OpenVPN / openvpn-gui

OpenVPN GUI is a graphical frontend for OpenVPN running on Windows 7 / 8 / 10. It creates an icon in the notification area from which you can control OpenVPN to start/stop your VPN tunnels, view the log and do other useful things.

OpenVPN GUI (SBL/PLAP) setting doesn't work with Dynamic Challenge #679

Closed bgironx15 closed 5 months ago

bgironx15 commented 5 months ago

Hello,

I'm testing the SBL/PLAP on OpenVPN GUI and this is working well so far.

Now, I'm testing this with TOTP MFA and noticed that this works when using Static Challenge but doesn't work when using Dynamic Challenge.

Some info

When using Static Challenge

When using Dynamic Challenge

From OpenVPN Access Server Logs when using Dynamic Challenge

2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 VERIFY OK: depth=0, CN=test1'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_VER=2.6.10'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_PLAT=win'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_TCPNL=1'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_MTU=1600'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_NCP=2'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_PROTO=990'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_HWADDR=XXXXX'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: "2024-04-10 14:24:25 167.0.253.78:55964 TLS: Username/Password authentication deferred for username 'test1' "
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted'
2024-04-10T09:24:25-0500 [stdout#info] VPN Auth Failed: 'challenge' ['CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code']
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 167.0.253.78:55964 [test1] Peer Connection Initiated with [AF_INET]167.0.253.78:55964 (via [AF_INET]64.227.9.21%eth0)'
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 MANAGEMENT: CMD \'client-deny 4 1 "AS auth failed" "CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code"\''
2024-04-10T09:24:25-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:25 MULTI: connection rejected: AS auth failed, CLI:CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code'
2024-04-10T09:24:26-0500 [stdout#info] [OVPN 1] OUT: '2024-04-10 14:24:26 167.0.253.78:55964 Delayed exit in 5 seconds'
2024-04-10T09:24:26-0500 [stdout#info] [OVPN 1] OUT: "2024-04-10 14:24:26 167.0.253.78:55964 SENT CONTROL [UNDEF]: 'AUTH_FAILED,CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code' (status=1)"
2024-04-10T09:24:26-0500 [stdout#info] [OVPN 1] OUT: "2024-04-10 14:24:26 167.0.253.78:55964 SENT CONTROL [test1]: 'AUTH_FAILED,CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code' (status=1)"

From OpenVPN GUI Logs when using Dynamic Challenge

2024-04-10 09:18:23 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations. 
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2024-04-10 09:18:23 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2024-04-10 09:18:23 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-04-10 09:18:23 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-04-10 09:18:23 DCO version: 1.0.1
2024-04-10 09:18:23 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:12345
2024-04-10 09:18:23 Need hold release from management interface, waiting...
2024-04-10 09:18:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50331
2024-04-10 09:18:39 MANAGEMENT: CMD 'state on'
2024-04-10 09:18:39 MANAGEMENT: CMD 'log on all'
2024-04-10 09:18:39 MANAGEMENT: CMD 'echo on all'
2024-04-10 09:18:39 MANAGEMENT: CMD 'bytecount 5'
2024-04-10 09:18:39 MANAGEMENT: CMD 'state'
2024-04-10 09:24:07 MANAGEMENT: Client disconnected
2024-04-10 09:24:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:51065
2024-04-10 09:24:13 MANAGEMENT: CMD 'state on'
2024-04-10 09:24:13 MANAGEMENT: CMD 'log on all'
2024-04-10 09:24:13 MANAGEMENT: CMD 'echo on all'
2024-04-10 09:24:13 MANAGEMENT: CMD 'bytecount 5'
2024-04-10 09:24:13 MANAGEMENT: CMD 'state'
2024-04-10 09:24:13 MANAGEMENT: CMD 'hold off'
2024-04-10 09:24:13 MANAGEMENT: CMD 'hold release'
2024-04-10 09:24:26 MANAGEMENT: CMD 'username "Auth" "test1"'
2024-04-10 09:24:26 MANAGEMENT: CMD 'password [...]'
2024-04-10 09:24:26 TCP/UDP: Preserving recently used remote address: [AF_INET]64.227.9.21:1194
2024-04-10 09:24:26 ovpn-dco device [OpenVPN Connect DCO Adapter] opened
2024-04-10 09:24:26 UDP link local: (not bound)
2024-04-10 09:24:26 UDP link remote: [AF_INET]64.227.9.21:1194
2024-04-10 09:24:26 MANAGEMENT: >STATE:1712759066,WAIT,,,,,,
2024-04-10 09:24:26 MANAGEMENT: >STATE:1712759066,AUTH,,,,,,
2024-04-10 09:24:26 TLS: Initial packet from [AF_INET]64.227.9.21:1194, sid=e94e90ac 36ebaa8e
2024-04-10 09:24:26 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-04-10 09:24:26 VERIFY OK: depth=1, CN=OpenVPN CA2
2024-04-10 09:24:26 VERIFY KU OK
2024-04-10 09:24:26 Validating certificate extended key usage
2024-04-10 09:24:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-04-10 09:24:26 VERIFY EKU OK
2024-04-10 09:24:26 VERIFY OK: depth=0, CN=OpenVPN Server
2024-04-10 09:24:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-04-10 09:24:26 [OpenVPN Server] Peer Connection Initiated with [AF_INET]64.227.9.21:1194
2024-04-10 09:24:26 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-04-10 09:24:26 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-04-10 09:24:27 MANAGEMENT: >STATE:1712759067,GET_CONFIG,,,,,,
2024-04-10 09:24:27 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2024-04-10 09:24:27 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code
2024-04-10 09:24:27 Closing DCO interface
2024-04-10 09:24:27 SIGTERM[soft,auth-failure] received, process exiting
2024-04-10 09:24:27 MANAGEMENT: >STATE:1712759067,EXITING,auth-failure,,,,,

selvanair commented 5 months ago

Looks like your config file is not set up properly for dynamic challenge. OpenVPN is exiting on receiving the dynamic challenge query likely because you do not have "auth-retry interact" in the config file. This is required for dynamic challenge to work.

Note that for instances started by the GUI it sets this option by default, but when started at boot as in PLAP, it has to be in the config file.
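As an added illustration (not code from openvpn-gui or from anyone in this thread), the following Python parses the AUTH_FAILED,CRV1 message that appears in the logs above, builds the reply the client is expected to send, and checks a client profile for the "auth-retry" directive that the reply depends on. The CRV1 wire format ("CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>", flags R = response required, E = echo) and the reply format ("CRV1::<state_id>::<response>" in the password field, original username in the username field) are taken from OpenVPN's management-interface notes; the sample message is the one quoted in the issue, and the sample profiles are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the control message quoted in the issue's client log.
SAMPLE_AUTH_FAILED = (
    "AUTH_FAILED,CRV1:R,E:PG_P4sEA+Qd1vJ/E9b9:dGVzdDE=:Enter Authenticator Code"
)

# Constructed sample profiles (hypothetical, for the example only).
PROFILE_WITHOUT_AUTH_RETRY = "client\ndev tun\nremote vpn.example.net 1194\n"
PROFILE_WITH_AUTH_RETRY = PROFILE_WITHOUT_AUTH_RETRY + "auth-retry interact\n"


@dataclass
class DynamicChallenge:
    response_required: bool  # flag R: user must answer before reconnecting
    echo_response: bool      # flag E: the typed response may be shown in clear
    state_id: str            # opaque server token that ties the reply to this challenge
    username: str            # original username, base64-decoded
    challenge_text: str      # prompt to display to the user


def parse_dynamic_challenge(msg: str) -> DynamicChallenge:
    """Parse 'AUTH_FAILED,CRV1:<flags>:<state_id>:<username_b64>:<text>'.

    The 'AUTH_FAILED,' prefix is optional so the same parser accepts the bare
    reason string that the management interface hands to a GUI.
    """
    if msg.startswith("AUTH_FAILED,"):
        msg = msg[len("AUTH_FAILED,"):]
    if not msg.startswith("CRV1:"):
        raise ValueError("not a CRV1 dynamic challenge")
    # The challenge text is the last field and may itself contain ':',
    # so split at most four times and keep the remainder intact.
    parts = msg.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed CRV1 message")
    _, flags, state_id, user_b64, text = parts
    if not state_id:
        raise ValueError("empty state_id")
    flag_set = set(flags.split(",")) if flags else set()
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except Exception as exc:  # binascii.Error or UnicodeDecodeError
        raise ValueError("username field is not valid base64") from exc
    return DynamicChallenge(
        response_required="R" in flag_set,
        echo_response="E" in flag_set,
        state_id=state_id,
        username=username,
        challenge_text=text,
    )


def build_challenge_response(ch: DynamicChallenge, user_response: str) -> tuple[str, str]:
    """Return the (username, password) pair the client resubmits.

    The reply rides in the password field as 'CRV1::<state_id>::<response>'
    while the username field repeats the original username.
    """
    return ch.username, f"CRV1::{ch.state_id}::{user_response}"


# Matches an uncommented 'auth-retry <mode>' directive; '#' and ';' comment
# lines do not match because the line must start with the directive.
_AUTH_RETRY_RE = re.compile(r"^\s*auth-retry\s+(\S+)", re.MULTILINE)


def auth_retry_mode(profile_text: str) -> str:
    """Return the auth-retry mode a client profile sets, or the OpenVPN 2
    default 'none' when the directive is absent. With 'none' the process exits
    on AUTH_FAILED instead of re-prompting, which is exactly what the log in
    this issue shows (SIGTERM[soft,auth-failure])."""
    matches = _AUTH_RETRY_RE.findall(profile_text)
    return matches[-1] if matches else "none"  # assumes a later directive overrides an earlier one


def can_answer_dynamic_challenge(profile_text: str) -> bool:
    """True only if the profile keeps the process alive to answer a CRV1 challenge."""
    return auth_retry_mode(profile_text) == "interact"


if __name__ == "__main__":
    ch = parse_dynamic_challenge(SAMPLE_AUTH_FAILED)
    print(f"prompt {ch.username!r}: {ch.challenge_text}")
    print("reply:", build_challenge_response(ch, "123456"))
    for name, prof in (("without", PROFILE_WITHOUT_AUTH_RETRY), ("with", PROFILE_WITH_AUTH_RETRY)):
        print(f"profile {name} auth-retry -> {auth_retry_mode(prof)}, "
              f"can answer challenge: {can_answer_dynamic_challenge(prof)}")
```

Note that the state_id is chosen by the server and is opaque to the client; the client only needs to echo it back unchanged, so a GUI should not try to interpret it, and the base64 username is decoded strictly so a malformed field fails closed rather than silently producing a wrong prompt.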

bgironx15 commented 5 months ago

I normally use OpenVPN Connect v3 (OpenVPN3) so I don't need to add that line "auth-retry interact" on the Client Profile. That's the reason I didn't have that in my Client Profile when using OpenVPN GUI (OpenVPN2), but it looks like this is needed for Dynamic Challenge on OpenVPN2.

I tested with the line "auth-retry interact" and it worked.

Thanks

selvanair commented 5 months ago

The default in OpenVPN 2 is "auth-retry none" -- I've no idea why. We change that to "interact" when started by OpenVPN-GUI as it's clearly an interactive session. For PLAP, I wanted to allow the user to decide how these pre-started sessions should behave.

Based on your report, now I feel it may be useful to automatically set auth-retry to interact when we attach from PLAP screen or at least when interactive authentication is in use.

lstipakov commented 5 months ago

It looks like most (all?) issues users have with PLAP are due to (lack of) documentation. I just found this one but was wondering if we should put it in the community wiki or some repo (openvpn-gui? openvpn-build?).

lstipakov commented 5 months ago

Let's close the ticket, but think what would be the best place to put documentation on PLAP feature. @flichtenheld

flichtenheld commented 5 months ago

It is an openvpn-gui feature so the primary documentation ideally should be there. Then we could include it in the installer or link to it from the Wiki anyway.