ocserv adds 10 points to the load balancer IP for a failed login
Description of problem:
I have this setup
client (tcp, ip: 1.129.29.201) --> proxy server (running haproxy, ip: 78.109.194.177) --> France (running ocserv)
In case of login failure, ocserv adds 10 points to the load balancer IP, not the client IP. I have enabled the send-proxy-v2
option in haproxy. Logs:
Jul 28 08:18:38 v2202307203190234471 ocserv[9745]: ocserv[9745]: main:78.109.194.177:46896 updating remote IP to 1.129.29.201
Jul 28 08:18:38 v2202307203190234471 ocserv[9745]: ocserv[9745]: main: added 1 points (total 3) for IP '1.129.29.201' to ban list
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: worker: 78.109.194.177 sending message 'session info' to main
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: ocserv[14498]: worker: 78.109.194.177 proxy-hdr: peer is 78.109.194.177
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: ocserv[14498]: worker: 78.109.194.177 User-agent: 'OpenConnect VPN Agent (Java) v7.08-unknown'
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: ocserv[14498]: worker: 78.109.194.177 Detected OpenConnect v4 or newer
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: ocserv[14498]: worker: 78.109.194.177 Platform: 'android' (mobile)
Jul 28 08:18:38 v2202307203190234471 ocserv[14498]: ocserv[14498]: worker: 78.109.194.177 Device-type: 'android'
Jul 28 08:18:38 v2202307203190234471 ocserv[9745]: main:78.109.194.177:46896 main received worker's message 'session info' of 105 bytes
Jul 28 08:18:38 v2202307203190234471 ocserv[9745]: main:78.109.194.177:46896 updating remote IP to 1.129.29.201
Jul 28 08:18:38 v2202307203190234471 ocserv[9745]: main: added 1 points (total 3) for IP '1.129.29.201' to ban list
...
...
Jul 28 08:18:44 v2202307203190234471 ocserv[9745]: ocserv[9745]: main: added 10 points (total 10) for IP '78.109.194.177' to ban list
Jul 28 08:18:44 v2202307203190234471 ocserv[9745]: main: added 10 points (total 10) for IP '78.109.194.177' to ban list
Jul 28 08:18:46 v2202307203190234471 ocserv[9745]: ocserv[9745]: main:1.129.29.201:63657 worker terminated
It adds 10 points to the load balancer IP, not the client IP.
Version of ocserv used:
ocserv 1.2.1
Client used:
'OpenConnect VPN Agent (Java) v7.08-unknown'
Distributor of ocserv:
Ubuntu 22.04.2 LTS
How reproducible:
Follow the setup outlined here: https://ocserv.gitlab.io/www/recipes-ocserv-multihost.html
- launch two VPSes: vps1 (haproxy, mode tcp) ---> vps2 (ocserv, with accept proxy protocol enabled)
- connect using a mobile/computer and enter wrong credentials, then check the output of
occtl show ip ban points
Actual results:
IP              score
1.129.29.201    1
78.109.194.177  10
Expected results:
IP              score
1.129.29.201    10
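The check below is an added example and is not part of the report or of ocserv. It parses log lines of the shape shown above (the sample is constructed, modelled on the excerpt, with a made-up host name), collapses the entries that ocserv logs twice (once via stderr, once via syslog), tallies "added N points" per IP, and flags points credited to an IP that was itself seen forwarding a different client address in an "updating remote IP to" line. Those are the points that landed on the load balancer rather than on the client; the practical consequence is that failed logins from any client count against the shared proxy address, so it can reach the ban threshold and lock out everyone behind the proxy while the offending client is never banned. The regexes and function names are assumptions for the example, and only IPv4 peers are handled.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the report (hostname made up).
# Lines 3 and 4 are the same event logged twice, which the parser must count once.
SAMPLE_LOG = """\
Jul 28 08:18:38 host ocserv[9745]: main:78.109.194.177:46896 updating remote IP to 1.129.29.201
Jul 28 08:18:38 host ocserv[9745]: main: added 1 points (total 3) for IP '1.129.29.201' to ban list
Jul 28 08:18:44 host ocserv[9745]: ocserv[9745]: main: added 10 points (total 10) for IP '78.109.194.177' to ban list
Jul 28 08:18:44 host ocserv[9745]: main: added 10 points (total 10) for IP '78.109.194.177' to ban list
Jul 28 08:18:46 host ocserv[9745]: main:1.129.29.201:63657 worker terminated
"""

# Assumed message shapes, taken from the lines quoted in the report (IPv4 only).
REMOTE_IP_RE = re.compile(
    r"main:(?P<peer>\S+?):(?P<port>\d+) updating remote IP to (?P<client>\S+)")
BAN_POINTS_RE = re.compile(
    r"added (?P<pts>\d+) points \(total (?P<total>\d+)\) for IP '(?P<ip>[^']+)' to ban list")


def _events(log_text):
    """Yield (timestamp, message), collapsing the stderr+syslog double logging."""
    seen = set()
    for line in log_text.splitlines():
        ts = line[:15]                 # "Jul 28 08:18:38"
        msg = line.split("]: ")[-1]    # drop one or two "ocserv[pid]: " prefixes
        key = (ts, msg)
        if key in seen:
            continue
        seen.add(key)
        yield ts, msg


def parse_ban_events(log_text):
    """Return (peers, points).

    peers:  transport peer IP -> set of client IPs it forwarded via PROXY protocol
    points: IP -> total ban points added in this log window
    """
    peers = defaultdict(set)
    points = defaultdict(int)
    for _, msg in _events(log_text):
        m = REMOTE_IP_RE.search(msg)
        if m:
            peers[m.group("peer")].add(m.group("client"))
            continue
        m = BAN_POINTS_RE.search(msg)
        if m:
            points[m.group("ip")] += int(m.group("pts"))
    return dict(peers), dict(points)


def proxy_ips(peers):
    """Peers that announced at least one client address different from their own."""
    return {peer for peer, clients in peers.items() if clients - {peer}}


def misattributed_points(log_text):
    """Ban points credited to a proxy/load-balancer IP instead of a real client."""
    peers, points = parse_ban_events(log_text)
    proxies = proxy_ips(peers)
    return {ip: pts for ip, pts in points.items() if ip in proxies}


if __name__ == "__main__":
    peers, points = parse_ban_events(SAMPLE_LOG)
    print("points per IP:", points)
    print("proxy IPs seen:", proxy_ips(peers))
    print("points landing on proxy IPs:", misattributed_points(SAMPLE_LOG))
```

Run it against the real journal (e.g. pipe `journalctl -u ocserv` into `parse_ban_events`) after a deliberate failed login through the proxy; a non-empty result from `misattributed_points` reproduces the misattribution this report describes, and the same parser confirms the fix once the 10 points show up on the client IP instead.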