Hello Eric, thanks a lot for the answer.
It works almost perfectly, only it doesn't disconnect the client on token expiry. The server closes the connection but Viscosity still shows it's connected. Do you have any ideas for that?
Configs below (private info replaced with Xes)
# details:
os: Amazon Linux 2 64bit
openvpn version:
openvpn-2.4.7-1.el7.x86_64 (from epel repo)
OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
viscosity:
1.7.14 (1480) (registered)
server.conf
port 443
proto udp4
dev tun0
topology subnet
server 172.27.65.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/server.tlsauth
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify
status /var/log/openvpn-status.log
verb 3
username-as-common-name
client-cert-not-required
reneg-sec 10
auth-gen-token 20
auth-user-pass-verify /etc/openvpn/openvpn_otp_auth.py via-env
script-security 3
client.conf
client
pull
tls-client
proto udp
remote vpn.xxx.xxx 443 udp
resolv-retry infinite
dev tun
nobind
auth-nocache
topology subnet
user nobody
group nobody
auth-user-pass
explicit-exit-notify
static-challenge "Activate your YubiKey" 0
remote-cert-eku "TLS Web Server Authentication"
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
</ca>
log file, verb 3:
### first connect/authentication
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:58658, sid=50c047a9 622deb27
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 TLS: Username/Password authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 [pmazanec] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:58658
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI_sva: pool returned IPv4=172.27.65.2, IPv6=(Not enabled)
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI: Learn: 172.27.65.2 -> pmazanec/XX.XX.XX.XX:58658
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 pmazanec/XX.XX.XX.XX:58658 MULTI: primary virtual IP for pmazanec/XX.XX.XX.XX:58658: 172.27.65.2
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 PUSH: Received control message: 'PUSH_REQUEST'
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 SENT CONTROL [pmazanec]: 'PUSH_REPLY,compress lz4-v2,route-gateway 172.27.65.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.65.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,auth-token' (status=1)
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:16 openvpn[32160]: Thu Mar 28 11:48:16 2019 pmazanec/XX.XX.XX.XX:58658 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
### key regeneration #1 - token auth succeeded
Mar 28 11:48:25 openvpn[32160]: Thu Mar 28 11:48:25 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=72/-1 pkts=1/0
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 TLS: Username/auth-token authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
### key regeneration #2 - token expired, viscosity still connected
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=76/-1 pkts=2/0
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 Auth-token for client expired
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
### key regeneration #3 - token expired, viscosity still connected, openvpn_otp_auth.py exited with `1` (??)
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XX.XX.XX.XX:58658 [2]
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_VER=2.4.6
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PLAT=mac
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_PROTO=2
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_NCP=2
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZ4v2=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_LZO=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUB=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_COMP_STUBv2=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_TCPNL=1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 peer info: IV_GUI_VER=Viscosity_1.7.14_1480
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1541'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 SIGTERM[soft,auth-control-exit] received, client-instance exiting
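As an added example (not code from the post, nor from OpenVPN or Viscosity): a small Python analyser that walks a verb-3 server log like the one quoted above and measures, per client instance, how long the server kept the instance alive after it logged `Auth-token for client expired`, and how many renegotiation cycles it allowed in between. The embedded log lines are abridged from the post's own log (addresses masked as there); the message strings are the ones that appear in it, and the syslog prefix format (`Mon DD HH:MM:SS openvpn[pid]:` followed by OpenVPN's own timestamp and peer tag) is an assumption taken from that log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: lines abridged from the verb-3 server log quoted in the post
# (addresses masked as there). Only lines the analyser keys on are kept.
SAMPLE_LOG = """\
Mar 28 11:48:14 openvpn[32160]: Thu Mar 28 11:48:14 2019 XX.XX.XX.XX:58658 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:58658, sid=50c047a9 622deb27
Mar 28 11:48:15 openvpn[32160]: Thu Mar 28 11:48:15 2019 XX.XX.XX.XX:58658 TLS: Username/Password authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:25 openvpn[32160]: Thu Mar 28 11:48:25 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=72/-1 pkts=1/0
Mar 28 11:48:26 openvpn[32160]: Thu Mar 28 11:48:26 2019 pmazanec/XX.XX.XX.XX:58658 TLS: Username/auth-token authentication succeeded for username 'pmazanec' [CN SET]
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=76/-1 pkts=2/0
Mar 28 11:48:36 openvpn[32160]: Thu Mar 28 11:48:36 2019 pmazanec/XX.XX.XX.XX:58658 Auth-token for client expired
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Mar 28 11:48:46 openvpn[32160]: Thu Mar 28 11:48:46 2019 pmazanec/XX.XX.XX.XX:58658 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 TLS: soft reset sec=0 bytes=0/-1 pkts=0/0
Mar 28 11:48:56 openvpn[32160]: Thu Mar 28 11:48:56 2019 pmazanec/XX.XX.XX.XX:58658 SIGTERM[soft,auth-control-exit] received, client-instance exiting
"""

# Assumed line layout (taken from the post's log): syslog prefix, OpenVPN's own
# timestamp, the peer tag ("addr:port" before auth, "user/addr:port" after), message.
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d openvpn\[\d+\]: "
    r"\w{3} \w{3} +\d{1,2} (?P<time>\d\d:\d\d:\d\d) \d{4} "
    r"(?P<peer>\S+) (?P<msg>.*)$"
)

# Auth-token lifecycle messages, worded as they appear in the post's log.
EVENTS = [
    (re.compile(r"Username/Password authentication succeeded for username '(?P<user>[^']+)'"), "password_auth_ok"),
    (re.compile(r"Username/auth-token authentication succeeded for username '(?P<user>[^']+)'"), "token_auth_ok"),
    (re.compile(r"^Auth-token for client expired"), "token_expired"),
    (re.compile(r"^TLS: soft reset"), "renegotiation"),
    (re.compile(r"--auth-user-pass-verify\): external program exited with error status: \d+"), "verify_script_failed"),
    (re.compile(r"^TLS Auth Error: Auth Username/Password verification failed"), "auth_failed"),
    (re.compile(r"^SIGTERM\[soft,auth-control-exit\] received, client-instance exiting"), "server_terminated"),
]


@dataclass
class Session:
    peer: str                       # "addr:port", constant for one client instance
    username: Optional[str] = None
    events: List[Tuple[int, str]] = field(default_factory=list)  # (seconds of day, event)


def _hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s  # assumes all lines fall on the same day


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group auth-lifecycle events per client instance, keyed by addr:port."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a peer tag (daemon startup etc.) are skipped
        key = m.group("peer").rsplit("/", 1)[-1]  # drop the "user/" prefix added after auth
        sess = sessions.setdefault(key, Session(peer=key))
        for pattern, name in EVENTS:
            em = pattern.search(m.group("msg"))
            if em:
                if em.groupdict().get("user"):
                    sess.username = em.group("user")
                sess.events.append((_hms_to_seconds(m.group("time")), name))
                break
    return sessions


def summarize(sess: Session) -> dict:
    """How long a client instance survived after its auth-token expired."""
    names = [e for _, e in sess.events]
    times = [t for t, _ in sess.events]
    expired = names.index("token_expired") if "token_expired" in names else None
    ended = names.index("server_terminated") if "server_terminated" in names else None
    renegs_after_expiry = 0
    if expired is not None:
        stop = ended if ended is not None else len(names)
        renegs_after_expiry = names[expired:stop].count("renegotiation")
    return {
        "username": sess.username,
        "renegotiations": names.count("renegotiation"),
        "token_expired": expired is not None,
        "verify_script_failed": "verify_script_failed" in names,
        "terminated_by_server": ended is not None,
        "seconds_expiry_to_exit": (times[ended] - times[expired])
        if expired is not None and ended is not None else None,
        "renegotiations_after_expiry": renegs_after_expiry,
    }


def lingering_sessions(log_text: str, max_seconds: int) -> List[str]:
    """Peers whose instance outlived token expiry by more than max_seconds, or never exited."""
    out = []
    for key, sess in parse_sessions(log_text).items():
        s = summarize(sess)
        if not s["token_expired"]:
            continue
        if not s["terminated_by_server"] or s["seconds_expiry_to_exit"] > max_seconds:
            out.append(key)
    return out


if __name__ == "__main__":
    for key, sess in parse_sessions(SAMPLE_LOG).items():
        print(key, summarize(sess))
    print("lingering >10s:", lingering_sessions(SAMPLE_LOG, 10))
```

On the post's log this reports that the instance went through two more renegotiation cycles and 20 seconds (with `reneg-sec 10`) between the expiry message and `auth-control-exit`; `lingering_sessions` turns that into an alert threshold so a server-side monitor can flag instances that outlive token expiry, independently of what the client GUI displays.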