Hi Selva,

then I misunderstood it. I'm using just 'client-auth-nt' from the beginning, but now I supply 'END', not that it matters (the management-notes.txt was not that clear to me in this case).

Yes, this is a bridged setup. Currently the openvpn server supplies the IP address. The server.conf looks like this:

dev tap
dev-type tap

port 443
proto tcp

# Certificates and ciphers
ca my-root-ca.crt
cert my-server.crt
key my-server.key  # This file should be kept secret
tls-crypt tls-crypt.key

dh dh2048.pem
ecdh-curve secp521r1

cipher AES-256-GCM
ncp-ciphers AES-256-GCM
# TLS 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# TLS 1.3
tls-ciphersuites TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
tls-version-min 1.2

auth-nocache
auth SHA512
auth-gen-token 14400

#keepalive 10 120
ping 60

persist-key
persist-tun

topology subnet
server-bridge 10.14.12.1 255.255.252.0 10.14.14.1 100.14.14.254

# Logging
status /var/log/openvpn/openvpn-status.log
status-version 1
log-append  /var/log/openvpn/openvpn.log
verb 3
mute 20

verify-client-cert none
username-as-common-name

client-to-client

up "/etc/openvpn/server/bridge-addif.sh br0 ens33"

# to be able to call up/down script
script-security 2

management /etc/openvpn/server/.server-auth-socket unix
management-client-auth

#plugin /lib64/openvpn/plugins/openvpn-plugin-auth-pam-viper.so "openvpn login USERNAME password PASSWORD 'Enter PASSCODE' OTP"

mute-replay-warnings

push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 172.12.18.65"
push "dhcp-option DNS 172.12.18.66"
push "dhcp-option DOMAIN mydomain.intra"
push "dhcp-option PROXY_HTTP 10.0.0.13 8080"
push "dhcp-option PROXY_HTTPS 10.0.0.13 8080"
push "dhcp-option PROXY_AUTO_CONFIG_URL http://172.12.51.15/proxy.pac";
push "dhcp-option ip-win32 adaptive -3 28800"
push "route 89.135.151.38 255.255.255.255 100.114.12.1"
push "ping 60"


With this config, the connection establishes, but seemingly no traffic can go through the tunnel; the gw is not pingable. In the logs all looks good (still using just client-auth-nt).

However, if I enable plugin auth in the config and comment out management-client-auth everything starts to work as it should. Weird.

Cheers,

    Tom
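As an added example (not Selva's script and not code from the original thread): a parser for the `>CLIENT:CONNECT` notification that the management interface emits when `management-client-auth` is set, plus a builder for the reply, showing the distinction the thread turns on: `client-auth-nt` stands alone, while `client-auth` carries per-client config lines and must be terminated by `END`. The sample notification, `demo_verifier` and the credentials in it are constructed; CID 3 / KID 0 mirror the posted log.

```python
import hmac
import re

# Constructed sample of the notification OpenVPN writes to the management
# socket for one deferred-auth client (CID 3, KID 0, as in the posted log).
# Not captured from the thread's server.
SAMPLE_NOTIFICATION = """\
>CLIENT:CONNECT,3,0
>CLIENT:ENV,n_clients=0
>CLIENT:ENV,username=mysecretuser
>CLIENT:ENV,password=correct-horse
>CLIENT:ENV,untrusted_ip=203.0.113.7
>CLIENT:ENV,END
"""

ENV_PREFIX = ">CLIENT:ENV,"


def parse_client_connect(text):
    """Return (cid, kid, env) from a >CLIENT:CONNECT ... >CLIENT:ENV,END block."""
    lines = text.splitlines()
    m = re.match(r">CLIENT:CONNECT,(\d+),(\d+)$", lines[0] if lines else "")
    if not m:
        raise ValueError("not a CLIENT:CONNECT notification")
    env = {}
    for line in lines[1:]:
        if line == ENV_PREFIX + "END":
            break
        if not line.startswith(ENV_PREFIX):
            raise ValueError("unexpected line inside ENV block: %r" % line)
        key, _, value = line[len(ENV_PREFIX):].partition("=")
        env[key] = value
    else:  # loop ran out before the END marker: never authorise on a partial block
        raise ValueError("ENV block not terminated by >CLIENT:ENV,END")
    return int(m.group(1)), int(m.group(2)), env


def demo_verifier(username, password):
    """Constructed stand-in for a real backend (PAM, LDAP, OTP); constant-time compare."""
    return username == "mysecretuser" and hmac.compare_digest(password.encode(), b"correct-horse")


def auth_response(cid, kid, env, verify, client_config=()):
    """Lines to send back: deny on failure; otherwise 'client-auth-nt' when there is
    no per-client config, or 'client-auth' + config lines + 'END' when there is."""
    if not verify(env.get("username", ""), env.get("password", "")):
        return ['client-deny %d %d "auth failed" "Authentication failed"' % (cid, kid)]
    if client_config:
        return ["client-auth %d %d" % (cid, kid), *client_config, "END"]
    return ["client-auth-nt %d %d" % (cid, kid)]
```

In a real script the returned lines are written newline-terminated to the unix socket named by the `management` directive, and the server then logs each as `MANAGEMENT: CMD '...'` as in the posted log.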

 

From: Selva Nair [mailto:selva.n...@gmail.com]
Sent: Thursday, April 2, 2020 12:33 AM
To: Dajka Tamás <vi...@vipernet.hu>
Cc: openvpn users list <openvpn-users@lists.sourceforge.net>
Subject: Re: [Openvpn-users] management-auth breaks data-channel?

Hi,

On Wed, Apr 1, 2020 at 4:39 PM Dajka Tamás <vi...@vipernet.hu> wrote:

Hi Selva,

you were right, I did forget the closing 'END'. Somehow I failed to notice it in your script.

I do not think you carefully read what I wrote :) I use "client-auth-nt" in my script and do not send "END" -- it's not required. "END" is needed with "client-auth", which you stated to be using. Also see management-notes.txt in the repo (it's there somewhere in the community website as well).

That said,

Now I have it, but the config still does not work:

CLIENT_PUBLIC_IP:57516 TLS: Username/Password authentication deferred for username 'mysecretuser' [CN SET]
CLIENT_PUBLIC_IP:57516 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
CLIENT_PUBLIC_IP:57516 [mysecretuser] Peer Connection Initiated with [AF_INET]CLIENT_PUBLIC_IP:57516
CLIENT_PUBLIC_IP:57516 PUSH: Received control message: 'PUSH_REQUEST'
MANAGEMENT: CMD 'client-auth-nt 3 0'
MANAGEMENT: CMD 'END'
mysecretuser/CLIENT_PUBLIC_IP:57516 MULTI: no dynamic or static remote --ifconfig address is available for mysecretuser/CLIENT_PUBLIC_IP:57516

This is a bridged setup, right? How are you assigning IPs to clients? DHCP?

mysecretuser/CLIENT_PUBLIC_IP:57516 SENT CONTROL [mysecretuser]: 'PUSH_REPLY,redirect-gateway def1,route-gateway dhcp,ip-win32 dynamic 0 3600,ping 60,route-gateway dhcp,ping 10,ping-restart 120,peer-id 0,cipher AES-256-GCM,auth-token' (status=1)
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:57516 Key [AF_INET]CLIENT_PUBLIC_IP:57516 [0] not initialized (yet), dropping packet.

What else did I miss?

Can't say. Something else may be wrong in the configs or your script.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
