OpenVPN client connections with password and certificate authentication don't work
Closed, ResolvedPublicBUG

Description

SUMMARY

If an OpenVPN client-mode connection is set up with password authentication, the client certificate is not passed to the server, which prevents the tunnel from being brought up. A possible workaround is to pass the certificate and key manually through the "openvpn-option" setting.

STEPS TO REPRODUCE

  1. Get (or just fake) the CA certificate, client certificate and client private key for an OpenVPN server
  2. Start a VyOS ISO
  3. Run the following commands


sudo su -
mkdir -p /config/auth/ovpn/192.0.2.42
cat >/config/auth/ovpn/192.0.2.42/ca-cert.pem <<EOF
# ... CA cert data...
EOF
cat >/config/auth/ovpn/192.0.2.42/cert.pem <<EOF
# ... Client cert data...
EOF
cat >/config/auth/ovpn/192.0.2.42/cert.key <<EOF
# ... Client key data...
EOF
exit
configure
set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 authentication username jdoe
set interfaces openvpn vtun0 authentication password foobar
set interfaces openvpn vtun0 remote-host 192.0.2.42
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/192.0.2.42/ca-cert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/192.0.2.42/cert.pem
set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/192.0.2.42/cert.key
commit
sudo su -
ps aux | grep openvpn | grep -- '--cert' | wc -l

OBSERVED RESULT

0

EXPECTED RESULT

1

SOFTWARE/OS VERSIONS

vyos-1.2.0-rolling+201905200337-amd64.iso

ADDITIONAL INFORMATION

The underlying issue is that the Config.pm file in vyatta-openvpn does not add the "--cert" and "--key" parameters to the OpenVPN command line if the selected mode is "client" and a password has been set.
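To make the defect concrete, here is an added Python model of how the client command line is assembled from the configuration paths used in the reproduction steps; it is not the Perl from vyatta-openvpn's Config.pm, and the function names, the config keys and the credentials-file path are assumptions. It shows the unfixed conditional, the corrected one, and the "openvpn-option" workaround from the summary.

```python
from typing import Dict, List

# Hypothetical path for the username/password file; not the path VyOS uses.
AUTH_FILE_PLACEHOLDER = "/tmp/vtun0-auth-placeholder"


def build_client_args(cfg: Dict[str, object], fixed: bool) -> List[str]:
    """Return the openvpn argument list for a client-mode interface.

    cfg keys mirror the 'set interfaces openvpn vtun0 ...' paths from the report:
    mode, remote-host, username, password, ca-cert-file, cert-file, key-file,
    plus an optional openvpn-option list that is appended verbatim.
    """
    args = ["--client", "--remote", str(cfg["remote-host"]), "--ca", str(cfg["ca-cert-file"])]
    has_password = bool(cfg.get("username")) and bool(cfg.get("password"))
    if has_password:
        args += ["--auth-user-pass", AUTH_FILE_PLACEHOLDER]
    # Defect as described in the report: in client mode with a password set, the
    # unfixed logic skips --cert/--key even though tls cert-file/key-file are configured.
    # The fix is to pass them whenever they are configured, regardless of password auth.
    if fixed or not (cfg["mode"] == "client" and has_password):
        if cfg.get("cert-file"):
            args += ["--cert", str(cfg["cert-file"])]
        if cfg.get("key-file"):
            args += ["--key", str(cfg["key-file"])]
    # Workaround from the summary: raw openvpn-option values land on the command line as-is.
    args += [str(opt) for opt in cfg.get("openvpn-option", [])]
    return args


def check_cert_passed(args: List[str]) -> int:
    """Same check as the report's ps/grep pipeline: 1 if '--cert' is present, else 0."""
    return 1 if "--cert" in args else 0


# Constructed configuration matching the reproduction steps (paths taken from the report).
REPORT_CFG = {
    "mode": "client", "remote-host": "192.0.2.42",
    "username": "jdoe", "password": "foobar",
    "ca-cert-file": "/config/auth/ovpn/192.0.2.42/ca-cert.pem",
    "cert-file": "/config/auth/ovpn/192.0.2.42/cert.pem",
    "key-file": "/config/auth/ovpn/192.0.2.42/cert.key",
}

if __name__ == "__main__":
    print("unfixed:", check_cert_passed(build_client_args(REPORT_CFG, fixed=False)))  # 0
    print("fixed:", check_cert_passed(build_client_args(REPORT_CFG, fixed=True)))     # 1
```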

Details

Difficulty level
Easy (less than an hour)
Version
1.2.0-rolling+201905200337
Why the issue appeared?
Issues in third-party code

Event Timeline

The above patch should fix the issue.

c-po claimed this task.May 20 2019, 10:33 AM
c-po added a comment.May 20 2019, 3:31 PM

Thank you @wsapplegate for the contribution. Please test with the next rolling release.

c-po changed the task status from Open to Backport candidate.May 20 2019, 3:33 PM
c-po triaged this task as Normal priority.
c-po added a project: VyOS 1.3 Equuleus.
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.

Confirmed fixed in vyos-1.2.0-rolling+201905210337

pasik added a subscriber: pasik.May 23 2019, 6:52 AM
c-po closed this task as Resolved.May 26 2019, 4:56 PM
c-po moved this task from Need Triage to VyOS 1.2.2 on the VyOS 1.2 Crux board.
c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.2); removed VyOS 1.2 Crux.
c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.2) board.