
ocserv openconnect looks broken in recent builds of 1.3 Equuleus
Closed, Resolved | Public | BUG

Description

In recent rolling builds of 1.3 Equuleus something looks broken in OpenConnect VPN. Clients are unable to connect. An HTTPS connection to the endpoint throws a '404 Not Found' error instead of the expected XML.

My config:

# show vpn openconnect 
 authentication {
     mode radius
     radius {
         server 172.16.xxx.xxx {
             key ******
         }
         source-address 192.168.xxx.xxx
     }
 }
 listen-ports {
     tcp 443
     udp 443
 }
 network-settings {
     client-ip-settings {
         subnet 192.168.xxx.0/24
     }
     name-server 172.16.xxx.xxx
     name-server 172.16.xxx.xxx
     push-route 172.16.xxx.0/24
 }
 ssl {
     ca-cert-file /config/auth/rootca.pem
     cert-file /config/auth/cert-chain.pem
     key-file /config/auth/key.pem
 }

I also checked by switching to local authentication. Same thing.

The ocserv process looks like it is running and listening, but client connections are not possible. I observe this behavior in every build starting from mid-January. Going back to the mid-December build restores the functionality.

Client's log contains:

2022-02-13 13:52:47 | 70000ffbc000 | Failed to parse HTTP response 'HTTP/1.57679 404 Not found'

Details

Difficulty level: Unknown (require assessment)
Version: 1.3
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

@Viacheslav As I said: every rolling version of the VyOS 1.3 branch starting from mid-January. I built the ISO several times during this month. The last one I tried today (built today). All of them behave like this on my two different routers. The last time ocserv worked was the middle-of-December build.

I don't see any issues with LTS 1.3.0

set vpn openconnect authentication mode 'radius'
set vpn openconnect authentication radius server 192.168.122.11 key 'vyoskey'
set vpn openconnect network-settings client-ip-settings subnet '192.0.5.0/24'
set vpn openconnect ssl ca-cert-file '/config/auth/ca.crt'
set vpn openconnect ssl cert-file '/config/auth/server.crt'
set vpn openconnect ssl key-file '/config/auth/server.key'

Check session:

vyos@r4:~$ show openconnect-server sessions 
interface    username    ip         remote IP      RX         TX         state      uptime
-----------  ----------  ---------  -------------  ---------  ---------  ---------  --------
sslvpn0      vyos        192.0.5.9  192.168.122.1  304 bytes  152 bytes  connected  1m:23s
vyos@r4:~$ 
vyos@r4:~$ show version 

Version:          VyOS 1.3.0
Release train:    equuleus

Built by:         Sentrium S.L.
Built on:         Sun 19 Dec 2021 12:59 UTC
Build UUID:       ff458f8a-3ef7-453c-a7f9-4aeb6d03012e

Confirmed the issue in other versions, for example in VyOS 1.3-stable-202202150442:

Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44480 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44482 user disconnected (reason: unspecified, rx: 0, tx: 0)
^C

It is broken for both RADIUS and local authentication.

Viacheslav changed the task status from Open to Confirmed. Feb 16 2022, 5:48 PM
Viacheslav triaged this task as High priority.

Possibly related: I found something strange, the client address was banned:

ocserv[2072]: main: added 1 points (total 1) for IP '192.168.122.1' to ban list


sudo occtl -s /run/ocserv/occtl.socket

> show ip ban points
            IP          score
 192.168.122.1             14
> 


> unban ip 192.168.122.1
IP '192.168.122.1' was unbanned
> unban ip 192.168.122.1
IP '192.168.122.1' was unbanned
> unban ip 192.168.122.1
IP '192.168.122.1' was unbanned
> show ip ban points
            IP          score
 192.168.122.1              0
>

Installing the official package solves the issue:

wget http://ftp.de.debian.org/debian/pool/main/o/ocserv/ocserv_0.12.2-3_amd64.deb
dpkg -i *.deb

Most likely we should revert commit https://github.com/vyos/vyos-build/commit/2e1eac5980720d060834540e717f4f8a1189b9b0, which was part of T3934.

A CI job to rebuild the ocserv package should fix this issue.
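The triage above hinges on two ocserv log messages: zero-traffic disconnects and "added N points ... to ban list" entries. As an added helper that is not part of this task, VyOS or ocserv, the following Python parses both message formats from syslog text and tells apart a server-side fault (every client only ever disconnects with rx/tx 0, as in this task) from a single client accumulating ban points; the sample log lines and the 10.0.0.7 address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample ocserv syslog lines, modelled on the messages quoted in
# this task (timestamps, PID and the second client address are made up).
SAMPLE_LOG = """\
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44480 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44482 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:04 r4 ocserv[2409]: main: added 1 points (total 1) for IP '192.168.122.1' to ban list
Feb 16 19:46:09 r4 ocserv[2409]: main: added 1 points (total 2) for IP '192.168.122.1' to ban list
Feb 16 19:47:10 r4 ocserv[2409]: main:10.0.0.7:51000 user disconnected (reason: user disconnected, rx: 2048, tx: 4096)
"""

DISCONNECT_RE = re.compile(
    r"ocserv\[\d+\]: main:(?P<ip>[0-9a-fA-F.:]+):\d+ user disconnected "
    r"\(reason: (?P<reason>[^,]+), rx: (?P<rx>\d+), tx: (?P<tx>\d+)\)")
BAN_RE = re.compile(
    r"ocserv\[\d+\]: main: added (?P<pts>\d+) points \(total (?P<total>\d+)\) "
    r"for IP '(?P<ip>[0-9a-fA-F.:]+)' to ban list")

def summarize(log_text):
    """Per client IP: disconnect count, zero-traffic disconnects, latest ban score."""
    stats = defaultdict(lambda: {"zero_traffic": 0, "disconnects": 0, "ban_total": 0})
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["disconnects"] += 1
            if m["rx"] == "0" and m["tx"] == "0":
                s["zero_traffic"] += 1
            continue
        m = BAN_RE.search(line)
        if m:
            # ocserv logs the running total, so the last entry wins.
            stats[m["ip"]]["ban_total"] = int(m["total"])
    return dict(stats)

def banned_ips(stats, threshold):
    """IPs whose latest ban score reached the given threshold (threshold is a parameter here,
    not an ocserv default)."""
    return sorted(ip for ip, s in stats.items() if s["ban_total"] >= threshold)

def suspect_server_fault(stats):
    """True when every client that connected only ever disconnected with zero traffic.
    That pattern points at the server (as in this task); a lone misbehaving client
    would leave other sessions healthy."""
    seen = [s for s in stats.values() if s["disconnects"]]
    return bool(seen) and all(s["zero_traffic"] == s["disconnects"] for s in seen)
```

Feed it `journalctl -u ocserv` output (or the syslog lines shown above) and compare with `occtl show ip ban points` before unbanning anything.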

Viacheslav changed the task status from Confirmed to Needs testing. Feb 17 2022, 10:34 AM

I just built an ISO from the 1.3 branch and tried it (1.3-rolling-202202171824). ocserv works normally. The issue is probably resolved.
Thank you.

Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.

@dutty Thanks for confirming.

dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior). Mar 21 2022, 11:58 AM