Saved Passwords will try to reconnect until a user is locked out.


JeffB

Jul 13, 2016, 10:36:07 AM
to tunnelblick-discuss
I'm using the Duo Radius Auth Proxy to provide 2FA on our VPN connection. The way this accomplishes 2FA when all you have to work with is a username and password dialog box is that it overloads the password field with password,token. So for example when connecting I could check my authenticator and put in password,123456 according to the TOTP on my authenticator. In this use case it makes no sense to check the save my password box.

Duo also offers a push authentication, where you put in password,push in the password box.  This causes a push to the Duo App which you approve.  My users often wish to save this password to their keychain.

The problem arises that when a user connects with a saved password they are expecting the push and approve it. But then they go to sleep, or are otherwise AFK, and while they are gone the VPN connection blips and causes a reconnect. Tunnelblick will automatically reconnect with the saved credentials, the VPN will send a push that the user misses because they are sleeping. After 60 seconds it times out. And Tunnelblick tries again, and again and again, until Duo locks the account because of too many failures. Now Tunnelblick will stop trying and present the dialog box.

I don't know why an auth timeout failure causes Tunnelblick to reconnect but an account locked out failure causes it to give up. It would be much better if we had an option to cause Tunnelblick to present the dialog box, password filled in, when it sees this auth timeout failure instead of retrying and locking the user out when they are AFK.

jkbull...gmail.com

Jul 13, 2016, 1:48:44 PM
to tunnelblick-discuss
Thanks for your report.

First, can you clarify the following:
 
Duo also offers a push authentication, where you put in password,push in the password box.  This causes a push to the Duo App which you approve.  My users often wish to save this password to their keychain.

Do you mean that (assuming the password is "ABC") your users have Tunnelblick save "ABC,push" as their password, and that when Tunnelblick supplies that to OpenVPN, OpenVPN asks the Duo server to authenticate, and that request causes the Duo server to
  1. Use ABC as the password;
    and
  2. Send a message to a Duo app on the user's computer that pops up a window asking for the 2FA token, and the app then either sends the user's response or a timed-out notification to the server, and the server then sends a response to OpenVPN?
If not, please give a detailed description of what each component of this system is doing.

Second, please clarify "Now Tunnelblick will stop trying present the dialog box" (after a lockout), what do you mean? If Tunnelblick is using the saved username/password it shouldn't present a dialog box at all, so what dialog box is it presenting? (And is it "trying" to present a dialog box and somehow failing, or is it actually presenting a dialog box?)

JeffB

Jul 13, 2016, 2:54:20 PM
to tunnelblick-discuss
Yes you're pretty correct but I'll explain it in detail to fill in any gaps.

I have a standard radius server on my network that can authenticate users.

The Duo auth proxy is a service that I run on my network that is configured to query the standard radius servers.

I'm using an OpenVPN server with the radius plugin included and uses auth-user-pass in the config.

When a user enters their password in the VPN client, if the password was ABC then they enter ABC,push. There are several other things they could put after the comma. For example ,phone causes Duo to ring your phone and press 1 to verify. You can also get a TOTP number out of the Duo app and put that after the comma.

When the user submits their login credentials the OpenVPN server passes ABC,push on to the Duo Auth Proxy. The Duo auth proxy splits the password and sends ABC to my standard radius servers; if the standard radius authenticates the password then the Duo auth proxy will do an API call to the Duo service for 2 factor verification.

In the case of a Duo push, the auth proxy sends the push API call. It then waits for the Duo service to send a mobile push to your phone, for you to verify the push in the Duo app, and for the service to return the result. If you don't respond in time, either the Auth-proxy times out the API call and returns some kind of failure, or the OpenVPN radius plugin times out and returns some kind of error. I'm going to have to see if I can determine which part, and what the error might be. But what I do know is it is a different error than if the Duo auth proxy returns a denial because the Duo service says the account is locked out.

If I choose to not remember the password in Tunnelblick, when the VPN disconnects it does not try to reconnect; it displays the login credentials dialog.

If I do choose to remember the password in Tunnelblick, when the VPN disconnects it does try to reconnect. This spawns a push. If the user is ready for it they can verify it and it works. If they are sleeping or otherwise not responding to the pushes, Tunnelblick will try to authenticate over and over: it sends a push, waits a minute, the something I mention above times out and it sends another push. After too many not responded to pushes in a row Duo will lock the account and return a denial which Tunnelblick does recognize, and it stops trying and displays the login credentials dialog.

jkbull...gmail.com

Jul 13, 2016, 3:11:41 PM
to tunnelblick-discuss
Do your Tunnelblick clients have "Keep connected" checked in Tunnelblick's "Advanced" settings? I think that's one way this sort of thing can happen. (That checkbox causes Tunnelblick to restart OpenVPN in the event of an OpenVPN crash or other unexpected event.)

Otherwise, I think it is a question of getting OpenVPN to pass on to Tunnelblick the fact that the authorization failed. It sounds like it is doing that if the account is locked, but not if the account wasn't locked.

The log in Tunnelblick's "VPN Details" window would be helpful in seeing what Tunnelblick is doing, and the following Terminal command will cause Tunnelblick to do extra logging to the Console Log for the VPN authentication, which might also help:

defaults write net.tunnelblick.tunnelblick DB-AU -bool YES

To remove the extra logging, use

defaults delete net.tunnelblick.tunnelblick DB-AU

Keep in mind that Tunnelblick actually is just a wrapper for OpenVPN; it is Tunnelblick's embedded OpenVPN that is talking to your OpenVPN server, not Tunnelblick.

JeffB

Jul 14, 2016, 9:02:51 AM
to tunnelblick-discuss
The Duo Auth proxy sends a radius deny, but the client only gets a TLS timeout. I guess this explains why Tunnelblick reconnects. I'll try to look into this particular OpenVPN radius implementation and see what I can find out.
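The failure mode the thread describes (a client that retries on every auth timeout with saved credentials, each retry spawning a push, until the server side locks the account) can be made concrete with a small simulation. This is an added example, not Tunnelblick, OpenVPN or Duo code: the server model, its lockout threshold of 5 consecutive missed pushes and the 60 second push timeout are constructed assumptions, and the client only ever sees "ok", "timeout" or "locked", mirroring the observation that the client gets a TLS timeout rather than the RADIUS deny. It compares the reported behaviour (retry forever on timeout) with a bounded retry budget that stops and hands control back to the user before the server locks the account.

```python
"""Simulate reconnect-with-saved-credentials against a push-2FA backend.

Constructed model, not the behaviour of any real product:
  - PushAuthServer sends one push per attempt, counts unanswered pushes,
    and locks the account after `max_failures` consecutive misses.
  - ReconnectClient reconnects automatically with saved credentials and
    either retries on every timeout (the behaviour reported in the thread)
    or stops after `timeout_budget` timeouts and prompts the user.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class AuthResult(Enum):
    OK = "ok"                        # user approved the push
    TIMEOUT = "timeout"              # nobody approved within push_timeout_s
    DENIED_LOCKED = "denied_locked"  # account locked after too many misses


@dataclass
class PushAuthServer:
    max_failures: int = 5        # hypothetical lockout threshold
    push_timeout_s: int = 60     # push wait before the backend gives up
    failures: int = 0            # consecutive unanswered pushes
    locked: bool = False
    pushes_sent: int = 0

    def authenticate(self, user_present: bool) -> AuthResult:
        """One login attempt: send a push and report how it ended."""
        if self.locked:
            return AuthResult.DENIED_LOCKED
        self.pushes_sent += 1
        if user_present:
            self.failures = 0
            return AuthResult.OK
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return AuthResult.TIMEOUT


@dataclass
class ReconnectClient:
    server: PushAuthServer
    # None means "retry forever on timeout", i.e. the reported behaviour.
    timeout_budget: Optional[int] = None
    attempts: int = 0

    def reconnect(self, user_present: bool, max_iterations: int = 100) -> str:
        """Reconnect loop with saved credentials; returns the final outcome."""
        timeouts = 0
        for _ in range(max_iterations):
            self.attempts += 1
            result = self.server.authenticate(user_present)
            if result is AuthResult.OK:
                return "connected"
            if result is AuthResult.DENIED_LOCKED:
                # Only a hard deny stops the loop; the user is prompted,
                # but the account is already locked.
                return "locked_out_prompt_user"
            timeouts += 1
            if self.timeout_budget is not None and timeouts >= self.timeout_budget:
                # Bounded policy: stop before the server-side lockout and
                # present the credentials dialog with the password filled in.
                return "prompt_user"
        return "gave_up"


def simulate(timeout_budget: Optional[int], user_present: bool) -> Tuple[str, int, bool]:
    """Run one scenario; returns (outcome, pushes sent, account locked)."""
    server = PushAuthServer()
    client = ReconnectClient(server, timeout_budget)
    outcome = client.reconnect(user_present)
    return outcome, server.pushes_sent, server.locked


if __name__ == "__main__":
    print("user AFK, retry forever:", simulate(None, user_present=False))
    print("user AFK, budget of 2:  ", simulate(2, user_present=False))
    print("user present:           ", simulate(None, user_present=True))
```

Under the unbounded policy the AFK user's account is locked after five pushes and the client only prompts once it receives the hard deny; with a budget of two timeouts the client prompts while the account is still usable. The point for the client side is that an auth timeout on a saved-credential reconnect should count as a failed factor, not as a transient network error to be retried indefinitely.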