Closed Akkowicz closed 3 years ago
dsommers
commented
3 years ago Does your configuration profile contain --remote-random-hostname ?
You seem to have used openvpn3-as to download an OpenVPN Access Server profile. Can you do openvpn3 config-show --config AS:REDACTED.DOMAIN > as.conf ... and then try to start the connection this way: openvpn2 --config as.conf --verb 6 and provide the output you see?
Akkowicz
commented
3 years ago Does your configuration profile contain --remote-random-hostname?
No :/
then try to start the connection this way: openvpn2 --config as.conf --verb 6 and provide the output you see?
I've managed to start it like this:
sudo openvpn --config as.conf --verb 6 --auth-user-pass --auth-retry interactSudo because of "ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)" and --auth-retry because we have Google Auth TOTP enabled. The tunnel starts fine and works correctly, no issues visible in the logs.
I've also had success with using the config file generated by OpenVPN AS website and openvpn2 client, but when trying to connect with the same profile using the openvpn3 CLI, the following happens:
REDACTED@pop-os:~/Downloads$ openvpn3 session-start --config ./profile-53.ovpn
Using pre-loaded configuration profile './profile-53.ovpn'
Session path: /net/openvpn/v3/sessions/4839a80fs6d98s40acs9ceas4741991374df
Auth User name: REDACTED
Auth Password:
Enter Authenticator Code: 515133
session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Connect: GDBus.Error:net.openvpn.v3.sessions.error: Failed communicating with VPN backend: Failed calling D-Bus method Connect: Timeout was reached
From system journal:
Jul 12 11:32:29 pop-os net.openvpn.v3.log[22569]: {tag:10973489817731813246} Network Configuration INFO: Socket protect called for socket 8, remote: '51.89.119.30', tun: '', ipv6: no
Jul 12 11:32:29 pop-os net.openvpn.v3.log[22569]: {tag:14675505194543856749} Client INFO: Connecting
Jul 12 11:32:29 pop-os net.openvpn.v3.log[22569]: {tag:10973489817731813246} Network Configuration INFO: Cleaning up resources for PID 24862.
Jul 12 11:32:32 pop-os openvpn3-servic[24862]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Jul 12 11:32:32 pop-os dbus-daemon[1047]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.264" (uid=125 pid=24862 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/openvpn3-" label="unconfined") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.262" (uid=125 pid=24852 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/openvpn3-" label="unconfined")
Jul 12 11:32:32 pop-os net.openvpn.v3.log[22569]: {tag:14675505194543856749} Client INFO: Starting connection
Jul 12 11:32:32 pop-os net.openvpn.v3.log[22569]: {tag:14675505194543856749} Client VERB1: Username/password provided successfully for 'REDACTED'
Jul 12 11:32:32 pop-os net.openvpn.v3.log[22569]: {tag:14675505194543856749} Client VERB1: Dynamic challenge provided successfully for 'REDACTED'
Jul 12 11:32:49 pop-os systemd[3018]: Started VTE child process 24884 launched by gnome-terminal-server process 5654.
Jul 12 11:32:57 pop-os net.openvpn.v3.log[22569]: {tag:13068056550154888169} Session Manager !! CRITICAL !!: Failed communicating with VPN backend: Failed calling D-Bus method Connect: Timeout was reached
I've also managed to get the tunnel working by using network's manager built-in OpenVPN support, everything works great there, so the issue seems to only occur with the v3 client after beta 14 update on Ubuntu 20.04 and it may have never worked correctly before on 21.04. (When I upgraded to 21.04, the system installed beta 14 of OpenVPN 3 client).
dsommers
commented
3 years ago Okay, so let's clarify a few things of what you have tested.
Using openvpn or NetworkManager - is using the OpenVPN 2.x generation of client. The openvpn3 or openvpn2 command line versions is using the OpenVPN 3 Linux client.
Can you run a few more commands and re-test the openvpn3 approach? First ensure no openvpn3 based sessions are running:
$ openvpn3 sessions-list
Then increase the log level, which must be done as root:
# openvpn3-admin log-service --log-level 6
# openvpn3-admin netcfg-service --config-set log-level 6
# killall -INT openvpn3-service-netcfgThen use two terminal windows, where you in the first start this command line:
$ openvpn3 log --log-level 6 --config AS:REDACTEDAnd as the same user running the command line above, run this in a second terminal:
$ openvpn3 session-start --config AS:REDACTEDPlease provide the full log output of the openvpn3 log command. I need the full log context from where the session starts to connect until the failure happens to understand where it might fail.
