| Summary: | OpenVPN OTP: client did not ask for token | | |
|---|---|---|---|
| Product: | IPFire | Reporter: | Daniel Weismüller <daniel.weismueller> |
| Component: | --- | Assignee: | Assigned to nobody - feel free to grab it and work on it <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | - Unknown - | | |
| Priority: | - Unknown - | CC: | michael.tremer |
| Version: | 2 | | |
| Hardware: | unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | | | |
| Bug Blocks: | 13633 | | |

Attachments:
client 2.5.10 log from windows
client 2.6.10 log from windows
client 2.5.9 log from ubuntu cli
Ubuntu 22.04.4 client log
Ubuntu-22.04.4 with CU169 and auth-user-pass in client
Log from connection OTP enabled and added auth-user-pass to client config
Log from connection with pw on cert and OTP enabled and added auth-user-pass to client config

Created attachment 1507 [details]
client 2.6.10 log from windows

@Adolf: Did you encounter any of these problems doing your recent OpenVPN testing, too?

(In reply to Michael Tremer from comment #2)
> @Adolf: Did you encounter any of these problems doing your recent OpenVPN
> testing, too?

No, but I didn't use OTP. None of my clients, Network Manager on Linux and OpenVPN for Android on my mobile phone work with OTP.

If the problem experienced by @Daniel is because of Windows then I also don't have any Windows systems.

The only thing I have never tested out in the past is trying OTP with running openvpn as the client from the command line.

I could give that a try but I don't know if OTP would be expected to work in that situation.

Bug 13109 describes something similar, but even with this information I could not create a configuration with otp enabled.

(In reply to Adolf Belka from comment #3)
> (In reply to Michael Tremer from comment #2)
> > @Adolf: Did you encounter any of these problems doing your recent OpenVPN
> > testing, too?
>
> No, but I didn't use OTP. None of my clients, Network Manager on Linux and
> OpenVPN for Android on my mobile phone work with OTP.
>
> If the problem experienced by @Daniel is because of Windows then I also
> don't have any Windows systems.
>
> The only thing I have never tested out in the past is trying OTP with
> running openvpn as the client from the command line.
>
> I could give that a try but I don't know if OTP would be expected to work in
> that situation.

I first tried it with the Ubuntu machines. Only tried it with the windows machines to rule out that this is a client problem

Hi @Daniel, what client did you use on Ubuntu and which Ubuntu version. I could then look at creating an Ubuntu vm and test it out.

Created attachment 1508 [details]
client 2.5.9 log from ubuntu cli

(In reply to Adolf Belka from comment #6)
> Hi @Daniel, what client did you use on Ubuntu and which Ubuntu version. I
> could then look at creating an Ubuntu vm and test it out.

I use Ubuntu 22.4 LTS.

apt list openvpn
Auflistung… Fertig
openvpn/jammy-updates,now 2.5.9-0ubuntu0.22.04.2 amd64 [installiert]

Created attachment 1509 [details]
Ubuntu 22.04.4 client log
I have tested otp out with an Arch Linux client with
openvpn 2.6.10
openssl 3.2.1
and also with Ubuntu 22.04.4 client with
openvpn 2.5.9
openssl 3.0.2
I got the same messages as @daniel from both connection attempts.
The attachment is the log from the Ubuntu 22.04.4 vm client

Forgot to mention that the test was done with a server running CU184.

I have installed a Core Update 169 IPFire system with the first installation of OTP functionality.

I then tried the same OTP connection with both arch linux and ubuntu-22.04.4 and got the same result in both cases as when using IPFire CU184.

This is making me wonder if the otp functionality ever worked with the openvpn client cli input?

Unfortunately I never tried it out back in July 2022 when the otp functionality was introduced.

I'm sure it worked.
I've tested it with Michael when he has implemented it.

There was only a problem if you use both otp and password protection on PKCS12 file. See Bug 13255.

Maybe something changed on the client side because at this time I used openvpn 2.5.5.

(In reply to Daniel Weismüller from comment #12)
> I'm sure it worked.
> I've tested it with Michael when he has implemented it.
>
> There was only a problem if you use both otp and password protection on
> PKCS12 file. See Bug 13255.
>

Ah. All my testing yesterday was with a certificate with a password. I always use a password so I just did that automatically.

I will repeat my testing with a password-less certificate.

Created attachment 1510 [details]
Ubuntu-22.04.4 with CU169 and auth-user-pass in client
I have made some progress.
With the CU169 server, I added auth-user-pass into the client .ovpn file and still with a certificate with a password.
The attached command line log shows that I was first asked for the cert password.
Then the auth failed, then it had a 5 second pause and then it asked for the One Time Token.
I provided that and it asked again for the cert password.
I provided the password and the connection was successfully made (Initialization Sequence Completed) and I was able to successfully ping and the connection was shown as connected on the server and the graphs and the logs for RW gave output.
I will now try the same approach with the CU184 server using the same client that worked above and see if that works.

The connection also worked with a CU184 server using a client with a password and after adding the auth-user-pass line to the client .ovpn.

The only issue is that you have to enter the cert password twice as the Challenge One Time Token request is only provided after the first cert password has been requested and the Auth status comes back as failed.

So as long as auth-user-pass has been added to the client .ovpn file then the connection can be successfully made, albeit with having to enter the cert password twice.

The client for both cases used OpenVPN-2.5.9 with OpenSSL-3.0.2

It also worked with my Arch Linux openvpn client on the command line as long as the auth-user-pass entry is in the .ovpn file.

The Arch Linux client is using OpenVPN-2.6.10 with OpenSSL-3.2.1

*** Bug 13255 has been marked as a duplicate of this bug. ***

Created attachment 1517 [details]
Log from connection OTP enabled and added auth-user-pass to client config
added "auth-user-pass" to the client config
The client gets the message AUTH failed, waits 5 seconds and then asks for the token.

Created attachment 1518 [details]
Log from connection with pw on cert and OTP enabled and added auth-user-pass to client config
Log from connection OTP enabled and added auth-user-pass to client config
added "auth-user-pass" to the client config
The client asks for the password of the certificate.
After that it gets the message AUTH failed, waits 5 seconds and then asks for the token.
Then the client asks again for the password of the certificate
finally connects
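
An added example (not part of the bug report and not IPFire's code): a small Python check of a client .ovpn profile for the two conditions the comments above report, a missing `auth-user-pass` line and a possibly password-protected certificate. The sample profile, its host name and its file name are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample profile (not taken from the bug's attachments);
# the host name and file name are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.org 1194
pkcs12 roadwarrior.p12
;auth-user-pass
"""

def parse_profile(text):
    """Return (directives, inline_blocks) parsed from an OpenVPN client profile."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # inside an inline <tag> ... </tag> block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":      # '#' and ';' start comment lines
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            current = tag.group(1)
            blocks[current] = []
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks

def otp_findings(text):
    """Flag the two conditions reported in this thread for OTP-enabled connections."""
    directives, blocks = parse_profile(text)
    findings = []
    if "auth-user-pass" not in directives:
        findings.append("auth-user-pass missing: testers saw no token prompt without it")
    key_pem = "\n".join(blocks.get("key", []))
    if "pkcs12" in directives or "pkcs12" in blocks or "ENCRYPTED" in key_pem:
        findings.append("key may be password protected: testers were asked for it twice")
    return findings

if __name__ == "__main__":
    for finding in otp_findings(SAMPLE_PROFILE):
        print(finding)
```
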
Then we have a bug somewhere, because on the server side, this is configured optionally:
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;hb=76ba16aef070d5efd10325b8a34a134ec04dcaf2#l367
Created attachment 1506 [details]
client 2.5.10 log from windows

The openvpn client did not ask for otp token.
Tested it with core182 and Ubuntu 22.4 LTS (openvpn 2.5.9). I tried the cli and the network manager.
I also tried it with Windows10 (openvpn 2.5.10 and openvpn 2.6.10)
If I make a config without otp every client is able to connect.