Bug 13035

Summary: After update to 2.27 Core-Update 172 - openvpn fails, AUTH_FAILED, wrong configuration generated
Product: IPFire Reporter: Stefan Bauer <sb>
Component: ---Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED WORKSFORME QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: adolf.belka, michael.tremer
Version: 2   
Hardware: unspecified   
OS: Unspecified   

Description Stefan Bauer 2023-02-08 08:35:41 UTC 
After updating to 2.27 Core-Update 172 and adding a roadwarrior user without password, the connection fails with:

openvpn --config 1TO-IPFire.ovpn
Wed Feb  8 09:10:13 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Wed Feb  8 09:10:13 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Wed Feb  8 09:10:13 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]anonymizied:1194
Wed Feb  8 09:10:13 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Feb  8 09:10:13 2023 UDP link local: (not bound)
Wed Feb  8 09:10:13 2023 UDP link remote: [AF_INET]anonymizied:1194
Wed Feb  8 09:10:13 2023 TLS: Initial packet from [AF_INET]anonymizied:1194, sid=286cf74a 7edf7e93
Wed Feb  8 09:10:13 2023 VERIFY OK: anonymizied
Wed Feb  8 09:10:13 2023 VERIFY KU OK anonymizied
Wed Feb  8 09:10:13 2023 Validating certificate extended key usage
Wed Feb  8 09:10:13 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Feb  8 09:10:13 2023 VERIFY EKU OK anonymizied
Wed Feb  8 09:10:13 2023 VERIFY X509NAME OK:  anonymizied
Wed Feb  8 09:10:13 2023 VERIFY OK:  anonymizied
Wed Feb  8 09:10:14 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Wed Feb  8 09:10:14 2023 [anonymizied] Peer Connection Initiated with [AF_INET]anonymizied:1194
Wed Feb  8 09:10:15 2023 SENT CONTROL [anonymizied]: 'PUSH_REQUEST' (status=1)
Wed Feb  8 09:10:16 2023 AUTH: Received control message: AUTH_FAILED
Wed Feb  8 09:10:16 2023 SIGTERM[soft,auth-failure] received, process exiting

TOTP/2FA was _NOT_ ticked on server side for this connection, however there are also snippets in the auto-generated configuration:

auth-token-user USER
auth-token TOTP
auth-retry interact

Is this a known bug?
Comment 1 Michael Tremer 2023-02-09 15:13:50 UTC 
(In reply to Stefan Bauer from comment #0)
> TOTP/2FA was _NOT_ ticked on server side for this connection, however there
> are also snippets in the auto-generated configuration:
> 
> auth-token-user USER
> auth-token TOTP
> auth-retry interact

You will always need these lines. Otherwise the authentication would fail.
Comment 2 Stefan Bauer 2023-02-10 08:04:28 UTC 
Well, then there is no working openvpn in my setup since update to CU 172.

I'm not using OTP/2FA (not checked).

Tried with setting a password for the roadwarrior and without.
Tried with several openvpn community clients (windows 10) 2.5.7-2.6.0)

If it works for you, can you please share your client version?

Thank you.
Comment 3 Adolf Belka 2023-02-10 08:42:52 UTC 
Here is a working .ovpn profile from my Core Update 172 system.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1470
remote ipfire.domain.zone.org 1190
pkcs12 phoebevm.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name ipfire.domain.zone.org name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

The only thing I changed was the domain name specified.
Comment 4 Stefan Bauer 2023-02-10 08:44:17 UTC 
are you using 2fa?
Comment 5 Adolf Belka 2023-02-10 09:20:04 UTC 
(In reply to Stefan Bauer from comment #4)
> are you using 2fa?

No.

That profile works fine with both an Android phone client and a Linux laptop client.
Comment 6 Adolf Belka 2023-03-23 12:56:59 UTC 
Is this bug, that you cannot create an OpenVPN connection without 2FA since Core Update 172, still valid.

What happened with your test of the working .ovpn profile that I shared.
Comment 7 Adolf Belka 2023-04-25 21:34:49 UTC 
As there has been no further feedback on this bug for two months I am closing it.

If it is still a problem then please re-open it and provide additional information.