Merge pull request #208 from lhopki01/master

kylemanna · web-flow · commit be165e209e42 · 2017-01-26T22:42:04.000-08:00
Fix issue with connection resetting every hour when using otp.
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
@@ -328,6 +328,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
     echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
     echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+    echo "reneg-sec 0" >> "$conf"
 fi
 
 echo -e "\n### Extra Configurations Below" >> "$conf"
diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient
@@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
     if [ -n "$OVPN_COMP_LZO" ]; then
         echo "comp-lzo"
     fi
+
+    if [ -n "$OVPN_OTP_AUTH" ]; then
+	echo reneg-sec 0
+    fi
 }
 
 dir="$OPENVPN/clients/$cn"
diff --git a/docs/otp.md b/docs/otp.md
@@ -11,9 +11,11 @@ and use this image to generate user configuration.
 
 In order to enable two factor authentication the following steps are required.
 
-* Generate server configuration with `-2` option
+* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
 
-        docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
+* Generate server configuration with `-2` and `-C $CIPHER` options
+
+        docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
 
 * Generate your client certificate (possibly without a password since you're using OTP)
 
diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh
@@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::'
 # Configure server with two factor authentication
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
 
+# Ensure reneg-sec 0 in server config when two factor is enabled
+docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
+
 # nopass is insecure
 docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
 
@@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
 # Override the auth-user-pass directive to use a credentials file
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
 
+# Ensure reneg-sec 0 in client config when two factor is enabled
+grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
+
 #
 # Fire up the server
 #