Akkowicz
commented
3 years ago Thank you for your response and sorry for confusion, I've done the steps that you've listed and I'm attaching the information that I've managed to gather.
Using the profile imported by openvpn3-as:
~$ openvpn3 log --log-level 6 --config AS:OUR.VPN.DOMAIN
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/a89a9872s0abas47d0s993cs8e500a0234ae
2021-07-12 13:00:21 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/1ed8be73x659ax40bbxa90cxe40fd4615bce
2021-07-12 13:00:21 Client INFO: Starting connection
2021-07-12 13:00:21 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:00:21 Client DEBUG: Using DNS resolver scope: global
2021-07-12 13:00:21 Client DEBUG: [Connect] DCO flag: disabled
2021-07-12 13:00:21 >> Connection, Client connecting
2021-07-12 13:00:21 Client DEBUG: OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit OVPN-DCO
2021-07-12 13:00:21 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-07-12 13:00:21 Client DEBUG: UNUSED OPTIONS
12 [verb] [3]
2021-07-12 13:00:21 Client VERB2: Resolving
2021-07-12 13:00:21 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:21 Client VERB1: Waiting for server response
2021-07-12 13:00:21 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:21 Client DEBUG: TCP recv EOF
2021-07-12 13:00:21 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:21 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:26 Client INFO: Reconnecting
2021-07-12 13:00:26 >> Connection, Client reconnect
2021-07-12 13:00:26 Client VERB2: Resolving
2021-07-12 13:00:26 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:26 Client VERB1: Waiting for server response
2021-07-12 13:00:26 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:26 Client DEBUG: TCP recv EOF
2021-07-12 13:00:26 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:26 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:31 Client INFO: Reconnecting
2021-07-12 13:00:31 >> Connection, Client reconnect
2021-07-12 13:00:31 Client VERB2: Resolving
2021-07-12 13:00:31 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:31 Client VERB1: Waiting for server response
2021-07-12 13:00:31 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:31 Client DEBUG: TCP recv EOF
2021-07-12 13:00:31 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:31 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:36 Client INFO: Reconnecting
2021-07-12 13:00:36 >> Connection, Client reconnect
2021-07-12 13:00:36 Client VERB2: Resolving
2021-07-12 13:00:36 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:36 Client VERB1: Waiting for server response
2021-07-12 13:00:36 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:36 Client DEBUG: TCP recv EOF
2021-07-12 13:00:36 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:36 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:41 Client INFO: Reconnecting
2021-07-12 13:00:41 >> Connection, Client reconnect
2021-07-12 13:00:41 Client VERB2: Resolving
2021-07-12 13:00:41 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:41 Client VERB1: Waiting for server response
2021-07-12 13:00:41 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:41 Client DEBUG: TCP recv EOF
2021-07-12 13:00:41 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:41 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:46 Client INFO: Reconnecting
2021-07-12 13:00:46 >> Connection, Client reconnect
2021-07-12 13:00:46 Client VERB2: Resolving
2021-07-12 13:00:46 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:46 Client VERB1: Waiting for server response
2021-07-12 13:00:46 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:46 Client DEBUG: TCP recv EOF
2021-07-12 13:00:46 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:46 Client DEBUG: Client terminated, restarting in 5000 ms...
