Access Server On Google Cloud Platform

Access Server release notes for 1.8.5 (changes made since 1.8.4)

* Fixed cross-site request forgery vulnerability (CSRF) in Admin web interface.  This could potentially be exploited to modify Admin web interface settings if an administrative user visits a maliciously crafted web page while logged into the Admin web interface (Credit: Charlie Eriksen).

* Fixed DNS issue on Mac OS X 10.8 computers where, if DNS was pushed by the Access Server, it would not release upon disconnect on the client side.

* Adjustments to licensing system made to accommodate easier reactivation for environments where alterations to hardware parameters are expected - cloud computing, Amazon EC2, HA clusters, etc.

* Introduced new Debian and openSUSE builds.

 

 

Access Server release notes for 1.8.4 (changes made since 1.8.3)

* Added beta version of unicode-enabled Access Server.

* Updated bundled OpenSSL to 1.0.1c and enabled AES-NI crypto
acceleration by default on systems that support it.

* Updated bundled LZO to 2.06.

* Added checkbox on Server Network Settings page to protect against
BEAST vulnerability (enabled by default) in unpatched client
browsers. When enabled, force RC4 cipher for SSLv3, TLSv1.0,
and TLSv1.1. TLSv1.2 may use other ciphers. SSLv2 is disabled.

* Disable SSL/TLS renegotiation in web server.

* Don't crash on startup if a user record in user properties references
a nonexistent group via conn_group attribute. Instead, operate as if
no group reference was specified for the user.

* Fixed UI clipping issue on Windows client when large font sizes
are used.

* PAM authentication changes:

Implement account management after successful authentication
via pam_acct_mgmt() method.

Define the following PAM attributes for authentication and
account management:

PAM_SERVICE : set to service name
PAM_USER & PAM_RUSER : set to username
PAM_RHOST : set to client IP address

Also Log more detailed PAM error text on authentication failure.

These changes allow IP address filtering to be enabled in
/etc/pam.d/openvpnas :

account required pam_access.so

Then IP address filter criteria can be defined in
/etc/security/access.conf, e.g. :

+ : testa : 1.2.3.0/24
- : testa : ALL

* Added authentication failure lockout policy

By default, repeated authentication failures by non-bootstrap users
(the bootstrap user is the original Access Server admin user) will
result in the user being temporarily banned from further login
attempts. Note that only non-VPN logins (such as web logins) are
subject to the lockout policy. VPN logins, since they also require
a client certificate and private key, are not well-suited for use
as an attack vector to brute-force passwords, therefore they are
excluded from the lockout policy.

Relevant parameters:

vpn.server.lockout_policy.n_fails (integer, default=3) -- number of
failures after which user will be locked out.

vpn.server.lockout_policy.reset_time (integer, default=900) --
reenable locked out users after this time period.

vpn.server.lockout_policy.max_history (integer, default=10000) --
maximum size of lockout dictionary. If dictionary exceeds this
size, it will be purged.

Excluded from lockout policy:

* Bootstrap user logins (the bootstrap user is defined in
/usr/local/openvpn_as/etc/as.conf under the key
boot_pam_users.0)

* VPN logins

* Added reroute_dns_partial client backend setting for Mac client.
If true, only DNS requests for domains in the Default Domain Suffix
set declared on AS will be routed to AS; other DNS requests will be
resolved locally.

To enable, enter these commands on Mac client from a root shell:

# cd /Library/Frameworks/OpenVPN.framework/Versions/Current/bin
# ./capicli -k reroute_dns_partial -v true setpreference

To disable:

# cd /Library/Frameworks/OpenVPN.framework/Versions/Current/bin
# ./capicli -k reroute_dns_partial -v false setpreference

* Implemented non-blocking syslog module. When syslog logging is
enabled in as.conf by

SYSLOG=true

the non-blocking syslog module will be loaded by default. When
loaded, all log lines to be sent to the syslog will first be
written to an in-memory queue, where a worker thread will then
send the lines to syslog at the rate that syslog can accept
them. The queue has a default maximum backlog of 1000 lines.
If this backlog is exceeded because the Access Server is logging
at a greater rate than syslog can process, some log lines may be
dropped, and a message "NOTE: logging overflow occurred" will
be logged at the next available opportunity.

