
Rejection of non-printable characters in server response vs newlines

Issue opened by yourealwaysbe • 2 comments

Since OpenVPN 2.6.11, server responses containing non-printable characters (including newlines) have been rejected by OpenVPN.

I have to connect to a Watchguard VPN server, which appears to add a newline to the AUTH_FAILED challenge response message. Our IT team have configured the message, but did not add the newline character. This must be being added by Watchguard.

AUTH_FAILED,CRV1:R,E:292:dXhhYzAwOQ==:Please enter the code from your authenticator [newline]

I notice that the newline characters were explicitly rejected by the recent update. I expect this is deliberate and Watchguard will need to change, but I thought I would flag it here in case newlines can be permitted.

  • OS: Arch Linux
  • OpenVPN version: 2.6.11

yourealwaysbe avatar Jun 24 '24 13:06 yourealwaysbe

Do you know how Watchguard does this on the server side to include the newlines? Is that a custom OpenVPN implementation or something that uses OpenVPN 2.x?

schwabe avatar Jun 24 '24 13:06 schwabe

Sorry, I don't know much about Wireguard -- I'm just connecting to it via OpenVPN. This is their recommended method on Linux, but I don't see anything about versions on the help pages. It looks like it's closed source (or at least I didn't find any sources).

yourealwaysbe avatar Jun 24 '24 16:06 yourealwaysbe

In Ubuntu 22 with OpenVPN 2.5.9 and in Windows 10 / 11 with version 2.6.11, we are unable to connect to the VPN server with Microsoft 2FA activated. If we downgrade to another version, the connection is established.

2024-07-09 09:56:17 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
2024-07-09 09:56:17 WARNING: Received control with invalid characters: 41555448 5f464149 4c45442c 43525631 3a522c45 3a363038 3a596d64 76626d6b 3d3a456e 74657220 596f7572 204d6963 726f736f 66742076 65726966 69636174 696f6e20 636f6465 0a00
2024-07-09 09:56:22 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
2024-07-09 09:56:22 Connection reset, restarting [-1]
2024-07-09 09:56:22 Closing DCO interface
2024-07-09 09:56:22 SIGUSR1[soft,connection-reset] received, process restarting
2024-07-09 09:56:22 MANAGEMENT: >STATE:1720511782,RECONNECTING,connection-reset,,,,,

On our server side, this is the message we see:

2024-07-16 12:31:40 WG-2 admd Authentication of SSLVPN user [[email protected]] from 31.221.147.24 was rejected, Timeout, user did not reply to challenge in time msg_id="1100-0005"
2024-07-16 12:31:45 WG-2 admd Authentication of SSLVPN user [[email protected]] from 31.221.147.24 was rejected, Timeout, user did not reply to challenge in time msg_id="1100-0005"

Could this be caused by the update to solve the security issue? https://ubuntu.com/security/CVE-2024-5594

sistemasvicomtech avatar Jul 17 '24 06:07 sistemasvicomtech

Hi,

On Tue, Jul 16, 2024 at 11:41:20PM -0700, sistemas_vicomtech wrote:

In Ubuntu 22 with OpenVPN 2.5.9 and in Windows 10 / 11 with version 2.6.11, we are unable to connect to the VPN server with Microsoft 2FA activated. If we downgrade to another version, the connection is established.

2.6.12 will be released in the next days, and will be more tolerant of incoming control channel messages with trailing CR/newline characters.

Could this be caused by the update to solve the security issue? https://ubuntu.com/security/CVE-2024-5594

Yes. Apologies for that.

gert

-- Gert Doering - Munich, Germany @.***

cron2 avatar Jul 17 '24 08:07 cron2
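As an added illustration (not OpenVPN's own code, and not from anyone in this thread), the script below decodes the hex dump quoted in the 2024-07-09 log line above, locates the bytes that are not printable ASCII, and contrasts a strict check that rejects any such byte with one that ignores only trailing CR/LF, the tolerance cron2 describes for 2.6.12. It assumes control-channel messages arrive NUL-terminated, which is why the dump ends in `0a00`.

```python
# Added example: decode an OpenVPN "Received control with invalid characters"
# hex dump and classify the offending bytes. Not OpenVPN project code.

# Constructed from the hex dump quoted in the thread (2024-07-09 log line).
LOG_HEX = ("41555448 5f464149 4c45442c 43525631 3a522c45 3a363038 3a596d64 "
           "76626d6b 3d3a456e 74657220 596f7572 204d6963 726f736f 66742076 "
           "65726966 69636174 696f6e20 636f6465 0a00")


def decode_dump(hex_words: str) -> bytes:
    """Turn the space-separated hex words from the warning back into raw bytes."""
    return bytes.fromhex(hex_words.replace(" ", ""))


def control_payload(raw: bytes) -> bytes:
    """Drop the single NUL that terminates a control-channel message (assumption)."""
    return raw[:-1] if raw.endswith(b"\x00") else raw


def offending_bytes(payload: bytes) -> list:
    """(offset, byte) for every byte outside printable ASCII 0x20..0x7e."""
    return [(i, b) for i, b in enumerate(payload) if not 0x20 <= b <= 0x7E]


def strict_ok(payload: bytes) -> bool:
    """2.6.11-style rule as described in the thread: any non-printable byte rejects."""
    return not offending_bytes(payload)


def tolerant_ok(payload: bytes) -> bool:
    """Accept when the only non-printable bytes are trailing CR/LF."""
    return strict_ok(payload.rstrip(b"\r\n"))


def analyse(hex_words: str) -> dict:
    """Summarise one dump: cleaned text, offending bytes, and both verdicts."""
    payload = control_payload(decode_dump(hex_words))
    return {
        "text": payload.rstrip(b"\r\n").decode("ascii", "replace"),
        "offending": offending_bytes(payload),
        "strict_ok": strict_ok(payload),
        "tolerant_ok": tolerant_ok(payload),
    }


if __name__ == "__main__":
    for key, value in analyse(LOG_HEX).items():
        print(f"{key}: {value}")
```

Running it shows the only non-printable byte in that dump is a single trailing newline at offset 72, so the message fails the strict check and passes the tolerant one.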

Is this issue resolved in v2.6.12? I was initially on v2.0.9 and I got the same issue with 2FA activated. On the server, the log was like below while sending the challenge text.

WARNING: Received control with invalid characters: 43525f52 4553504f 4e53452c 4e6a6377 4e545131 4e513d3d 0a00

I have upgraded from v2.0.9 to 2.6.12-0ubuntu0.24.04.1, but the same issue persists; I am using OpenVPN client version 3.5.1.

raaj-love-to-code avatar Nov 19 '24 18:11 raaj-love-to-code

That warning message looks like the buggy bugfix from 2.6.11 - are you sure you're running 2.6.12?

reynir avatar Nov 19 '24 18:11 reynir

Yes! Below is the version I am currently using:

OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <[email protected]>

raaj-love-to-code avatar Nov 19 '24 18:11 raaj-love-to-code