-
Notifications
You must be signed in to change notification settings - Fork 701
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenVPN client overrides not updating in 23.7.5 #6915
Comments
Best check the OpenVPN logs first, these files are being written on login normally.
|
Users are normally authenticated. And also matched against the cso. But from the gui provisioning the user cso file is not created any more or updated. So existing user with cso file will match and use that but new users don't match as their specific config is missing. The problem is in the provisioning adding and changing custom override that creates the cso_filename. That part is not working anymore. Regards Robert |
and what's in the log? |
In the logs is for the authenticated users with matched cso-filename. But if the user has been changed via the gui. The changes are not commited to the cso-filename. For new users the cso-filename is not created so no match off course and the user will get the default config from openvpn. The problem is with adding or changing options in the gui for thje cso-filename. The problem is not on the authentication of openvpn but in configuration in the gui which are not saved to /var/etc/openvpn-csc/1/user |
This is what I tried to explain earlier. these files are being created when a user logs in (has been for many years on our end)... which is why the logs are very important to debug issues. |
Ok i missed that part. For existiing users with exsisting file and no changes it shows the line "using "authname" CSO ... in the log. For new users it does not. Also for existing "working" users new settings are not added and are now only reporting using "authname" So something changes when user / openvpn overrides settings are changed. After this no matching is done anymore. |
Hi, While searching in the code github it seems the function in file src/etc/inc/plugins.inc.d/openvpn.inc function openvpn_csc_conf_write($settings, $server, $target_filename = null) is not triggered or executed anymore when changing user/common name overrides. How can I check if this function is called correctly and creates the correct openvpn-csc/id/commonname file ? Unfortunately I'm not a coder so its a bit of a challenge to follow this code for me. |
it all starts with log output.... details matter |
What output do you need. I reported the output lines <29>1 2023-10-06T13:19:18+02:00 openvpn_server1 16861 - [meta sequenceId="18"] TLS: Username/Password authentication deferred for username 'user1' [CN SET] only the user2 is reporting CSO match that user was not changed the other users have changed config added or removed "local networks" for them. To provide the service they needed I have manual added / changed the user files for them. As the provisioning (gui vpn -> openvpn -> client overrides) does not update them anymore |
Could be a mismatch in common name or a misconfiguration in the cso configuration, as user2 works, it's unlikely a bug. |
While digging in to older few days I see same user sometimes with: Like today for user3 <29>1 2023-10-06T13:01:16+02:00 openvpn_server1 16861 - [meta sequenceId="16"] user3/ TLS: Username/Password authentication deferred for username 'user3' [CN SET] But the /var/etc/openvpn-csc/1/user3 file is not created correctly. So why is it matched sometimes and then not. Also why does the user file(s) not created or updated? even if match statement is reported. |
My community support time is limited, I'll leave this open in case someone else wants to step in. At a first glance I don't expect a bug, but views may change. The user match (resulting in the log entries) is rather straight forward. |
And new added users I have not yet seen a match CSO ,... line entry. Only for pre 23.x OPNsense users are matched when no change has been done to their config. If changes have been done. match will be random and the openvpn-csc/1/user file is not updated with correct "local net" routing. |
Just one quick question. When are the csc files created for the openvpn user. When you create a client override entry or when the specific user authenticates with openvpn to the system? |
when they authenticate, this is also to make sure you can provision data from radius for example. |
Its strange, I see on older users matches using CSO but new users match both only local database without CSO and local database with CSO. It should always match the CSO line I think? Just a quick question may be this is a rights issue on the /var/etc/openvpn-csc/(server)/ directory and files? Where can i find the correct file rights for these files? |
