
#1 2024-05-14 07:33:29

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Problem connecting with OpenVPN

Hi,

For about a week, after upgrading packages, I can no longer connect with NetworkManager and OpenVPN.

My OpenVPN server uses OTP.

I re-downloaded the OpenVPN client file and re-added it to NetworkManager from the config panel, but that does not help. When I start the connection it asks for the OTP, then times out after a while.

I managed to connect from the command line by adding these lines to my OpenVPN file:

auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
data-ciphers "AES-256-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

This is my OpenVPN file

dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote *** 443
redirect-gateway def1
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass
tls-version-min 1.2
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
data-ciphers "AES-256-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
;remember_connection 0
;auto_reconnect 1

This is the NetworkManager log when I try to connect

May 14 09:23:52 ws23 NetworkManager[13661]: <info>  [1715671432.2954] vpn[0x581debaaad50,66c9f478-db05-4b45-84d2-2992d66bd8ab,"client"]: starting openvpn
May 14 09:23:52 ws23 NetworkManager[13661]: <info>  [1715671432.2961] audit: op="connection-activate" uuid="66c9f478-db05-4b45-84d2-2992d66bd8ab" name="client" pid=13845 uid=1000 result="success"
May 14 09:23:52 ws23 nm-openvpn[13893]: OpenVPN 2.6.10 [git:makepkg/ba0f62fb950c56a0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Mar 20 2024
May 14 09:23:52 ws23 nm-openvpn[13893]: library versions: OpenSSL 3.3.0 9 Apr 2024, LZO 2.10
May 14 09:23:52 ws23 nm-openvpn[13893]: DCO version: N/A
May 14 09:23:52 ws23 nm-openvpn[13893]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May 14 09:23:52 ws23 nm-openvpn[13893]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 14 09:23:52 ws23 nm-openvpn[13893]: TCP/UDP: Preserving recently used remote address: [AF_INET]***:443
May 14 09:23:52 ws23 nm-openvpn[13893]: Attempting to establish TCP connection with [AF_INET]***:443
May 14 09:23:52 ws23 nm-openvpn[13893]: TCP connection established with [AF_INET]***:443
May 14 09:23:52 ws23 nm-openvpn[13893]: TCPv4_CLIENT link local: (not bound)
May 14 09:23:52 ws23 nm-openvpn[13893]: TCPv4_CLIENT link remote: [AF_INET]***:443
May 14 09:23:52 ws23 nm-openvpn[13893]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 14 09:23:53 ws23 nm-openvpn[13893]: [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]***:443
May 14 09:23:54 ws23 nm-openvpn[13893]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:1285:Qml0c2VydmljZQ==:Type your one-time password
May 14 09:24:53 ws23 NetworkManager[13661]: <warn>  [1715671493.0962] vpn[0x581debaaad50,66c9f478-db05-4b45-84d2-2992d66bd8ab,"client"]: connect timeout exceeded
May 14 09:24:53 ws23 nm-openvpn[13893]: ERROR: could not read Auth username/password/ok/string from management interface
May 14 09:24:53 ws23 nm-openvpn[13893]: Exiting due to fatal error

My suspicion is that NetworkManager can no longer retrieve the OTP from the input modal dialog that opens when I start the connection, but it is just a suspicion.

These are my NetworkManager packages

glib-networking 1:2.80.0-1
haskell-network 3.1.4.0-20
haskell-network-byte-order 0.1.7-2
haskell-network-uri 2.6.4.2-31
kde-network-meta 24.02-2
kdenetwork-filesharing 24.02.2-1
network-manager-sstp 1.3.2-1
networkmanager 1.46.0-2
networkmanager-fortisslvpn 1.4.0-4
networkmanager-l2tp 1.20.14-1
networkmanager-openconnect 1.2.10-1
networkmanager-openvpn-git 1.11.0.r1.g595fe7d-1
networkmanager-pptp 1.2.12-3
networkmanager-qt 6.2.0-1
networkmanager-qt5 5.115.0-1
networkmanager-strongswan 1.6.0-1
networkmanager-vpnc 1.2.8-3
qt5-networkauth 5.15.13-1
qt6-networkauth 6.7.0-1

Last edited by fbnatvista (2024-05-14 14:15:15)


#2 2024-05-14 13:00:41

-thc
Member
Registered: 2017-03-15
Posts: 560

Re: Problem connecting with OpenVPN

Please use code tags to post outputs or file contents.

