OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

username-as-common-name not propagated to management clients. #498

Closed jkroepke closed 7 months ago

jkroepke commented 7 months ago

Describe the bug

If username-as-common-name is configured, I assume that the common name is replaced by the user's username. However, the common_name is empty for a management client if management-client-auth is used.

Example:

Server Configuration:

username-as-common-name
verify-client-cert none
management /var/run/openvpn.sock password.txt
management-client-auth

Management Client:

>CLIENT:CONNECT,3,1
>CLIENT:ENV,n_clients=0
>CLIENT:ENV,password=password,of_course
>CLIENT:ENV,untrusted_port=53732
>CLIENT:ENV,untrusted_ip=11.22.33.44
>CLIENT:ENV,username=myself
>CLIENT:ENV,IV_SSO=openurl,webauth,crtext
>CLIENT:ENV,IV_GUI_VER=OpenVPN3/Linux/v21
>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
>CLIENT:ENV,IV_MTU=1600
>CLIENT:ENV,IV_PROTO=990
>CLIENT:ENV,IV_TCPNL=1
>CLIENT:ENV,IV_NCP=2
>CLIENT:ENV,IV_PLAT=linux
>CLIENT:ENV,IV_VER=v3.8.2
>CLIENT:ENV,remote_port_1=1194
>CLIENT:ENV,local_port_1=1194
>CLIENT:ENV,proto_1=udp
>CLIENT:ENV,daemon_pid=44361
>CLIENT:ENV,daemon_start_time=1707741604
>CLIENT:ENV,daemon_log_redirect=1
>CLIENT:ENV,daemon=1
>CLIENT:ENV,verb=4
>CLIENT:ENV,config=/etc/openvpn/server.conf
>CLIENT:ENV,ifconfig_local=192.168.1.1
>CLIENT:ENV,ifconfig_netmask=255.255.255.0
>CLIENT:ENV,script_context=init
>CLIENT:ENV,tun_mtu=1500
>CLIENT:ENV,dev=tun0
>CLIENT:ENV,dev_type=tun
>CLIENT:ENV,redirect_gateway=0
>CLIENT:ENV,END

If a management-client-auth management client does validation based on the common name, it would break if username-as-common-name is configured and no common name is given. In conclusion, the same username-as-common-name logic needs to be replicated.

In case username-as-common-name hits after authentication, a configuration hint from OpenVPN's point of view would be nice so that the management client receives this info out of the box.

To Reproduce

  1. Set up an OpenVPN server with username-as-common-name and verify-client-cert
  2. Set up the management interface and connect via telnet.
  3. Connect via an OpenVPN client to the server
  4. Observe the client connection

Expected behavior

If username-as-common-name is configured, I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself have the same values.

selvanair commented 7 months ago

Expected behavior: If username-as-common-name is configured, I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself have the same values.

In this case the common_name is set to username only after authentication, so you will not see it in CLIENT:ENV when CLIENT:CONNECT cid kid is received. This command is issued before username and password are verified, and is indeed meant for the management client to do the user/pass authentication.

Subsequent messages like CLIENT:ESTABLISHED should contain the replaced common_name in CLIENT:ENV.

This is explained in the man page of recent versions:

--username-as-common-name
      Use the authenticated username as the common-name, rather than the
      common-name from the client certificate. Requires that some form of
      --auth-user-pass verification is in effect. As the replacement happens after
      --auth-user-pass verification, the verification script or plugin will still receive
      the common-name from the certificate.

      The common_name environment variable passed to scripts and plugins invoked
      after authentication (e.g., client-connect script) and filenames parsed in client-config
      directory will match the username.

Note the wording: authenticated username.
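A small Python example, added here and not part of OpenVPN or of this issue, that parses the >CLIENT: notification stream the way a management-client-auth client would and applies the fallback described above: at CLIENT:CONNECT, before authentication, common_name is absent under username-as-common-name, so the client keys on username; at CLIENT:ESTABLISHED it reads the replaced common_name. The sample stream and the function names are constructed for the example.

```python
# Added example (not OpenVPN code): parse management-interface ">CLIENT:" notifications
# and pick the name a management client should act on under username-as-common-name.

# Constructed sample modelled on the stream quoted in the issue. CLIENT:CONNECT is sent
# before auth, so common_name is absent; CLIENT:ESTABLISHED is sent after auth, once
# the server has replaced common_name with the authenticated username.
SAMPLE = """\
>CLIENT:CONNECT,3,1
>CLIENT:ENV,n_clients=0
>CLIENT:ENV,password=password,of_course
>CLIENT:ENV,username=myself
>CLIENT:ENV,IV_SSO=openurl,webauth,crtext
>CLIENT:ENV,END
>CLIENT:ESTABLISHED,3
>CLIENT:ENV,common_name=myself
>CLIENT:ENV,username=myself
>CLIENT:ENV,END
"""


def parse_client_notifications(text):
    """Return a list of (event, args, env) tuples, one per >CLIENT: block.

    ENV values may contain commas (password=..., IV_SSO=...), so each ENV line is
    split on the first ',' and the first '=' only."""
    events, current = [], None
    for line in text.splitlines():
        if not line.startswith(">CLIENT:"):
            continue  # not a client notification (e.g. a command reply)
        body = line[len(">CLIENT:"):]
        if body.startswith("ENV,"):
            payload = body.split(",", 1)[1]
            if payload == "END":
                events.append(current)
                current = None
            elif current is not None:
                key, _, value = payload.partition("=")
                current[2][key] = value
        else:
            event, _, rest = body.partition(",")
            current = (event, rest.split(",") if rest else [], {})
    return events


def effective_common_name(env, username_as_common_name):
    """common_name wins once the server has set it; before authentication it is
    empty under username-as-common-name, so replicate the server's later
    replacement and fall back to the authenticated username."""
    if env.get("common_name"):
        return env["common_name"]
    return env.get("username", "") if username_as_common_name else ""
```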

jkroepke commented 7 months ago

Thanks for the clarification.