We have had an OpenVPN server running for years now, using TOTP + LDAP authentication. This evening I ran an update on the firewall outside office hours to reduce the impact of the necessary restart.
The system is now updated to the following version:
Type opnsense
Version 24.7.10_1
Architecture amd64
Commit 426002340
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Repositories OPNsense (Priority: 11)
Updated on Tue Dec 3 18:35:06 CET 2024
Checked on Tue Dec 3 20:20:42 CET 2024
After the update I tried to log in via OpenVPN with the TOTP and LDAP user account. This failed.
Looking in the log files of OpenVPN I ran into this error:
2024-12-03T20:18:51 Warning openvpn user 'username_here' could not authenticate.
2024-12-03T20:18:51 Error openvpn LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials]
I assumed there was a problem between the firewall and the LDAP server.
But using System: Access: Tester, the LDAP server responded that everything is OK and access is granted.
Reading the release notes I found that for version 24.7.9 a hotfix, 24.7.9_1, was released to tackle an issue with TOTP + local accounts.
This triggered me to test the following. I temporarily disabled the TOTP requirement on the OpenVPN server and used only LDAP for verification. This allowed me to log in successfully. Disabling TOTP is not a solution as this compromises security.
Might there also be an issue with TOTP + LDAP similar to what is already fixed with TOTP + local?
Is there a way to roll back to version 24.7.8 or 24.7.7 to get it operational again, as all employees are unable to work from home / in the field?
Thank you upfront for reading through my issues :)
Hey,
We've been over the code. Can you flip the actual fix for the Local TOTP issue?
# opnsense-patch https://github.com/opnsense/core/commit/ae97263e
A bit of a catch-22 at the moment. We will discuss this in detail tomorrow.
Thanks,
Franco
Hey Franco,
Thank you for the quick response.
I have changed the file mentioned in the GitHub commit.
Tested, but was unable to authenticate.
Restarted the firewall. Maybe the php file was already loaded in a service for example.
Tested again, still unable to authenticate.
Reverted the change and restarted again to make sure I am back in the original state.
Have to run now to bring kids to school.
Good morning,
Can you try this one then? We were talking about it internally yesterday night:
# opnsense-patch https://github.com/opnsense/core/commit/f271c6a3f
Cheers,
Franco
Hi Franco,
I've got the same problem, how can I apply the patch?
Just copy & paste the code into the file on the firewall?
Hi,
opnsense-patch is a command line utility, just run it with the url or the short version in the root shell:
# opnsense-patch f271c6a3f
Thanks,
Franco
Hi Franco, I can confirm the patch has been applied successfully and is working! :)
Oh yeah! Thanks!
Awesome, thanks. I will issue a hotfix in a bit.
Cheers,
Franco
Hi Franco,
I can also confirm that the patch solves the issue.
My colleague is able to login again with TOTP.
Thank you for the quick support and we look forward to the hotfix.
Thank you so much, it's saved my day just 5 min before planned go-live ;-)
It's hotfixed now in 24.7.10_2. Announcement follows.
OpenVPN broken here, too. Tried the patch noted above. Same issue. Log entries:
Date / Severity / Process / Line
2024-12-04T20:51:00-08:00 Error openvpn_client2 Cannot load CA certificate file /var/etc/openvpn/client2.ca (no entries were read)
2024-12-04T20:51:00-08:00 Warning openvpn_client2 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: using --pull/--client and --ifconfig together is probably not what you want
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
2024-12-04T20:51:00-08:00 Warning openvpn_client2 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-12-04T20:50:58-08:00 Error openvpn_server1 Cannot load CA certificate file /var/etc/openvpn/server1.ca (no entries were read)
2024-12-04T20:50:58-08:00 Warning openvpn_server1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Update: I created a new OpenVPN instance, seeing that the old one was marked legacy, exported the client file and now all is well. I also had to update the firewall rule to allow LAN visibility once I was in.
Thanks for your awesome work.
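The log lines in the opening post and in the post above mix two very different failure classes (an LDAP credential rejection versus a broken PKI/tunnel configuration). As an added example that is not part of this thread or of OPNsense, the script below parses lines in the OPNsense log layout shown here, decodes the Active Directory bind sub-code (the "data 52e" field; the sub-code table is Microsoft's documented AcceptSecurityContext values), and groups the security-relevant warnings so a defender can tell an authentication regression from a certificate or hardening problem at a glance. The sample lines are quoted from the posts above.

```python
import re
from collections import defaultdict

# OPNsense log layout as posted in the thread: "<timestamp> <severity> <process> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\w+)\s+(?P<proc>\S+)\s+(?P<msg>.*)$")
# Active Directory bind sub-codes carried in "AcceptSecurityContext error, data NNN"
AD_BIND_DATA = {"525": "user not found", "52e": "invalid credentials", "530": "logon hours restriction",
                "531": "workstation restriction", "532": "password expired", "533": "account disabled",
                "701": "account expired", "773": "password must be reset", "775": "account locked out"}
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]+)")
# (category, substring that identifies the finding); insecure_config items weaken the tunnel itself
RULES = [("auth_failure", "could not authenticate"),
         ("pki_error", "Cannot load CA certificate file"),
         ("insecure_config", "No server certificate verification method"),
         ("insecure_config", "Compression for receiving enabled"),
         ("file_permissions", "is group or others accessible"),
         ("deprecated_option", "DEPRECATED OPTION")]

def classify(msg):
    """Return (category, detail) for one OpenVPN message, or None if it is not a finding."""
    m = AD_DATA_RE.search(msg)
    if m:  # decode the AD sub-code so "52e" reads as a credential problem, not an LDAP outage
        code = m.group("code")
        return "ldap_bind_error", f"AD data {code}: {AD_BIND_DATA.get(code, 'unknown sub-code')}"
    for category, needle in RULES:
        if needle in msg:
            return category, needle
    return None

def triage(lines):
    """Group findings by category -> list of (process, detail); unparseable lines are skipped."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = classify(m.group("msg")) if m else None
        if hit:
            findings[hit[0]].append((m.group("proc"), hit[1]))
    return dict(findings)

SAMPLE_LOG = [  # quoted from the posts above; the username is the poster's own placeholder
    "2024-12-03T20:18:51 Warning openvpn user 'username_here' could not authenticate.",
    "2024-12-03T20:18:51 Error openvpn LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials]",
    "2024-12-04T20:51:00-08:00 Error openvpn_client2 Cannot load CA certificate file /var/etc/openvpn/client2.ca (no entries were read)",
    "2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible",
    "2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption.",
]
```

Running `triage(SAMPLE_LOG)` separates the first poster's 52e credential rejection from the second poster's missing CA file, and lists the disabled server verification and enabled compression under insecure_config, which is the part worth fixing regardless of the hotfix.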
Quote from: franco on December 04, 2024, 10:55:03 AM
It's hotfixed now in 24.7.10_2. Announcement follows.
My unit reported
root@OPN0:~ # uname -v
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP
so I ran
root@OPN0:~ # opnsense-update -fk
Fetching kernel-24.7.8-amd64.txz: ... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-24.7.8-amd64.txz... done
Please reboot.
and I rebooted.
However, it still reports:
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP
How do I proceed?
Hi Evert,
You have to update first. Looks like you still have either 24.7.8 or 24.7.9 installed.
"opnsense-update -fk" will force a kernel update, but to the last known good version that opnsense-update knows, which is 24.7.8 as it is likely also at 24.7.8 judging by the fact that it reinstalls the kernel for 24.7.8 :)
Cheers,
Franco
Quote from: 2Gnu on December 05, 2024, 06:00:01 AM
OpenVPN broken here, too. Tried the patch noted above. Same issue. Log entries:
Date / Severity / Process / Line
2024-12-04T20:51:00-08:00 Error openvpn_client2 Cannot load CA certificate file /var/etc/openvpn/client2.ca (no entries were read)
2024-12-04T20:51:00-08:00 Warning openvpn_client2 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: using --pull/--client and --ifconfig together is probably not what you want
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible
2024-12-04T20:51:00-08:00 Warning openvpn_client2 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-12-04T20:51:00-08:00 Warning openvpn_client2 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-12-04T20:50:58-08:00 Error openvpn_server1 Cannot load CA certificate file /var/etc/openvpn/server1.ca (no entries were read)
2024-12-04T20:50:58-08:00 Warning openvpn_server1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
First make sure the authentication tester works fine for your LDAP/TOTP now being on 24.7.10_2 (the "_2" is the important bit). There has been one change in OpenVPN that could interfere, but entirely unsure. It doesn't look like it would cause a problem:
https://github.com/opnsense/core/commit/8f270a8c3f6
Cheers,
Franco
Quote from: franco on December 05, 2024, 08:28:30 AM
Hi Evert,
You have to update first. Looks like you still have either 24.7.8 or 24.7.9 installed.
"opnsense-update -fk" will force a kernel update, but to the last known good version that opnsense-update knows, which is 24.7.8 as it is likely also at 24.7.8 judging by the fact that it reinstalls the kernel for 24.7.8 :)
Cheers,
Franco
Hmm, I should have noticed that myself! 8)
Still early here... 😁
However, the web GUI reports:
OPNsense 24.10.1-amd64, which made me think I was running 24.10.
In that case a health audit is in order. Maybe a partial upgrade? Or a missing reboot?
Quote from: franco on December 05, 2024, 08:47:52 AM
In that case a health audit is in order. Maybe a partial upgrade? Or a missing reboot?
The audit seems happy:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.10.1 (amd64) at Thu Dec 5 09:00:13 CET 2024
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 24.7.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 24.7.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.4_3
os-cpu-microcode-amd 1.0
os-iperf 1.0_2
os-mdns-repeater 1.1_1
os-net-snmp 1.6
os-nut 1.8.1_2
os-smart 2.3
os-zabbix7-agent 1.14
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 24.10.1 has 70 dependencies to check.
Checking packages: ....................................................................... done
***DONE***
The unit reports an uptime of 58 minutes, so the most recent reboot (when I thought I patched the kernel) seems to have been successful.
I see now you are totally unaffected since you run the business edition...
Cheers,
Franco