Superbil / tunnelblick

Automatically exported from code.google.com/p/tunnelblick

Since 3.1 Tunnelblick does not prompt for username/password again when user authentication fails #165

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Open a VPN connection that requires username/password authentication
2. Enter a wrong password
3. Instead of asking again for username/password, in 3.1 the connection is just 
dropped, in 3.1.1 an error is displayed that an exception has occurred and the 
connection got dropped.

What is the expected output?

Before 3.1 Tunnelblick asked again for username/password when authentication 
failed.

What do you see instead?

With 3.1 the connection silently gets dropped. In 3.1.1 an error message is 
displayed saying that the connection has unexpectedly been dropped.

What version of Tunnelblick are you using? On what version of OS X?
 3.1 respectively 3.1.1 on 10.6.5

Logs when authentication fails:
2010-12-20 22:18:39 AUTH: Received AUTH_FAILED control message
2010-12-20 22:18:39 TCP/UDP: Closing socket

Original issue reported on code.google.com by stefan.k...@gtempaccount.com on 20 Dec 2010 at 9:31

GoogleCodeExporter commented 9 years ago
Thanks for this report.

I will not be able to look into it for several days, but it will be a high 
priority.

Original comment by jkbull...@gmail.com on 21 Dec 2010 at 9:24

GoogleCodeExporter commented 9 years ago
Short answer: add "auth-user interact" to your configuration file.

Please respond as to whether or not this helps you.

Background:

OpenVPN has an "auth-retry" option that can appear in the client configuration 
file (the .conf or .ovpn file). This option cannot be pushed from the server.

If this option does not appear or is "auth-retry none", this causes OpenVPN to 
exit with a fatal error. That's what you are seeing.

If this option is set to "auth-retry interact", the user will be told of the 
problem and will be able to reenter the username/password. If the 
username/password came from the Keychain, the user will be asked if they want 
to remove the saved username/password from the Keychain before retrying.

If this option is set to "auth-retry nointeract", the user will not be told of 
the problem (other than via the log) and OpenVPN will retry. This is used for 
"unattended" operation, where the authorization may fail due to network or 
other transient problems.

I think your client configuration file does not include "auth-retry interact". 
That would cause the behavior you are seeing.

Original comment by jkbull...@gmail.com on 26 Dec 2010 at 9:41
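
Added example (not part of the original thread and not Tunnelblick or OpenVPN code): a shell check that reports which of the "auth-retry" behaviours described in the comment above a client configuration file will get when the server answers AUTH_FAILED. The function names, sample file names and host name are hypothetical, and it assumes that when the option is repeated the last occurrence applies.

```shell
#!/bin/sh
# Print the effective auth-retry mode of the OpenVPN client config in $1:
#   n/a         no auth-user-pass, so no username/password is involved
#   none        auth-retry absent or "none": AUTH_FAILED makes OpenVPN exit
#   interact    the user is told and can re-enter the credentials
#   nointeract  OpenVPN retries without telling the user
#   invalid:X   unrecognised value X
auth_retry_mode() {
    awk '
        { sub(/[#;].*/, "") }            # strip comments
        NF == 0 { next }                 # skip blank lines
        $1 == "auth-user-pass" { userpass = 1 }
        # Assumption: when the option is repeated, the last one applies.
        $1 == "auth-retry" { seen = 1; mode = $2 }
        END {
            if (!userpass) print "n/a"
            else if (!seen) print "none"
            else if (mode ~ /^(none|interact|nointeract)$/) print mode
            else print "invalid:" mode
        }
    ' "$1"
}

# Succeed unless a rejected password would drop the connection without a retry.
check_config() {
    mode=$(auth_retry_mode "$1")
    case $mode in
        none)      echo "$1: AUTH_FAILED is fatal; add \"auth-retry interact\""; return 1 ;;
        invalid:*) echo "$1: unrecognised auth-retry value"; return 1 ;;
        *)         echo "$1: auth-retry mode is $mode"; return 0 ;;
    esac
}

# Constructed sample configs (hypothetical host name), written to directory $1.
make_samples() {
    printf 'client\nremote vpn.example.com 1194\nauth-user-pass\n' > "$1/drops.ovpn"
    printf 'client\nauth-user-pass\n# auth-retry nointeract\nauth-retry interact\n' > "$1/prompts.ovpn"
    printf 'client\nauth-user-pass\nauth-retry nointeract ; unattended\n' > "$1/silent.conf"
    printf 'client\ncert client.crt\nkey client.key\n' > "$1/certonly.ovpn"
}

samples=$(mktemp -d)
make_samples "$samples"
for f in "$samples"/*; do check_config "$f" || true; done
rm -rf "$samples"
```

Because the option cannot be pushed from the server, the check has to run against each client's own .conf or .ovpn file.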

GoogleCodeExporter commented 9 years ago
There is also a situation where the username/password are incorrect, but the 
server doesn't send that information back to the client, but instead resets the 
connection again and again. (This may be an attempt on the part of the server 
to deal with what it thinks is an attack.)

The OpenVPN client only sees the reset of the connection and sees nothing to 
indicate that the username/password are incorrect. The repeated resets cause 
the OpenVPN client to continually try to reconnect until the user manually 
disconnects.

There is nothing that Tunnelblick can do about this behavior; it is entirely up 
to the OpenVPN server.

Original comment by jkbull...@gmail.com on 27 Dec 2010 at 12:52

GoogleCodeExporter commented 9 years ago
auth-retry interact

in the client config file fixed the problem. I wasn't aware of this new option 
that came in with OpenVPN 2.1.

Thanks for the quick response and for the great work on Tunnelblick! :)

Original comment by stefan.k...@gtempaccount.com on 27 Dec 2010 at 4:22