
ocserv openconnect looks broken in recent builds of 1.3 Equuleus
Closed, Resolved | Public | Bug


In recent rolling builds of 1.3 Equuleus something looks broken in the OpenConnect VPN. Clients are unable to connect. An HTTPS connection to the endpoint throws a '404 Not Found' error instead of the expected XML.

My config:

# show vpn openconnect
 authentication {
     mode radius
     radius {
         server {
             key ******
         }
     }
 }
 listen-ports {
     tcp 443
     udp 443
 }
 network-settings {
     client-ip-settings {
     }
 }
 ssl {
     ca-cert-file /config/auth/rootca.pem
     cert-file /config/auth/cert-chain.pem
     key-file /config/auth/key.pem
 }

I also checked by switching to local authentication. Same thing.

The ocserv process appears to be running and listening, but client connections are not possible. I observe this behavior in every build since mid-January. Going back to the mid-December build restores the functionality.

Client's log contains:

2022-02-13 13:52:47 | 70000ffbc000 | Failed to parse HTTP response 'HTTP/1.57679 404 Not found'


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

@Viacheslav As I said: every rolling version of the VyOS 1.3 branch starting from mid-January. I built the ISO several times during this month. The last one I tried today (built today). All of them behave like this on my two different routers. The last time ocserv worked was the mid-December build.

I don't see any issues with LTS 1.3.0.

set vpn openconnect authentication mode 'radius'
set vpn openconnect authentication radius server key 'vyoskey'
set vpn openconnect network-settings client-ip-settings subnet ''
set vpn openconnect ssl ca-cert-file '/config/auth/ca.crt'
set vpn openconnect ssl cert-file '/config/auth/server.crt'
set vpn openconnect ssl key-file '/config/auth/server.key'

Check session:

[email protected]:~$ show openconnect-server sessions 
interface    username    ip         remote IP      RX         TX         state      uptime
-----------  ----------  ---------  -------------  ---------  ---------  ---------  --------
sslvpn0      vyos  304 bytes  152 bytes  connected  1m:23s
[email protected]:~$ 
[email protected]:~$ show version 

Version:          VyOS 1.3.0
Release train:    equuleus

Built by:         Sentrium S.L.
Built on:         Sun 19 Dec 2021 12:59 UTC
Build UUID:       ff458f8a-3ef7-453c-a7f9-4aeb6d03012e

Confirmed the issue in other versions, for example in VyOS 1.3-stable-202202150442:

Feb 16 19:46:03 r4 ocserv[2409]: main: user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main: user disconnected (reason: unspecified, rx: 0, tx: 0)

It is broken for both RADIUS and local authentication.

Viacheslav changed the task status from Open to Confirmed. Feb 16 2022, 5:48 PM
Viacheslav triaged this task as High priority.

This can be related.
I found out some strange things: the client address was banned:

ocserv[2072]: main: added 1 points (total 1) for IP '' to ban list

sudo occtl -s /run/ocserv/occtl.socket

> show ip ban points
            IP          score             14

> unban ip
IP '' was unbanned
> unban ip
IP '' was unbanned
> unban ip
IP '' was unbanned
> show ip ban points
            IP          score              0

Installing the official pkg solves the issue:

dpkg -i *.deb

Most likely we should revert the commit which was in T3934.

The CI job to rebuild the ocserv pkg should fix this issue.
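Added example, not part of this task or of VyOS: a small checker that parses ocserv syslog lines of the two shapes quoted in the thread (zero-byte "user disconnected" records and "added N points ... to ban list" records) so that a disconnect storm or a banned client address can be spotted from the log without opening occtl. The sample lines and the address 198.51.100.7 are constructed; the threshold of 80 is the assumed ocserv max-ban-score default and should be set to the value in your ocserv.conf.

```python
import re

# Constructed sample lines modelled on the ocserv syslog messages quoted in the
# task; 198.51.100.7 is a documentation address, not one from the report.
SAMPLE_LOG = """\
Feb 16 19:46:03 r4 ocserv[2409]: main: user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main: user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:05 r4 ocserv[2409]: main: added 1 points (total 1) for IP '198.51.100.7' to ban list
Feb 16 19:46:09 r4 ocserv[2409]: main: added 10 points (total 11) for IP '198.51.100.7' to ban list
Feb 16 19:46:12 r4 ocserv[2409]: main: added 10 points (total 81) for IP '198.51.100.7' to ban list
Feb 16 19:47:00 r4 ocserv[2409]: main: user disconnected (reason: user disconnected, rx: 304, tx: 152)
"""

DISCONNECT_RE = re.compile(
    r"user disconnected \(reason: (?P<reason>[^,]+), rx: (?P<rx>\d+), tx: (?P<tx>\d+)\)"
)
BAN_RE = re.compile(
    r"added (?P<pts>\d+) points \(total (?P<total>\d+)\) for IP '(?P<ip>[^']*)' to ban list"
)

# Assumed default of ocserv's max-ban-score; override with your configured value.
DEFAULT_MAX_BAN_SCORE = 80


def analyse(log: str, max_ban_score: int = DEFAULT_MAX_BAN_SCORE):
    """Return (zero_byte_disconnects, {ip: latest total score}, [ips at/over threshold]).

    A disconnect with rx: 0 and tx: 0 is a session that never carried traffic,
    which is the symptom seen when clients get a 404 instead of the VPN XML.
    """
    zero_byte = 0
    totals: dict[str, int] = {}
    for line in log.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            if m["rx"] == "0" and m["tx"] == "0":
                zero_byte += 1
            continue
        m = BAN_RE.search(line)
        if m:
            # ocserv logs the running total, so the last record wins.
            totals[m["ip"]] = int(m["total"])
    banned = sorted(ip for ip, score in totals.items() if score >= max_ban_score)
    return zero_byte, totals, banned


if __name__ == "__main__":
    zero, scores, banned = analyse(SAMPLE_LOG)
    print(f"zero-byte disconnects: {zero}")
    print(f"ban scores: {scores}")
    print(f"at or over max-ban-score: {banned}")
```

With an empty IP field, as in the quoted message, the regex still matches and the score is recorded under the key ''.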

Viacheslav changed the task status from Confirmed to Needs testing. Feb 17 2022, 10:34 AM

I just built an ISO from the 1.3 branch and tried it (1.3-rolling-202202171824). ocserv works normally. The issue is probably resolved.
Thank you.

Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.1) board.

@dutty Thanks for confirming.

dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior). Mar 21 2022, 11:58 AM