Bug 13035 - After update to 2.27 Core-Update 172 - openvpn fails, AUTH_FAILED, wrong configuration generated
Status: CLOSED WORKSFORME
Product: IPFire
Version: 2
Reported: 2023-02-08 08:35 UTC by Stefan Bauer
Modified: 2023-04-25 21:34 UTC (History)

Description Stefan Bauer 2023-02-08 08:35:41 UTC
After updating to 2.27 Core-Update 172 and adding a roadwarrior user without password, the connection fails with:

openvpn --config 1TO-IPFire.ovpn
Wed Feb  8 09:10:13 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Wed Feb  8 09:10:13 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Wed Feb  8 09:10:13 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]anonymizied:1194
Wed Feb  8 09:10:13 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Feb  8 09:10:13 2023 UDP link local: (not bound)
Wed Feb  8 09:10:13 2023 UDP link remote: [AF_INET]anonymizied:1194
Wed Feb  8 09:10:13 2023 TLS: Initial packet from [AF_INET]anonymizied:1194, sid=286cf74a 7edf7e93
Wed Feb  8 09:10:13 2023 VERIFY OK: anonymizied
Wed Feb  8 09:10:13 2023 VERIFY KU OK anonymizied
Wed Feb  8 09:10:13 2023 Validating certificate extended key usage
Wed Feb  8 09:10:13 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Feb  8 09:10:13 2023 VERIFY EKU OK anonymizied
Wed Feb  8 09:10:13 2023 VERIFY X509NAME OK:  anonymizied
Wed Feb  8 09:10:13 2023 VERIFY OK:  anonymizied
Wed Feb  8 09:10:14 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Wed Feb  8 09:10:14 2023 [anonymizied] Peer Connection Initiated with [AF_INET]anonymizied:1194
Wed Feb  8 09:10:15 2023 SENT CONTROL [anonymizied]: 'PUSH_REQUEST' (status=1)
Wed Feb  8 09:10:16 2023 AUTH: Received control message: AUTH_FAILED
Wed Feb  8 09:10:16 2023 SIGTERM[soft,auth-failure] received, process exiting

TOTP/2FA was _NOT_ ticked on server side for this connection, however there are also snippets in the auto-generated configuration:

auth-token-user USER
auth-token TOTP
auth-retry interact

Is this a known bug?
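
A triage sketch for the client log in the description, added here as an example and not part of the original report or of IPFire's code: it maps log lines to connection stages and reports which side ended the attempt. The stage names and the `triage` function are hypothetical; the sample lines are copied from the report with timestamps shortened.

```python
import re

# Ordered client-side stages and the OpenVPN log text that marks each one.
STAGES = [
    ("tls_initial_packet", re.compile(r"TLS: Initial packet from")),
    ("server_cert_verified", re.compile(r"VERIFY OK")),
    ("control_channel_up", re.compile(r"Control Channel: ")),
    ("peer_connection", re.compile(r"Peer Connection Initiated")),
    ("push_request_sent", re.compile(r"SENT CONTROL .*'PUSH_REQUEST'")),
    ("push_reply_received", re.compile(r"PUSH: Received control message")),
]
VERIFY_ERROR = re.compile(r"VERIFY (?:\w+ )?ERROR")  # client rejected server cert
AUTH_FAILED = re.compile(r"AUTH: Received control message: AUTH_FAILED")


def triage(log_text):
    """Return the stages reached and which side ended the connection attempt."""
    reached, failure = [], None
    for line in log_text.splitlines():
        for name, pattern in STAGES:
            if name not in reached and pattern.search(line):
                reached.append(name)
        if VERIFY_ERROR.search(line):
            failure = "client rejected server certificate"
        elif AUTH_FAILED.search(line):
            # Sent by the server over the control channel, so TLS was already up.
            failure = "server rejected authentication"
    return {"reached": reached, "failure": failure,
            "tls_ok": "peer_connection" in reached}


# Lines taken from the log in the report above (timestamps shortened).
REPORTED_LOG = """\
09:10:13 TLS: Initial packet from [AF_INET]anonymizied:1194, sid=286cf74a 7edf7e93
09:10:13 VERIFY OK: anonymizied
09:10:13 VERIFY KU OK anonymizied
09:10:13 VERIFY EKU OK anonymizied
09:10:13 VERIFY X509NAME OK:  anonymizied
09:10:14 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
09:10:14 [anonymizied] Peer Connection Initiated with [AF_INET]anonymizied:1194
09:10:15 SENT CONTROL [anonymizied]: 'PUSH_REQUEST' (status=1)
09:10:16 AUTH: Received control message: AUTH_FAILED
"""

if __name__ == "__main__":
    result = triage(REPORTED_LOG)
    print("stages reached:", " -> ".join(result["reached"]))
    print("failure:", result["failure"], "| TLS completed:", result["tls_ok"])
```

For the reported log, every stage up to the push request is reached and the attempt ends with the server's AUTH_FAILED, so the server log is the place to look for the reason.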
Comment 1 Michael Tremer 2023-02-09 15:13:50 UTC
(In reply to Stefan Bauer from comment #0)
> TOTP/2FA was _NOT_ ticked on server side for this connection, however there
> are also snippets in the auto-generated configuration:
> 
> auth-token-user USER
> auth-token TOTP
> auth-retry interact

You will always need these lines. Otherwise the authentication would fail.
Comment 2 Stefan Bauer 2023-02-10 08:04:28 UTC
Well, then there is no working openvpn in my setup since the update to CU 172.

I'm not using OTP/2FA (not checked).

Tried with setting a password for the roadwarrior and without.
Tried with several openvpn community clients (Windows 10), 2.5.7-2.6.0.

If it works for you, can you please share your client version?

Thank you.
Comment 3 Adolf Belka 2023-02-10 08:42:52 UTC
Here is a working .ovpn profile from my Core Update 172 system.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1470
remote ipfire.domain.zone.org 1190
pkcs12 phoebevm.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name ipfire.domain.zone.org name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

The only thing I changed was the domain name specified.
Comment 4 Stefan Bauer 2023-02-10 08:44:17 UTC
Are you using 2FA?
Comment 5 Adolf Belka 2023-02-10 09:20:04 UTC
(In reply to Stefan Bauer from comment #4)
> Are you using 2FA?

No.

That profile works fine with both an Android phone client and a Linux laptop client.
Comment 6 Adolf Belka 2023-03-23 12:56:59 UTC
Is this bug, that you cannot create an OpenVPN connection without 2FA since Core Update 172, still valid?

What happened with your test of the working .ovpn profile that I shared?
Comment 7 Adolf Belka 2023-04-25 21:34:49 UTC
As there has been no further feedback on this bug for two months, I am closing it.

If it is still a problem then please re-open it and provide additional information.