openvpn-openssl: Compile management interface by default

[kosli]

resolves #21534

Compile tested: OpenWRT 22.03.5, OpenVPN 2.5.7, x86_64 openvpn-openssl & openvpn-mbedtls. Whereas opevpn-wolfssl failed.
Run tested: OpenWRT 22.03.5, OpenVPN 2.5.7, x86_64 all my existing OpenVPN server and client connections worked fine, especially the auth-user-pass-verify featured finally worked as expected. I have tested only the openvpn-openssl package.

This patch is only for enabling it on the openvpn-openssl package.

[kosli]

FYI, the problem with the openvpn-wolfssl compile error with the management interface is mentioned in #18587

[AuthorReflex]

FYI, the problem with the openvpn-wolfssl compile error with the management interface is mentioned in #18587

Problem with wolfSSL is solved in #21547 for version 2.6.5

[sch-m]

FYI, the problem with the openvpn-wolfssl compile error with the management interface is mentioned in #18587

Problem with wolfSSL is solved in #21547 for version 2.6.5

The problem still exists in my pull request #21547 . I think i have to extend the wolfssl patch like it is done in #21322 .
Will update the PR tomorrow.

[sch-m]

I have added 2 further wolfSSL patches to #21547 . I only did compile tests, no runtime tests with wolfSSL.

[kosli]

@AuthorReflex

• Will the 2.6.5 package be included in the upcoming OpenWRT 23.05 release? As I see that currently there is 2.5.8 included.
• Will the manamgent interface be compiled in by default on the 2.6.5 package if wolfSSL can compile the managment interface too?

[AuthorReflex]

In my opinion this is not the good idea due to two aspects: size and security
size: most installations on routers use vpn as clients. Client do not needed this functional, and in embedded devices, size is critical.
security: as described in the documentation, the control protocol is absolutely not secure. Any misconfiguration of the management interface is potentially vulnerable.
Experienced administrators who really need it can independently assemble the option they need. BTW, this is a issue on the OpenVPN itself, let's wait for an answer to the created issue

[kosli]

Thanks @AuthorReflex
I understand your concerns.
Regards security: Even if compiled, the management interface needs to be explicitly activated per server/client. If the management interface is activated on a unix socket and not on a tcp socket, the management interface cannot be accessed remotely, even if the firewall would be misconfigured.
In addition, the management interface, in general, would allow the OpenWRT UI to show the active connections. E.g. OPNsense shows clients connected to the server or if the client is successfully connected to a server. This would be a great feature for OpenWRT too.

Despite the above points, without the managment interface being compiled in, the authentication of OpenVPN users via a script does not work as expected.

Or what about having a openvpn-openssl-full package (like dnsmasq-full) so that the user has the choice?

[AuthorReflex]

@kosli
If the authentication functionality depends on other unrelated and optional functionality, this is a design or implementation error and should be fixed. Can you send me the server and client config files and a verification script sample so I can try to reproduce?

[kosli]

@AuthorReflex
I'll prepare you a sample, just haven't had time yet :-(
In general it is just the auth-user-pass-verify option -> point it to a shell script that exists always with 0, everything works fine. it the script exists with a 1, it should return the client an error but nothing happens and the client waits until a timeout happens. as mentioned in the forum
I'll see if I get some time tomorrow to prepare it for you.

[kosli]

@AuthorReflex
Please find attached the sample server & client config.
The directory "server" holds all the relevant files for the server part whereas the client configuration is put alltogether in one single .ovpn file.
In addition I have added openvpn-openssl ipk filed compiled with the management option enabled.
If you try to connect with the client to the original openvpn server, if the auth.sh script exists with a non-zero exit code, the client will just "hang" and still wait for a reply (AUTH_FAILED) from the server. If you connect to the openvpn server with the managment option compiled in, the client will immediately receive the AUTH_FAILED answer and act appropriately.
The CA, certificates & keys have been generatead with easyrsa only for this sample, so they are not used in any other system.
openwrt-openvpn-21546.tar.gz

[AuthorReflex]

@AuthorReflex Please find attached the sample server & client config. The directory "server" holds all the relevant files for the server part whereas the client configuration is put alltogether in one single .ovpn file. In addition I have added openvpn-openssl ipk filed compiled with the management option enabled. If you try to connect with the client to the original openvpn server, if the auth.sh script exists with a non-zero exit code, the client will just "hang" and still wait for a reply (AUTH_FAILED) from the server. If you connect to the openvpn server with the managment option compiled in, the client will immediately receive the AUTH_FAILED answer and act appropriately. The CA, certificates & keys have been generatead with easyrsa only for this sample, so they are not used in any other system. openwrt-openvpn-21546.tar.gz

Thanks. Can you in additional provide client config? You can remove certs from archive, I will use my own