Session closedIn client window: (it doesn't ask me for 2FA)
~$ openvpn3 session-start --config AS:OUR.VPN.DOMAIN
Using pre-loaded configuration profile 'AS:OUR.VPN.DOMAIN'
Session path: /net/openvpn/v3/sessions/a89a9872s0abas47d0s993cs8e500a0234ae
Auth User name: myvpn.username
Auth Password:
session-start: ** ERROR ** Failed to connect: Connection, Client reconnect
Using the profile file downloaded from OpenVPN AS WEB UI: (the one that works correctly in openvpn v2.x clients)
~$ openvpn3 log --log-level 6 --config ./profile-53.ovpn
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/10235fc0s3bbfs45cdsbaacs1640a3e3c353
2021-07-12 13:10:57 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/fd972649xc7fax4a74xb50exe658f4ab8120
2021-07-12 13:10:57 Client INFO: Starting connection
2021-07-12 13:10:57 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:10:57 Client DEBUG: Using DNS resolver scope: global
2021-07-12 13:10:57 Client DEBUG: [Connect] DCO flag: disabled
2021-07-12 13:10:57 >> Connection, Client connecting
2021-07-12 13:10:57 Client DEBUG: OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit OVPN-DCO
2021-07-12 13:10:57 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-07-12 13:10:57 Client DEBUG: UNUSED OPTIONS
1 [up] [/etc/openvpn/scripts/update-systemd-resolved]
2 [down] [/etc/openvpn/scripts/update-systemd-resolved]
3 [down-pre]
15 [verb] [3]
2021-07-12 13:10:57 Client VERB2: Resolving
2021-07-12 13:10:57 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:10:57 Client VERB1: Waiting for server response
2021-07-12 13:10:57 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:10:57 Client INFO: Connecting
2021-07-12 13:10:57 >> Connection, Client connecting
2021-07-12 13:10:57 Client DEBUG: Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCP_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-07-12 13:10:57 Client DEBUG: Creds: Username/Password
2021-07-12 13:10:57 Client DEBUG: Peer Info:
IV_VER=3.git:HEAD:fce979ec
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_GUI_VER=OpenVPN 3/Linux v14_beta/3.git:HEAD:fce979ec linux x86_64 64-bit
IV_SSO=openurl
IV_HWADDR=9067504b559a35f2905a039185daa2b37bd73637ca213885c7d5d2d5c6e9c5b8
IV_SSL=OpenSSL 1.1.1j 16 Feb 2021
2021-07-12 13:10:57 Client DEBUG: VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-07-12 13:10:57 Client DEBUG: VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-07-12 13:10:57 Client DEBUG: SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
2021-07-12 13:10:57 Client DEBUG: Session is ACTIVE
2021-07-12 13:10:57 Client VERB2: Retrieving configuration from server
2021-07-12 13:10:57 Client DEBUG: Sending PUSH_REQUEST to server...
2021-07-12 13:10:57 Client DEBUG: AUTH_FAILED
2021-07-12 13:10:57 Client DEBUG: DYNAMIC_CHALLENGE: |CRV1:R,E:PG_CKWCm1HMLEEir/P7:bWF0ZXVzei5wcnp5Ynlsb3dpY3o=:Enter Authenticator Code|
2021-07-12 13:10:57 >> Connection, Configuration requires user input: Dynamic Challenge
2021-07-12 13:10:57 Client DEBUG: Client exception in transport_recv: std::exception
2021-07-12 13:11:27 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/fd972649xc7fax4a74xb50exe658f4ab8120
2021-07-12 13:11:27 Client INFO: Starting connection
2021-07-12 13:11:27 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:11:27 Client VERB1: Dynamic challenge provided successfully for 'myvpn.username'
2021-07-12 13:11:27 Client DEBUG: Using DNS resolver scope: global
In client window (asks for 2FA, but hangs):
$ openvpn3 session-start --config ./profile-53.ovpn
Using pre-loaded configuration profile './profile-53.ovpn'
Session path: /net/openvpn/v3/sessions/10235fc0s3bbfs45cdsbaacs1640a3e3c353
Auth User name: myvpn.username
Auth Password:
Enter Authenticator Code: 085074
session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Connect: Timeout was reached
JorisVanEijden
commented
3 years ago Same issue here on Pop!_os 20.04 after Upgrade: openvpn3:amd64 (13~beta-1+focal, 14~beta+focal)
Looks like the Dynamic Challenge is broken (again).
Log output:
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/2aae8cf6s15d6s44b7s907csfd4f33679485
2021-07-12 13:23:41 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/7650d4aaxfce1x4933xa492x5ebc48adb80e
2021-07-12 13:23:41 Client INFO: Starting connection
2021-07-12 13:23:41 Client VERB1: Username/password provided successfully for 'joris.vaneijden'
2021-07-12 13:23:41 Client DEBUG: Using DNS resolver scope: global
2021-07-12 13:23:41 Client DEBUG: [Connect] DCO flag: disabled
2021-07-12 13:23:41 >> Connection, Client connecting
2021-07-12 13:23:41 Client DEBUG: OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit OVPN-DCO
2021-07-12 13:23:41 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-07-12 13:23:41 Client DEBUG: UNUSED OPTIONS
9 [nobind]
11 [rcvbuf] [0]
16 [sndbuf] [0]
18 [verb] [3]
2021-07-12 13:23:41 Client VERB2: Resolving
2021-07-12 13:23:41 Client DEBUG: Contacting xxx.xxx.xxx.xxx:944 via UDP
2021-07-12 13:23:41 Client VERB1: Waiting for server response
2021-07-12 13:23:41 Client DEBUG: Connecting to [REDACTED]:944 (xxx.xxx.xxx.xxx) via UDPv4
2021-07-12 13:23:41 Client INFO: Connecting
2021-07-12 13:23:41 >> Connection, Client connecting
2021-07-12 13:23:41 Client DEBUG: Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2021-07-12 13:23:41 Client DEBUG: Creds: Username/Password
2021-07-12 13:23:41 Client DEBUG: Peer Info:
IV_VER=3.git:HEAD:fce979ec
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OpenVPN 3/Linux v14_beta/3.git:HEAD:fce979ec linux x86_64 64-bit
IV_SSO=openurl
IV_HWADDR=cd47fdfc2c62fbfc4235ca5e2e804a5dd6e8fd973659812c3de864f5664cd660
IV_SSL=OpenSSL 1.1.1f 31 Mar 2020
2021-07-12 13:23:41 Client DEBUG: VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-07-12 13:23:41 Client DEBUG: VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-07-12 13:23:41 Client DEBUG: SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2021-07-12 13:23:41 Client DEBUG: Session is ACTIVE
2021-07-12 13:23:41 Client VERB2: Retrieving configuration from server
2021-07-12 13:23:41 Client DEBUG: Sending PUSH_REQUEST to server...
