Closed mehdizj2000 closed 2 years ago
This version is broken: openvpn3-17-2.beta1.fc35. I had to downgrade it to version openvpn3-16-1.beta1.fc35.
Yep, same problem here on ubuntu, when using the latest version (V17_beta) available in the repo:
deb https://swupdate.openvpn.net/community/openvpn3/repos focal main
I'm authenticating with 2FA and I had the "User authentication failed" error after entering the OTP. It's working as well after downgrading to the following version:
OpenVPN 3/Linux v16_beta (openvpn3)
OpenVPN core 3.git:HEAD:b47c72b4 linux x86_64 64-bit
Can you please provide logs? Try using the openvpn2 command provided by this project and add --verb 6 as the last argument to the command line.
There is nothing really standing out in regards changes which should affect 2FA authentication. But there might be a side-effect of another not directly related change. Logs might shed some light to this issue.
Here are my logs:
Press CTRL-C to stop the connection
2021-12-22 11:40:25.279990 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CFG_OK) config_path=/net/openvpn/v3/configuration/da142e42x7a1cx42cbx9c41xd27ea5fa39ed
2021-12-22 11:40:25.280061 [LOG] Starting connection
2021-12-22 11:40:25.280091 [LOG] Username/password provided successfully for 'tailt5'
2021-12-22 11:40:25.280114 [LOG] Using DNS resolver scope: global
2021-12-22 11:40:25.280137 [LOG] [Connect] DCO flag: disabled
2021-12-22 11:40:25.280162 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2021-12-22 11:40:25.280189 [LOG] OpenVPN core 3.git:HEAD:7765540e linux x86_64 64-bit OVPN-DCO
2021-12-22 11:40:25.280211 [LOG] Frame=512/2048/512 mssfix-ctrl=1250
2021-12-22 11:40:25.280232 [LOG] UNUSED OPTIONS
17 [verb] [6]
2021-12-22 11:40:25.280257 [LOG] Resolving
2021-12-22 11:40:25.283791 [LOG] Contacting 120.138.70.212:443 via TCP
2021-12-22 11:40:25.283844 [LOG] Waiting for server response
2021-12-22 11:40:25.302210 [LOG] Connecting to [ovpn.vng.com.vn]:443 (120.138.70.212) via TCP
2021-12-22 11:40:25.313132 [LOG] Connecting
2021-12-22 11:40:25.313208 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2021-12-22 11:40:25.313293 [LOG] Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-22 11:40:25.313332 [LOG] Creds: Username/Password
2021-12-22 11:40:25.313384 [LOG] Peer Info:
IV_VER=3.git:HEAD:7765540e
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OpenVPN 3/Linux v17_beta/3.git:HEAD:7765540e linux x86_64 64-bit
IV_SSO=openurl,webauth
IV_HWADDR=f630dc0165c00e85153711a36e47d6f04ed1a44c58a28049be552fc3bb4cf8ac
IV_SSL=OpenSSL 1.1.1j 16 Feb 2021
IV_BS64DL=1
2021-12-22 11:40:25.347717 [LOG] VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-12-22 11:40:25.347965 [LOG] VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-12-22 11:40:25.420577 [LOG] SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2021-12-22 11:40:25.420816 [LOG] Session is ACTIVE
2021-12-22 11:40:25.421076 [LOG] Retrieving configuration from server
2021-12-22 11:40:25.421297 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:26.422564 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:26.431088 [LOG] OPTIONS:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [ping] [5]
8 [ping-restart] [300]
9 [socket-flags] [TCP_NODELAY]
10 [auth-token] ...
11 [compress] [stub]
12 [redirect-private] [def1]
13 [redirect-private] [bypass-dhcp]
14 [redirect-private] [autolocal]
15 [route-gateway] [10.79.0.1]
16 [route] [192.168.0.0] [255.255.0.0]
17 [route] [10.0.0.0] [255.0.0.0]
18 [dhcp-option] [DNS] [10.60.30.17]
19 [dhcp-option] [DNS] [10.60.30.18]
20 [dhcp-option] [DOMAIN] [vng.com.vn]
21 [dhcp-option] [DISABLE-NBT]
22 [register-dns]
23 [block-ipv6]
24 [ifconfig] [10.79.61.197] [255.255.128.0]
2021-12-22 11:40:26.431733 [LOG] Session token: [redacted]
2021-12-22 11:40:26.431846 [LOG] PROTOCOL OPTIONS:
cipher: BF-CBC
digest: SHA1
key-derivation: OpenVPN PRF
compress: COMP_STUB
peer ID: -1
control channel: tls-auth enabled
2021-12-22 11:40:26.458778 [LOG] Unknown pushed DHCP option: [dhcp-option] [DISABLE-NBT]
2021-12-22 11:40:26.464143 [LOG] Session name: 'ovpn.vng.com.vn'
2021-12-22 11:40:26.507084 [LOG] Connected via tun
2021-12-22 11:40:26.507334 [LOG] Per-Key Data Limit: 48000000/48000000
2021-12-22 11:40:26.507403 [LOG] Client exception in transport_recv: crypto_alg: BF-CBC: bad cipher for data channel use
2021-12-22 11:40:26.507495 [LOG] Client terminated, restarting in 2000 ms...
2021-12-22 11:40:28.508341 [LOG] Resolving
2021-12-22 11:40:28.536367 [LOG] Contacting 120.138.70.212:443 via TCP
2021-12-22 11:40:28.536748 [LOG] Waiting for server response
2021-12-22 11:40:28.551173 [LOG] Connecting to [ovpn.vng.com.vn]:443 (120.138.70.212) via TCP
2021-12-22 11:40:28.554534 [LOG] Connecting
2021-12-22 11:40:28.554641 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2021-12-22 11:40:28.554759 [LOG] Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-22 11:40:28.554869 [LOG] Creds: Username/SessionID
2021-12-22 11:40:28.554923 [LOG] Peer Info:
IV_VER=3.git:HEAD:7765540e
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OpenVPN 3/Linux v17_beta/3.git:HEAD:7765540e linux x86_64 64-bit
IV_SSO=openurl,webauth
IV_HWADDR=f630dc0165c00e85153711a36e47d6f04ed1a44c58a28049be552fc3bb4cf8ac
IV_SSL=OpenSSL 1.1.1j 16 Feb 2021
IV_BS64DL=1
2021-12-22 11:40:28.622374 [LOG] VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-12-22 11:40:28.622599 [LOG] VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-12-22 11:40:28.661518 [LOG] SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2021-12-22 11:40:28.661935 [LOG] Session is ACTIVE
2021-12-22 11:40:28.662126 [LOG] Retrieving configuration from server
2021-12-22 11:40:28.662289 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:29.662693 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:29.780207 [LOG] SESSION_AUTH_FAILED
2021-12-22 11:40:29.780431 [LOG] Client terminated, restarting in 2000 ms...
2021-12-22 11:40:31.779057 [LOG] Resolving
2021-12-22 11:40:31.792497 [LOG] Contacting 120.138.70.212:443 via TCP
2021-12-22 11:40:31.792822 [LOG] Waiting for server response
2021-12-22 11:40:31.823841 [LOG] Connecting to [ovpn.vng.com.vn]:443 (120.138.70.212) via TCP
2021-12-22 11:40:31.832311 [LOG] Connecting
2021-12-22 11:40:31.832513 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_CONNECTING)
2021-12-22 11:40:31.832662 [LOG] Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-22 11:40:31.832781 [LOG] Creds: Username/Password
2021-12-22 11:40:31.833122 [LOG] Peer Info:
IV_VER=3.git:HEAD:7765540e
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OpenVPN 3/Linux v17_beta/3.git:HEAD:7765540e linux x86_64 64-bit
IV_SSO=openurl,webauth
IV_HWADDR=f630dc0165c00e85153711a36e47d6f04ed1a44c58a28049be552fc3bb4cf8ac
IV_SSL=OpenSSL 1.1.1j 16 Feb 2021
IV_BS64DL=1
2021-12-22 11:40:31.904778 [LOG] VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-12-22 11:40:31.905079 [LOG] VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-12-22 11:40:31.954898 [LOG] SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2021-12-22 11:40:31.955128 [LOG] Session is ACTIVE
2021-12-22 11:40:31.955496 [LOG] Retrieving configuration from server
2021-12-22 11:40:31.955701 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:32.954790 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:33.062235 [LOG] AUTH_FAILED
2021-12-22 11:40:33.062704 [LOG] Authentication failed
2021-12-22 11:40:33.062950 [STATUS] (StatusMajor.CONNECTION, StatusMinor.CONN_AUTH_FAILED) Authentication failed
Session manager initiated disconnect...
Disconnected
Hi,
On Tue, Dec 21, 2021 at 08:41:39PM -0800, LTT wrote:
2021-12-22 11:40:26.507403 [LOG] Client exception in transport_recv: crypto_alg: BF-CBC: bad cipher for data channel use
That's the real issue here, the client does not want to use the (old and no longer considered secure) cipher that the server is offering.
Your server seems to be... ancient. As in "older than 2.4.0", which is generally not a good idea.
But anyway, after this, the client is retrying...
2021-12-22 11:40:28.536367 [LOG] Contacting 120.138.70.212:443 via TCP
2021-12-22 11:40:28.536748 [LOG] Waiting for server response
[..]
2021-12-22 11:40:28.662289 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:29.662693 [LOG] Sending PUSH_REQUEST to server...
2021-12-22 11:40:29.780207 [LOG] SESSION_AUTH_FAILED
... and the server now tells it "your 2FA auth has been used before, so, no, you cannot use that one again".
Now, the best fix would be to upgrade the server to something more recent. If that is not possible, there might be a switch to tell the client "well, BF-CBC is okayish, for now" - I wouldn't know how to configure that on ovpn3, though.
Gert Doering - Munich, Germany
This is not unexpected at all. And from the release notes for v17_beta (Release notes in git tag):
Behavior change: Only AEAD ciphers available for data channel by default
As part of the OpenSSL 3 support, non-AEAD ciphers are no longer enabled by default for the data channel cipher. That means essentially only AES-GCM and, if the TLS library supports it, ChaCha20-Poly1305.
To restore the previous behaviour, the configuration profile must be imported via openvpn3 config-import and then use an override setting:
This possibility is present only for a limited time, to provide a quick resolution so the server side can be upgraded in a more timely way. But this option WILL be removed in a future release, so don't postpone the server upgrade too long.
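An added triage helper, not part of openvpn3-linux or of this thread, that reads the kind of `openvpn2 --verb 6` output posted above and separates a genuine credential failure from the chain Gert describes: the server's non-AEAD data-channel cipher (BF-CBC) is rejected by the v17 client, the client reconnects with its session token, the server answers SESSION_AUTH_FAILED, and the final password retry fails because the one-time code has already been consumed. The sample log is constructed from the lines above with timestamps stripped; the field names and verdict strings are this example's own.

```python
import re

# Constructed sample: the decisive lines from an `openvpn2 --verb 6` run, timestamps stripped.
SAMPLE_LOG = """\
[LOG] Tunnel Options:V4,dev-type tun,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,tls-auth,tls-client
[LOG] Creds: Username/Password
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
[LOG] Client exception in transport_recv: crypto_alg: BF-CBC: bad cipher for data channel use
[LOG] Client terminated, restarting in 2000 ms...
[LOG] Creds: Username/SessionID
[LOG] SESSION_AUTH_FAILED
[LOG] Creds: Username/Password
[LOG] AUTH_FAILED
"""

CONFIG_CIPHER_RE = re.compile(r"Tunnel Options:.*?,cipher ([A-Z0-9-]+)")
OFFERED_RE = re.compile(r"^IV_CIPHERS=(\S+)", re.M)
REJECTED_RE = re.compile(r"crypto_alg: ([A-Z0-9-]+): bad cipher for data channel use")

def triage(log_text: str) -> dict:
    """Tell a real credential failure from the knock-on effect of a rejected data-channel cipher."""
    cfg = CONFIG_CIPHER_RE.search(log_text)
    offered = OFFERED_RE.search(log_text)
    rejected = REJECTED_RE.search(log_text)
    r = {
        "config_cipher": cfg.group(1) if cfg else None,
        "client_ciphers": offered.group(1).split(":") if offered else [],
        "rejected_cipher": rejected.group(1) if rejected else None,
        "session_token_reauth_failed": False,
        "password_auth_failed": False,
    }
    # SESSION_AUTH_FAILED right after a SessionID reconnect = replayed one-time token refused.
    reconnecting_with_token = False
    for line in log_text.splitlines():
        if "Creds: Username/" in line:
            reconnecting_with_token = line.rstrip().endswith("SessionID")
        elif "SESSION_AUTH_FAILED" in line and reconnecting_with_token:
            r["session_token_reauth_failed"] = True
        elif line.rstrip().endswith(" AUTH_FAILED"):  # the plain AUTH_FAILED line
            r["password_auth_failed"] = True
    if r["rejected_cipher"] and r["rejected_cipher"] not in r["client_ciphers"]:
        r["verdict"] = (f"cipher mismatch: server data channel uses {r['rejected_cipher']}, client "
                        f"offers only {', '.join(r['client_ciphers'])}; the later AUTH_FAILED is a "
                        "side effect (the one-time code was consumed by the first attempt)")
    elif r["password_auth_failed"]:
        r["verdict"] = "credential failure: the server rejected the username/password itself"
    else:
        r["verdict"] = "no authentication failure found"
    return r
```

A "cipher mismatch" verdict points at the server's cipher configuration (or, for a limited time, the client-side override the release notes mention), not at the user's credentials.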
I have been using openvpn3 for months using the same ovpn config file and use/pass with no issues.
Today morning I woke up and tried to connect to my VPN server and found out it gives me this error: session-start: ERROR User authentication failed
I tried the same ovpn file and user/pass on my phone using the OpenVPN client and it worked fine. It means the VPN server is okay and it is the Linux openvpn3 client that has some issues connecting to it.
Also, I want to know how to get verbose details of starting a session so I may be able to see what is happening in the background, or even to provide a log of the issue.
Here is my openvpn3 client version:
OpenVPN 3/Linux v17_beta (openvpn3)
OpenVPN core 3.git:HEAD:7765540e linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
OS: Fedora 35