Bug 13641

Summary: OpenVPN OTP: client did not ask for token
Product: IPFire Reporter: Daniel Weismüller <daniel.weismueller>
Component: ---    Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: NEW --- QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: michael.tremer
Version: 2   
Hardware: unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 13633    
Attachments: client 2.5.10 log from windows
client 2.6.10 log from windows
client 2.5.9 log from ubuntu cli
Ubuntu 22.04.4 client log
Ubuntu-22.04.4 with CU169 and auth-user-pass in client
Log from connection OTP enabled and added auth-user-pass to client config
Log from connection with pw on cert and OTP enabled and added auth-user-pass to client config

Description Daniel Weismüller 2024-04-01 11:43:22 UTC
Created attachment 1506 [details]
client 2.5.10 log from windows

The OpenVPN client did not ask for the OTP token.
Tested it with Core 182 and Ubuntu 22.04 LTS (OpenVPN 2.5.9).
I tried the CLI and Network Manager.

I also tried it with Windows 10 (OpenVPN 2.5.10 and OpenVPN 2.6.10).

If I make a config without otp every client is able to connect.
Comment 1 Daniel Weismüller 2024-04-01 11:44:19 UTC
Created attachment 1507 [details]
client 2.6.10 log from windows
Comment 2 Michael Tremer 2024-04-01 11:56:49 UTC
@Adolf: Did you encounter any of these problems doing your recent OpenVPN testing, too?
Comment 3 Adolf Belka 2024-04-01 12:07:47 UTC
(In reply to Michael Tremer from comment #2)
> @Adolf: Did you encounter any of these problems doing your recent OpenVPN
> testing, too?

No, but I didn't use OTP. None of my clients, Network Manager on Linux and OpenVPN for Android on my mobile phone work with OTP.

If the problem experienced by @Daniel is because of Windows then I also don't have any Windows systems.

The only thing I have never tested out in the past is trying OTP with running openvpn as the client from the command line.

I could give that a try but I don't know if OTP would be expected to work in that situation.
Comment 4 Daniel Weismüller 2024-04-01 12:12:01 UTC
Bug 13109 describes something similar, but even with this information I could not create a configuration with otp enabled.
Comment 5 Daniel Weismüller 2024-04-01 12:13:51 UTC
(In reply to Adolf Belka from comment #3)
> (In reply to Michael Tremer from comment #2)
> > @Adolf: Did you encounter any of these problems doing your recent OpenVPN
> > testing, too?
> 
> No, but I didn't use OTP. None of my clients, Network Manager on Linux and
> OpenVPN for Android on my mobile phone work with OTP.
> 
> If the problemn experienced by @Daniel is because of Windows then I also
> don't have any Windows systems.
> 
> The only thing I have never tested out in the past is trying OTP with
> running openvpn as the client from the command line.
> 
> I could give that a try but I don't know if OTP would be expected to work in
> that situation.

I first tried it with the Ubuntu machines. I only tried it with the Windows machines to rule out that this is a client problem.
Comment 6 Adolf Belka 2024-04-01 12:16:17 UTC
Hi @Daniel, what client did you use on Ubuntu and which Ubuntu version? I could then look at creating an Ubuntu VM and test it out.
Comment 7 Daniel Weismüller 2024-04-01 12:22:12 UTC
Created attachment 1508 [details]
client 2.5.9 log from ubuntu cli
Comment 8 Daniel Weismüller 2024-04-01 12:25:51 UTC
(In reply to Adolf Belka from comment #6)
> Hi @Daniel, what client did you use on Ubuntu and which Ubuntu version. I
> could then look at creating an Ubuntu vm and test it out.

I use Ubuntu 22.04 LTS.

apt list openvpn 
Listing... Done
openvpn/jammy-updates,now 2.5.9-0ubuntu0.22.04.2 amd64  [installed]
Comment 9 Adolf Belka 2024-04-01 16:27:59 UTC
Created attachment 1509 [details]
Ubuntu 22.04.4 client log

I have tested otp out with an Arch Linux client with

openvpn 2.6.10
openssl 3.2.1

and also with Ubuntu 22.04.4 client with

openvpn 2.5.9
openssl 3.0.2

I got the same messages as @daniel from both connection attempts.

The attachment is the log from the Ubuntu 22.04.4 vm client
Comment 10 Adolf Belka 2024-04-01 16:39:19 UTC
Forgot to mention that the test was done with a server running CU184.
Comment 11 Adolf Belka 2024-04-01 17:42:40 UTC
I have installed a Core Update 169 IPFire system with the first installation of OTP functionality.

I then tried the same OTP connection with both arch linux and ubuntu-22.04.4 and got the same result in both cases as when using IPFire CU184

This is making me wonder if the otp functionality ever worked with the openvpn client cli input?
Unfortunately I never tried it out back in July 2022 when the otp functionality was introduced.
Comment 12 Daniel Weismüller 2024-04-02 08:58:31 UTC
I'm sure it worked. 
I've tested it with Michael when he has implemented it.

There was only a problem if you use both OTP and password protection on the PKCS12 file. See Bug 13255.

Maybe something changed on the client side because at this time I used openvpn 2.5.5.
Comment 13 Adolf Belka 2024-04-02 10:24:38 UTC
(In reply to Daniel Weismüller from comment #12)
> I'm sure it worked. 
> I've tested it with Michael when he has implemented it.
> 
> There was only a problem if you use both otp and password protction on
> PKCS12 file. See Bug 13255.
> 

Ah. All my testing yesterday was with a certificate with a password. I always use a password so I just did that automatically.

I will repeat my testing with a password-less certificate.
Comment 14 Adolf Belka 2024-04-02 11:25:39 UTC
Created attachment 1510 [details]
Ubuntu-22.04.4 with CU169 and auth-user-pass in client

I have made some progress.

With the CU169 server, I added auth-user-pass into the client .ovpn file and still with a certificate with a password.

The attached command line log shows that I was first asked for the cert password.

Then the auth failed, then there was a 5-second pause, and then it asked for the One Time Token.

I provided that and it asked again for the cert password.

I provided the password and the connection was successfully made (Initialization Sequence Completed) and I was able to successfully ping and the connection was shown as connected on the server and the graphs and the logs for RW gave output.

I will now try the same approach with the CU184 server using the same client that worked above and see if that works.
Comment 15 Adolf Belka 2024-04-02 12:02:09 UTC
The connection also worked with a CU184 server using a client with a password and after adding the auth-user-pass line to the client .ovpn

The only issue is that you have to enter the cert password twice, as the Challenge One Time Token request is only presented after the first cert password has been requested and the Auth status comes back as failed.

So as long as auth-user-pass has been added to the client .ovpn file then the connection can be successfully made, albeit with having to enter the cert password twice.

The client for both cases used OpenVPN-2.5.9 with OpenSSL-3.0.2
Comment 16 Adolf Belka 2024-04-02 12:10:32 UTC
It also worked with my Arch Linux openvpn client on the command line as long as the auth-user-pass entry is in the .ovpn file.

The Arch Linux client is using OpenVPN-2.6.10 with OpenSSL-3.2.1
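The sequence Adolf and Daniel describe above (AUTH failed, 5-second pause, prompt for the token, retry) is how an OpenVPN client reacts to the server's dynamic challenge/response message, which is only possible when `auth-user-pass` gives the client an auth channel to carry the reply. The helpers below are an added example written for this page, not code from IPFire, OpenVPN or anyone in this thread. They (1) insert `auth-user-pass` into a client .ovpn idempotently and (2) parse the `AUTH_FAILED,CRV1:...` message and build the `CRV1::<state_id>::<response>` password the client sends back, following the format in OpenVPN's management-notes. Assumption: IPFire's OTP prompt uses this CRV1 mechanism; the thread only shows the observed prompt sequence and does not name the wire format. The config text and challenge line are constructed sample input.

```python
"""Added example (not IPFire/OpenVPN project code). See lead-in for assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


def ensure_auth_user_pass(config_text: str) -> str:
    """Return config_text with an active `auth-user-pass` directive present.

    Idempotent: an existing active directive (bare or with a credentials-file
    argument) is kept unchanged; commented-out lines ('#' or ';') do not count.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue
        if stripped == "auth-user-pass" or stripped.startswith("auth-user-pass "):
            return config_text
    sep = "" if not config_text or config_text.endswith("\n") else "\n"
    return config_text + sep + "auth-user-pass\n"


@dataclass
class Crv1Challenge:
    flags: str            # comma-separated, e.g. "R,E"
    state_id: str         # opaque token the client must echo back
    username: str         # base64-decoded from the message
    challenge_text: str   # prompt shown to the user
    response_required: bool
    echo: bool


# AUTH_FAILED,CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
# The challenge text may itself contain ':' so it is matched last and greedily.
_CRV1_RE = re.compile(r"^AUTH_FAILED,CRV1:([^:]*):([^:]*):([^:]*):(.*)$", re.S)


def parse_crv1(server_message: str) -> Optional[Crv1Challenge]:
    """Parse a dynamic-challenge AUTH_FAILED line; None if it is a plain auth failure."""
    m = _CRV1_RE.match(server_message.strip())
    if not m:
        return None  # ordinary AUTH_FAILED (wrong credentials), no challenge to answer
    flags, state_id, user_b64, text = m.groups()
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed username field: treat as non-challenge
    flag_set = {f for f in flags.split(",") if f}
    return Crv1Challenge(flags, state_id, username, text,
                         response_required="R" in flag_set, echo="E" in flag_set)


def build_crv1_response(state_id: str, otp: str) -> str:
    """Password field for the retry: CRV1::<state_id>::<response_text>."""
    if not state_id or ":" in state_id:
        raise ValueError("invalid CRV1 state id")
    if ":" in otp:
        raise ValueError("OTP response must not contain ':'")
    return f"CRV1::{state_id}::{otp}"


# Constructed sample input (not taken from the attached logs).
SAMPLE_OVPN = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n# auth-user-pass\npkcs12 client.p12\n"
SAMPLE_CHALLENGE = "AUTH_FAILED,CRV1:R,E:state-42:ZGFuaWVs:Enter your one-time token:"

if __name__ == "__main__":
    print(ensure_auth_user_pass(SAMPLE_OVPN))
    ch = parse_crv1(SAMPLE_CHALLENGE)
    print(ch)
    if ch and ch.response_required:
        print(build_crv1_response(ch.state_id, "123456"))
```

`parse_crv1` returning `None` for a plain `AUTH_FAILED` is deliberate: the client should only re-prompt for a token when the server actually issued a challenge, otherwise a wrong certificate password or bad credentials would look like an OTP request.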
Comment 17 Michael Tremer 2024-04-08 17:10:34 UTC
*** Bug 13255 has been marked as a duplicate of this bug. ***
Comment 18 Daniel Weismüller 2024-04-09 12:40:16 UTC
Created attachment 1517 [details]
Log from connection OTP enabled and added auth-user-pass to client config

added "auth-user-pass" to the client config 

The client gets the message AUTH failed, waits 5 seconds and then asks for the token.
Comment 19 Daniel Weismüller 2024-04-09 12:49:16 UTC
Created attachment 1518 [details]
Log from connection with pw on cert and OTP enabled and added auth-user-pass to client config

Log from connection OTP enabled and added auth-user-pass to client config

added "auth-user-pass" to the client config 

The client asks for the password of the certificate.
After that it gets the message AUTH failed, waits 5 seconds and then asks for the token.
Then the client asks again for the password of the certificate.

Finally it connects.
Comment 20 Michael Tremer 2024-04-12 14:40:50 UTC
Then we have a bug somewhere, because on the server side, this is configured optionally:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;hb=76ba16aef070d5efd10325b8a34a134ec04dcaf2#l367