2021-07-12 13:23:42 Client DEBUG: Sending PUSH_REQUEST to server...
2021-07-12 13:23:42 Client DEBUG: AUTH_FAILED
2021-07-12 13:23:42 Client DEBUG: DYNAMIC_CHALLENGE: |CRV1:R,E:PG_zC61yg/mImAfCxr7:am9yaXMudmFuZWlqZGVu:Enter Authenticator Code|
2021-07-12 13:23:42 >> Connection, Configuration requires user input: Dynamic Challenge
2021-07-12 13:23:42 Client DEBUG: Client exception in transport_recv: std::exception
2021-07-12 13:24:16 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/7650d4aaxfce1x4933xa492x5ebc48adb80e
2021-07-12 13:24:16 Client INFO: Starting connection
2021-07-12 13:24:16 Client VERB1: Username/password provided successfully for 'joris.vaneijden'
2021-07-12 13:24:16 Client VERB1: Dynamic challenge provided successfully for 'joris.vaneijden'
2021-07-12 13:24:16 Client DEBUG: Using DNS resolver scope: globalSession-start output:
Session path: /net/openvpn/v3/sessions/2aae8cf6s15d6s44b7s907csfd4f33679485
Auth User name: joris.vaneijden
Auth Password:
Enter Authenticator Code: 048862
session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Connect: Timeout was reachedAfter this all openvpn3 commands become really slow and there appears to be some sort of ghost session:
$ time openvpn3 sessions-list
-----------------------------------------------------------------------------
Path: /net/openvpn/v3/sessions/2aae8cf6s15d6s44b7s907csfd4f33679485
Created: Mon Jul 12 13:23:18 2021 PID: 6681
Owner: jvaneijden Device: (None)
Config name: REDACTED
Status: (No status)
-----------------------------------------------------------------------------
real 1m15.079s
user 0m0.005s
sys 0m0.014s@JorisVanEijden Unfortunately, you do not have the same issue as @Akkowicz is not getting a connection at all, due to:
Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERRORYou on the other hand do get a connection, but are getting a AUTH_FAILED error after having a socket connection established with the server.
Akkowicz
commented
3 years ago When using the profile downloaded from Web UI, I'm getting the same messages as @JorisVanEijden
2021-07-12 13:10:57 >> Connection, Configuration requires user input: Dynamic Challenge
2021-07-12 13:10:57 Client DEBUG: Client exception in transport_recv: std::exception@Akkowicz It's interesting that you don't get the 2FA token question. Do you have static-challenge in your configuration file? If not, then it is expected - as it will query for that after connecting to the Access Server; the server replies with a "dynamic challenge" request. If you have static-challenge, it should ask for that token before connecting.
dsommers
commented
3 years ago I'll run some new Access Server 2FA/OTP tests on Hirsute and will report back.
Akkowicz
commented
3 years ago @Akkowicz It's interesting that you don't get the 2FA token question. Do you have
static-challengein your configuration file? If not, then it is expected - as it will query for that after connecting to the Access Server; the server replies with a "dynamic challenge" request. If you havestatic-challenge, it should ask for that token before connecting.
I have the static-challenge "Enter Authenticator Code" 1 entry in both auto-downloaded profile and the one from Web UI.
I'll run some new Access Server 2FA/OTP tests on Hirsute and will report back.
Thank you! Just to add some more information. we have Access Server version 2.9.1, it was last updated on 2021-06-28, the issue started on 2021-07-09. If you don't find anything during your testing, I'll try to get our company server updated and we'll try 2.9.2 to maybe rule out some server-client version incompatibility.