I think I have found a possible difference between authentication sessions. When openvpn server logs: peer info: IV_SSO= some different / variable options TLS: Username / Password authentication deferred for username 'user' [CN SET] And the CSO matching is done. I'me now search why sometimes IV_SSO= line is missing on some clients and my own commandline openvpn (OpenVPN 2.6.6 amd64-portbld-freebsd13.2 ) and with tunnelblick we see random matching and not matching. Problem is why is it matching sometimes and more often not. |
Related forum post: https://forum.opnsense.org/index.php?topic=36461.0 |
I have the same issue in OPNsense 23.7.8_1-amd64, however, in my case, an OpenVPN server has been created from scratch under "Instances [new]", same for the CSO. My log entries show the correct user name but the CSO never seems to match and nothing is created under /var/etc/openvpn-csc/(server)/ . |
Logs please :) |
I don't seen anything obvious, but logs for a session which didn't work and a config snippet for one cso that should match according to the common name and selected server might help. |
You're both right, I'm terribly sorry. :) Thanks for your explanation, @AdSchellevis, I now understand that the CSO file would appear during the login process. I think I might have found the cause for the problem for my use case. Since I use "Instances [new]" to create a server I don't have the "Force CSO Login Matching" option. I do use the "Username as CN" in my "Instances [new]" server configuration because we don't use client certificates (just uid+pw authentication). However, I only get
("myusername" is correctly set to the username used for login.) What I'm missing is something like Looking at the source code of
$a_server['cso_login_matching'] would ever be set for "Instances [new]" servers? I haven't found any way to do "Force CSO Login Matching" for "Instances [new]" servers.
|
I just realised that I'm wrong,
seems to return an empty file. This is the config snipped of the CSO: <Overwrite uuid="XXXXX">
<enabled>1</enabled>
<servers>XXXXXXXX</servers>
<common_name>myusername</common_name>
<block>0</block>
<push_reset>0</push_reset>
<tunnel_network>192.168.1.101/24</tunnel_network>
<tunnel_networkv6>2001:DB8::101/64</tunnel_networkv6>
<local_networks/>
<remote_networks/>
<route_gateway/>
<redirect_gateway/>
<register_dns>0</register_dns>
<dns_domain/>
<dns_domain_search/>
<dns_servers/>
<ntp_servers/>
<wins_servers/>
<description>User overwriting</description>
</Overwrite> |
ok, so the interesting question is, does the number in |
The uuids of the server is correctly referenced in the CSO: <OpenVPN version="1.0.0">
<Overwrites>
<Overwrite uuid="f8573276-b844-431f-8fca-ce37257cd135">
<enabled>1</enabled>
<servers>af407f96-469b-4d8a-aad9-8ec6c4b21034</servers>
<common_name>myusername</common_name>
...
</Overwrite>
</Overwrites>
<Instances>
<Instance uuid="af407f96-469b-4d8a-aad9-8ec6c4b21034">
<vpnid>1</vpnid>
<enabled>1</enabled>
<dev_type>tun</dev_type>
<verb>3</verb>
... And I can confirm that the username matches as well. When configuring the CSO, the only other option to select (apart from the configured instance) is "( / )" which was selected by default. Is that synonymous with "all"? Please note that no other "Instances [new]" (except for the one mentioned here) or classic Server instances are configured on the box. |
I just checked, it makes no difference whether I select the server instance or none at all. The CSO doesn't match. |
…g for a CSO, might help track #6915
@AdSchellevis amazing work! Your patch does the trick:
Thank you for your help and the time you invest in the project, it's highly appreciated! |
@cs-1 thank you for confirming! |
@AdSchellevis it's the least I can do! I appreciate your help, thanks again. @fichtner if it's not too much trouble do you think this fix could make it into the next minor update of 23.7.8_1-amd64? We're currently in the progress of moving all of our university's VPN infrastructure to OPNsense and it would be amazing if the fix would be available so that no manual patching is necessary. Thanks again for your help, guys, it's highly appreciated! |
P. S.: Just in case: is it possible to apply 5b3c236 using |
yep, opnsense-patch works most of the time. If it doesn't it won't apply the patch, but I don't think that's the case here. If you want to have a clean slate for patching revert to the latest core package first:
This gets rid of local modification too to allow a clean patch apply :) |
