schwabe / ics-openvpn

OpenVPN for Android

OpenVPN not connecting with auth-user-pass #1407

Closed yoopernc closed 2 years ago

yoopernc commented 2 years ago

I am trying to apply a VPN Profile containing auth-user-pass, but OpenVPN is not prompting for the Username/Password. I should note that this process works if I am using OpenVPN in a Work Profile on the device. However, this issue is related to using OpenVPN in the Personal/System space. Also, if I set up the OpenVPN Profile after the device is provisioned and online, the process below works. It only fails during provisioning.

General information

  1. Android Version 10
  2. Android Vendor/Custom ROM - N/A
  3. Device - Samsung Galaxy S20 5G
  4. Version of the app - 0.7.29 downloaded from GitHub

Description of the issue

I'm running my company's provisioning software to set up this device. One thing that is being added is a VPN connection using OpenVPN. When I pass in the certs and private key, this works fine. But when I add auth-user-pass, along with resolv-retry infinite and setenv CLIENT_CERT 0 to the profile, and then call addNewVPNProfile and startProfile, I never get anything back from OpenVPN. I have traces in my IOpenVPNStatusCallback, and expect to see connection status there, but nothing arrives.

I have a WiFi connection, and I know that the VPN Server is active and awaiting connections, as proven by the fact that I can set the VPN Profile after provisioning.

Are there any logs that I can enable to learn more about what OpenVPN is expecting and/or doing at this point? Are there log entries in adb logcat that I can search for to get more information?

schwabe commented 2 years ago

What does the normal OpenVPN for Android Log show?

yoopernc commented 2 years ago

Unfortunately, during device provisioning, I do not have access to that. What I see when it works is the two OpenVPN permissions followed by the Username/Password entry screen. After that, the IOpenVPNStatusCallback gets the following in the state and level parameters:

When it fails, I never see any of the above statuses.

At which time, we call disconnect(), and finish our device provisioning. Once the device reboots, I can then start OpenVPN and tap on the Profile Name to connect to the VPN Server. At that time, I can see the OpenVPN log messages.

schwabe commented 2 years ago

So do you pass auth-user-pass without credentials so the app should pop up a message asking for the credentials, or <auth-user-pass>\nuser\pass\</auth-user-pass> with embedded credentials?

yoopernc commented 2 years ago

This is using auth-user-pass without credentials in the VPN Profile. We would like OpenVPN to prompt for user/pass and then come back with successful or failed connection. If failed, we would like OpenVPN to prompt for user/pass again, in case it was entered incorrectly. If successful, we'll disconnect and complete our provisioning. Then the user can connect to VPN after the device has rebooted.

Edit: Actually, if I receive an AUTH_FAILED in the StatusCallback, I will initiate another connection request with the same profile to prompt the user for the correct Username and Password.

schwabe commented 2 years ago

The reason is probably that VPNs started by the external service skip the initial check step that checks some errors and also checks if it needs to ask for username password. Is this started by the external service or by a user tapping on a VPN profile?

yoopernc commented 2 years ago

This is started using the IOpenVPNAPIService and IOpenVPNAPICallback interfaces. Basically, I'm creating a new ServiceConnection(), and upon receipt of onServiceConnected, I request permissions, and then addNewVPNProfile. After this, I may or may not try to connect using startProfile to verify the configuration works. I hope this helps.
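
Added example, not part of the thread and not code from ics-openvpn: a pre-flight check a provisioning tool could run on the profile text before calling startProfile, to tell the bare auth-user-pass directive (which depends on an interactive credential prompt) from the inline and file forms discussed above. The function names, sample profiles, host name and file path are constructed for illustration.

```python
import re

# Constructed sample profiles (not taken from the issue).
BARE = "client\nremote vpn.example.com 1194\nsetenv CLIENT_CERT 0\nauth-user-pass\n"
INLINE = "client\n<auth-user-pass>\nalice\nexample-password\n</auth-user-pass>\n"
FILE_REF = "client\nauth-user-pass /sdcard/creds.txt  # path form\n"
CERT_ONLY = "client\nremote vpn.example.com 1194\n"
IN_BLOCK = "client\n<ca>\nauth-user-pass\n</ca>\n"  # text inside a block is not a directive


def classify_auth_user_pass(profile: str) -> str:
    """Return 'none', 'prompt', 'file' or 'inline' for an OpenVPN profile."""
    result = "none"
    inline_tag = None  # name of the inline <tag> block we are inside, if any
    for raw in profile.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue  # skip block contents (keys, certs, credentials)
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            if inline_tag == "auth-user-pass":
                return "inline"  # credentials are embedded in the profile
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break  # trailing comment
            tokens.append(tok)
        if tokens and tokens[0] == "auth-user-pass":
            # An argument is a credentials file; no argument means "ask the user".
            result = "file" if len(tokens) > 1 else "prompt"
    return result


def safe_to_start_headless(profile: str) -> bool:
    """False when connecting would need an interactive credential prompt."""
    return classify_auth_user_pass(profile) != "prompt"
```

A result of 'inline' or 'file' also tells the provisioning side that the profile carries or references stored credentials, which is worth flagging before the profile is pushed to a device.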