Opened 3 years ago

Last modified 18 months ago

#1440 new Bug / Defect

Problem reconnecting when dynamic challenge and password file are used.

Reported by: N-Mi Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.5.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: tct, Selva Nair


I recently set up new VPN servers running OpenVPN CE on Debian (version 2.5.1-3 on server side).

Authentication is handled using a service connected to the management socket (management-client-auth is set on the server). Login/password is used to authenticate users, and a dynamic challenge is used to provide MFA.

I'm connecting from a Linux Laptop running Debian, running openvpn in a terminal. I tried with Debian's provided version (2.5.1), and newest version available in Openvpn's repository (2.5.4-bullseye0). Login and password are stored in a file referenced by the option "auth-user-pass client-config.pwd"

When performing initial connection, everything works as expected :

  • first connection fails with a reason starting with "AUTH_FAILED,CRV1:"
  • a retry is done by the client, prompting the user with the challenge prompt
  • user enters OTP code
  • authentication success
  • session is established

So far, so good...

Then, if a deconnection occurs (by restarting openvpn service on the server, tried also by disconnecting wi-fi on the laptop), it takes a random time to re-establish connection :

  • client reconnects and tries to re-send the initial challenge response
  • auth fails because the user has to go through first authentication step (login/pass), which is expected
  • new connection is done by providing login/pass automatically (using "auth-user-pass client-config.pwd").
  • connection fails with a reason starting with "AUTH_FAILED,CRV1:"
  • challenge prompt is displayed but....
  • ...client starts connecting to the server instantly without letting the user entering OTP code
  • authentication fails because the answer given to the challenge is an empty string
  • client retries login/pass, then empty challenge answer, for a random amount of attempts
  • miraculously, the clients prompts for challenge answer, and lets the user enter the OTP code
  • authentication success
  • session is established

If I use only "auth-user-pass" in client config to enter manually the login/pass, everything works as expected. The issue occurs only when using a file to provide login/pass.

Attachments (2)

bug_openvpn.log (138.9 KB) - added by N-Mi 3 years ago.
client logs with verb 5
client_config.ovpn (578 bytes) - added by N-Mi 3 years ago.
client config

Download all attachments as: .zip

Change History (4)

Changed 3 years ago by N-Mi

Attachment: bug_openvpn.log added

client logs with verb 5

Changed 3 years ago by N-Mi

Attachment: client_config.ovpn added

client config

comment:1 Changed 3 years ago by tct

Cc: tct added

comment:2 Changed 18 months ago by Gert Döring

Cc: Selva Nair added

Could you re-test with 2.6_beta2 or with 2.5.8? There were a number of fixes related to auth-user-pass and auth-token handling/caching, and these might also affect CRV1 (or not). Thanks.

Note: See TracTickets for help on using tickets.