
DCO not working with FIPS deployment

Open aaronwmorris opened this issue 9 months ago • 7 comments

Recently, I have been testing OpenVPN with a FIPS compliant deployment. I have a full automated deployment process via Ansible to ensure the deployments are repeatable.

The deployment was to a Ubuntu Pro 20.04 FIPS-compliant server. Once everything was configured, I was able to connect to the VPN and fully authenticate; however, no data would flow through the VPN. The control channel appeared fully functional, but data was not egressing from the DCO module. Only after disabling DCO would data flow correctly.

Building the DCO module (using dkms) appears to work fine. The module loads into the kernel with no unusual error messages.

This is not blocking me, I just wanted to open an issue. I could find no reference to the DCO and FIPS combination.

aaronwmorris avatar Jan 22 '25 23:01 aaronwmorris

Thanks a lot for your report! Did you happen to have the output of dmesg while DCO was not working? DCO uses the kernel crypto API, so my best guess is that something was being blocked at the kernel level.

ordex avatar Jan 23 '25 07:01 ordex
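One way to check the guess above from the server side, as an added example that is not from the thread or the ovpn-dco project: parse `/proc/crypto` and report whether the kernel crypto API exposes a usable AEAD for each OpenVPN data-channel cipher. The kernel algorithm names in `DCO_AEADS` are an assumption about what ovpn-dco requests; the `/proc/crypto` excerpt is constructed.

```python
# Added diagnostic, not ovpn-dco project code. Assumption: ovpn-dco requests
# the kernel AEAD names in DCO_AEADS for the matching OpenVPN ciphers.
DCO_AEADS = {
    "AES-256-GCM": "gcm(aes)",
    "AES-128-GCM": "gcm(aes)",
    "CHACHA20-POLY1305": "rfc7539(chacha20,poly1305)",
}

# Constructed, abbreviated /proc/crypto excerpt: gcm(aes) is the only AEAD.
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
selftest     : passed
type         : aead

name         : ctr(aes)
selftest     : passed
type         : skcipher
"""


def parse_proc_crypto(text):
    """Split /proc/crypto into dicts: blank-line separated 'key : value' records."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, _, v in fields})
    return records


def check_dco_ciphers(records, fips_enabled):
    """Map each OpenVPN cipher to 'ok' or why the kernel cannot back it."""
    usable = {r.get("name") for r in records
              if r.get("type") == "aead" and r.get("selftest") == "passed"
              and r.get("internal") != "yes"}
    verdict = {}
    for cipher, kname in DCO_AEADS.items():
        if kname in usable:
            verdict[cipher] = "ok"
        else:
            verdict[cipher] = "no usable aead '%s'%s" % (
                kname, " (fips_enabled=1)" if fips_enabled else "")
    return verdict


if __name__ == "__main__":
    # On a live host, feed open("/proc/crypto").read() to parse_proc_crypto()
    # and read /proc/sys/crypto/fips_enabled instead of the constructed sample.
    for c, s in check_dco_ciphers(parse_proc_crypto(SAMPLE_PROC_CRYPTO), True).items():
        print(c, "->", s)
```

A cipher reported as missing here would show up as a data channel that negotiates fine (the control channel is done in userspace by OpenSSL) but never passes traffic, which matches the symptom in the report.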

Also please include a log of OpenVPN so we have an idea what is going on. Internal testing on other FIPS enabled distros like RHEL did not show these issues.

schwabe avatar Jan 23 '25 08:01 schwabe

Server OS: Ubuntu 20.04 with FIPS

uname

Linux openvpn-fips-test02 5.4.0-1021-gcp-fips #21+fips1-Ubuntu SMP Mon Dec 13 21:03:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

package info

ii  openvpn                              2.6.13-focal0                           amd64        virtual private network daemon
ii  openvpn-auth-ldap                    2.0.4-1ubuntu2                          amd64        OpenVPN LDAP authentication module
ii  openvpn-dco-dkms                     0.2.20241216-focal0                     all          DCO (Data-Channel Offload) kernel module for OpenVPN)

OpenVPN server log of connection:

Connection Attempt MULTI: multi_create_instance called
38.1.2.3:62906 Re-using SSL/TLS context
38.1.2.3:62906 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
38.1.2.3:62906 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
38.1.2.3:62906 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
38.1.2.3:62906 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
38.1.2.3:62906 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
38.1.2.3:62906 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1300 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
38.1.2.3:62906 peer info: IV_VER=2.6.12
38.1.2.3:62906 peer info: IV_PLAT=linux
38.1.2.3:62906 peer info: IV_TCPNL=1
38.1.2.3:62906 peer info: IV_MTU=1600
38.1.2.3:62906 peer info: IV_NCP=2
38.1.2.3:62906 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
38.1.2.3:62906 peer info: IV_PROTO=990
38.1.2.3:62906 peer info: IV_LZO_STUB=1
38.1.2.3:62906 peer info: IV_COMP_STUB=1
38.1.2.3:62906 peer info: IV_COMP_STUBv2=1
38.1.2.3:62906 PLUGIN_CALL: POST /usr/local/lib/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
38.1.2.3:62906 TLS: Username/Password authentication deferred for username 'USER_REDACTED' [CN SET]
38.1.2.3:62906 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
38.1.2.3:62906 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
38.1.2.3:62906 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer temporary key: 521 bits EC, curve secp521r1
38.1.2.3:62906 [USER_REDACTED] Peer Connection Initiated with [AF_INET6]::ffff:38.1.2.3:62906
38.1.2.3:62906 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_0000_] 1737671715:7 1737671715:6 t=1737671715[0] r=[0,64,15,1,1] sl=[57,7,64,528]
38.1.2.3:62906 PUSH: Received control message: 'PUSH_REQUEST'
38.1.2.3:62906 PUSH: Received control message: 'PUSH_REQUEST'
USER_REDACTED/38.1.2.3:62906 MULTI_sva: pool returned IPv4=172.19.202.66, IPv6=(Not enabled)
USER_REDACTED/38.1.2.3:62906 MULTI: Learn: 172.19.202.66 -> USER_REDACTED/38.1.2.3:62906
USER_REDACTED/38.1.2.3:62906 MULTI: primary virtual IP for USER_REDACTED/38.1.2.3:62906: 172.19.202.66
USER_REDACTED/38.1.2.3:62906 Data Channel MTU parms [ mss_fix:1196 max_frag:0 tun_mtu:1300 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
USER_REDACTED/38.1.2.3:62906 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
USER_REDACTED/38.1.2.3:62906 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
USER_REDACTED/38.1.2.3:62906 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
USER_REDACTED/38.1.2.3:62906 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
USER_REDACTED/38.1.2.3:62906 SENT CONTROL [USER_REDACTED]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route 172.18.173.128 255.255.255.192,route 172.19.202.64 255.255.255.192,inactive 7200 1024000,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DNS 172.19.202.65,route-gateway 172.19.202.65,topology subnet,ping 20,ping-restart 300,ifconfig 172.19.202.66 255.255.255.192,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1300' (status=1)
USER_REDACTED/38.1.2.3:62906 Data Channel: cipher 'AES-256-GCM', peer-id: 0
USER_REDACTED/38.1.2.3:62906 Timers: ping 20, ping-restart 600
USER_REDACTED/38.1.2.3:62906 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt

Kernel module messages

[   20.819840] ovpn_dco_v2: loading out-of-tree module taints kernel.
[   20.819915] ovpn_dco_v2: module verification failed: signature and/or required key missing - tainting kernel
[   20.820441] OpenVPN data channel offload (ovpn-dco) 0.2.20241216 -- (C) 2020- OpenVPN, Inc.

aaronwmorris avatar Jan 23 '25 22:01 aaronwmorris

Can you post the full server log? dmesg does not report any error, so it may even be that something else is breaking before reaching DCO at all. Please ensure the server has verb 4.

ordex avatar Jan 24 '25 08:01 ordex

We explicitly tested Ubuntu Pro with FIPS enabled and DCO, and it just works fine in our tests.

schwabe avatar Jan 24 '25 10:01 schwabe

Believe it or not, what I have posted is the extent of what is logged. I believe the logging is set to 4 already. There are no odd or suspicious messages in the log.

I have not noticed any other kernel or openvpn messages that indicate any errors.

aaronwmorris avatar Jan 26 '25 04:01 aaronwmorris

@aaronwmorris, the full server log, i.e. from startup, with all messages of the server.

schwabe avatar Jan 26 '25 08:01 schwabe

I am closing this ticket as we are not going to add any new feature to ovpn-dco. Development has moved to the ovpn-net-next repository. Here we will only merge bug fixes.

ordex avatar Oct 17 '25 12:10 ordex