TinCanTech / easy-tls

Manage and Inline OpenVPN TLS keys and Easy-RSA PKI credentials. Supports OpenVPN TLS-Crypt-V2 key system and OpenVPN Peer-Fingerprint mode.
GNU General Public License v2.0

When `--proto` is `UDP` connection tracking is unreliable #224

Closed TinCanTech closed 3 years ago

TinCanTech commented 3 years ago

It is possible for a client session to be re-initialised by OpenVPN without any notification to external scripts, thus breaking connection tracking.

The log below shows client ub18

There is nothing I can do about this except come up with a completely new approach. Currently, the best solution appears to be this:

Log of events:

2021-08-31 16:18:55 us=157907 ub18/192.168.1.2:4439 SENT CONTROL [ub18]: 'PUSH_REPLY,topology subnet,route 10.10.101.0 255.255.255.0 net_gateway,route 10.0.0.0 255.0.0.0,route 172.16.0.0 255.240.0.0,route 192.168.0.0 255.255.0.0,route 192.168.1.0 255.255.255.252 net_gateway,explicit-exit-notify 1,comp-lzo no,ping 90,ping-restart 180,route-gateway 192.168.199.9,ifconfig 192.168.199.10 255.255.255.252,peer-id 2,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)

2021-08-31 16:21:10 us=977731 Float requested for peer 2 to 192.168.1.2:1713
2021-08-31 16:21:10 us=977899 peer 2 (ub18) floated from 192.168.1.2:4439 to [AF_INET6]::ffff:192.168.1.2:1713

2021-08-31 16:23:16 us=590443 ub18/192.168.1.2:1713 TLS: soft reset sec=272/272 bytes=569/-1 pkts=9/0
2021-08-31 16:23:44 us=580774 Float requested for peer 2 to 192.168.1.2:2796
2021-08-31 16:23:44 us=580935 peer 2 (ub18) floated from 192.168.1.2:1713 to [AF_INET6]::ffff:192.168.1.2:2796
2021-08-31 16:23:47 us=789671 ub18/192.168.1.2:2796 Control Channel: using tls-crypt-v2 key
2021-08-31 16:23:47 us=789796 ub18/192.168.1.2:2796 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-08-31 16:23:47 us=789846 ub18/192.168.1.2:2796 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-08-31 16:23:47 us=789890 ub18/192.168.1.2:2796 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-08-31 16:23:47 us=789938 ub18/192.168.1.2:2796 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
<EXOK> * Easy-TLS-cryptv2-verify => vars loaded => CN:ub18-v26b => easytls OK => custom_group EasyTLS-v26b OK => tlskey-serial verified OK => Key age 3 days OK => Enabled OK => client passed TLS tests => Created generic_metadata_file => Created client_metadata_file => connection allowed
2021-08-31 16:23:47 us=814484 ub18/192.168.1.2:2796 TLS CRYPT V2 VERIFY SCRIPT OK
2021-08-31 16:23:47 us=814582 ub18/192.168.1.2:2796 TLS: new session incoming connection from [AF_INET6]::ffff:192.168.1.2:2796

<EXOK> * EasyTLS-verify => vars loaded => CN:Easy-TLS v26b CA => Stage-1 file created => connection allowed
2021-08-31 16:23:47 us=861942 ub18/192.168.1.2:2796 VERIFY SCRIPT OK: depth=1, C=00, ST=home, L=tct, O=easy-tls, OU=Easy-TLS test v26b, CN=Easy-TLS v26b CA, emailAddress=tct@easytls.net
2021-08-31 16:23:47 us=862405 ub18/192.168.1.2:2796 VERIFY OK: depth=1, C=00, ST=home, L=tct, O=easy-tls, OU=Easy-TLS test v26b, CN=Easy-TLS v26b CA, emailAddress=tct@easytls.net
<EXOK> * EasyTLS-verify => vars loaded => CN:ub18-v26b => Stage-1 file deleted => init conn (g1) => generic metadata loaded => init conn (c1) => client metadata loaded => init full_x509_serial_match OK => generic_ext_md_file OK (F1) => client_ext_md_file OK (F1) => full_x509_serial_match OK => Recognised Client cert serial => connection allowed
2021-08-31 16:23:47 us=879321 ub18/192.168.1.2:2796 VERIFY SCRIPT OK: depth=0, C=00, ST=home, L=tct, O=easy-tls, OU=Easy-TLS test v26b, CN=ub18-v26b, emailAddress=tct@easytls.net
2021-08-31 16:23:47 us=879364 ub18/192.168.1.2:2796 VERIFY OK: depth=0, C=00, ST=home, L=tct, O=easy-tls, OU=Easy-TLS test v26b, CN=ub18-v26b, emailAddress=tct@easytls.net
2021-08-31 16:23:47 us=881224 ub18/192.168.1.2:2796 peer info: IV_VER=2.6_git
2021-08-31 16:23:47 us=881257 ub18/192.168.1.2:2796 peer info: IV_PLAT=linux
2021-08-31 16:23:47 us=881274 ub18/192.168.1.2:2796 peer info: IV_NCP=2
2021-08-31 16:23:47 us=881293 ub18/192.168.1.2:2796 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2021-08-31 16:23:47 us=881314 ub18/192.168.1.2:2796 peer info: IV_PROTO=30
2021-08-31 16:23:47 us=881336 ub18/192.168.1.2:2796 peer info: IV_LZ4=1
2021-08-31 16:23:47 us=881357 ub18/192.168.1.2:2796 peer info: IV_LZ4v2=1
2021-08-31 16:23:47 us=881376 ub18/192.168.1.2:2796 peer info: IV_LZO=1
2021-08-31 16:23:47 us=881395 ub18/192.168.1.2:2796 peer info: IV_COMP_STUB=1
2021-08-31 16:23:47 us=881418 ub18/192.168.1.2:2796 peer info: IV_COMP_STUBv2=1
2021-08-31 16:23:47 us=881437 ub18/192.168.1.2:2796 peer info: IV_TCPNL=1
2021-08-31 16:23:47 us=881456 ub18/192.168.1.2:2796 peer info: IV_HWADDR=00:15:5d:c9:6e:0c
2021-08-31 16:23:47 us=881476 ub18/192.168.1.2:2796 peer info: IV_SSL=OpenSSL_1.1.1__11_Sep_2018
2021-08-31 16:23:47 us=882991 ub18/192.168.1.2:2796 TLS: Username/Password authentication deferred for username 'ub18' [CN SET]
2021-08-31 16:23:47 us=883065 ub18/192.168.1.2:2796 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
2021-08-31 16:23:47 us=883099 ub18/192.168.1.2:2796 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2021-08-31 16:23:47 us=883246 ub18/192.168.1.2:2796 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1

***** delay for 7 seconds -- ub18-v26b ub18 *****

2021-08-31 16:23:47 us=883642 ub18/192.168.1.2:2796 TLS: tls_multi_process: untrusted session promoted to trusted
2021-08-31 16:23:47 us=886544 ub18/192.168.1.2:2796 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256

***** delay for 7 seconds -- ub18-v26b ub18 DONE *****

2021-08-31 16:24:02 us=990060 ub18/192.168.1.2:2796 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-31 16:24:02 us=990199 ub18/192.168.1.2:2796 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-31 16:24:39 us=603692 event_wait : Interrupted system call (fd=-1,code=4)
2021-08-31 16:24:39 us=603767 SENT CONTROL [ub18]: 'RESTART' (status=1)
2021-08-31 16:24:39 us=603800 SENT CONTROL [arch]: 'RESTART' (status=1)
2021-08-31 16:24:39 us=603825 SENT CONTROL [deb10]: 'RESTART' (status=1)
<EXOK> * EasyTLS-client-disconnect => vars loaded => CN:ub18-v26b => X509 serial matched => client_ext_md_file loaded => disconnection success => conn-trac: unregistered => 5b24c22d9b73b01fed9268bdbaa5c2a7b2c08cd8d31255669ac548b0552e65f2=2A0FEC19858D73B6EF36DB69B7F75424=192.168.1.2=2796 => temp-files deleted

TinCanTech commented 3 years ago

After a major re-write of easytls-cryptv2-verify.sh and client-connect/disconnect, conntrac is considerably more reliable.

TinCanTech commented 3 years ago

Changes seem to be worse than before ..

TinCanTech commented 3 years ago

Turns out Openvpn has a bug: https://community.openvpn.net/openvpn/ticket/160#comment:19

TinCanTech commented 3 years ago

I applied a rebased version of JJK's patch:

tct@home:~/openvpn/master$ git diff
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 22357cfb..bccb82a7 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -557,6 +557,9 @@ setenv_stats(struct context *c)
 static void
 multi_client_disconnect_setenv(struct multi_instance *mi)
 {
+   /* setenv incoming cert common name for script */
+   setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi, true));
+
     /* setenv client real IP address */
     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
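Review bot: `tls_common_name()` is called here with `null = true`, which returns NULL instead of the "UNDEF" placeholder when the session has no trusted common name, and a NULL value leaves `common_name` unset in the environment, so a peer that never completed the TLS handshake can still reach `--client-disconnect` without `common_name`; either pass `false` so the script always sees a value, or make the disconnect script treat an unset `common_name` as its own failure case. Minor style point: `setenv_str (` and `tls_common_name (` carry a space before the parenthesis, unlike `setenv_trusted(` two lines below.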

tct@home:~/openvpn/master$ 

and it works.

TinCanTech commented 3 years ago

Even with a patched version, Openvpn sometimes omits common_name altogether for --client-disconnect. It looks like this bug is going to be around for a long time.

I have added code to catch and record disconnect failures, and also try a regexp method to remove the errant record.
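The fallback described in the comment above, written out as an added illustration that is not Easy-TLS code: when `common_name` is present the conn-trac record can be resolved and removed exactly; when OpenVPN omits it, the only reliable identifiers left in the `--client-disconnect` environment are `trusted_ip` and `trusted_port`, so the record is matched by a regular expression on its address fields, refused when that match is ambiguous, and the failure is written to an audit file. The record layout `<tlskey-serial>=<x509-serial>=<trusted_ip>=<trusted_port>` is taken from the conn-trac line in the log; the conn-trac file contents, the function names and the failures file are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Easy-TLS. Demonstrates exact removal of a
# conn-trac record when common_name is known and a regexp fallback keyed
# on trusted_ip/trusted_port when OpenVPN omits common_name on disconnect.

# Write a constructed conn-trac file and print its path. The first record
# is the one shown in the issue log; the rest are made up for the example.
make_sample_conntrac() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
5b24c22d9b73b01fed9268bdbaa5c2a7b2c08cd8d31255669ac548b0552e65f2=2A0FEC19858D73B6EF36DB69B7F75424=192.168.1.2=2796
0000000000000000000000000000000000000000000000000000000000000001=00000000000000000000000000000001=192.168.1.3=1194
0000000000000000000000000000000000000000000000000000000000000002=00000000000000000000000000000002=192.168.1.4=1194
0000000000000000000000000000000000000000000000000000000000000003=00000000000000000000000000000003=192.168.1.4=1194
EOF
    printf '%s\n' "$f"
}

# Escape a literal string for use inside a grep basic regular expression.
re_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# Number of records whose trusted_ip and trusted_port fields match.
conntrac_count_by_addr() {
    file=$1; eip=$(re_escape "$2"); eport=$(re_escape "$3")
    grep -c "=${eip}=${eport}\$" "$file" || true
}

# Normal path: remove one exact record. Fails if the record is absent.
conntrac_unregister_exact() {
    file=$1; record=$2
    grep -F -x -q -e "$record" "$file" || return 1
    grep -F -x -v -e "$record" "$file" > "$file.tmp.$$" || true
    mv "$file.tmp.$$" "$file"
}

# Fallback path: remove the single record matching ip:port by regexp.
# Refuses (and leaves the file untouched) when zero or several match,
# because deleting the wrong record would desynchronise the tracker.
conntrac_unregister_by_addr() {
    file=$1; ip=$2; port=$3
    n=$(conntrac_count_by_addr "$file" "$ip" "$port")
    [ "$n" -eq 1 ] || return 1
    eip=$(re_escape "$ip"); eport=$(re_escape "$port")
    grep -v "=${eip}=${eport}\$" "$file" > "$file.tmp.$$" || true
    mv "$file.tmp.$$" "$file"
}

# Disconnect handler. $record is the full conn-trac record when client
# metadata could be resolved from common_name, or empty when OpenVPN
# omitted common_name. Returns 1 and logs to $failures when no
# unambiguous removal was possible.
client_disconnect() {
    file=$1; failures=$2; record=$3; ip=$4; port=$5
    if [ -n "$record" ] && conntrac_unregister_exact "$file" "$record"; then
        return 0
    fi
    if conntrac_unregister_by_addr "$file" "$ip" "$port"; then
        return 0
    fi
    printf '%s disconnect-failed ip=%s port=%s record=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ip" "$port" "${record:-none}" \
        >> "$failures"
    return 1
}

# Usage from an OpenVPN --client-disconnect script would be:
#   client_disconnect "$CONNTRAC" "$FAILURES" "$resolved_record" \
#       "$trusted_ip" "$trusted_port"
```

Running the functions against the constructed file shows the three outcomes a disconnect script has to tell apart: an exact match removed by record, a single address match removed by regexp, and an ambiguous or unknown address that is left alone and logged for later cleanup.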

TinCanTech commented 3 years ago

Easy-TLS is a fully functional workaround to https://community.openvpn.net/openvpn/ticket/160

Closed: 9864cfab1f9dcc7712333db69daa4a2d7b815601