on a very homogeneous environment.
> >
> > I agree. I also agree that the underlying problem should be fixed.
> >
> > That said, Ilya's message was sent to both openvpn-users and
> > openvpn-devel and nobody has screamed "do not remove the Reconnect
> > button" :). The only additional thing we can do is post a message
> to the
> > forums. As usual, the only sure way to get feedback (read: complaints)
> > is to release the changes in an official build/installer.
> 
> Only recently we added a reconnect item to the menu (earlier it was
> only available as a button in the status window) for ease of doing
> reconnects and based on user requests -- though I can't now find who
> asked for it.
> 
> 
> it is interesting.
>  
> 
> 
> I wouldn't take lack of response on the user's list as an indication
> that no one uses it. In fact it's very handy -- how else will you
> restart a connection after editing the config file? Disconnect and
> connect again? That would close the status window and lose all
> 
> 
> yes. disconnect and connect again.
> 
>  
> 
> messages in it and also takes a number of mouse clicks because of the
> way tray popup menu behaves.
> 
> Anyway the purported reason to remove it is totally bogus. It's like
> auth-token can't cope with SIGHUP, so let's remove that signal.
> 
> 
> no, that is wrong interpretation.
> I actually meant
> 
> "it is broken" --> "users do not complain" --> "users do not care" -->
> "other buttons will keep their places" --> "let us remove unused button"
>  
> 
> 
> Finally, I'm a user too and I use that button all the time, though
> mostly for testing. If that counts as a dissenting voice.
> 
> 
> 
> yes, I also meant that. it is "designed by developers for themselves" :)
> same as "edit config" menu item.
> developers need edit config all the time and reconnect. but do users do
> same things as well ?
> 
> 
> as for "edit config", I'd like to keep it. its removal will change menu
> order, people will click at wrong items.
>  

This discussion has actually been pretty interesting in the context of
"how to get [some] VPN providers[1] to join OpenVPN-GUI development".
We'd almost certainly need the capability to easily modify the GUI
interface to suit their particular use-cases. Like removing buttons
their users don't need. At the moment we don't have anybody willing to
do such refactorings, nor any idea if any VPN provider would be
interested anyways.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] This is something we discussed in the OpenVPN-GUI project
(issues/PRs?) on GitHub.

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Илья Шипицин
2018-02-09 0:34 GMT+05:00 Selva Nair :

> Hi,
>
> On Thu, Feb 8, 2018 at 2:21 PM, blz  wrote:
> > On 2/7/2018 13:00 PM, Selva Nair wrote:
> >
> > One way for the GUI to handle the current situation is to not take the
> first
> > AUTH_FAILED seriously (i.e keep the saved password) when auth-token is in
> > use. But I would consider that a hack.
> >
> >
> > In general it seems like it is rarely a good idea to just modify
> > user-entered information, especially without asking first. Many programs
> > like graphical sftp/ftp clients, web browsers, VNC and RDP clients, and
> many
> > others that I've seen over the years usually don't just up and clear the
> > saved password upon failure, but leave it up to the user to update if
> > needed. This seems to prevent problems like when an account might be
> > temporarily disabled/inaccessible, or maintenance/testing is being
> performed
> > making some/all accounts inaccessible, where it it will resume working
> as it
> > was before in the near future.
>
> Ideally, the server should not return AUTH_FAILED in such cases. Note
> that we do not clear password for any kind of connection error but
> only for AUTH_FAILED with no indication of a dynamic challenge in the
> pipeline.
>
> That said, if not clearing password would give a better UX, we could
> definitely do it. In the latest GUI version we do add a warning
> message to the dialog saying password failed which may be enough.
>

I'd leave clearing the password to the user. i.e. gui should not clear
password.


>
> Selva
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Илья Шипицин
2018-02-08 20:40 GMT+05:00 Selva Nair :

> Hi,
>
> On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen 
> wrote:
> > Il 07/02/2018 21:58, David Sommerseth ha scritto:
> >> On 07/02/18 20:32, Илья Шипицин wrote:
> >>> After auth-token were introduced, when user press "Reconnect", it
> leads to
> >>> auth fail (saved password is forgotten), we run about 1000 users,
> nobody
> >>> complains.
> >>
> >> This is actually expected, I'd say - but smells like a bug on the
> server side
> >> authentication.
> >>
> >> Selva may correct me if I'm wrong, but my understanding of it when
> clicking
> >> "Reconnect", the local OpenVPN process which caches the auth-token is
> stopped
> >> and a new OpenVPN process is started.  The client should in this case
> ask for
> >> username/password again.  So in this case, the server side should treat
> this
> >> connection as a fresh connection with no initial state.
> >>
> >> The step of stopping the local client and starting a new and fresh one
> is
> >> definitely not a bad feature to have on clients.
> >>
> >>> It looks like nobody uses that button.
> >>>
> >>> So, I asked several users, they confirmed they do not use Reconnect.
> >>
> >> This is no good argument for me.  This is one specific setup with 1000
> users.
> >> It would be more valuable with 50 different setups having 20 users
> each.  Your
> >> conclusion is based on a very homogeneous environment.
> >
> > I agree. I also agree that the underlying problem should be fixed.
> >
> > That said, Ilya's message was sent to both openvpn-users and
> > openvpn-devel and nobody has screamed "do not remove the Reconnect
> > button" :). The only additional thing we can do is post a message to the
> > forums. As usual, the only sure way to get feedback (read: complaints)
> > is to release the changes in an official build/installer.
>
> Only recently we added a reconnect item to the menu (earlier it was
> only available as a button in the status window) for ease of doing
> reconnects and based on user requests -- though I can't now find who
> asked for it.
>

it is interesting.


>
> I wouldn't take lack of response on the user's list as an indication
> that no one uses it. In fact it's very handy -- how else will you
> restart a connection after editing the config file? Disconnect and
> connect again? That would close the status window and lose all
>

yes. disconnect and connect again.



> messages in it and also takes a number of mouse clicks because of the
> way tray popup menu behaves.
>
> Anyway the purported reason to remove it is totally bogus. It's like
> auth-token can't cope with SIGHUP, so let's remove that signal.
>

no, that is wrong interpretation.
I actually meant

"it is broken" --> "users do not complain" --> "users do not care" -->
"other buttons will keep their places" --> "let us remove unused button"


>
> Finally, I'm a user too and I use that button all the time, though
> mostly for testing. If that counts as a dissenting voice.
>


yes, I also meant that. it is "designed by developers for themselves" :)
same as "edit config" menu item.
developers need edit config all the time and reconnect. but do users do
same things as well ?


as for "edit config", I'd like to keep it. its removal will change menu
order, people will click at wrong items.


>
> Selva
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 2:21 PM, blz  wrote:
> On 2/7/2018 13:00 PM, Selva Nair wrote:
>
> One way for the GUI to handle the current situation is to not take the first
> AUTH_FAILED seriously (i.e keep the saved password) when auth-token is in
> use. But I would consider that a hack.
>
>
> In general it seems like it is rarely a good idea to just modify
> user-entered information, especially without asking first. Many programs
> like graphical sftp/ftp clients, web browsers, VNC and RDP clients, and many
> others that I've seen over the years usually don't just up and clear the
> saved password upon failure, but leave it up to the user to update if
> needed. This seems to prevent problems like when an account might be
> temporarily disabled/inaccessible, or maintenance/testing is being performed
> making some/all accounts inaccessible, where it will resume working as it
> was before in the near future.

Ideally, the server should not return AUTH_FAILED in such cases. Note
that we do not clear password for any kind of connection error but
only for AUTH_FAILED with no indication of a dynamic challenge in the
pipeline.

That said, if not clearing password would give a better UX, we could
definitely do it. In the latest GUI version we do add a warning
message to the dialog saying password failed which may be enough.

Selva
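
As an added example (not openvpn-gui code and not from anyone in this thread), the saved-password policy described above, driven by the lines the OpenVPN management interface emits: the plain ">PASSWORD:Verification Failed: 'Auth'" notification and its bracketed dynamic-challenge suffix in the "CRV1:" encoding are OpenVPN's documented formats, while the sample lines, the PasswordKeeper class, the token_pushed() signal and the tolerate_token_failure option (the "hack" of ignoring the first AUTH_FAILED while a token is in use) are this example's own constructions.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Notification the management interface emits when the server replies
# AUTH_FAILED.  The optional bracketed suffix carries a dynamic challenge
# in the documented "CRV1:" encoding.
_VERIFY_FAILED = re.compile(
    r"^>PASSWORD:Verification Failed: 'Auth'(?: \['(?P<reason>[^']*)'\])?$"
)

KEEP, CLEAR, CHALLENGE = "keep", "clear", "challenge"


@dataclass
class Challenge:
    """One decoded CRV1 dynamic challenge."""
    response_required: bool  # flag "R": the user must answer
    echo_response: bool      # flag "E": the answer may be echoed on screen
    state_id: str            # opaque server state, returned with the answer
    username: str
    text: str                # prompt shown to the user


def parse_crv1(reason: str) -> Optional[Challenge]:
    """Decode 'CRV1:<flags>:<state_id>:<base64 username>:<challenge text>'.
    Returns None for anything that is not a well-formed CRV1 challenge."""
    if not reason.startswith("CRV1:"):
        return None
    parts = reason.split(":", 4)  # the prompt text may itself contain ':'
    if len(parts) != 5:
        return None
    _, flags, state_id, user_b64, text = parts
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    flag_set = set(flags.split(","))
    return Challenge("R" in flag_set, "E" in flag_set, state_id, username, text)


def classify(line: str) -> Tuple[str, Optional[Challenge]]:
    """Policy stated in the thread: any other error keeps the saved password;
    a plain AUTH_FAILED clears it; an AUTH_FAILED carrying a dynamic
    challenge is a request for more input, not a rejection."""
    m = _VERIFY_FAILED.match(line.rstrip("\r\n"))
    if m is None:
        return KEEP, None
    challenge = parse_crv1(m.group("reason") or "")
    if challenge is not None:
        return CHALLENGE, challenge
    return CLEAR, None


class PasswordKeeper:
    """Saved-password state driven by management-interface lines.

    tolerate_token_failure=True implements the workaround the thread calls a
    hack: once the server has pushed an auth-token, the first plain
    AUTH_FAILED is ignored, since it may only mean a stale token was rejected
    rather than that the saved password is wrong.  The caller signals token
    use via token_pushed(); how a real GUI learns that is an assumption here."""

    def __init__(self, tolerate_token_failure: bool = False) -> None:
        self.tolerate = tolerate_token_failure
        self.saved_password: Optional[str] = None
        self.token_in_use = False
        self.pending_challenge: Optional[Challenge] = None
        self.warnings: List[str] = []  # messages a GUI would show in its dialog

    def remember(self, password: str) -> None:
        self.saved_password = password

    def token_pushed(self) -> None:
        self.token_in_use = True

    def handle(self, line: str) -> str:
        action, challenge = classify(line)
        if action == CHALLENGE:
            self.pending_challenge = challenge  # prompt the user, keep password
        elif action == CLEAR:
            if self.tolerate and self.token_in_use:
                self.token_in_use = False  # one free pass per pushed token
                self.warnings.append("auth-token rejected; retrying with saved password")
                return KEEP
            self.saved_password = None
            self.warnings.append("password failed; saved password discarded")
        return action


if __name__ == "__main__":
    # Constructed sample lines in the management-interface format.
    for sample in (
        ">STATE:1518100000,RECONNECTING,tls-error,,,,,",
        ">PASSWORD:Verification Failed: 'Auth'",
        ">PASSWORD:Verification Failed: 'Auth' "
        "['CRV1:R,E:st4t3:Zm9v:Please enter token PIN']",
    ):
        print(sample, "->", classify(sample)[0])
```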



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread blz

On 2/7/2018 13:00 PM, Selva Nair wrote:
One way for the GUI to handle the current situation is to not take the 
first AUTH_FAILED seriously (i.e keep the saved password) when 
auth-token is in use. But I would consider that a hack.


In general it seems like it is rarely a good idea to just modify 
user-entered information, especially without asking first. Many programs 
like graphical sftp/ftp clients, web browsers, VNC and RDP clients, and 
many others that I've seen over the years usually don't just up and 
clear the saved password upon failure, but leave it up to the user to 
update if needed. This seems to prevent problems like when an account 
might be temporarily disabled/inaccessible, or maintenance/testing is 
being performed making some/all accounts inaccessible, where it will 
resume working as it was before in the near future.


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 12:07 PM, Arne Schwabe  wrote:
> Am 08.02.18 um 16:31 schrieb Selva Nair:
>> Hi,
>>
>> On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
>>  wrote:
>>> On 08/02/18 04:36, Antonio Quartulli wrote:


 On 08/02/18 04:41, David Sommerseth wrote:
> On 07/02/18 21:21, Selva Nair wrote:
>
>> In my view auth-token handling in openvpn.exe is broken at multiple 
>> levels:
>>
>> Client process:
>> (i) it should not remember the token after a reconnect is issued
>
> Agreed.  This should trigger retrieving new user input in regards to 
> SIGHUP at
> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
> though (hang-up).

 I discussed this with Arne as well, as he also had users complaining about this.

 The conclusion we came was that it may be meaningful, upon reconnection,
 to try sending the token once (the token might be handled by external
 server side scripts and might still be alive, so one attempt is worth it)
 and if it fails then we should dump the token, ask the user for the
 password and reconnect.
>>
>> But this is the current behaviour, isn't it? So what's the difference?
>> I think it's wrong to reuse auth-token of one "connection"  in another
>> one.  A client restart leads to a new connection and that should get a
>> new token. Else a stolen token could be used in a new TLS session --
>> may sound far-fetched as one also has to steal the private key, but as
>> far as a user is concerned token is a place holder for their password
>> and OTP. It should be reused only for reneg.
>>
>> I think the correct and easy fix is to wipe the token on the client
>> when it restarts by SIGUSR1 or SIGHUP.  If a server side script
>> doesn't like it that script is anyway broken.
>
> No it isn't. Current behaviour is to exit with AUTH_FAILED in that case.

It doesn't exit if auth-retry is in use (Windows GUI enforces that
option) but gets a prompt for username/password. Even then AUTH_FAILED
is bad as that has other implications like forgetting saved password
(at least on Windows GUI).

So is the proposal to change the server-side handling of auth-token?
That is, the server would try to use auth-token from the previous
connection and fall back to current behaviour if that fails, is it?
How would the server determine that the new connection is from the
same client if, say, duplicate-cn is in use? Sounds like opening up
new security holes to me..

>
> And always forgetting it on SIGUSR1 with normal reconnect will
> absolutely annoy users with mobile devices and otp password. Every roam
> between wifi and mobile will then reask for the password. Something the
> auth-token is designed to avoid.

Hmm.. auth-token is designed to avoid re-prompting for password/otp
during reneg. Not during SIGUSR1/SIGHUP restarts. Of course, it could
be made to handle such situations, but I'm not convinced that just
reusing the token set in a different context is a safe approach.

Selva



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen  wrote:
> Il 07/02/2018 21:58, David Sommerseth ha scritto:
>> On 07/02/18 20:32, Илья Шипицин wrote:
>>> After auth-token were introduced, when user press "Reconnect", it leads to
>>> auth fail (saved password is forgotten), we run about 1000 users, nobody
>>> complains.
>>
>> This is actually expected, I'd say - but smells like a bug on the server side
>> authentication.
>>
>> Selva may correct me if I'm wrong, but my understanding of it when clicking
>> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
>> and a new OpenVPN process is started.  The client should in this case ask for
>> username/password again.  So in this case, the server side should treat this
>> connection as a fresh connection with no initial state.
>>
>> The step of stopping the local client and starting a new and fresh one is
>> definitely not a bad feature to have on clients.
>>
>>> It looks like nobody uses that button.
>>>
>>> So, I asked several users, they confirmed they do not use Reconnect.
>>
>> This is no good argument for me.  This is one specific setup with 1000 users.
>> It would be more valuable with 50 different setups having 20 users each.  
>> Your
>> conclusion is based on a very homogeneous environment.
>
> I agree. I also agree that the underlying problem should be fixed.
>
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.

Only recently we added a reconnect item to the menu (earlier it was
only available as a button in the status window) for ease of doing
reconnects and based on user requests -- though I can't now find who
asked for it.

I wouldn't take lack of response on the user's list as an indication
that no one uses it. In fact it's very handy -- how else will you
restart a connection after editing the config file? Disconnect and
connect again? That would close the status window and lose all
messages in it and also takes a number of mouse clicks because of the
way tray popup menu behaves.

Anyway the purported reason to remove it is totally bogus. It's like
auth-token can't cope with SIGHUP, so let's remove that signal.

Finally, I'm a user too and I use that button all the time, though
mostly for testing. If that counts as a dissenting voice.

Selva



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
 wrote:
> On 08/02/18 04:36, Antonio Quartulli wrote:
>>
>>
>> On 08/02/18 04:41, David Sommerseth wrote:
>>> On 07/02/18 21:21, Selva Nair wrote:
>>>
 In my view auth-token handling in openvpn.exe is broken at multiple levels:

 Client process:
 (i) it should not remember the token after a reconnect is issued
>>>
>>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>>> at
>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>> though (hang-up).
>>
>> I discussed this with Arne as well, as he also had users complaining about this.
>>
>> The conclusion we came was that it may be meaningful, upon reconnection,
>> to try sending the token once (the token might be handled by external
>> server side scripts and might still be alive, so one attempt is worth it)
>> and if it fails then we should dump the token, ask the user for the
>> password and reconnect.

But this is the current behaviour, isn't it? So what's the difference?
I think it's wrong to reuse auth-token of one "connection"  in another
one.  A client restart leads to a new connection and that should get a
new token. Else a stolen token could be used in a new TLS session --
may sound far-fetched as one also has to steal the private key, but as
far as a user is concerned token is a place holder for their password
and OTP. It should be reused only for reneg.

I think the correct and easy fix is to wipe the token on the client
when it restarts by SIGUSR1 or SIGHUP.  If a server side script
doesn't like it that script is anyway broken.

>>
>>
>> This way we still save all those setups where the token survives fast
>> reconnections on the server side
>
> This sounds reasonable to me.  But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side.  Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

Any reason not to make explicit-exit-notify 1 as the default for UDP?

Selva



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Antonio Quartulli


On 08/02/18 20:20, David Sommerseth wrote:
>> This way we still save all those setups where the token survives fast
>> reconnections on the server side
> 
> This sounds reasonable to me.  But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side.  Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

I thought that the new CLIENT_HARD_RESET packet would still clear the
client session on the server.

No matter if we did send an exit-notify or not.


Cheers,


-- 
Antonio Quartulli





Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread David Sommerseth
On 08/02/18 04:36, Antonio Quartulli wrote:
> 
> 
> On 08/02/18 04:41, David Sommerseth wrote:
>> On 07/02/18 21:21, Selva Nair wrote:
>>
>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>
>>> Client process:
>>> (i) it should not remember the token after a reconnect is issued
>>
>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>> at
>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>> though (hang-up).
> 
> I discussed this with Arne as well, as he also had users complaining about this.
> 
> The conclusion we came was that it may be meaningful, upon reconnection,
> to try sending the token once (the token might be handled by external
> server side scripts and might still be alive, so one attempt is worth it)
> and if it fails then we should dump the token, ask the user for the
> password and reconnect.
> 
> 
> This way we still save all those setups where the token survives fast
> reconnections on the server side

This sounds reasonable to me.  But it is crucial that it is a proper
re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
to the server to close the session on the server side.  Otherwise you'll get
into some odd back-and-forth until the session is fully closed on the server.


-- 
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Gert Doering
Hi,

On Thu, Feb 08, 2018 at 01:26:27PM +0500, Илья Шипицин wrote:
> I also noticed nobody screaming "stop!!! do not remove that button!!!"

I hear at least two developers saying "do not remove the button", which 
closes the topic for me.

No need to discuss this further.

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
Il 08/02/2018 10:26, Илья Шипицин ha scritto:
> 
> 
> 2018-02-08 13:15 GMT+05:00 Samuli Seppänen:
> 
> Il 07/02/2018 21:58, David Sommerseth ha scritto:
> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> After auth-token were introduced, when user press "Reconnect", it 
> leads to
> >> auth fail (saved password is forgotten), we run about 1000 users, 
> nobody
> >> complains.
> >
> > This is actually expected, I'd say - but smells like a bug on the 
> server side
> > authentication.
> >
> > Selva may correct me if I'm wrong, but my understanding of it when 
> clicking
> > "Reconnect", the local OpenVPN process which caches the auth-token is 
> stopped
> > and a new OpenVPN process is started.  The client should in this case 
> ask for
> > username/password again.  So in this case, the server side should treat 
> this
> > connection as a fresh connection with no initial state.
> >
> > The step of stopping the local client and starting a new and fresh one 
> is
> > definitely not a bad feature to have on clients.
> >
> >> It looks like nobody uses that button.
> >>
> >> So, I asked several users, they confirmed they do not use Reconnect.
> >
> > This is no good argument for me.  This is one specific setup with 1000 
> users.
> > It would be more valuable with 50 different setups having 20 users 
> each.  Your
> > conclusion is based on a very homogeneous environment.
> 
> I agree. I also agree that the underlying problem should be fixed.
> 
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.
> 
> 
> I suggest doing that after the 2.4.5 installer.
> I'll write a post on the forum. I think it's even a good idea to put a
> snapshot installer with the new feature (i.e. button removed) on the forum as well.
> 
> After feedback is received we can take it into account and act.
> 
> I also noticed nobody screaming "stop!!! do not remove that button!!!"
> 
> Samuli ?
>  

Posting a message to forums does not bind us to anything, so feel free
to do it. If even one person screams then I suspect at least hundreds of
people are actually using the button.

If we remove the button it should be because next to nobody is using it
and we want to clean up the GUI and its codebase. We should not remove
it because it does not work due to lower-level issues, which should be
fixed instead.

The problem with snapshot installers is that unless we actually merge
the button-removing code into OpenVPN GUI master, people will not use
it. And announcing the snapshot installer on the mailing lists and
forums won't reach an audience any larger than your original email has.
So just asking about this on forums is probably enough.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Jan Just Keijser

Hi,

On 08/02/18 09:15, Samuli Seppänen wrote:

Il 07/02/2018 21:58, David Sommerseth ha scritto:

On 07/02/18 20:32, Илья Шипицин wrote:

After auth-token was introduced, when a user presses "Reconnect", it leads to
an auth failure (the saved password is forgotten). We run about 1000 users; nobody
complains.

This is actually expected, I'd say - but smells like a bug on the server side
authentication.

Selva may correct me if I'm wrong, but my understanding of it when clicking
"Reconnect", the local OpenVPN process which caches the auth-token is stopped
and a new OpenVPN process is started.  The client should in this case ask for
username/password again.  So in this case, the server side should treat this
connection as a fresh connection with no initial state.

The step of stopping the local client and starting a new and fresh one is
definitely not a bad feature to have on clients.


It looks like nobody uses that button.

So, I asked several users, they confirmed they do not use Reconnect.

This is no good argument for me.  This is one specific setup with 1000 users.
It would be more valuable with 50 different setups having 20 users each.  Your
conclusion is based on a very homogeneous environment.

I agree. I also agree that the underlying problem should be fixed.

That said, Ilya's message was sent to both openvpn-users and
openvpn-devel and nobody has screamed "do not remove the Reconnect
button" :). The only additional thing we can do is post a message to the
forums. As usual, the only sure way to get feedback (read: complaints)
is to release the changes in an official build/installer.

I won't be screaming "Don't remove that button" as I don't use OpenVPN 
on Windows that often, but I __DO__ find that button to be quite handy 
in the Windows GUI. I remember writing an OpenVPN book where I had to 
test and debug an OpenVPN setup on Windows and I found myself hitting 
that 'reconnect' button over and over. Of course, this was (probably?) 
all before auth tokens and I certainly did not use things like one-time 
passwords, but removing that button would have made the GUI much more 
annoying to me.


JM2CW,

JJK




Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Илья Шипицин
2018-02-08 13:15 GMT+05:00 Samuli Seppänen :

> Il 07/02/2018 21:58, David Sommerseth ha scritto:
> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> After auth-token were introduced, when user press "Reconnect", it leads
> to
> >> auth fail (saved password is forgotten), we run about 1000 users, nobody
> >> complains.
> >
> > This is actually expected, I'd say - but smells like a bug on the server
> side
> > authentication.
> >
> > Selva may correct me if I'm wrong, but my understanding of it when
> clicking
> > "Reconnect", the local OpenVPN process which caches the auth-token is
> stopped
> > and a new OpenVPN process is started.  The client should in this case
> ask for
> > username/password again.  So in this case, the server side should treat
> this
> > connection as a fresh connection with no initial state.
> >
> > The step of stopping the local client and starting a new and fresh one is
> > definitely not a bad feature to have on clients.
> >
> >> It looks like nobody uses that button.
> >>
> >> So, I asked several users, they confirmed they do not use Reconnect.
> >
> > This is no good argument for me.  This is one specific setup with 1000
> users.
> > It would be more valuable with 50 different setups having 20 users
> each.  Your
> > conclusion is based on a very homogeneous environment.
>
> I agree. I also agree that the underlying problem should be fixed.
>
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.
>
>
I suggest doing that after the 2.4.5 installer.
I'll write a post on the forum. I think it's even a good idea to put a snapshot
installer with the new feature (i.e. button removed) on the forum as well.

After feedback is received we can take it into account and act.

I also noticed nobody screaming "stop!!! do not remove that button!!!"

Samuli ?


> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
Il 07/02/2018 21:58, David Sommerseth ha scritto:
> On 07/02/18 20:32, Илья Шипицин wrote:
>> After auth-token was introduced, when a user presses "Reconnect", it leads to
>> an auth failure (the saved password is forgotten). We run about 1000 users; nobody
>> complains.
> 
> This is actually expected, I'd say - but smells like a bug on the server side
> authentication.
> 
> Selva may correct me if I'm wrong, but my understanding of it when clicking
> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> and a new OpenVPN process is started.  The client should in this case ask for
> username/password again.  So in this case, the server side should treat this
> connection as a fresh connection with no initial state.
> 
> The step of stopping the local client and starting a new and fresh one is
> definitely not a bad feature to have on clients.
> 
>> It looks like nobody uses that button.
>>
>> So, I asked several users, they confirmed they do not use Reconnect.
> 
> This is no good argument for me.  This is one specific setup with 1000 users.
> It would be more valuable with 50 different setups having 20 users each.  Your
> conclusion is based on a very homogeneous environment.

I agree. I also agree that the underlying problem should be fixed.

That said, Ilya's message was sent to both openvpn-users and
openvpn-devel and nobody has screamed "do not remove the Reconnect
button" :). The only additional thing we can do is post a message to the
forums. As usual, the only sure way to get feedback (read: complaints)
is to release the changes in an official build/installer.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Antonio Quartulli


On 08/02/18 04:41, David Sommerseth wrote:
> On 07/02/18 21:21, Selva Nair wrote:
> 
>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>
>> Client process:
>> (i) it should not remember the token after a reconnect is issued
> 
> Agreed.  This should trigger retrieving new user input in regards to SIGHUP at
> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a clearer semantic
> though (hang-up).

I discussed this with Arne as well, as he also had users complaining about this.

The conclusion we came to was that it may be meaningful, upon reconnection,
to try sending the token once (the token might be handled by external
server side scripts and might still be alive, so one attempt is worth it)
and if it fails then we should dump the token, ask the user for the
password and reconnect.


This way we still save all those setups where the token survives fast
reconnections on the server side.

Cheers,


-- 
Antonio Quartulli





Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Илья Шипицин
2018-02-08 1:43 GMT+05:00 Selva Nair :

> Hi,
>
> On Wed, Feb 7, 2018 at 3:30 PM, Илья Шипицин  wrote:
> >
> >
> > 2018-02-08 1:21 GMT+05:00 Selva Nair :
> >>
> >> Hi,
> >>
> >> On Wed, Feb 7, 2018 at 2:58 PM, David Sommerseth
> >>  wrote:
> >> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> >> After auth-token were introduced, when user press "Reconnect", it
> leads
> >> >> to
> >> >> auth fail (saved password is forgotten), we run about 1000 users,
> >> >> nobody
> >> >> complains.
> >> >
> >> > This is actually expected, I'd say - but smells like a bug on the
> server
> >> > side
> >> > authentication.
> >> >
> >> > Selva may correct me if I'm wrong, but my understanding of it when
> >> > clicking
> >> > "Reconnect", the local OpenVPN process which caches the auth-token is
> >> > stopped
> >> > and a new OpenVPN process is started.  The client should in this case
> >> > ask for
> >> > username/password again.  So in this case, the server side should
> treat
> >> > this
> >> > connection as a fresh connection with no initial state.
> >>
> >> GUI's reconnect button is wired to send a SIGHUP to the client openvpn
> >> process. The problem is that if auth-token is in use, the client
> >> openvpn.exe does not forget it when restarting the connection by
> >> SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
> >> an AUTH_FAILED from server. The GUI has hard time distinguishing
> >> between reasons for AUTH_FAILED, so it just assumes that password
> >> verification failed and clears the saved password and prompts for a
> >> new one. Obviously users are not happy.
> >
> >
> > users don't care :)
> >
> > If they were ever unhappy, we should fix it.
> >
> > Currently, I'm open to ideas on how to perform a (proper) investigation in
> > order to actually remove the "Reconnect" button
>
> I do not understand why you keep harping about removing the reconnect
> button.
>
> If you are angry with auth-token do not take it out on the wrong
> victim. It's not the reconnect button's fault. In fact, if your users do not
> use it, why bother?
>


Those victims are not mutually exclusive.

I noticed that nobody cares about the broken behaviour of the "Reconnect" button. So,
I suggest removing it (as a user, I cannot imagine when
I would press it ... probably something like "change IP address on
reconnect", like I do with Tor).

Also, I think that auth-token should be handled in a better way.


>
> Selva
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Selva Nair
Hi,

On Wed, Feb 7, 2018 at 3:41 PM, David Sommerseth
 wrote:
> On 07/02/18 21:21, Selva Nair wrote:
>>> Selva may correct me if I'm wrong, but my understanding of it when clicking
>>> "Reconnect", the local OpenVPN process which caches the auth-token is 
>>> stopped
>>> and a new OpenVPN process is started.  The client should in this case ask 
>>> for
>>> username/password again.  So in this case, the server side should treat this
>>> connection as a fresh connection with no initial state.
>>
>> GUI's reconnect button is wired to send a SIGHUP to the client openvpn
>> process. The problem is that if auth-token is in use, the client
>> openvpn.exe does not forget it when restarting the connection by
>> SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
>> an AUTH_FAILED from server. The GUI has hard time distinguishing
>> between reasons for AUTH_FAILED, so it just assumes that password
>> verification failed and clears the saved password and prompts for a
>> new one. Obviously users are not happy.
>
> Ahh, thanks for the correction!
>
>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>
>> Client process:
>> (i) it should not remember the token after a reconnect is issued
>
> Agreed.  This should trigger retrieving new user input in regards to SIGHUP at
> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a clearer semantic
> though (hang-up).

IIRC, the server creates a new context on both SIGUSR1 and SIGHUP
(and auth-token gets wiped). So I think the client should dump it
before sending SIGUSR1 and SIGHUP.

>
>> (ii) it should not remember the auth-token when auth-nocache is in
>> effect --- without that there is no way for the GUI to take over
>> handling auth-token. In my view auth-nocache is the only way
>> openvpn.exe can stand aside and let the GUI take over all password
>> handling. Unless we introduce a --management-auth-token flag.
>
> Currently, OpenVPN will display the auth-token in the management interface
> when received.  So the management interface should be able to capture it and
> at least know that a token has been received.  But it should also have a
> chance to override it.
>
>> Else what's the use of sending the token to the management interface?
>
> After a discussion with James in regards to the opposite problem with
> NetworkManager.  NM would actually disconnect clients on each tunnel
> renegotiation, as the auth-token was not cached by the NM-openvpn plugin.
>
> We agreed the OpenVPN process was the owner of the token value, not the
> management interface.  So commit 571165360db0392f was applied.  Now we at
> least have a lot more happy NM users :)

I see. In that case a --management-auth-token or an extra parameter to
management-auth would help. A willing GUI can then use that to
indicate that it'll handle auth-token. Otherwise, openvpn should keep
track of password and auth-token separately instead of using the same
data structure to save it. And notify the GUI whether the failure was
in auth-token or password.

One way for the GUI to handle the current situation is to not take the
first AUTH_FAILED seriously (i.e. keep the saved password) when
auth-token is in use. But I would consider that a hack.

>
>> Server process
>> (iii) --gen-auth-token with an expiry just doesn't work -- we need to
>> have a mechanism for the server to tell the client that the token has
>> expired.
>
> Agreed.  We've started looking into this.  But it will require a bigger API
> overhaul to get the needed structs at the proper place where we can send the
> "auth-token expired" message back to the client.  The code paths involved,
> both the control channel message sending and the authentication functions, have
> quite different views of the session related structs.

In the meantime we can just document not to use token expiry.

Selva



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Selva Nair
Hi,

On Wed, Feb 7, 2018 at 3:30 PM, Илья Шипицин  wrote:
>
>
> 2018-02-08 1:21 GMT+05:00 Selva Nair :
>>
>> Hi,
>>
>> On Wed, Feb 7, 2018 at 2:58 PM, David Sommerseth
>>  wrote:
>> > On 07/02/18 20:32, Илья Шипицин wrote:
>> >> After auth-token were introduced, when user press "Reconnect", it leads
>> >> to
>> >> auth fail (saved password is forgotten), we run about 1000 users,
>> >> nobody
>> >> complains.
>> >
>> > This is actually expected, I'd say - but smells like a bug on the server
>> > side
>> > authentication.
>> >
>> > Selva may correct me if I'm wrong, but my understanding of it when
>> > clicking
>> > "Reconnect", the local OpenVPN process which caches the auth-token is
>> > stopped
>> > and a new OpenVPN process is started.  The client should in this case
>> > ask for
>> > username/password again.  So in this case, the server side should treat
>> > this
>> > connection as a fresh connection with no initial state.
>>
>> GUI's reconnect button is wired to send a SIGHUP to the client openvpn
>> process. The problem is that if auth-token is in use, the client
>> openvpn.exe does not forget it when restarting the connection by
>> SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
>> an AUTH_FAILED from server. The GUI has hard time distinguishing
>> between reasons for AUTH_FAILED, so it just assumes that password
>> verification failed and clears the saved password and prompts for a
>> new one. Obviously users are not happy.
>
>
> users don't care :)
>
> If they were ever unhappy, we should fix it.
>
> Currently, I'm open to ideas on how to perform a (proper) investigation in
> order to actually remove the "Reconnect" button

I do not understand why you keep harping about removing the reconnect button.

If you are angry with auth-token do not take it out on the wrong
victim. It's not the reconnect button's fault. In fact, if your users do not
use it, why bother?

Selva



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread David Sommerseth
On 07/02/18 21:30, Илья Шипицин wrote:
> 
> If they were ever unhappy, we should fix it.
> 
> Currently, I'm open to ideas on how to perform a (proper) investigation in order
> to actually remove the "Reconnect" button

Removing the button isn't the solution.  That's a workaround.

We should fix the real bug instead.


-- 
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread David Sommerseth
On 07/02/18 21:21, Selva Nair wrote:
>> Selva may correct me if I'm wrong, but my understanding of it when clicking
>> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
>> and a new OpenVPN process is started.  The client should in this case ask for
>> username/password again.  So in this case, the server side should treat this
>> connection as a fresh connection with no initial state.
> 
> GUI's reconnect button is wired to send a SIGHUP to the client openvpn
> process. The problem is that if auth-token is in use, the client
> openvpn.exe does not forget it when restarting the connection by
> SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
> an AUTH_FAILED from server. The GUI has hard time distinguishing
> between reasons for AUTH_FAILED, so it just assumes that password
> verification failed and clears the saved password and prompts for a
> new one. Obviously users are not happy.

Ahh, thanks for the correction!

> In my view auth-token handling in openvpn.exe is broken at multiple levels:
> 
> Client process:
> (i) it should not remember the token after a reconnect is issued

Agreed.  This should trigger retrieving new user input in regards to SIGHUP at
least.  Not sure yet about SIGUSR1 though.  SIGHUP has a clearer semantic
though (hang-up).

> (ii) it should not remember the auth-token when auth-nocache is in
> effect --- without that there is no way for the GUI to take over
> handling auth-token. In my view auth-nocache is the only way
> openvpn.exe can stand aside and let the GUI take over all password
> handling. Unless we introduce a --management-auth-token flag.

Currently, OpenVPN will display the auth-token in the management interface
when received.  So the management interface should be able to capture it and
at least know that a token has been received.  But it should also have a
chance to override it.

> Else what's the use of sending the token to the management interface?

After a discussion with James in regards to the opposite problem with
NetworkManager.  NM would actually disconnect clients on each tunnel
renegotiation, as the auth-token was not cached by the NM-openvpn plugin.

We agreed the OpenVPN process was the owner of the token value, not the
management interface.  So commit 571165360db0392f was applied.  Now we at
least have a lot more happy NM users :)

> Server process
> (iii) --gen-auth-token with an expiry just doesn't work -- we need to
> have a mechanism for the server to tell the client that the token has
> expired.

Agreed.  We've started looking into this.  But it will require a bigger API
overhaul to get the needed structs at the proper place where we can send the
"auth-token expired" message back to the client.  The code paths involved,
both the control channel message sending and the authentication functions, have
quite different views of the session related structs.

>>> It looks like nobody uses that button.
>>>
>>> So, I asked several users, they confirmed they do not use Reconnect.
>> This is no good argument for me.  This is one specific setup with 1000 users.
>> It would be more valuable with 50 different setups having 20 users each.  
>> Your
>> conclusion is based on a very homogeneous environment.
> 
> Indeed. Actually I use that button frequently.
> 
>>> After auth-token were introduced, when user press "Reconnect", it leads to
>>> auth fail (saved password is forgotten),
> 
> That reads as if introduction of auth-token broke reconnect. It did
> not. Only those users who have 2-factor turned on and use
> --gen-auth-token on the server are affected.

Yeah, I can see that being a bad combination.  We clearly didn't consider the
"restart" scenario well enough.


-- 
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Илья Шипицин
2018-02-08 1:21 GMT+05:00 Selva Nair :

> Hi,
>
> On Wed, Feb 7, 2018 at 2:58 PM, David Sommerseth
>  wrote:
> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> After auth-token were introduced, when user press "Reconnect", it leads
> to
> >> auth fail (saved password is forgotten), we run about 1000 users, nobody
> >> complains.
> >
> > This is actually expected, I'd say - but smells like a bug on the server
> side
> > authentication.
> >
> > Selva may correct me if I'm wrong, but my understanding of it when
> clicking
> > "Reconnect", the local OpenVPN process which caches the auth-token is
> stopped
> > and a new OpenVPN process is started.  The client should in this case
> ask for
> > username/password again.  So in this case, the server side should treat
> this
> > connection as a fresh connection with no initial state.
>
> GUI's reconnect button is wired to send a SIGHUP to the client openvpn
> process. The problem is that if auth-token is in use, the client
> openvpn.exe does not forget it when restarting the connection by
> SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
> an AUTH_FAILED from server. The GUI has hard time distinguishing
> between reasons for AUTH_FAILED, so it just assumes that password
> verification failed and clears the saved password and prompts for a
> new one. Obviously users are not happy.
>

users don't care :)

If they were ever unhappy, we should fix it.

Currently, I'm open to ideas on how to perform a (proper) investigation in
order to actually remove the "Reconnect" button.


>
> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>
> Client process:
> (i) it should not remember the token after a reconnect is issued
> (ii) it should not remember the auth-token when auth-nocache is in
> effect --- without that there is no way for the GUI to take over
> handling auth-token. In my view auth-nocache is the only way
> openvpn.exe can stand aside and let the GUI take over all password
> handling. Unless we introduce a --management-auth-token flag. Else
> what's the use of sending the token to the management interface?
> In other words if a user wants auth-token and no GUI, they should not
> use auth-nocache, GUI users should use it if they want the GUI to
> control all password requests. No need to bend over backwards to
> support auth-nocache with auth-token as we now do.
>
> Server process
> (iii) --gen-auth-token with an expiry just doesn't work -- we need to
> have a mechanism for the server to tell the client that the token has
> expired.
>
> >> It looks like nobody uses that button.
> >>
> >> So, I asked several users, they confirmed they do not use Reconnect.
> >This is no good argument for me.  This is one specific setup with 1000
> users.
> >It would be more valuable with 50 different setups having 20 users each.
> Your
> >conclusion is based on a very homogeneous environment.
>
> Indeed. Actually I use that button frequently.
>
> >> After auth-token were introduced, when user press "Reconnect", it leads
> to
> >> auth fail (saved password is forgotten),
>
> That reads as if introduction of auth-token broke reconnect. It did
> not. Only those users who have 2-factor turned on and use
> --gen-auth-token on the server are affected.
>
> Selva
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Selva Nair
Hi,

On Wed, Feb 7, 2018 at 2:58 PM, David Sommerseth
 wrote:
> On 07/02/18 20:32, Илья Шипицин wrote:
>> After auth-token was introduced, when a user presses "Reconnect", it leads to
>> an auth failure (the saved password is forgotten). We run about 1000 users; nobody
>> complains.
>
> This is actually expected, I'd say - but smells like a bug on the server side
> authentication.
>
> Selva may correct me if I'm wrong, but my understanding of it when clicking
> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> and a new OpenVPN process is started.  The client should in this case ask for
> username/password again.  So in this case, the server side should treat this
> connection as a fresh connection with no initial state.

GUI's reconnect button is wired to send a SIGHUP to the client openvpn
process. The problem is that if auth-token is in use, the client
openvpn.exe does not forget it when restarting the connection by
SIGHUP or SIGUSR1 -- I think it should but it doesn't. That leads to
an AUTH_FAILED from server. The GUI has hard time distinguishing
between reasons for AUTH_FAILED, so it just assumes that password
verification failed and clears the saved password and prompts for a
new one. Obviously users are not happy.

In my view auth-token handling in openvpn.exe is broken at multiple levels:

Client process:
(i) it should not remember the token after a reconnect is issued
(ii) it should not remember the auth-token when auth-nocache is in
effect --- without that there is no way for the GUI to take over
handling auth-token. In my view auth-nocache is the only way
openvpn.exe can stand aside and let the GUI take over all password
handling. Unless we introduce a --management-auth-token flag. Else
what's the use of sending the token to the management interface?
In other words if a user wants auth-token and no GUI, they should not
use auth-nocache, GUI users should use it if they want the GUI to
control all password requests. No need to bend over backwards to
support auth-nocache with auth-token as we now do.

Server process
(iii) --gen-auth-token with an expiry just doesn't work -- we need to
have a mechanism for the server to tell the client that the token has
expired.

>> It looks like nobody uses that button.
>>
>> So, I asked several users, they confirmed they do not use Reconnect.
>This is no good argument for me.  This is one specific setup with 1000 users.
>It would be more valuable with 50 different setups having 20 users each.  Your
>conclusion is based on a very homogeneous environment.

Indeed. Actually I use that button frequently.

>> After auth-token were introduced, when user press "Reconnect", it leads to
>> auth fail (saved password is forgotten),

That reads as if introduction of auth-token broke reconnect. It did
not. Only those users who have 2-factor turned on and use
--gen-auth-token on the server are affected.

Selva
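As an added illustration (not code from this thread, from openvpn.exe or from openvpn-gui), the toy model below replays the sequence Selva describes: Reconnect sends SIGHUP, the client keeps its cached auth-token, the server answers AUTH_FAILED, and the GUI wipes the saved password. It then compares that with the two remedies raised in the thread, dumping the token before the restart (point (i) above) and Antonio's "send it once, then fall back to the password". The Server, Client and Gui classes, the user "alice", the password and the token format are all constructed stand-ins; whether a token outlives the session is a knob because the thread notes server-side scripts may keep it alive.

```python
"""Constructed model of the Reconnect / auth-token interaction (not OpenVPN code).
Server stands in for a --gen-auth-token server, Client for openvpn.exe, Gui for
openvpn-gui. Whether a token outlives the client session is a knob, because the
thread notes external server-side scripts may keep it alive."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets

TYPED_PASSWORD = "s3cret"  # constructed: what the user types when prompted


@dataclass
class Server:
    passwords: Dict[str, str]
    token_survives_reconnect: bool
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> user

    def new_session(self, user: str) -> None:
        # A fresh session from the same user: the old token dies with the old one
        if not self.token_survives_reconnect:
            self.tokens = {t: u for t, u in self.tokens.items() if u != user}

    def authenticate(self, user: str, secret: str) -> Tuple[str, Optional[str]]:
        if self.tokens.get(secret) == user:         # live auth-token
            return "AUTH_OK", secret
        if self.passwords.get(user) == secret:      # real password: mint a token
            token = "tok-" + secrets.token_hex(8)
            self.tokens[token] = user
            return "AUTH_OK", token
        return "AUTH_FAILED", None


@dataclass
class Gui:
    saved_password: Optional[str]
    prompts: int = 0

    def get_password(self) -> str:
        if self.saved_password is not None:
            return self.saved_password
        self.prompts += 1                  # user has to type it again
        return TYPED_PASSWORD

    def on_auth_failed(self) -> None:
        # Cannot tell a rejected token from a wrong password: assume the latter
        self.saved_password = None


@dataclass
class Client:
    user: str
    gui: Gui
    server: Server
    # "buggy":           keep the token across SIGHUP (behaviour in the thread)
    # "dump_on_restart": forget the token before reconnecting (Selva's point (i))
    # "try_token_once":  send it once, fall back to the password quietly (Antonio)
    policy: str = "buggy"
    token: Optional[str] = None

    def connect(self) -> str:
        self.server.new_session(self.user)
        if self.token is not None:
            status, tok = self.server.authenticate(self.user, self.token)
            if status == "AUTH_OK":
                self.token = tok
                return "CONNECTED"
            self.token = None                       # the token was stale
            if self.policy != "try_token_once":
                self.gui.on_auth_failed()           # GUI wipes the saved password
                return "AUTH_FAILED"
        status, tok = self.server.authenticate(self.user, self.gui.get_password())
        if status == "AUTH_OK":
            self.token = tok
            return "CONNECTED"
        self.gui.on_auth_failed()
        return "AUTH_FAILED"

    def sighup(self) -> str:
        """What the GUI's Reconnect button triggers in the client process."""
        if self.policy == "dump_on_restart":
            self.token = None
        return self.connect()


def reconnect_scenario(policy: str, token_survives: bool) -> dict:
    # Connect once with a saved password, press Reconnect, report what the user sees
    server = Server({"alice": TYPED_PASSWORD}, token_survives)
    gui = Gui(saved_password=TYPED_PASSWORD)
    client = Client("alice", gui, server, policy=policy)
    assert client.connect() == "CONNECTED"
    first_token = client.token
    outcome = client.sighup()
    if outcome == "AUTH_FAILED":        # GUI relaunches after prompting the user
        outcome = client.connect()
    return {"outcome": outcome, "prompts": gui.prompts,
            "saved_password_kept": gui.saved_password is not None,
            "token_reused": client.token == first_token}
```

With the "buggy" policy and a token that does not survive the restart, the user is prompted once and loses the saved password; both remedies reconnect without a prompt, and only "try_token_once" reuses the token when the server still honours it.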



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread David Sommerseth
On 07/02/18 20:32, Илья Шипицин wrote:
> After auth-token was introduced, when a user presses "Reconnect", it leads to
> an auth failure (the saved password is forgotten). We run about 1000 users; nobody
> complains.

This is actually expected, I'd say - but smells like a bug on the server side
authentication.

Selva may correct me if I'm wrong, but my understanding of it when clicking
"Reconnect", the local OpenVPN process which caches the auth-token is stopped
and a new OpenVPN process is started.  The client should in this case ask for
username/password again.  So in this case, the server side should treat this
connection as a fresh connection with no initial state.

The step of stopping the local client and starting a new and fresh one is
definitely not a bad feature to have on clients.

> It looks like nobody uses that button.
> 
> So, I asked several users, they confirmed they do not use Reconnect.

This is no good argument for me.  This is one specific setup with 1000 users.
It would be more valuable with 50 different setups having 20 users each.  Your
conclusion is based on a very homogeneous environment.


-- 
kind regards,

David Sommerseth
OpenVPN Inc



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Илья Шипицин
After auth-token was introduced, when a user presses "Reconnect", it leads to
auth fail (saved password is forgotten); we run about 1000 users, nobody
complains.

It looks like nobody uses that button.

So, I asked several users, they confirmed they do not use Reconnect.

On Feb 8, 2018 12:07 AM, "Selva Nair"  wrote:

> Hi,
>
> On Wed, Feb 7, 2018 at 1:47 AM, Илья Шипицин  wrote:
> > Hi,
> >
> > based on our UX investigation, I think we can remove "Reconnect" button
> for
> > good.
>
> I also would like to know how and why you came to that conclusion.
>
> Thanks,
>
> Selva
>


Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-07 Thread Selva Nair
Hi,

On Wed, Feb 7, 2018 at 1:47 AM, Илья Шипицин  wrote:
> Hi,
>
> based on our UX investigation, I think we can remove "Reconnect" button for
> good.

I also would like to know how and why you came to that conclusion.

Thanks,

Selva
