Opened 3 years ago
Last modified 21 months ago
#1440 new Bug / Defect
Problem reconnecting when dynamic challenge and password file are used.
Reported by: | N-Mi | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | Generic / unclassified | Version: | OpenVPN 2.5.4 (Community Ed)
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: |
Cc: | tct, Selva Nair | |
Description
I recently set up new VPN servers running OpenVPN CE on Debian (version 2.5.1-3 on server side).
Authentication is handled using a service connected to the management socket (management-client-auth is set on the server). Login/password is used to authenticate users, and a dynamic challenge is used to provide MFA.
I'm connecting from a Linux laptop running Debian, running openvpn in a terminal. I tried with Debian's provided version (2.5.1) and the newest version available in OpenVPN's repository (2.5.4-bullseye0). Login and password are stored in a file referenced by the option "auth-user-pass client-config.pwd".
When performing the initial connection, everything works as expected:
- first connection fails with a reason starting with "AUTH_FAILED,CRV1:"
- a retry is done by the client, prompting the user with the challenge prompt
- user enters OTP code
- authentication success
- session is established
So far, so good...
Then, if a disconnection occurs (by restarting the openvpn service on the server; also tried by disconnecting wi-fi on the laptop), it takes a random time to re-establish the connection:
- client reconnects and tries to re-send the initial challenge response
- auth fails because the user has to go through first authentication step (login/pass), which is expected
- new connection is done by providing login/pass automatically (using "auth-user-pass client-config.pwd").
- connection fails with a reason starting with "AUTH_FAILED,CRV1:"
- challenge prompt is displayed, but...
- ...the client starts connecting to the server instantly without letting the user enter the OTP code
- authentication fails because the answer given to the challenge is an empty string
- client retries login/pass, then empty challenge answer, for a random number of attempts
- miraculously, the client prompts for the challenge answer and lets the user enter the OTP code
- authentication success
- session is established
If I use only "auth-user-pass" in the client config to enter the login/pass manually, everything works as expected. The issue occurs only when using a file to provide the login/pass.
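For readers unfamiliar with the exchange behind the "AUTH_FAILED,CRV1:" lines above, here is an added example (not code from the ticket, the reporter, or OpenVPN itself) that parses the dynamic-challenge reason string and builds the round-two password field, refusing to send the empty answer that the ticket describes. It assumes the CRV1 wire format as documented in OpenVPN's management-interface notes; the function and class names and the sample strings are mine.

```python
# Added example, not OpenVPN's own code. Format assumed from OpenVPN's
# management-notes documentation:
#   server -> client: AUTH_FAILED,CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
#   client -> server (round two): username unchanged, password = CRV1::<state_id>::<response>
import base64
from dataclasses import dataclass


@dataclass
class Crv1Challenge:
    response_required: bool  # flag "R": the server expects a non-empty response
    echo_response: bool      # flag "E": the client may echo the typed response
    state_id: str
    username: str
    challenge_text: str


def parse_crv1(reason: str) -> Crv1Challenge:
    """Parse the part of an AUTH_FAILED reply that follows the comma."""
    if not reason.startswith("CRV1:"):
        raise ValueError("not a CRV1 dynamic challenge")
    # maxsplit=4 keeps any ':' inside the human-readable challenge text intact
    parts = reason.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed CRV1 challenge: %r" % reason)
    _, flags, state_id, user_b64, text = parts
    flag_set = {f for f in flags.split(",") if f}
    return Crv1Challenge("R" in flag_set, "E" in flag_set, state_id,
                         base64.b64decode(user_b64).decode(), text)


def response_allowed(challenge: Crv1Challenge, otp: str) -> bool:
    """False when the server demanded a response but the client has none (empty OTP)."""
    return bool(otp) or not challenge.response_required


def build_crv1_response(challenge: Crv1Challenge, otp: str) -> str:
    """Round-two password field. Raises instead of sending an empty answer."""
    if not response_allowed(challenge, otp):
        raise ValueError("challenge requires a response; not sending an empty one")
    return "CRV1::%s::%s" % (challenge.state_id, otp)


# Constructed sample reason string (username "alice" base64-encoded).
SAMPLE_REASON = "CRV1:R,E:st4t3:YWxpY2U=:Enter OTP code"

if __name__ == "__main__":
    ch = parse_crv1(SAMPLE_REASON)
    print(ch)
    print(build_crv1_response(ch, "123456"))
```

A client that checks `response_allowed` before re-sending would stall at the prompt instead of burning attempts with an empty answer, which is also the behaviour a server-side rate limiter would otherwise see as a brute-force pattern.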
Attachments (2)
Change History (4)
Changed 3 years ago by
Attachment: | bug_openvpn.log added
---|---
comment:1 Changed 3 years ago by
Cc: | tct added
---|---
comment:2 Changed 21 months ago by
Cc: | Selva Nair added
---|---
Could you re-test with 2.6_beta2 or with 2.5.8? There were a number of fixes related to auth-user-pass and auth-token handling/caching, and these might also affect CRV1 (or not). Thanks.
client logs with verb 5