[kosli]

@AuthorReflex Please find attached the sample server & client config. The directory "server" holds all the relevant files for the server part whereas the client configuration is put alltogether in one single .ovpn file. In addition I have added openvpn-openssl ipk filed compiled with the management option enabled. If you try to connect with the client to the original openvpn server, if the auth.sh script exists with a non-zero exit code, the client will just "hang" and still wait for a reply (AUTH_FAILED) from the server. If you connect to the openvpn server with the managment option compiled in, the client will immediately receive the AUTH_FAILED answer and act appropriately. The CA, certificates & keys have been generatead with easyrsa only for this sample, so they are not used in any other system. openwrt-openvpn-21546.tar.gz

Thanks. Can you in additional provide client config? You can remove certs from archive, I will use my own

as written, the client config is the .ovpn file included in the archive, or have I missed to add it? (writing from mobile phone right now)

[kosli]

@AuthorReflex Have you been able to test it with the client.ovpn or do you need help with the client configuration?

The client configuration is straightforward:

remote <your server address>
dev tun

auth-user-pass

cipher AES-128-CBC
comp-lzo no

besides the CA, cert & key you need to use the same DH key as on the server side.

[AuthorReflex]

@AuthorReflex Have you been able to test it with the client.ovpn or do you need help with the client configuration?

The client configuration is straightforward:

remote <your server address>
dev tun

auth-user-pass

cipher AES-128-CBC
comp-lzo no

besides the CA, cert & key you need to use the same DH key as on the server side.

In a quick test, I couldn't get the results I wanted. I will continue testing this week

[AuthorReflex]

So I ran some tests. There are a few inaccuracies in your configuration to note.

• in the auth.sh script, the interpreter should be /bin/sh instead of /bin/bash
• the auth-user-pass option in case of non-interactive operation should point to the file with the client login and password

Under these conditions, the return code of the auth.sh script is processed correctly regardless of the MANAGEMENT_INTERFACE option enabled

For tests, I use Xiaomi mi-mini router. My config files listed below

openvpn-server.conf (generated from /etc/config/openvpn)

fast-io
float
auth-user-pass-verify /etc/openvpn/auth.sh via-env
ca /etc/openvpn/server.ca
cert /etc/openvpn/server.cert
cipher AES-256-GCM
cipher AES-128-CBC
client-config-dir /etc/openvpn/ccd
dev tun0
dev-type tun
dh /etc/openvpn/server.dh
keepalive 10 60
key /etc/openvpn/server.key
port 1194
proto udp
server 192.0.6.0 255.255.255.0
verb 3

openvpn-client.conf(generated from /etc/config/openvpn)

auth-nocache
client
fast-io
float
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/userpass.txt
ca /etc/openvpn/server.ca
cert /etc/openvpn/client.cert
cipher AES-256-GCM
dev tun1
key /etc/openvpn/client.key
port 1194
proto udp
remote 192.168.0.70
remote-cert-tls server
reneg-sec 0
resolv-retry infinite
verb 3