The backlog currently defaults to 1000 lines but can be changed
by the SYSLOG_BACKLOG as.conf parameter as such:

SYSLOG_BACKLOG=100000

* Added the option to use the iptables MASQUERADE target instead of
SNAT for outgoing source-NAT of client traffic.

vpn.server.nat.masquerade (boolean, default=false) -- if true, use
MASQUERADE target; if false, use SNAT.

* Added optional common name obfuscation to client certs, to prevent
the username being leaked during SSL/TLS handshake (the SSL/TLS
standard specifies that client certs be transmitted in the clear
-- some users have expressed concerned that this could leak
information to a Man in the Middle, such as the username, if the
username is used as the common name of the client certificate).

To enable common name obfuscation, add the following to as.conf
and restart AS:

obfuscate_certs=true

When enabled, common name obfuscation will generate client certs
having a common name of clientSN where SN = cert serial number
(normally, the common name is set to the username).

-----------------

Access Server 1.8.3.237

* DB robustness fixes, especially when using MySQL as DB provider

* Updated SQLAlchemy to 0.7.3 (SQLAlchemy is the ORM used by the
Access Server).

* Added VPN protocol override menu in Windows and Mac clients so
that UDP or TCP transport may be explicitly specified.

* Reduced the verbosity of client logging.

* For windows tray client, double-clicking on tray launch
icon when the tray is already running will execute the
following command:

ovpncli -a -m tray connect

This will initiate a connection to the resident profile.
It will do nothing if the number of resident profiles
is not equal to one.

* Added a command for the AS to refresh all AS-owned iptables rules
in the event that other software has wiped the rules.

./sacli --restart_mode=iptables start

The Access Server marks its own rules with "AS0_" (either in the
chain or the target) and will never modify other rules that
don't contain this tag. However, if other Linux software
assumes that it has total control of the iptables store, it might
wipe these rules. By running the above command, any rules added
by other software will be retained, but all of the Access Server
AS0_ rules will be re-added.

* In Mac client, incorporate new Mac tun/tap driver from Nov 1 2011.

* Added support for SuSE Linux (use the RedHat builds when
installing on SuSE).

* Many updates to Command Line documentation in
/usr/local/openvpn_as/doc/cli.txt including:
1. How to enable/Disable NAT
2. Documented vpn.server.session_ip_lock key
3. Documented new keys to control OpenVPN daemon port forwarding
4. Documented client configuration settings on the server that
can be used to control the "look and feel" of the client.

* Fixed issue in Mac client where a failure to register the OpenVPN
Connect client as an Applescript login item makes the client
inoperable. This build attempts to work around the problem by
making the error non-fatal.

* In Windows client, make sure that the TAP adaper is at the top of
the Windows binding list, as defined in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\Bind

-----------------

Access Server 1.8.3.221

* Added extra connection details to tray client tooltip such as VPN
IP address, and on Mac added a new Customize menu item "Extra
tooltip details" that will add bandwidth info to tooltip.

* Fixed issue where usernames containing '@' might be truncated.

* By default, no longer emit replay warnings to server log file.

* Fixed server restart deadlock when thousands of clients are
connected, and "./sacli start" or Admin UI server restart is
attempted after a configuration change was made that would
require that all clients be forced to reconnect.

* Updated Mozilla trusted CA list that is bundled with client
(used for certificate trust validation on Windows only --
Mac client uses Keychain).

* On client, when scanning the system cert store for the External PKI
client cert, ignore any certs that cause exceptions when loaded via
OpenSSL.

* Mac client can now adaptively search in both System and User
keychain stores for External PKI client certificate/key. The
System keychain will be searched first, then User. To enable on
the server:

./sacli --user __DEFAULT__ --key cli_cert_store --value "both" UserPropPut

* Server performance enhancements for use cases involving thousands
of concurrent clients:

(a) Moved multi-daemon load balancer to separate process.

