OpenVPN + TOTP + LDAP does not work after upgrading to 24.7.10_1

Started by JeroenS, December 03, 2024, 09:05:01 PM

We have an OpenVPN server running for years now, using TOTP + LDAP authentication. This evening I ran an update on the firewall outside office hours to reduce the impact of the necessary restart.

The system is now updated to the following version:
Type   opnsense   
Version   24.7.10_1   
Architecture   amd64   
Commit   426002340   
Mirror   https://pkg.opnsense.org/FreeBSD:14:amd64/24.7   
Repositories   OPNsense (Priority: 11)   
Updated on   Tue Dec 3 18:35:06 CET 2024   
Checked on   Tue Dec 3 20:20:42 CET 2024

After the update I tried to login via OpenVPN with the TOTP and LDAP user account. This failed.
Looking in the log files of OpenVPN I ran into this error:
2024-12-03T20:18:51   Warning   openvpn   user 'username_here' could not authenticate.   
2024-12-03T20:18:51   Error   openvpn   LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials]

I assumed there was a problem between the firewall and the LDAP server.
But using System: Access: Tester, the LDAP server responded that everything is OK and access is granted.

Reading the release notes I found that for version 24.7.9 a hotfix, 24.7.9_1, was released to tackle an issue with TOTP + local accounts.
This triggered me to test the following. I temporarily disabled the TOTP requirement on the OpenVPN server and used only LDAP for verification. This allowed me to log in successfully. Disabling TOTP is not a solution as this compromises security.

Might there also be an issue with TOTP + LDAP similar to what is already fixed with TOTP + local? 
Is there a way to roll back to version 24.7.8 or 24.7.7 to get it operational again, as all employees are unable to work from home / in the field?

Thank you upfront for reading through my issues  :)
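The warning/error pair in the log above is worth spotting automatically: the "could not authenticate" warning tells you who failed, and the Active Directory sub-code in the LDAP bind error ("data 52e") tells you why. As an added example, not code from the thread or from OPNsense, here is a small Python parser that pairs the two lines by timestamp (the OPNsense log viewer lists newest first, so order is not reliable) and decodes the common AD sub-codes; the sub-code table is general AD knowledge, and the embedded log lines are constructed to match the format shown in the post.

```python
import re

# Well-known Active Directory sub-codes carried in the "data NNN" field of a bind error.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (bad password; the symptom in this thread with TOTP enabled)",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\w+)\s+(?P<proc>\S+)\s+(?P<msg>.*)$")
USER_RE = re.compile(r"user '(?P<user>[^']+)' could not authenticate")
BIND_RE = re.compile(r"LDAP bind error \[.*?\bdata (?P<data>[0-9a-f]+)\b")


def parse_openvpn_log(text):
    """Pair each 'could not authenticate' warning with the LDAP bind error that
    shares its timestamp, whichever order the log viewer lists them in."""
    bind_errors = {}   # timestamp -> AD sub-code
    warnings = []      # (timestamp, user)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m["proc"].startswith("openvpn"):
            continue
        b = BIND_RE.search(m["msg"])
        if b:
            bind_errors[m["ts"]] = b["data"].lower()
            continue
        u = USER_RE.search(m["msg"])
        if u:
            warnings.append((m["ts"], u["user"]))
    out = []
    for ts, user in warnings:
        data = bind_errors.get(ts)
        # No bind error at all means the login was refused before LDAP was consulted.
        reason = AD_BIND_DATA.get(data, "unknown AD sub-code") if data else \
            "rejected before the LDAP bind (e.g. the OTP check failed)"
        out.append({"timestamp": ts, "user": user, "ad_data": data, "reason": reason})
    return out


# Constructed sample in the thread's log format (newest first, as the OPNsense viewer shows it).
SAMPLE_LOG = """\
2024-12-03T20:18:51   Warning   openvpn   user 'alice' could not authenticate.
2024-12-03T20:18:51   Error   openvpn   LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1; Invalid credentials]
2024-12-03T20:17:10   Error   openvpn   LDAP bind error [80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1; Invalid credentials]
2024-12-03T20:17:10   Warning   openvpn   user 'bob' could not authenticate.
2024-12-03T20:16:02   Warning   openvpn   user 'carol' could not authenticate.
"""
```

Run `parse_openvpn_log` over a real export of the OpenVPN log to see at a glance whether failures are a directory problem (locked or disabled accounts) or, as in this thread, every user hitting 52e at once.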

Hey,

We've been over the code. Can you flip the actual fix for the Local TOTP issue?

# opnsense-patch https://github.com/opnsense/core/commit/ae97263e

A bit of a catch-22 at the moment. We will discuss this in detail tomorrow.


Thanks,
Franco

Hey Franco,

Thank you for the quick response.

I have changed the file mentioned in the GitHub commit.
Tested, but was unable to authenticate.
Restarted the firewall. Maybe the PHP file was already loaded in a service, for example.
Tested again, still unable to authenticate.
Reverted the change and restarted again to make sure I am back in the original state.

Have to run now to bring kids to school.

Good morning,

Can you try this one then? We were talking about it internally yesterday night:

# opnsense-patch https://github.com/opnsense/core/commit/f271c6a3f


Cheers,
Franco

Hi Franco,

I've got the same problem, how can I apply the patch?

Just copy & paste the code into the file on the firewall?

Hi,

opnsense-patch is a command line utility, just run it with the url or the short version in the root shell:

# opnsense-patch f271c6a3f


Thanks,
Franco

Hi Franco, I can confirm the patch has been applied successfully and is working! :)

Oh yeah! Thanks!

Awesome, thanks. I will issue a hotfix in a bit.


Cheers,
Franco

Hi Franco,

I can also confirm that the patch solves the issue.

My colleague is able to login again with TOTP.

Thank you for the quick support and we look forward to the hotfix.

Thank you so much, it's saved my day just 5 min before planned go-live ;-)


OpenVPN broken here, too. Tried the patch noted above.  Same issue.  Log entries:
Date   Severity   Process   Line
2024-12-04T20:51:00-08:00   Error   openvpn_client2   Cannot load CA certificate file /var/etc/openvpn/client2.ca (no entries were read)   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: using --pull/--client and --ifconfig together is probably not what you want   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.   
2024-12-04T20:50:58-08:00   Error   openvpn_server1   Cannot load CA certificate file /var/etc/openvpn/server1.ca (no entries were read)   
2024-12-04T20:50:58-08:00   Warning   openvpn_server1   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Update: I created a new OpenVPN instance, seeing that the old one was marked legacy, exported the client file and now all is well. I also had to update the firewall rule to allow LAN visibility once I was in.

Thanks for your awesome work.

Quote from: franco on December 04, 2024, 10:55:03 AM
It's hotfixed now in 24.7.10_2. Announcement follows.

My unit reported
root@OPN0:~ # uname -v
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP

so I ran
root@OPN0:~ # opnsense-update -fk
Fetching kernel-24.7.8-amd64.txz: ... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-24.7.8-amd64.txz... done
Please reboot.
and I rebooted.

However, it still reports:
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP

How do I proceed?
--
Regards,
   Evert

Hi Evert,

You have to update first. Looks like you still have either 24.7.8 or 24.7.9 installed.

"opnsense-update -fk" will force a kernel update, but to the last known good version that opnsense-update knows, which is 24.7.8 as it is likely also at 24.7.8 judging by the fact that it reinstalls the kernel for 24.7.8 :)


Cheers,
Franco

Quote from: 2Gnu on December 05, 2024, 06:00:01 AM
OpenVPN broken here, too. Tried the patch noted above.  Same issue.  Log entries:
Date   Severity   Process   Line
2024-12-04T20:51:00-08:00   Error   openvpn_client2   Cannot load CA certificate file /var/etc/openvpn/client2.ca (no entries were read)   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: using --pull/--client and --ifconfig together is probably not what you want   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.   
2024-12-04T20:51:00-08:00   Warning   openvpn_client2   WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.   
2024-12-04T20:50:58-08:00   Error   openvpn_server1   Cannot load CA certificate file /var/etc/openvpn/server1.ca (no entries were read)   
2024-12-04T20:50:58-08:00   Warning   openvpn_server1   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

First make sure the authentication tester works fine for your LDAP/TOTP now being on 24.7.10_2 (the "_2" is the important bit). There has been one change in OpenVPN that could interfere, but entirely unsure. It doesn't look like it would cause a problem:

https://github.com/opnsense/core/commit/8f270a8c3f6


Cheers,
Franco