log output

Sat Aug  5 11:37:26 2023 daemon.warn openvpn(server)[16342]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
Sat Aug  5 11:37:27 2023 daemon.warn openvpn(server)[16342]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: OpenVPN 2.6.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: library versions: OpenSSL 3.0.10 1 Aug 2023
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: DCO version: N/A
Sat Aug  5 11:37:27 2023 daemon.warn openvpn(client)[16343]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: Note: NOT using '--topology subnet' disables data channel offload.
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: OpenVPN 2.6.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: library versions: OpenSSL 3.0.10 1 Aug 2023
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: DCO version: N/A
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_route_v4_best_gw result: via 192.168.0.254 dev eth0.2
Sat Aug  5 11:37:27 2023 daemon.warn openvpn(server)[16342]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Aug  5 11:37:27 2023 daemon.warn openvpn(server)[16342]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: Diffie-Hellman initialized with 2048 bit key
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.70:1194
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: UDPv4 link local: (not bound)
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(client)[16343]: UDPv4 link remote: [AF_INET]192.168.0.70:1194
Sat Aug  5 11:37:27 2023 daemon.err openvpn(client)[16343]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=146)
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_route_v4_best_gw result: via 192.168.0.254 dev eth0.2
Sat Aug  5 11:37:27 2023 daemon.notice netifd: Interface 'ovpn' is enabled
Sat Aug  5 11:37:27 2023 daemon.notice netifd: Network device 'tun0' link is up
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: TUN/TAP device tun0 opened
Sat Aug  5 11:37:27 2023 daemon.notice netifd: Interface 'ovpn' has link connectivity
Sat Aug  5 11:37:27 2023 daemon.notice netifd: Interface 'ovpn' is setting up now
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_iface_mtu_set: mtu 1500 for tun0
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_iface_up: set tun0 up
Sat Aug  5 11:37:27 2023 daemon.notice netifd: Interface 'ovpn' is now up
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_addr_ptp_v4_add: 192.0.6.1 peer 192.0.6.2 dev tun0
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: /usr/libexec/openvpn-hotplug up server tun0 1500 0 192.0.6.1 192.0.6.2 init
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: net_route_v4_add: 192.0.6.0/24 via 192.0.6.2 dev [NULL] table 0 metric -1
Sat Aug  5 11:37:27 2023 daemon.warn openvpn(server)[16342]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: UDPv4 link remote: [AF_UNSPEC]
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: MULTI: multi_init called, r=256 v=256
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: IFCONFIG POOL IPv4: base=192.0.6.4 size=62
Sat Aug  5 11:37:27 2023 daemon.notice openvpn(server)[16342]: Initialization Sequence Completed
Sat Aug  5 11:37:28 2023 user.notice firewall: Reloading firewall due to ifup of ovpn (tun0)
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: TLS: Initial packet from [AF_INET]192.168.0.70:1194, sid=5c9f49eb fa9c0894
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: VERIFY KU OK
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: Validating certificate extended key usage
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: VERIFY EKU OK
Sat Aug  5 11:37:29 2023 daemon.notice openvpn(client)[16343]: VERIFY OK: depth=0, CN=server
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 VERIFY OK: depth=0, CN=client
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_VER=2.6.5
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_PLAT=linux
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_TCPNL=1
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_MTU=1600
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_NCP=2
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 peer info: IV_PROTO=990
Sat Aug  5 11:37:30 2023 user.notice auth.script: client client_password
Sat Aug  5 11:37:30 2023 daemon.err openvpn(server)[16342]: 192.168.0.70:34902 TLS Auth Error: Auth Username/Password verification failed for peer
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 Delayed exit in 5 seconds
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: [server] Peer Connection Initiated with [AF_INET]192.168.0.70:1194
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 [client] Peer Connection Initiated with [AF_INET]192.168.0.70:34902
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: AUTH: Received control message: AUTH_FAILED
Sat Aug  5 11:37:30 2023 daemon.notice openvpn(client)[16343]: SIGTERM[soft,auth-failure] received, process exiting
Sat Aug  5 11:37:32 2023 daemon.err openvpn(server)[16342]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=146)
Sat Aug  5 11:37:35 2023 daemon.notice openvpn(server)[16342]: 192.168.0.70:34902 SIGTERM[soft,delayed-exit] received, client-instance exiting

If there are errors in the configuration (for example, the login-password for the auth-user-pass parameter is not set), then the behavior you described (the client does not receive a response from the server) is also observed if MANAGEMENT_INTERFACE is enabled during compilation

These tests made on openvpn-2.6.5, maybe in this version issue is already fixed

[kosli]

Thanks @AuthorReflex
Can you please provide me the openvpn 2.6.5 package that you have used? As I have tested with the latest stable OpenWRT release. Thanls.

(the two points mentioned are not relevant for the tests)

[AuthorReflex]

Thanks @AuthorReflex Can you please provide me the openvpn 2.6.5 package that you have used? As I have tested with the latest stable OpenWRT release. Thanls.

(the two points mentioned are not relevant for the tests)

Openvpn 2.6.5 has been included into master branch, you can build for your existing architecture yourself (I don't use x86-64)
Without mentioned this two points i couldn't get succesfully auth result (especially the second). Without sending userpass data from client on server the following error occurred

• TLS Error: Auth Username/Password was not provided by peer
• TLS Error: TLS handshake failed

and this error do not translating to client also if MANAGEMENT_INTERFACE is enabled

[kosli]

@AuthorReflex I was busy and have picked up the testing now again after testing some of my devices with the 23.05.0 release.
The behavior of the clients connecting to the server is still the same. If a wrong password is given, the client never receives an "auth failed" from the server. I have compiled the 2.6.6 version with and without management interface. If I use the version with the management interface being compiled (doesn't need to be enabled in the config), the client gets immediately the auth failed feedback from the server and asks again for the credentials.
I will test now with your configuration from above to see if the behavior is the same.

[kosli]

@AuthorReflex

Without sending userpass data from client on server the following error occurred

What do you mean by "without sending userpass data"? The use case is not about not sending any userpass data (e.g. not having the option enabled in the client), but a user entering wrong username/password and the client not receiving the auth failed from the server and waiting for a timeout, instead of immediately asking again about the username/password.

[kosli]

@AuthorReflex I have tried it with your sample, but it looks like the auth.sh never gets executed and the server always returns auth failed straight away. E.g. adding a "logger test" into the auth.sh doesn't show up in the log files, but executing the file manually does. Have you been able to create a successful connection with your sample?

"The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client."