
DCO not working with FIPS deployment #76

Open
aaronwmorris opened this issue Jan 22, 2025 · 7 comments
Labels
enhancement New feature or request

Comments

@aaronwmorris

Recently, I have been testing OpenVPN with a FIPS compliant deployment. I have a full automated deployment process via Ansible to ensure the deployments are repeatable.

The deployment was to an Ubuntu Pro 20.04 FIPS compliance server. Once everything was configured, I was able to connect to the VPN and fully authenticate; however, no data would flow through the VPN. The control channel appeared fully functional, but data was not egressing from the DCO module. Only after disabling DCO would data flow correctly.

Building the DCO module (using dkms) appears to work fine. The module loads into the kernel with no unusual error messages.

This is not blocking me, I just wanted to open an issue. I could find no reference to the DCO and FIPS combination.

@ordex
Member

ordex commented Jan 23, 2025

Thanks a lot for your report!
Did you happen to have the output of dmesg while DCO was not working?
DCO uses the kernel crypto API, so my best guess is that something was being blocked at the kernel level.

@ordex ordex added the enhancement New feature or request label Jan 23, 2025
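Since DCO relies on the kernel crypto API rather than on OpenSSL, a useful first check on a FIPS host is whether the kernel actually exposes the AEAD algorithms the data channel negotiates (the log above offers AES-256-GCM, AES-128-GCM and CHACHA20-POLY1305). The script below is an added example for this thread, not code from the OpenVPN or ovpn-dco projects: it parses `/proc/crypto` (blank-line separated `key : value` blocks), checks `selftest` and the optional `fips` field that newer kernels print in FIPS mode, and reports one status per OpenVPN cipher name. The OpenVPN-to-kernel name mapping, the status vocabulary and the embedded sample `/proc/crypto` text are my assumptions and constructed test data, not output captured from the reporter's server.

```python
"""Check which OpenVPN data-channel ciphers the kernel crypto API offers.

Added example; not OpenVPN/ovpn-dco project code. The cipher mapping and
the sample /proc/crypto text are assumptions constructed for illustration.
"""
import sys

# OpenVPN cipher name (as in IV_CIPHERS) -> Linux crypto API algorithm name.
# Assumed mapping: AES-GCM is the "gcm(aes)" AEAD, ChaCha20-Poly1305 is the
# RFC 7539 AEAD template.
OPENVPN_TO_KERNEL = {
    "AES-256-GCM": "gcm(aes)",
    "AES-128-GCM": "gcm(aes)",
    "CHACHA20-POLY1305": "rfc7539(chacha20,poly1305)",
}


def parse_proc_crypto(text):
    """Parse /proc/crypto into a list of dicts, one per algorithm entry.

    The file is a sequence of blank-line separated blocks of 'key : value'
    lines (name, driver, module, selftest, internal, and more).
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def algorithm_status(entries, kernel_name, fips_enabled):
    """Return 'available', 'missing', 'selftest-failed' or 'not-fips-approved'.

    Internal-only implementations ('internal : yes') are skipped because
    callers cannot request them directly. The 'fips' field is only printed
    by newer kernels running in FIPS mode; when it is absent no FIPS
    conclusion is drawn.
    """
    candidates = [e for e in entries
                  if e.get("name") == kernel_name
                  and e.get("internal", "no") != "yes"]
    if not candidates:
        return "missing"
    if not any(e.get("selftest") == "passed" for e in candidates):
        return "selftest-failed"
    flagged = [e["fips"] for e in candidates if "fips" in e]
    if fips_enabled and flagged and all(f == "no" for f in flagged):
        return "not-fips-approved"
    return "available"


def check_ciphers(proc_crypto_text, ciphers, fips_enabled):
    """Map each OpenVPN cipher name to the status of its kernel algorithm."""
    entries = parse_proc_crypto(proc_crypto_text)
    result = {}
    for cipher in ciphers:
        kernel_name = OPENVPN_TO_KERNEL.get(cipher)
        result[cipher] = ("unknown-cipher" if kernel_name is None
                          else algorithm_status(entries, kernel_name, fips_enabled))
    return result


def read_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


# Constructed sample in /proc/crypto layout: gcm(aes) passes its self-test,
# ctr(aes) is present, and no ChaCha20-Poly1305 AEAD is registered.
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : aead

name         : ctr(aes)
driver       : ctr(aes-aesni)
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
"""

if __name__ == "__main__":
    try:
        with open("/proc/crypto") as f:
            text = f.read()
        fips = read_fips_enabled()
    except OSError:  # not on Linux: fall back to the constructed sample
        text, fips = SAMPLE_PROC_CRYPTO, False
    wanted = sys.argv[1:] or ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
    for name, status in check_ciphers(text, wanted, fips).items():
        print(f"{name:20} {status}")
```

Run it on the server with no arguments to check the three ciphers from the log, or pass the cipher names from `IV_CIPHERS` explicitly. A `missing` or `selftest-failed` result for the cipher OpenVPN actually negotiated (AES-256-GCM in the log above) would point at the kernel side; all `available` means the data-channel algorithms are registered and the cause lies elsewhere.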
@schwabe
Contributor

schwabe commented Jan 23, 2025

Also please include a log of OpenVPN so we have an idea what is going on. Internal testing on other FIPS enabled distros like RHEL did not show these issues.

@aaronwmorris
Author

Server OS:
Ubuntu 20.04 with FIPS

uname

Linux openvpn-fips-test02 5.4.0-1021-gcp-fips #21+fips1-Ubuntu SMP Mon Dec 13 21:03:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

package info

ii  openvpn                              2.6.13-focal0                           amd64        virtual private network daemon
ii  openvpn-auth-ldap                    2.0.4-1ubuntu2                          amd64        OpenVPN LDAP authentication module
ii  openvpn-dco-dkms                     0.2.20241216-focal0                     all          DCO (Data-Channel Offload) kernel module for OpenVPN)

OpenVPN server log of connection:

Connection Attempt MULTI: multi_create_instance called
38.1.2.3:62906 Re-using SSL/TLS context
38.1.2.3:62906 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
38.1.2.3:62906 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
38.1.2.3:62906 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
38.1.2.3:62906 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
38.1.2.3:62906 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
38.1.2.3:62906 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1300 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
38.1.2.3:62906 peer info: IV_VER=2.6.12
38.1.2.3:62906 peer info: IV_PLAT=linux
38.1.2.3:62906 peer info: IV_TCPNL=1
38.1.2.3:62906 peer info: IV_MTU=1600
38.1.2.3:62906 peer info: IV_NCP=2
38.1.2.3:62906 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
38.1.2.3:62906 peer info: IV_PROTO=990
38.1.2.3:62906 peer info: IV_LZO_STUB=1
38.1.2.3:62906 peer info: IV_COMP_STUB=1
38.1.2.3:62906 peer info: IV_COMP_STUBv2=1
38.1.2.3:62906 PLUGIN_CALL: POST /usr/local/lib/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
38.1.2.3:62906 TLS: Username/Password authentication deferred for username 'USER_REDACTED' [CN SET]
38.1.2.3:62906 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
38.1.2.3:62906 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
38.1.2.3:62906 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer temporary key: 521 bits EC, curve secp521r1
38.1.2.3:62906 [USER_REDACTED] Peer Connection Initiated with [AF_INET6]::ffff:38.1.2.3:62906
38.1.2.3:62906 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0_0000_] 1737671715:7 1737671715:6 t=1737671715[0] r=[0,64,15,1,1] sl=[57,7,64,528]
38.1.2.3:62906 PUSH: Received control message: 'PUSH_REQUEST'
38.1.2.3:62906 PUSH: Received control message: 'PUSH_REQUEST'
USER_REDACTED/38.1.2.3:62906 MULTI_sva: pool returned IPv4=172.19.202.66, IPv6=(Not enabled)
USER_REDACTED/38.1.2.3:62906 MULTI: Learn: 172.19.202.66 -> USER_REDACTED/38.1.2.3:62906
USER_REDACTED/38.1.2.3:62906 MULTI: primary virtual IP for USER_REDACTED/38.1.2.3:62906: 172.19.202.66
USER_REDACTED/38.1.2.3:62906 Data Channel MTU parms [ mss_fix:1196 max_frag:0 tun_mtu:1300 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
USER_REDACTED/38.1.2.3:62906 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
USER_REDACTED/38.1.2.3:62906 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
USER_REDACTED/38.1.2.3:62906 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
USER_REDACTED/38.1.2.3:62906 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
USER_REDACTED/38.1.2.3:62906 SENT CONTROL [USER_REDACTED]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route 172.18.173.128 255.255.255.192,route 172.19.202.64 255.255.255.192,inactive 7200 1024000,redirect-gateway def1 bypass-dhcp,block-outside-dns,dhcp-option DNS 172.19.202.65,route-gateway 172.19.202.65,topology subnet,ping 20,ping-restart 300,ifconfig 172.19.202.66 255.255.255.192,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1300' (status=1)
USER_REDACTED/38.1.2.3:62906 Data Channel: cipher 'AES-256-GCM', peer-id: 0
USER_REDACTED/38.1.2.3:62906 Timers: ping 20, ping-restart 600
USER_REDACTED/38.1.2.3:62906 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt

Kernel module messages

[   20.819840] ovpn_dco_v2: loading out-of-tree module taints kernel.
[   20.819915] ovpn_dco_v2: module verification failed: signature and/or required key missing - tainting kernel
[   20.820441] OpenVPN data channel offload (ovpn-dco) 0.2.20241216 -- (C) 2020- OpenVPN, Inc.

@ordex
Member

ordex commented Jan 24, 2025

Can you post the full server log? dmesg does not report any error - so it may even be that something else is breaking before reaching DCO at all.
Please ensure the server has verb 4.

@schwabe
Contributor

schwabe commented Jan 24, 2025

We explicitly tested Ubuntu Pro with FIPS enabled and DCO and it just works fine in our tests.

@aaronwmorris
Author

Believe it or not, what I have posted is the extent of what is logged. I believe the logging is set to 4 already. There are no odd or suspicious messages in the log.

I have not noticed any other kernel or openvpn messages that indicate any errors.

@schwabe
Contributor

schwabe commented Jan 26, 2025

@aaronwmorris full server log. Like from the startup and all messages of the server.