(b) OpenVPN daemons now communicate real-time usage stats to load
balancer via an efficient shared memory implementation rather
than using interprocess messaging.

(c) Server-side routes added on behalf of clients are now added
and deleted efficiently using an AF_NETLINK socket rather than
calling /sbin/route.

(d) Live iptables modifications made during normal server operation
are now performed by writing commits to the stdin pipe of a
resident /sbin/iptables-restore process rather than calling
/sbin/iptables.

(e) Other miscellaneous improvements guided by server profiling.

(f) Above changes should improve responsiveness of Admin UI during
high server load.

-----------------

Access Server 1.8.3.209

* Fixed issue where autologin profiles were wrongly asking for
credentials when connected via the tray client.

* Connecting an autologin profile will now explictly mark it
for autoconnect on future system reboots. Explicitly
disconnecting the profile from the tray will disable
autoconnect.

* Fixed issue where tray client would delete a profile if it
received an error from the server indicating that the profile
certificate had been revoked.

* Misc tray client stability fixes.

* Added ovpncli command line tool. This tool is a complete
command-line client. Run ovpncli -h to see options and examples.

* On Mac client, added Customize menu for (a) selecting color vs.
black & white icons, and (b) controlling whether connection
duration is shown in the toolbar.

* Fixed profile generation issue on server that could emit this error:
generate client config: [('rsa routines', 'RSA_sign', 'digest
too big for rsa key')] (OpenSSL.crypto.Error)

* Added a server-side flag to relax comparisons between
client username and DB/cert username so that a
case-insensitive match is permitted. This feature
is sometimes needed on LDAP-based configurations that
are upgraded to 1.8 or higher from pre-1.8 verions.

To enable case-insensitive matching, define the
config key vpn.server.user_ci=true. This can be
done with the following commands:

cd /usr/local/openvpn_as/scripts
./sacli -k vpn.server.user_ci -v true ConfigPut
./sacli start

-----------------

Access Server 1.8.3.206

* Misc tray client stability fixes.

* Fixed issue where client code that implements group property
prop_block_local was not correctly calculating the two halves
of the client-side LAN subnet if the gateway was in the
upper half.

* Fix tray client bug where exiting the app caused the
service-mode bit on autologin profiles to be reset.

* Fixed tray client notifications on Mac OSX 10.5.

* In tray client, added fine-grained progress indication between
Connecting and Connected states:
1. In tray icon, arc over keyhole acts as a progress bar.
2. Tooltip will show fine-grained status.

* ./sacli vpnstatus (and GetVPNStatus API method) will now return
username info for clients (in addition to common name).

-----------------

Access Server 1.8.3.200

* Added AS setting to control whether session tokens are locked
to a client IP address or free to roam.

vpn.server.session_ip_lock (bool, default=false) -- If true,
session tokens are locked to the IP address that originally
authenticated them. If false (default), session tokens are
free to roam independently of IP address.

For example, to turn off session_ip_lock so that session tokens
can roam, use this command:

./sacli -k vpn.server.session_ip_lock -v false ConfigPut

* Fixed bug where "./sacli start" was sometimes wrongly
returning an error status when no error occurred.

1. Based on OSS software

Access Server is based on open source software. This means you can
create clients for whatever platform or device without restrictions,
develop a UI using the management interface while at the same time
interoperate with all of the more advanced features of OpenVPN AS such
as multi-factor authentication.

2. Challenge/Response authentication

This functionality allows Access Server users to develop their own
authentication modules that can initiate an authentication
challenge/response sequence. This means that the authentication module
can ask the user any number of questions, and get their responses back,
in order to decide whether or not to allow access. All Access Server
clients have integrated support for this functionality, which operates
on top of the existing OpenVPN auth system. This functionality can be
supported by any OpenVPN client, not just the AS clients.

3. Single sign-on capability

By using custom authentication modules it's possible to implement
single-sign on, where signing into the VPN automatically
pre-authenticates the web applications that end-users need to access
through the VPN. For example, the auth module can query an LDAP server
to get authentication status.  If authentication succeeds, it can obtain
a session token from LDAP and transmit it (via the OpenVPN control
channel) to a Python script running on the client, which can then (for
example) set a cookie in the web browser.  This can  all be done in a
few lines of custom code, because the AS makes the LDAP API available to
the customer module, as well as a data transmission API that allows
transmission of arbitrary data to client-side python scripts via the
OpenVPN control channel.

