OpenVPN authentication
Juan Francisco Brunet Zuniga
jbrunet at alumnos.inf.utfsm.cl
Thu Oct 12 16:19:07 CLT 2006
Hello to the list,
I have an openvpn server with the following configuration
/etc/openvpn.conf
-----------
port 1194
proto udp
dev tun
ca 2.0/keys/ca.crt
cert 2.0/keys/server.inf.utfsm.cl.crt
key 2.0/keys/server.inf.utfsm.cl.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 7
management localhost 7505
client-cert-not-required
username-as-common-name
--auth-user-pass-verify /usr/share/doc/openvpn-2.0.7/sample-scripts/auth-pam.pl via-env
----------
The thing is that when I try to authenticate the client via NetworkManager it
throws a TLS error.
Log with verb 7
----------
Oct 12 16:01:17 server openvpn[32165]: MULTI: multi_create_instance called
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Re-using SSL/TLS
context
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 LZO compression
initialized
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 MTU DYNAMIC mtu=0,
flags=1, 0 -> 138
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 PID packet_id_init
seq_backtrack=64 time_backtrack=15
Oct 12 16:01:17 server last message repeated 3 times
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Control Channel MTU
parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 MTU DYNAMIC mtu=1450,
flags=2, 1542 -> 1450
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Data Channel MTU parms
[ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Local Options String:
'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Expected Remote
Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto
UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Local Options hash
(VER=V4): '530fdded'
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 Expected Remote
Options hash (VER=V4): '41690919'
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 GET INST BY REAL:
ipcliente:33125 [created]
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 READ [14] from
ipcliente:33125: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 TLS: Initial packet
from ipcliente:33125, sid=c02029bc 543837ae
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [26] to
ipcliente:33125: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Oct 12 16:01:17 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 READ [22] from
ipcliente:33125: P_ACK_V1 kid=0 [ 0 ]
Oct 12 16:01:17 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 READ [114] from
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [126] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=100
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [114] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [114] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=100
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [114] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=100
Oct 12 16:01:17 server openvpn[32165]: ipcliente:33125 ACK output sequence
broken: [5] 1 2 3 4
[...many similar messages...]
Oct 12 16:01:19 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [22] to
ipcliente:33125: P_ACK_V1 kid=0 [ 2 ]
Oct 12 16:01:19 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:19 server openvpn[32165]: ipcliente:33125 UDPv4 READ [112] from
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=98
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [85] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ 3 ] pid=27 DATA len=59
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 UDPv4 READ [44] from
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=30
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 SYSTEM[1]
'/usr/share/doc/openvpn-2.0.7/sample-scripts/auth-pam.pl '
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [0]
'untrusted_port=33125'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [1]
'untrusted_ip=ipcliente'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [2]
'password=password'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [3]
'username=user'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [4]
'script_type=user-pass-verify'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [5]
'daemon_log_redirect=0'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [6] 'daemon=1'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [7] 'verb=7'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [8]
'local_port=1194'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [9] 'proto=udp'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [10]
'config=server.conf'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [11]
'ifconfig_local=10.8.0.1'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [12]
'ifconfig_remote=10.8.0.2'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [13]
'route_net_gateway=ipdelgateway'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [14]
'route_vpn_gateway=10.8.0.2'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [15]
'route_network_1=10.8.0.0'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [16]
'route_netmask_1=255.255.255.0'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [17]
'route_gateway_1=10.8.0.2'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [18]
'script_context=init'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [19]
'tun_mtu=1500'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [20]
'link_mtu=1542'
Oct 12 16:01:20 server openvpn[32165]: ipcliente:33125 ENV [21] 'dev=tun0'
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 SYSTEM return=32256
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 TLS Auth Error: Auth
Username/Password verification failed for peer
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [126] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ 7 ] pid=28 DATA len=100
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [114] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=100
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [80] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=66
Oct 12 16:01:21 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 READ [44] from
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=30
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [22] to
ipcliente:33125: P_ACK_V1 kid=0 [ 7 ]
Oct 12 16:01:21 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 READ [22] from
ipcliente:33125: P_ACK_V1 kid=0 [ 28 ]
Oct 12 16:01:21 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 READ [22] from
ipcliente:33125: P_ACK_V1 kid=0 [ 29 ]
Oct 12 16:01:21 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 UDPv4 READ [22] from
ipcliente:33125: P_ACK_V1 kid=0 [ 30 ]
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 Control Channel:
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Oct 12 16:01:21 server openvpn[32165]: ipcliente:33125 [] Peer Connection
Initiated with ipcliente:33125
Oct 12 16:01:22 server openvpn[32165]: GET INST BY REAL: ipcliente:33125
[succeeded]
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 UDPv4 READ [104] from
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=8 DATA len=90
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 PUSH: Received control
message: 'PUSH_REQUEST'
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 SENT CONTROL [UNDEF]:
'AUTH_FAILED' (status=1)
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 Delayed exit in 5
seconds
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [22] to
ipcliente:33125: P_ACK_V1 kid=0 [ 8 ]
Oct 12 16:01:22 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [104] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=31 DATA len=90
Oct 12 16:01:24 server openvpn[32165]: ipcliente:33125 UDPv4 WRITE [104] to
ipcliente:33125: P_CONTROL_V1 kid=0 [ ] pid=31 DATA len=90
Oct 12 16:01:24 server openvpn[32165]: read UDPv4 [ECONNREFUSED]: Connection
refused (code=111)
Oct 12 16:01:27 server openvpn[32165]: MULTI: REAP range 224 -> 240
Oct 12 16:01:27 server openvpn[32165]: ipcliente:33125
SIGTERM[soft,delayed-exit] received, client-instance exiting
Oct 12 16:01:27 server openvpn[32165]: MULTI: multi_close_instance called
Oct 12 16:01:27 server openvpn[32165]: PID packet_id_free
Oct 12 16:01:27 server last message repeated 8 times
---------
The thing is that the server receives the data to authenticate, but it doesn't do it.
The server also has an LDAP directory authenticating the users, and I can
log in with the user and the password on the server.
I tried to use the plugin that ships with openvpn for authentication
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
and the server doesn't even come up.
Any ideas?
Has anyone developed their own authentication script?
Help please
--
Juan Francisco Brunet Zuniga
Computing and Internet Services Unit
Department of Informatics, UTFSM
Civil Informatics Engineering student, UTFSM
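Added example, not part of the original post and not OpenVPN's own sample script: a minimal `auth-user-pass-verify` script of the kind the poster asks about, written for `via-file` mode (OpenVPN writes the username on the first line and the password on the second line of a temporary file whose path is the script's only argument, then deletes the file). The credential store, user name and password in it are constructed for the example; a real deployment would verify against PAM or LDAP instead. The block also decodes the `SYSTEM return=32256` value seen in the log above: OpenVPN 2.0 logs the raw wait status, whose high byte is the child's exit code, so 32256 is exit code 126, the conventional "found but cannot execute" status. `via-file` is used rather than `via-env` because, as the verb 7 log shows, environment-passed credentials are written to the log in cleartext.

```python
#!/usr/bin/env python3
"""Constructed OpenVPN auth-user-pass-verify script (via-file mode).

Exit status 0 tells OpenVPN the credentials are valid; anything else
is an authentication failure.
"""
import hashlib
import hmac
import os
import sys

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(plain_credentials: dict) -> dict:
    """Build a salted, hashed credential store from plaintext pairs (constructed data only)."""
    store = {}
    for user, password in plain_credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


# Constructed credential store; these names do not come from the original post.
USERS = make_store({"alice": "correct-horse-battery"})


def verify(store: dict, username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still pay the hashing cost."""
    entry = store.get(username)
    if entry is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def parse_credentials(text: str) -> tuple:
    """Parse the two-line via-file format: username on line 1, password on line 2."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain a username line and a password line")
    return lines[0], lines[1]


def read_credentials(path: str) -> tuple:
    """Read the temporary credential file OpenVPN passes as argv[1]."""
    with open(path, "r", encoding="utf-8") as handle:
        return parse_credentials(handle.read())


def decode_system_return(status: int) -> tuple:
    """Decode a raw wait status as logged by 'SYSTEM return=N' (exit code in bits 8-15, signal in bits 0-6)."""
    if status & 0x7F:
        return ("signal", status & 0x7F)
    return ("exit", (status >> 8) & 0xFF)


def main(argv: list) -> int:
    if len(argv) != 2:
        print("usage: auth-user-pass-verify <credential-file>", file=sys.stderr)
        return 1
    try:
        username, password = read_credentials(argv[1])
    except (OSError, ValueError) as exc:
        print(f"auth script error: {exc}", file=sys.stderr)
        return 1
    # Never print the password; OpenVPN already logs the username via username-as-common-name.
    return 0 if verify(USERS, username, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the script installed as an executable file (the 126 status above is exactly what a non-executable script produces), the server line would read `auth-user-pass-verify /etc/openvpn/auth.py via-file`; on OpenVPN 2.1 and later, `script-security 2` is also required before any external script is run.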