Opened 3 years ago

Last modified 3 years ago

#973 new Bug / Defect

restart network adapter leads to "AUTH_FAILED"

Reported by: chipitsine Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

when some of our users perform a PowerShell command (while OpenVPN is connected)

  Get-NetAdapter | Restart-NetAdapter

so, OpenVPN complains with AUTH_FAILED (and the saved password is forgotten)

do not ask why people wish to Restart-NetAdapter, I've no idea.
however, I believe that it should not end with AUTH_FAILED

the worst is that the saved password is forgotten

trac#972 is somehow related to this issue. I tried to increase the verbosity level

Change History (4)

comment:1 Changed 3 years ago by selvanair

Hard to reproduce without seeing the config. The log will help too. Is auth-token in use?

comment:2 Changed 3 years ago by chipitsine

test config from https://community.openvpn.net/openvpn/ticket/965 should work (it is identical to our production config)

I'll try with trac#965 config soon

yes, auth-token is used. however, I did not mention that I perform

  Get-NetAdapter | Restart-NetAdapter

on the client side, so server keeps assigned token

comment:3 Changed 3 years ago by selvanair

Not surprising if auth-token is in use. IMO, auth-token is not ready for prime time.

When tun aborts the client gets a SIGHUP restart. As reconnection will be a new session, the server will subject it to normal password processing. But the client will retry with the token as the password. Note that token is treated exactly like password on the client-side in the current implementation while the server ties token to a session and all new sessions need the real password the first time.

Instead of restarting the adapter, just try the reconnect button in the GUI (the one at bottom of the status window) and you may find the same behaviour with auth-token enabled.
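
A toy model of the sequence described in comment 3, added here as an illustration and not taken from OpenVPN's code: the server ties a token to one session, the client treats the token exactly like a password, and a SIGHUP restart after the adapter reset opens a new session. `Server`, `Client` and the `drop_token_on_restart` flag are constructed names; the flag models a hypothetical fix, not an existing option.

```python
# Constructed model of the auth-token interaction (not OpenVPN source code).
import secrets

REAL_PASSWORD = "constructed-sample-password"  # constructed sample credential


class Server:
    """Binds each auth-token to one session; a fresh session needs the real password."""

    def __init__(self):
        self.tokens = {}  # session_id -> token issued for that session

    def authenticate(self, session_id, credential):
        if session_id not in self.tokens:
            # First auth of a new session: only the real password is accepted.
            if credential != REAL_PASSWORD:
                return "AUTH_FAILED", None
            self.tokens[session_id] = secrets.token_hex(16)
            return "OK", self.tokens[session_id]
        # Renegotiation inside an existing session: that session's token is accepted.
        if credential == self.tokens[session_id]:
            return "OK", self.tokens[session_id]
        return "AUTH_FAILED", None


class Client:
    """Once it holds a token, sends it in place of the password (comment 3)."""

    def __init__(self, drop_token_on_restart=False):
        self.password = REAL_PASSWORD
        self.token = None
        self.session_id = 0
        self.drop_token_on_restart = drop_token_on_restart  # hypothetical fix

    def authenticate(self, server):
        credential = self.token if self.token else self.password
        status, token = server.authenticate(self.session_id, credential)
        if status == "OK":
            self.token = token
        return status

    def sighup_restart(self, server):
        # tun abort -> SIGHUP restart -> the reconnection is a brand-new session
        self.session_id += 1
        if self.drop_token_on_restart:
            self.token = None  # fall back to the real password for the new session
        return self.authenticate(server)


def run_scenario(drop_token_on_restart=False):
    """Initial connect, in-session renegotiation, then adapter restart."""
    server, client = Server(), Client(drop_token_on_restart)
    return [client.authenticate(server), client.authenticate(server),
            client.sighup_restart(server)]
```

`run_scenario()` reproduces the ticket (`["OK", "OK", "AUTH_FAILED"]`); with the hypothetical flag the client discards the token on restart and the new session authenticates with the real password.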

comment:4 Changed 3 years ago by chipitsine

so, I should either disable auth-tokens or use "auth-retry" as a workaround?

by "IMO, auth-token is not ready for prime time" you mean that currently auth tokens are designed in a way not very well suited for production usage?
