NetworkManager-openvpn does not honor auth-token pushed by the server
I've been testing NetworkManager-openvpn for connecting to an OpenVPN Access Server (from openvpn.net). Testing with Fedora 29, which includes NetworkManager-openvpn 1.8.10 and openvpn 2.4.7. On the OpenVPN AS end, I'm using user-locked profiles that require user/password authentication.
Initial connection works just fine, but whenever OpenVPN AS requires re-authentication, it never works correctly. Re-authentication could be required for many reasons, these are the ones I've run across in my testing: (1) Session expiration time has been reached (OpenVPN AS default is 24 hrs), (2) net connection down long enough for the session token inactivity timeout to be hit (OpenVPN AS default is 5 mins), or (3) OpenVPN AS server is rebooted.
When re-authentication is required for whatever reason, these syslog entries appear:
Mar 10 07:16:50 XXX nm-openvpn[16875]: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
Mar 10 07:16:50 XXX nm-openvpn[16875]: SIGUSR1[soft,auth-failure (auth-token)] received, process restarting
At this point, NetworkManager-openvpn never seems to properly perform the required re-authentication, and NM falsely claims the VPN is still running. It'll stay in this state indefinitely until the user manually disconnects the (non-working) connection, at which point this will be logged:
Mar 10 08:26:41 XXX nm-openvpn[16875]: ERROR: could not read Auth username/password/ok/string from management interface
Mar 10 08:26:41 XXX nm-openvpn[16875]: Exiting due to fatal error
Reconnection works properly when using openvpn directly from the command line, and not using NetworkManager.