Quick feedback: I reverted the patch and upgraded to OPNsense 23.7.9-amd64 and your fix works as expected. Thanks again, guys! |
Hi I tested this today with: But it still does not work for us. In the logs: 2023-11-29T10:35:53 Notice openvpn_server1 robert/2a01:1XXXX MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled) And in the client specific overrides it should have used 192.168.255.108/30 and add extra route for 10.5.54.0/24 Enter Auth Username:robert It seems this patch did not help for us. Created new user (localdatabase) and created new client override. But this does not help. Any pointers to get this working again? |
reverted the patch already shipped in the product? |
I don't see the new log line in the log output. Either what @AdSchellevis said or a plain configuration issue. |
It seems i missed to revert patch. Which patch is needed to be reverted? Is it this what needs to be done: # opnsense-revert opnsense && opnsense-patch 5b3c236 ? |
Just the following, otherwise you scrub the patch from the 23.7.9 release (it's a feature):
|
Indeed. In the new release I get the following log entries for CSOs (as it's supposed to work):
@Support-Zylon: Have you checked whether your CSO definition includes the server instance you're using? |
We have in the openvpn server options: Force CSO Login Matching |
Hi I did the opnsense-revert opnsense and tried the openvpn again but I still don't get the the same authentication line Still just these:
|
I added the patch 5b3c236 but it does not the lines |
Jesus Christ, 23.7.9 includes the patch and if you run opnsense-patch you REMOVE it. This appears to be a configuration issue as said previously if neither with or without the patch you hit the existing log message or overwrite code. |
Maybe its because we use local users instead of a remote authentication ? |
Also reverted patch off course after failed test |
I had if working before we upgraded to 23.7.4 or 5 not sure any more. And we did not change configuration. Only added new user. This new user would not get the client specific override anymore. Old user still matched ad they probably have correct openvpn override files so we did not notice issues before. |
I still have user matching and not matching: 2023-12-05T09:31:19 Notice openvpn_server1 user1/X.X.X.112:52104 MULTI_sva: pool returned IPv4=192.168.255.10, IPv6=(Not enabled) 2023-12-04T16:31:26 Notice openvpn user 'user1' authenticated using 'Local Database' CSO [CN]:/var/etc/openvpn-csc/1/user1 Also new users don't match using user as common-name. Is there any one here have a good pointer where to look and why matching sometimes works and sometimes not. This is very unreliable for us now. |
I've manually corrected/edited the files in /var/etc/openvpn-csc until this situation is resolved. That worked for me as an interim solution. My version is OPNsense 23.7.12-amd64 |
Just a update. It seems with 24.1.4 it works without issues. The active users using this vpn get updated configs when logging in with vpn. So it looks like it is fixed. @fwarxma I would recommend to update/upgrade to 24.1.x which has the fixes and works for me. |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
OpenVPN client overrides page is not updating /var/etc/openvpn-csc/[0-9]+/ items/files
A clear and concise description of what the bug is, including last known working version (if any).
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Steps to reproduce the behavior:
When you go to https://opensense/ui/openvpn/client_overwrites
Add a user / common name to have overrides for openvpn client
There will be no entire made in /var/etc/openvpn-csc/[0-9]+/ with that common name or user
Expected behavior
Expected is that a user / common name entry in /var/etc/open-csc/ .. / is made
If you add common name test a file with content of specific overrides will be created
/var/etc/openvpn-csc/1/test
with data like:
ifconfig-push "route 192.168.255.250 192.168.255.249"
push "route 10.0.20.0 255.255.255.0"
A clear and concise description of what you expected to happen.
Describe alternatives you considered
I have added the items manual and that solves the issue for now. But config via gui is not synced to "/var/etc/openvpn-csc/[0-9]+/" dir. This could cause missing updates or mall configuration.
A clear and concise description of any alternative solutions or workaround you considered.
OPNSsense 23.7.5 (amd64 OpenSSL)
Intel(R) Xeon(R) CPU E31230
Network Intel® I210-AT
The text was updated successfully, but these errors were encountered: