2FA Seems to be Broken
Description
When trying to connect to an OpenVPN Access Server with 2FA enabled (`static-challenge "..." 1`) I get prompted with two pop-ups, one for the password and then a second one asking for the OTP token. However, although both pieces of information are entered correctly, the authentication fails.
When I perform the same connection via `openvpn --config config.ovpn --cert cert.pem --key user.key` I get prompted with

```
Enter Auth Username: <username>
🔐 Enter Auth Password: *****************
CHALLENGE: Enter Google Authenticator Code <code>
```

and the connection is successfully established.
Related Issues
I am aware of #12 (closed) and of several other issues in different bug trackers targeting this topic. However, unfortunately it seems that no solution to this problem exists yet.
In Ubuntu-1322728#22 a user seems to experience a very similar error. At least from the log he provided, it looks related.
System Info
- OS: Fedora Linux 36 (Workstation Edition)
- OS Type: 64-bit
- GNOME Version: 42.2
- NetworkManager Version: 1.38.0-2.fc36
As I am running a Fedora system and previously experienced problems with the NetworkManager-openvpn plugin and SELinux, it is set to permissive mode.
Logs
Output of `journalctl -u NetworkManager.service`:

```
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for>
Jun 23 15:15:09 : OpenVPN 2.5.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 31 2022
Jun 23 15:15:09 : library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
Jun 23 15:15:09 : NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 23 15:15:09 : TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:09 : UDP link local: (not bound)
Jun 23 15:15:09 : UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:09 : NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jun 23 15:15:09 : [dserv100.demo-umts.de] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:10 : AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_f3VmNDLPzQG8DVwZ:dnNjaGFyZg==:Enter Authenticator Code
Jun 23 15:15:10 : SIGUSR1[soft,auth-failure] received, process restarting
Jun 23 15:15:25 : NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 23 15:15:25 : TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:25 : UDP link local: (not bound)
Jun 23 15:15:25 : UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:25 : [dserv100.demo-umts.de] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Jun 23 15:15:25 : AUTH: Received control message: AUTH_FAILED
Jun 23 15:15:25 : SIGUSR1[soft,auth-failure] received, process restarting
Jun 23 15:15:33 : NetworkManager[1421]: <warn> [1655990133.0302] vpn[0x557877a8c9e0,b3b763ee-5928-45d0-a7c8-cda638d90d69,"SWE"]: secrets: failed to request VPN secrets #4: User canceled the>
Jun 23 15:15:33 : ERROR: could not read Auth username/password/ok/string from management interface
Jun 23 15:15:33 : Exiting due to fatal error
```
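For readers unfamiliar with the `AUTH_FAILED,CRV1:...` message in the log above: the following is an added example, not part of this report or of the NetworkManager-openvpn code, showing how OpenVPN's dynamic challenge message is parsed and which password strings a client has to send back for the dynamic (`CRV1`) and static (`SCRV1`) challenge forms as documented in OpenVPN's management-notes. The username, state id and OTP in the sample are constructed, not taken from the log.

```python
import base64

# Constructed sample in the same shape as the control message in the log:
# AUTH_FAILED,CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
SAMPLE_MSG = "AUTH_FAILED,CRV1:R,E:stateid-CONSTRUCTED:YWxpY2U=:Enter Authenticator Code"


def parse_crv1(msg):
    """Parse an OpenVPN dynamic challenge; returns a dict or raises ValueError."""
    if msg.startswith("AUTH_FAILED,"):
        msg = msg[len("AUTH_FAILED,"):]
    if not msg.startswith("CRV1:"):
        raise ValueError("not a CRV1 dynamic challenge")
    # The challenge text may itself contain ':' so split at most 4 times.
    parts = msg.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed CRV1 message")
    _, flags, state_id, user_b64, text = parts
    return {
        # R = a response is required, E = the response may be echoed on screen
        "flags": set(flags.split(",")) if flags else set(),
        "state_id": state_id,
        "username": base64.b64decode(user_b64).decode(),
        "text": text,
    }


def crv1_response(state_id, otp):
    """Password field the client sends on reconnect to answer a dynamic challenge."""
    return f"CRV1::{state_id}::{otp}"


def scrv1_password(password, otp):
    """Password field for the static-challenge form: both parts base64 encoded."""
    p = base64.b64encode(password.encode()).decode()
    o = base64.b64encode(otp.encode()).decode()
    return f"SCRV1:{p}:{o}"


if __name__ == "__main__":
    ch = parse_crv1(SAMPLE_MSG)
    print("server asks:", ch["text"], "for user", ch["username"])
    print("reply password:", crv1_response(ch["state_id"], "123456"))
    print("static form:   ", scrv1_password("pw", "123456"))
```

The difference that matters for a client such as the NetworkManager plugin is that after a `CRV1` reply it must reconnect and send the original username together with the `CRV1::<state_id>::<otp>` string as the password, rather than re-sending the password and OTP it already collected.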