@JorisVanEijden what is your server version?
JorisVanEijden
commented
3 years ago @JorisVanEijden what is your server version?
Access Server version: 2.8.7
I've downgraded the client to version 13 in the meantime as a workaround. sudo apt install openvpn3=13~beta-1+focal
dsommers
commented
3 years ago Alright, I've just spun up quickly an AS 2.8.5 from Digital Ocean ... And I'm seeing issues when connecting to an account with 2FA/OTP enabled. I don't think this is AS related. There is an unexpected behavior in the v14_beta client.
dsommers
commented
3 years ago A potential change causing this misbehavior as been found (commit f1b1fdcd9461272bb388). Before reverting this change a lot of tests needs to be run across all supported Linux distributions and distro versions, which takes a bit of time.
suratovvlad
commented
3 years ago @dsommers Hello! I have the similar issue on Fedora 34 after update to version 14.
Could you please provide a previous RPM files (for Fedora 34 at least) to downgrade the package? I didn't find previous version on https://copr-be.cloud.fedoraproject.org/results/dsommers/openvpn3/fedora-34-x86_64/
dsommers
commented
3 years ago @suratovvlad We're working on a solution to fix this issue. Just to confirm ... you do also use 2FA based authentication against an Access Server?
suratovvlad
commented
3 years ago @suratovvlad We're working on a solution to fix this issue. Just to confirm ... you do also use 2FA based authentication against an Access Server?
Unfortunately, I don't know how exact it is configured in our company, I just know, that our company uses Two-Factor Authorization with Duo Mobile App for VPN connections
dsommers
commented
3 years ago @suratovvlad As Fedora Copr has removed the old release, I've put together a quick and very preliminary Fedora 34 build for this potential quickfix (reverting a certain commit). Would you be willing to test it out? You need to download the RPMs manually and install them using yum localinstall.
RPMs can be downloaded here: https://koji.fedoraproject.org/koji/taskinfo?taskID=71826786
You will need at least openvpn3-*.rpm, openvpn3-client-*.rpm and openvpn3-selinux-*.rpm.
dsommers
commented
3 years ago @Akkowicz I believe I have also located the issue to the other error you say, with Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR - that seems to be related to misbehavior with the tls-crypt-v2 feature (that didn't really work for a long while, if ever in openvpn3-linux).
I've started to wrap up a small release containing these fixes and will hopefully have something to share later today.
suratovvlad
commented
3 years ago @dsommers Awesome, thank you! I tested provided build, now I am able to connect to corporate VPN with 2FA!
dsommers
commented
3 years ago We are preparing for a v15_beta release by tomorrow; QE is beating the builds this evening/night.
And to set the expectations better ... this release will fix 2 issues:
tls-crypt-v2 usable via openvpn3 command line (openvpn2 and openvpn3-autoload are Python based and requires bigger changes and much more testing testing - that will arrive in a later release)QA efforts put into this release will be focusing on getting connectivity established using various ways of authentication methods (like certs only, only username/password, 2FA, web-auth used by OpenVPN Cloud)
dsommers
commented
3 years ago openvpn3-linux v15_beta has been released: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22630.html
JorisVanEijden
commented
3 years ago I can confirm that running an apt upgrade installs version 15 and solves my issue.
Thank you for the fast response and solution!
tmciver-mackey
commented
3 years ago I also confirm that this fix works. Thanks @dsommers for addressing this so quickly! Excellent work!
isosnovskyi
commented
3 years ago Version 15 doesn't work for me.
Here is logs from journalctl
Actually v.14 worked for me until today.
Starting session like this:
openvpn3 session-start --config ####/client.ovpn.
Installed also openvpn-systemd-resolved.
Following lines added to config:
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
@dsommers Can you take a look, please?
Akkowicz
commented
3 years ago AFAIK openvpn-systemd-resolved is for the legacy openvpn client, the openvpn3 client has support baked in.
From my side, I've had three cases that confirmed that the fix in v15 is working correctly for them.
The only issue that I've spotted is that the v15 is not available for hirsute in repos.
But this is probably reserved for another issue.
After updating my Pop OS (Ubuntu) from 20.04 to 21.04, the following issue appeared:
There were also some messages about D-bus connection timing out. My colleague confirmed a similar problem on standard Ubuntu LTS (20.04) after latest system updates.
My Dbus version:
My OpenVPN3 version:
The following logs can be seen in my system journal:
List of packages upgraded on my colleague's Ubuntu 20.04 which caused the issues: