Don't retry vpn connection after tls-error

I have several cellular devices which establish always-on openvpn tunnels to a server which is always listening for incoming openvpn connection requests. Sometimes the cellular devices are delivered to my customers with bad date/time setups (e.g. Jan 1 1970), so TLS verification fails because openvpn on the cellular device thinks the CA certificate isn't valid yet. That's all fine with me, except that openvpn repeatedly attempts to reconnect at 2 second intervals, and cellular bandwidth is expensive. Using tcpdump, I'm seeing more than 2KB/s network traffic between the server and the cellular device. I want openvpn to quit (not restart) on the cellular client if it rejects the server's CA certificate. Is this possible?

Server config:

dev tun1
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 10.0.1.1 255.255.255.0
ifconfig-pool 10.0.1.200 10.0.1.254 255.255.255.0
push "route-gateway 10.0.1.1"
route 10.0.2.0 255.255.255.0 10.0.1.12
push "route 10.0.2.0 255.255.255.0"
port 1194
proto udp
persist-key
persist-tun
comp-lzo
ca /etc/openvpn/ssl/tmvca-cacert.pem
cert /etc/openvpn/ssl/principal-cert.pem
key /etc/openvpn/ssl/principal-key.pem
dh /etc/openvpn/ssl/dh1024.pem
client-config-dir /etc/openvpn/ccd
#client-connect /usr/local/bin/cc.py
client-to-client
user nobody
group nogroup
keepalive 10 120
status /var/log/openvpn/vpn1.log
verb 3
tls-verify /usr/local/bin/tls-verify.py
script-security 2

Cellular client config:

client
remote 198.74.60.142 1194
nobind
keepalive 10 120
resolv-retry infinite
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ns-cert-type server
ca /etc/config/openvpn/gw1-ca.crt
cert /etc/config/openvpn/gw1-public.crt
key /etc/config/openvpn/gw1-private.key
dh /etc/config/openvpn/gw1-dh.pem
comp-lzo
verb 3
syslog openvpn-gw
script-security 2
up "echo $script_type $signal"
writepid "/var/run/openvpn-gw.pid"
tls-remote principal

Cellular client output:

<28>Jan  1 18:14:23 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan  1 18:14:23 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan  1 18:14:23 openvpn-gw[3202]: LZO compression initialized
<29>Jan  1 18:14:23 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan  1 18:14:23 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan  1 18:14:23 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan  1 18:14:23 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan  1 18:14:23 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan  1 18:14:23 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan  1 18:14:23 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<27>Jan  1 18:14:24 openvpn-gw[3202]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
<29>Jan  1 18:14:54 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=38c1dcd3 f194273b
<27>Jan  1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:55 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan  1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<28>Jan  1 18:14:57 openvpn-gw[3202]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
<28>Jan  1 18:14:57 openvpn-gw[3202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>Jan  1 18:14:57 openvpn-gw[3202]: Re-using SSL/TLS context
<29>Jan  1 18:14:57 openvpn-gw[3202]: LZO compression initialized
<29>Jan  1 18:14:57 openvpn-gw[3202]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
<29>Jan  1 18:14:57 openvpn-gw[3202]: Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
<29>Jan  1 18:14:57 openvpn-gw[3202]: Local Options hash (VER=V4): '41690919'
<29>Jan  1 18:14:57 openvpn-gw[3202]: Expected Remote Options hash (VER=V4): '530fdded'
<29>Jan  1 18:14:57 openvpn-gw[3202]: Socket Buffers: R=[163840->131072] S=[163840->131072]
<29>Jan  1 18:14:57 openvpn-gw[3202]: UDPv4 link local: [undef]
<29>Jan  1 18:14:57 openvpn-gw[3202]: UDPv4 link remote: 198.74.60.142:1194
<29>Jan  1 18:14:57 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=944e1fb2 c074a030
<27>Jan  1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS object -> incoming plaintext read error
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:58 openvpn-gw[3202]: TCP/UDP: Closing socket
<29>Jan  1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)

Isaac Sutherland

Posted 2014-06-20T15:56:18.617

Reputation: 266

Answers

I think what you're looking for is the --tls-exit option. From the openvpn man page:

   --tls-exit
          Exit on TLS negotiation failure.

Steffan Karger

Posted 2014-06-20T15:56:18.617

Reputation: 551
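An added example, not part of the question or the answer above: before turning on --tls-exit it is worth confirming from the client's own syslog that the restart loop really is a TLS verification failure rooted in the device clock ("certificate is not yet valid" at depth=1 is the CA, which can only be "not yet valid" if the clock is behind its notBefore), because --tls-exit makes OpenVPN exit on any TLS negotiation failure, and a supervisor (init, procd, systemd) that respawns the process would just move the loop to the supervisor's restart rate. The script below parses syslog lines shaped like the client output in the question (the sample is constructed, copied in form from that output), counts SIGUSR1 restarts by reason and verification errors by depth and reason, and decides whether continued retrying can ever succeed without a clock fix. The regexes and the CLOCK_ERRORS set are this example's assumptions, not anything OpenVPN itself emits beyond the log lines shown.

```python
import re
from collections import Counter

# Constructed sample, modelled on the client syslog output posted in the
# question: two handshake attempts, both rejected for the same reason.
SAMPLE_LOG = """\
<29>Jan  1 18:14:54 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=38c1dcd3 f194273b
<27>Jan  1 18:14:55 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:55 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:55 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:55 openvpn-gw[3202]: Restart pause, 2 second(s)
<29>Jan  1 18:14:57 openvpn-gw[3202]: TLS: Initial packet from 198.74.60.142:1194, sid=944e1fb2 c074a030
<27>Jan  1 18:14:58 openvpn-gw[3202]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CA/ST=ON/L=Cambridge/O=TMV_Control_Systems_Inc./OU=IT/CN=tmvca
<27>Jan  1 18:14:58 openvpn-gw[3202]: TLS Error: TLS handshake failed
<29>Jan  1 18:14:58 openvpn-gw[3202]: SIGUSR1[soft,tls-error] received, process restarting
<29>Jan  1 18:14:58 openvpn-gw[3202]: Restart pause, 2 second(s)
"""

# Patterns written for this example against the log format shown above.
# The verify reason runs up to ": /" where the certificate subject starts.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): /")
RESTART_RE = re.compile(r"SIGUSR1\[soft,([\w-]+)\] received, process restarting")
PAUSE_RE = re.compile(r"Restart pause, (\d+) second\(s\)")

# Verification failures whose root cause is the local clock, not the peer.
# Assumed set for this example; OpenSSL's wording for the two date checks.
CLOCK_ERRORS = {"certificate is not yet valid", "certificate has expired"}


def analyze(log_text):
    """Summarise verification errors and restarts found in client syslog text."""
    verify_errors = Counter()   # (depth, reason) -> count
    restart_reasons = Counter()  # SIGUSR1 reason tag -> count
    pauses = []                  # configured restart pause per cycle
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            verify_errors[(int(m.group(1)), m.group(2))] += 1
            continue
        m = RESTART_RE.search(line)
        if m:
            restart_reasons[m.group(1)] += 1
            continue
        m = PAUSE_RE.search(line)
        if m:
            pauses.append(int(m.group(1)))
    return {
        "verify_errors": dict(verify_errors),
        "restart_reasons": dict(restart_reasons),
        "tls_error_restarts": restart_reasons.get("tls-error", 0),
        "restart_pause_seconds": pauses,
        # depth >= 1 is an issuer certificate; a date failure there is a clock problem
        "clock_suspect": any(d >= 1 and r in CLOCK_ERRORS for (d, r) in verify_errors),
    }


def should_stop_retrying(summary):
    """True when every restart seen was a tls-error caused by certificate
    validity dates: retrying every few seconds cannot succeed until the
    clock is corrected, so exiting (--tls-exit) is the right call."""
    restarts = summary["restart_reasons"]
    return bool(restarts) and set(restarts) == {"tls-error"} and summary["clock_suspect"]


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("stop retrying:", should_stop_retrying(summary))
```

A ping-restart or a transient "TLS key negotiation failed to occur" caused by a dropped cellular link produces a different SIGUSR1 reason tag, so should_stop_retrying stays False for those and only flags the case the question describes.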