ocserv broken when used with haproxy

Regis McCall regis.mccall2016 at gmail.com
Tue Jun 22 03:09:42 PDT 2021


Hello,

I installed the latest version of ocserv on Rocky Linux. I also have a
separate server in a different subnet running HAProxy.

Here is my ocserv.conf:

auth = "radius [config=/etc/radcli/radiusclient.conf]"
acct = "radius [config=/etc/radcli/radiusclient.conf]"

tcp-port = 443
#udp-port = 0
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket

server-cert = /opt/docker/letsencrypt/live/ocvpn.ardentrook.cx/fullchain.pem
server-key = /opt/docker/letsencrypt/live/ocvpn.ardentrook.cx/privkey.pem

mtu = 1400
log-level = 3
isolate-workers = true
max-clients = 16
max-same-clients = 4
keepalive = 32400
dpd = 15
mobile-dpd = 1800
listen-proxy-proto = true
try-mtu-discovery = true
tls-priorities = "SECURE256:%COMPAT"
auth-timeout = 30
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-rekey-time = 14400
cookie-timeout = 172800
rate-limit-ms = 100
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = ardentrook.cx
ipv4-network = 172.16.5.0/25
dns = 172.16.2.220
route = default
tunnel-all-dns = true
ping-leases = true
cisco-client-compat = false
dtls-legacy = false

Here is my haproxy.cfg:
global
   log 127.0.0.1 local2
   maxconn 2048
   pidfile /var/run/haproxy.pid

defaults
   mode    http
   option  tcplog
   option  dontlognull
   option  contstats
   option  http-server-close
   option log-health-checks
   retries 3
   option  redispatch
   timeout connect  5000
   timeout client  10000
   timeout server  10000

   # make sure log-format is on a single line
   log global

frontend httpfront
   mode http
   bind *:80
   redirect scheme https code 301 if !{ ssl_fc }

frontend https-ocserv
   bind 0.0.0.0:443 tfo npn http/1.1
   mode tcp
   timeout connect 5000ms
   option redispatch
   timeout client 200000ms
   timeout server 200000ms
   option tcplog
   option clitcpka
   tcp-request inspect-delay 5s
   tcp-request content accept if { req.ssl_hello_type 1 }

   use_backend vpn_ocserv         if { req_ssl_sni ocvpn.ardentrook.cx }
   use_backend www_mailcow         if { req_ssl_sni mail.ardentrook.cx }
   default_backend tcp_to_https

backend www_mailcow
   mode tcp
   acl mailcow req_ssl_sni -i mail.ardentrook.cx
   timeout connect 5000ms
   option redispatch
   timeout client 200000ms
   timeout server 200000ms
   option tcplog

   use-server mailcow if mailcow

   option tcp-check
   server mailcow 172.16.1.11:443

backend vpn_ocserv
   mode tcp
   acl ocserv req_ssl_sni -i ocvpn.ardentrook.cx

   use-server ocserv if ocserv
   option tcp-check
   server ocserv 172.16.1.2:443 send-proxy-v2

backend tcp_to_https
    mode tcp
    server haproxy-https 127.0.0.1:8443 check

frontend ft_https
    mode http
    # HAProxy will take the fitting certificate from the available ones
    bind *:8443 ssl crt /opt/docker/letsencrypt/live/ardentrook.cx/ardentrook.cx.pem
    # Spread the requests between backends
    use_backend     emby  if { req_ssl_sni emby.ardentrook.cx }
    default_backend emby

backend emby
    server emby 172.16.3.252:8096 check

Here is what ocserv says:

Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info>  [1624354013.2734] device (vpns0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info>  [1624354013.2738] device (vpns0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn dbus-daemon[1006]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1082 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Jun 22 05:26:53 ocvpn systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 22 05:26:53 ocvpn dbus-daemon[1006]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 22 05:26:53 ocvpn systemd[1]: Started Network Manager Script Dispatcher Service.
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info>  [1624354013.2985] device (vpns0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info>  [1624354013.2990] device (vpns0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info>  [1624354013.3012] device (vpns0): Activation: successful, device activated.
Jun 22 05:27:03 ocvpn systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Jun 22 05:27:17 ocvpn ocserv[6299]: worker[regis]: 172.16.1.12 worker-vpn.c:1543: error parsing CSTP data
Jun 22 05:27:17 ocvpn ocserv[6299]: worker[regis]: 172.16.1.12 worker-vpn.c:2670: tls_mainloop failed -1
Jun 22 05:27:17 ocvpn ocserv[5011]: sec-mod: temporarily closing session for regis (session: 8S8RBI)
Jun 22 05:27:17 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62176 user disconnected (reason: unspecified error, rx: 195, tx: 1096)
Jun 22 05:27:17 ocvpn NetworkManager[1082]: <info>  [1624354037.8630] device (vpns0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Jun 22 05:27:17 ocvpn dbus-daemon[1006]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1082 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Jun 22 05:27:17 ocvpn systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 22 05:27:17 ocvpn dbus-daemon[1006]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 22 05:27:17 ocvpn systemd[1]: Started Network Manager Script Dispatcher Service.
Jun 22 05:27:17 ocvpn ocserv[5010]: warning: skipping unknown option 'log-level'
Jun 22 05:27:17 ocvpn ocserv[5010]: warning: skipping unknown option 'cookie-rekey-time'
Jun 22 05:27:17 ocvpn ocserv[5010]: note: skipping 'pid-file' config option
Jun 22 05:27:17 ocvpn ocserv[5010]: note: vhost:default: setting 'radius' as primary authentication method
Jun 22 05:27:17 ocvpn ocserv[5010]: note: setting 'radius' as accounting method
Jun 22 05:27:17 ocvpn ocserv[5010]: note: setting 'file' as supplemental config option
Jun 22 05:27:18 ocvpn ocserv[5010]: main:172.16.1.12:38720 updating remote IP to 174.250.6.6
Jun 22 05:27:18 ocvpn ocserv[5011]: sec-mod: initiating session for user 'regis' (session: 8S8RBI)
Jun 22 05:27:18 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62179 new user session
Jun 22 05:27:21 ocvpn ocserv[5010]: main: pinged 172.16.5.115 and is not in use
Jun 22 05:27:21 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62179 user logged in
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1574] manager: (vpns0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
Jun 22 05:27:21 ocvpn systemd-udevd[6478]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1755] device (vpns0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1807] device (vpns0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1820] device (vpns0): Activation: starting connection 'vpns0' (2ac4818d-90a6-4a2b-b1a5-74e11ab72d9f)
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1824] device (vpns0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1831] device (vpns0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1835] device (vpns0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1840] device (vpns0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1870] device (vpns0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1875] device (vpns0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info>  [1624354041.1896] device (vpns0): Activation: successful, device activated.


I've tried several config options. HAProxy works for everything else
except ocserv. Any suggestions? HAProxy is a necessity.
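Since the vpn_ocserv backend above uses send-proxy-v2 and ocserv runs with listen-proxy-proto = true, one useful check is to parse the first bytes that actually reach 172.16.1.2:443 and confirm they form a valid PROXY protocol v2 header followed by the TLS ClientHello. The builder and parser below are an added example, not code from the original post, ocserv or HAProxy; the sample header is constructed from the client address and backend seen in the log above.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (from HAProxy's proxy-protocol.txt spec).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION, PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x20, 0x00, 0x01
PP2_FAM_TCP4, PP2_FAM_TCP6 = 0x11, 0x21

def build_proxy_v2(src, dst, src_port, dst_port):
    """Build the header HAProxy's 'send-proxy-v2' prepends to a TCP stream."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    fam = PP2_FAM_TCP4 if s.version == 4 else PP2_FAM_TCP6
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION | PP2_CMD_PROXY, fam, len(body)) + body

def parse_proxy_v2(data):
    """Parse a PROXY v2 header and return (info, bytes_after_header).

    Malformed input raises ValueError; a receiver with listen-proxy-proto
    should drop such connections. Since the forwarded addresses are trusted,
    port 443 on the ocserv host must be reachable only from the HAProxy host.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature: peer is not using send-proxy-v2")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, payload, cmd = data[16:16 + length], data[16 + length:], ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        # LOCAL: the proxy itself opened the connection (e.g. a health check);
        # no forwarded address, so keep the socket's real peer address.
        return {"command": "LOCAL"}, payload
    if cmd != PP2_CMD_PROXY:
        raise ValueError("unknown PROXY v2 command")
    alen = {PP2_FAM_TCP4: 4, PP2_FAM_TCP6: 16}.get(fam)
    if alen is None or length < 2 * alen + 4:
        raise ValueError("unsupported address family or short address block")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return {"command": "PROXY", "src": str(src), "dst": str(dst),
            "src_port": src_port, "dst_port": dst_port}, payload

# Constructed sample: the header HAProxy would send for the client in the log
# (174.250.6.6:62179 to backend 172.16.1.2:443), then the first bytes of the
# TLS ClientHello record (0x16 0x03 0x01) that ocserv must see right after it.
SAMPLE = build_proxy_v2("174.250.6.6", "172.16.1.2", 62179, 443) + b"\x16\x03\x01"
```

Feeding the parser the first bytes captured on the ocserv side (for example from a tcpdump of the HAProxy to ocserv leg) tells you whether the proxy header is present and well-formed before ocserv ever sees the TLS handshake.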



More information about the openconnect-devel mailing list