[Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Jakob Curdes

Hello all,

we are trying to implement 2FA for several existing Firebox SSL VPNs 
(which essentially use OpenVPN on server and client side). The remote 
users all use the Windows OpenVPN client. This works perfectly without 
2FA, and it works also if you do not need to specify the authentication 
domain on user logon. But for the migration it is necessary to do that 
as I cannot convert all users at once - the domain you enter in the 
username field is then "authpoint" instead of something like 
"company.private". In the 2FA process, the OpenVPN client then opens a 
text window where you can enter a TOTP token or a "p" for a push 
request. This all works with the default domain set, but not when 
specifying a domain with a backslash:


Thu Mar 10 10:35:31 2022 VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
Thu Mar 10 10:35:31 2022 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Thu Mar 10 10:35:31 2022 [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]1.2.3.4:443
Thu Mar 10 10:35:32 2022 MANAGEMENT: >STATE:1646904932,GET_CONFIG,,
Thu Mar 10 10:35:32 2022 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Mar 10 10:35:32 2022 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:1796:Yoirtuqeprtiqrew4==:Type "p" to receive a push notification or type your one-time password
Thu Mar 10 10:35:32 2022 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 10 10:35:32 2022 MANAGEMENT: >STATE:1646904932,RECONNECTING,auth-failure,
Thu Mar 10 10:35:32 2022 Restart pause, 5 second(s)
Thu Mar 10 10:35:40 2022 Previous command sent to management failed: ERROR: Options warning: Bad backslash ('\') usage in TCP:0: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you sho
Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'username "Auth" "authpoint\UserName"'
Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'password [...]'

This sounds like I need to escape the backslash, but if I do this the 
Auth fails completely before the 2FA part comes into the picture. I fear 
that the normal user authentication part and the 2FA code treat 
backslashes differently... how can I get this going, if at all? Should I 
contact the openvpn-devel list for this?


Best regards and thank you for hints,

Jakob Curdes

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Jan Just Keijser

Hi there,

On 10/03/22 11:51, Jakob Curdes wrote:


Before getting into whether this is a bug or not: most Windows-based 
authentication systems also accept authpoint/Username (i.e. forward slash).


Other than that, this does seem to be one for the -devel list, as I 
suspect that in manage.c the "parse_line" call does not differentiate 
between file paths (for which \\ is needed) and a "domain\username" call.


Alternatively, you might be able to get away with specifying 
username@FQDN as well.


HTH,

JJK



Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Jakob Curdes


On 10.03.2022 at 12:22, Jan Just Keijser wrote:




> Before getting into whether this is a bug or not: most 
> Windows-based authentication systems also accept authpoint/Username 
> (i.e. forward slash).
>
> Other than that, this does seem to be one for the -devel list, as I 
> suspect that in manage.c the "parse_line" call does not differentiate 
> between file paths (for which \\ is needed) and a "domain\username" call.
>
> Alternatively, you might be able to get away with specifying 
> username@FQDN as well.



Hello Jan, hello all,

thank you for these ideas - I had already tried the forward slash, 
without success. I now also tried "@", but this does not work either; I 
suspect the server side (i.e. the WatchGuard auth module) does not 
understand the login then. Ok, so I will ask on the -devel list. If I 
have a solution I will add it here. Thank you.




Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Selva Nair
On Thu, Mar 10, 2022 at 6:14 AM Jakob Curdes wrote:

> Hello all,
>
> we are trying to implement 2FA for several existing Firebox SSL VPNs
> (which essentially uses OpenVPN on server and client side). The remote
> users all use the Windows OpenVPN client. This works perfectly without 2FA,
> and it works also if you do not need to specify the authentication domain
> on user logon. But for the migration it is necessary to do that as I cannot
> convert all users at once - the domain you enter in the username field is
> then "authpoint" instead of something like "company.private". In the 2FA
> process, the OpenVPN client then opens a text window where you can enter a
> TOTP token or a "p" for a push request. This all works with the default
> domain set, but not when specifying a domain with a backslash:
>

If you are using OpenVPN-GUI for Windows, looks like a bug. I guess, by
text window, you mean the challenge-response dialog that the GUI pops up
for 2FA.

Username is first input in the username/password dialog and that seems to
succeed with the backslash in it. You should be able to see that the
username is passed to management with the backslash replaced by "\\"
(escaped). Then the challenge response dialog is shown when AUTH_FAILED
with challenge is received where the user types the response. In that round
the username is submitted again and that seems to be failing. Looks like a
bug in the GUI -- we are not expanding the string when submitted from that
dialog. Generally we use ManagementCommandFromInput() to submit user input
and that does the escaping, but for this username which is not input by
user but passed in by the server, we send it directly without escaping.
Will fix if that is indeed the case.

As a quick fix, username@domain instead of domain\username may work with
your server.

Selva
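The mismatch Selva describes, one code path escaping the username and another sending it verbatim, as an added C example that is not OpenVPN-GUI or OpenVPN code. The escape rule (double every backslash, escape double quotes), the set of characters a backslash may precede, and the receiving parser are assumptions made for this illustration, not the project's ManagementCommandFromInput() or parse_line(); the sample logins are constructed. It shows that the escaped form of authpoint\UserName round-trips, that the same value sent verbatim is rejected the way the log shows, and that the slash and @ forms suggested in this thread pass either path:

```c
/* Added example, not OpenVPN or OpenVPN-GUI source. It models the escaping a
 * management-interface client must apply to a username like authpoint\UserName
 * before sending 'username "Auth" "..."', and why the same value sent verbatim
 * is rejected by a receiver that treats '\' as a shell-style escape. The escape
 * rule, the accepted escape set and the parser are assumptions for this
 * illustration, not the project's parse_line() or ManagementCommandFromInput(). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside a double-quoted command argument.
 * Returns the number of characters written, or -1 if out is too small. */
int escape_mgmt_arg(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        bool special = (*p == '\\' || *p == '"');
        if (n + (special ? 2u : 1u) + 1u > outlen) {
            return -1;
        }
        if (special) { out[n++] = '\\'; }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Decode the body of a double-quoted argument with shell-style rules: a '\'
 * may only precede '\', '"', '\'' or a space; anything else after it is
 * rejected, the analogue of the "Bad backslash ('\') usage" warning in the log. */
bool unescape_mgmt_arg(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\') {
            char next = p[1];
            if (!(next == '\\' || next == '"' || next == '\'' || next == ' ')) {
                return false; /* bad backslash usage */
            }
            c = next;
            p++;
        }
        if (n + 1 >= outlen) { return false; }
        out[n++] = c;
    }
    out[n] = '\0';
    return true;
}

/* Sender side: build the username command, escaping the value when 'escape'
 * is set (the username/password dialog path) and copying it verbatim
 * otherwise (the challenge-response path described in the thread). */
bool build_username_cmd(const char *username, bool escape, char *cmd, size_t cmdlen)
{
    char arg[128];
    if (escape) {
        if (escape_mgmt_arg(username, arg, sizeof arg) < 0) { return false; }
    } else {
        if (strlen(username) >= sizeof arg) { return false; }
        strcpy(arg, username);
    }
    int w = snprintf(cmd, cmdlen, "username \"Auth\" \"%s\"", arg);
    return w > 0 && (size_t)w < cmdlen;
}

/* Receiver side: take the last double-quoted argument of the command and
 * decode it. Fails on a malformed command or a bad escape inside the value. */
bool parse_username_cmd(const char *cmd, char *username, size_t len)
{
    const char *start = strstr(cmd, "\" \"");
    if (start == NULL) { return false; }
    start += 3; /* past the closing quote of "Auth", the space and the opening quote */
    size_t body_len = strlen(start);
    char body[128];
    if (body_len == 0 || start[body_len - 1] != '"' || body_len - 1 >= sizeof body) {
        return false;
    }
    memcpy(body, start, body_len - 1);
    body[body_len - 1] = '\0';
    return unescape_mgmt_arg(body, username, len);
}

/* End-to-end check: true only if the username survives sending and parsing unchanged. */
bool username_roundtrip_ok(const char *username, bool escape)
{
    char cmd[256], decoded[128];
    return build_username_cmd(username, escape, cmd, sizeof cmd)
        && parse_username_cmd(cmd, decoded, sizeof decoded)
        && strcmp(decoded, username) == 0;
}

int main(void)
{
    /* Constructed sample logins; the first is the form from the thread's log. */
    const char *logins[] = { "authpoint\\UserName", "authpoint/UserName", "UserName@company.private" };
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        printf("%-26s escaped path: %-4s verbatim path: %s\n", logins[i],
               username_roundtrip_ok(logins[i], true) ? "ok" : "FAIL",
               username_roundtrip_ok(logins[i], false) ? "ok" : "FAIL");
    }
    return 0;
}
```

The point of keeping both sides in one file is that the receiver's escape set decides what a sender must do: any value that can contain a backslash has to go through the same escaping routine on every path that submits it, including a re-submission the user never typed.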


Re: [Openvpn-users] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Jakob Curdes

Hello Selva, hello all,




> If you are using OpenVPN-GUI for Windows, looks like a bug. I guess, 
> by text window, you mean the challenge-response dialog that the GUI 
> pops up for 2FA.

Yes, exactly.

> Username is first input in the username/password dialog and that seems 
> to succeed with the backslash in it. You should be able to see that 
> the username is passed to management with the backslash replaced by 
> "\\" (escaped). Then the challenge response dialog is shown when 
> AUTH_FAILED with challenge is received where the user types the 
> response. In that round the username is submitted again and that seems 
> to be failing. Looks like a bug in the GUI -- we are not expanding the 
> string when submitted from that dialog. Generally we use 
> ManagementCommandFromInput() to submit user input and that does the 
> escaping, but for this username which is not input by user but passed 
> in by the server, we send it directly without escaping. Will fix if 
> that is indeed the case.

This sounds like a perfect description of what I am seeing. I can send 
you complete logs off-list.

> As a quick fix, username@domain instead of domain\username may 
> work with your server.

Sadly no, the authentication is passed back by the embedded OpenVPN 
server to the WatchGuard Auth engine, which seems to choke on everything 
but "\".
This is no problem when you have just one authentication method, as then 
you just specify the username. But when using AD directly as well as the 
2FA service "AuthPoint", in a transition period, you cannot do this with 
the OpenVPN client as you would prepend the AD domain or the "authpoint" 
domain to the username, which then leads to the error in the second auth 
round.


Best regards, Jakob Curdes