4. Running scripts securely on clients

Access Server has a much more flexible model for client-side script
execution than OpenVPN (OSS). For one, the AS allows scripts to be
pushed to clients, but includes many safeguards (such as script signing)
to prevent abuse of this capability.  AS allows Python scripts to be
pushed to any AS client regardless of what OS it is running. If AS
client is being used, it is guaranteed that a Python 2.6 interpreter is
always available.

Furthermore, it is possible to execute scripts in the context of the
desktop user instead of the root context of the OpenVPN daemon. In fact,
this turns this script-pushing capability into "Secure Application
Delivery". This can also be used for things like single sign-on.

5. MacOS X Keychain and Windows Crypto API integration

AS clients fully support the both MacOS X keychain and Windows Crypto
API for key storage. This feature improves security of AS because no
OpenVPN client configuration file contains the private key. This support
is configuration-free in the sense that the appropriate certificate and
private key are selected by scanning the keystore for keys signed by the
OpenVPN CA cert. From administrator perspective both MacOS X and Windows
keychains look the same, i.e. their differences have been abstracted away.

6. MacOS X integration

There are a number of ways that the AS Mac client goes beyond the
OpenVPN (OSS) client:

1. Full Keychain support
2. Solid support for pushed DNS servers
3. Integration with OS X SystemConfiguration framework for
generating VPN Connect/Disconnect events
4. A real desktop client (instead of a Java applet).

7. Load balancing/failover capabilities

AS is tightly integrated with UCARP for failover. Configuration sync
takes place between the primary and backup nodes, so only a single node
needs to be managed. The backup node will kick in immediately with the
current configuration if the primary node fails.

8. API support

AS has a full XML-RPC API with hundreds of methods that can control and
monitor every aspect of the AS. Even the AS client is fully API driven.
In fact, even the AS web client is simply an Ajax app that interacts
with the OpenVPN backend via a client-side XML-RPC API. This API can be
used for a number of other things.

9. Multi-daemon support

The AS knows how to instantiate multiple OpenVPN daemons on a given box
and load balance between them to get maximum performance from all CPUs.
This is tricky to do with OpenVPN (OSS) by itself.

10.  Adaptive protocol support

AS can be configured to have OpenVPN daemons listening on both TCP and
UDP ports. Further, the client will adaptively try UDP first, then fall
back to TCP if that fails. All this is fully automatic.

11.  Web-free VPN

AS has a mode where all web functionality can be completely disabled on
both server and client. This means AS can be run with only the OpenVPN
TCP and UDP ports open to the internet, and the AS client can be used
without touching a browser. This avoids having to take browser-related
security issues into account.

12. Bundled profiles

Using OpenVPN (OSS) in large deployments can be cumbersome as one needs
to distribute configuration files to clients somehow. Access Server
allows an executable installer to be bound with the client configuration
file for a user. In practice, one can easily generate a DMG installer
for Mac or an MSI installer for Windows that already has the user's
config file attached to it.

13. Universal bundled profiles

Because the Access Server clients allow the user's certificate and
private key to be located in the system certificate store (Crypto API on
Windows or Keychain on Mac), it's possible to make an OpenVPN client
configuration that is universal in the sense that you can give the same
configuration file to every user. This feature, in combination with
bundled profiles, allows one to have a single installer that can be
deployed to all client machines running the same operating system.
Further, there is no security-sensitive information in the installer,
because the profile that is bound to it lacks any private key.

14. CRL support

AS support for CRLs goes beyond what OpenVPN (OSS) offers. One can
modify the CRL file on the fly and the changes take effect immediately.
It's also possible to include CRLs for multiple branches in the cert
chain. In fact the AS will even bump off a user that is already
connected, if a real-time change to the CRL revokes their certificate.

15. Local subnet blocking

This feature allows clients to block off access to the local subnet
except for the gateway.