Connection loop with Yubikey 5

Got a problem with Viscosity or need help? Ask here!

dario_c

Posts: 2
Joined: Mon Jan 18, 2021 11:20 pm

Post by dario_c » Tue Jan 19, 2021 12:09 am
Hi,

I'm trying to get a connection to my VPN Server (Pfsense Firewall) with Viscosity using Yubikey + Touch for authentication.

Settings are looking good to me. The pkcs11-provider path is set right and the certificate is set via the detect button.

If I try to connect to the vpn server, the yubikey starts to blink(waiting for touch) and viscosity shows status authenticate. After the touch, the conncetion gets closed and the whole process starts again.

So what am I missing?

Here is the log:
Code: Select all
2021-01-18 11:02:34: Viscosity Mac 1.9 (1556)
2021-01-18 11:02:34: Viscosity OpenVPN Engine Started
2021-01-18 11:02:34: Running on macOS 10.15.7
2021-01-18 11:02:34: ---------
2021-01-18 11:02:34: State changed to Connecting
2021-01-18 11:02:34: Checking reachability status of connection...
2021-01-18 11:02:34: Connection is reachable. Starting connection attempt.
2021-01-18 11:02:34: OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 10 2020
2021-01-18 11:02:34: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
2021-01-18 11:02:34: PKCS#11: Adding PKCS#11 provider '/Library/OpenSC/lib/opensc-pkcs11.so'
2021-01-18 11:02:35: Resolving address: XXXXXXXXX
2021-01-18 11:02:35: Valid endpoint found: XXXXXXXXX:tcp4-client
2021-01-18 11:02:35: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX:XX
2021-01-18 11:02:35: Attempting to establish TCP connection with [AF_INET]XXX.XXX.XX [nonblock]
2021-01-18 11:02:37: TCP connection established with [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:37: TCPv4_CLIENT link local: (not bound)
2021-01-18 11:02:37: TCPv4_CLIENT link remote: [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:37: State changed to Authenticating
2021-01-18 11:02:40: [XXXXX-server] Peer Connection Initiated with [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:40: Opened utun device utun10
2021-01-18 11:02:40: /sbin/ifconfig utun10 delete
2021-01-18 11:02:40: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-01-18 11:02:40: /sbin/ifconfig utun10 XXXXXXXX:XX XXXXXXXX:XX netmask 255.255.255.0 mtu 1500 up
2021-01-18 11:02:40: Initialization Sequence Completed
2021-01-18 11:02:40: DNS mode set to Split
2021-01-18 11:02:40: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2021-01-18 11:02:40: Testing address: XXXXXXXX:XX Route points into VPN network
2021-01-18 11:02:40: Route: XXXXXXXX:XX/255.255.255.255 utun10
2021-01-18 11:02:40: Disconnecting connection as it is no longer reachable
2021-01-18 11:02:40: State changed to Disconnecting (Network Change)
2021-01-18 11:02:40: State changed to Connected
2021-01-18 11:02:40: SIGTERM[hard,] received, process exiting
2021-01-18 11:02:40: State changed to getrennt (Process Terminated)


This OpenVPN-Config works under Windows 10 with OpenVPN Client 2.4.9 + Yubikey Touch
Code: Select all
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote XXXXXX tcp4
remote XXXXXX tcp4
connect-timeout 5
connect-retry-max 1
reneg-sec 0
verify-x509-name openvpn-server name
remote-cert-tls server
comp-lzo
tun-mtu 1500
auth-nocache
socket-flags TCP_NODELAY
ca XXXXXXXXXX-ca.crt
pkcs11-providers "C:\\PKCS11\\opensc-pkcs11.dll"
pkcs11-id 'piv_II/PKCS\x2315\x20emulated/XXXXXXXXXX/XXXXXXXXXXXXXXX/04'
tls-crypt XXXXXXXXX-tls.key

James

User avatar
Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Jan 19, 2021 6:10 pm
Hi dario_c,

It appears your VPN connection is disconnecting due to a reachability failure, rather than anything related to the Yubikey. The relevant log lines are:
Code: Select all
2021-01-18 11:02:40: Testing address: XXXXXXXX:XX Route points into VPN network
2021-01-18 11:02:40: Route: XXXXXXXX:XX/255.255.255.255 utun10
2021-01-18 11:02:40: Disconnecting connection as it is no longer reachable
Basically what it means is that the VPN server is pushing a network route that encompasses the external IP address of the VPN server. This causes a routing loop, and the encrypted VPN traffic is being routed into the VPN connection itself. Viscosity is detecting this and disconnecting the VPN connection.

Generally this is caused by a misconfiguration on the OpenVPN server, and your VPN administrator should be able to adjust the pushed routes to resolve the issue. They can either ensure the routes they're pushing do not clash with the external IP address on the OpenVPN server itself, or push a /32 route for the external address to use "net_gateway". This typically isn't an issue if all traffic is being redirected through the VPN connection, as then OpenVPN will automatically create the /32 route.

If you'd prefer to work around the issue on Viscosity's end, you can create the /32 route yourself. To do this create a new route for your connection. Set the Destination to be your server's IP address (i.e. the address you replaced with XXXXXXXXX in the log). Set the Mask to 32. Set the Gateway to Local Network Gateway. Then click Add. For more information please see:
https://www.sparklabs.com/support/kb/ar ... al-network

As for why it works on Windows but not macOS: the two OSes do handle routing slightly differently, so you're likely getting lucky with the routing setup under Windows (or the configurations differ slightly).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

dario_c

Posts: 2
Joined: Mon Jan 18, 2021 11:20 pm

Post by dario_c » Thu Jan 28, 2021 11:53 pm
Thank you very much!
Fixed the routing loop on the OpenVPN Server and it's working now :)

k0k0k0

Posts: 1
Joined: Mon Oct 18, 2021 11:35 pm

Post by k0k0k0 » Mon Oct 18, 2021 11:59 pm
Hi dario,

could you explain how you set up your pfsense? I would like to use a yubikey for the OpenVPN connection too but I don't know where to start.

At the moment I have a client certificate generated on the pfsense and username/password. Thanks!
4 posts Page 1 of 1