Try removing both

auth-token-user USER
auth-token TOTP

They are not meant to be used in this way.


#3 2024-05-14 14:08:15

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Re: Problem connecting with OpenVPN

Same result

May 14 16:04:08 ws23 nm-openvpn[97954]: [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]***:443
May 14 16:04:09 ws23 nm-openvpn[97954]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:1764:Qml0c2VydmljZQ==:Type your one-time password
May 14 16:04:09 ws23 nm-openvpn[97954]: SIGUSR1[soft,auth-failure] received, process restarting
May 14 16:05:08 ws23 NetworkManager[13661]: <warn>  [1715695508.0963] vpn[0x581debbf5970,612104d5-aca6-49f1-86bd-7418cda9e28a,"client"]: connect timeout exceeded
May 14 16:05:08 ws23 nm-openvpn[97954]: ERROR: could not read Auth username/password/ok/string from management interface
May 14 16:05:08 ws23 nm-openvpn[97954]: Exiting due to fatal error


#4 2024-05-14 17:05:03

-thc
Member
Registered: 2017-03-15
Posts: 560

Re: Problem connecting with OpenVPN

Do you need username/password and an OTP or only an OTP?


#5 2024-05-15 07:11:27

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Re: Problem connecting with OpenVPN

Username/password and OTP.

Usually I save the username/password in the NetworkManager configuration, so during connection the OTP dialog opens and then I fill it in.


#6 2024-05-15 07:48:12

-thc
Member
Registered: 2017-03-15
Posts: 560

Re: Problem connecting with OpenVPN

O.K. Try this:

Remove

auth-retry interact

from your config and add

static-challenge "Enter your OTP" 0

to your config below "auth-user-pass"


#7 2024-05-15 09:05:16

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Re: Problem connecting with OpenVPN

Got this error now

May 15 10:59:00 ws23 nm-openvpn[37334]: TCPv4_CLIENT link local: (not bound)
May 15 10:59:00 ws23 nm-openvpn[37334]: TCPv4_CLIENT link remote: [AF_INET]***:443
May 15 10:59:00 ws23 nm-openvpn[37334]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
May 15 10:59:01 ws23 nm-openvpn[37334]: [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]***:443
May 15 10:59:02 ws23 nm-openvpn[37334]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:1264:Yml0c2VydmljZQ==:Type your one-time password
May 15 10:59:02 ws23 nm-openvpn[37334]: SIGUSR1[soft,auth-failure] received, process restarting
May 15 11:00:01 ws23 NetworkManager[682]: <warn>  [1715763601.0705] vpn[0x654c0ed01f00,4a99868e-859f-4366-836a-abe6bb934fae,"client"]: connect timeout exceeded
May 15 11:00:01 ws23 nm-openvpn[37334]: ERROR: could not read Auth username/password/ok/string from management interface
May 15 11:00:01 ws23 nm-openvpn[37334]: Exiting due to fatal error

After the first timeout, if I retry connecting, I immediately get

May 15 11:00:49 ws23 NetworkManager[682]: <info>  [1715763649.3341] vpn[0x654c0ed009f0,4a99868e-859f-4366-836a-abe6bb934fae,"client"]: starting openvpn
May 15 11:00:49 ws23 NetworkManager[682]: <info>  [1715763649.3347] audit: op="connection-activate" uuid="4a99868e-859f-4366-836a-abe6bb934fae" name="client" pid=37251 uid=1000 result="success"
May 15 11:00:49 ws23 NetworkManager[682]: <warn>  [1715763649.3975] vpn[0x654c0ed009f0,4a99868e-859f-4366-836a-abe6bb934fae,"client"]: connect: failed to connect interactively: 'GDBus.Error:org.freedesktop.NetworkManager.VPN.Error.BadArguments: property “x-dynamic-challenge-echo:challenge-response” invalid or not supported'

I need to remove the profile from the control panel and import the VPN client file again to have it ask for the OTP again.
This behavior happens with all the config vars I have tested so far in the VPN config file.

P.S. Again, the file was working fine until some weeks ago.

Last edited by fbnatvista (2024-05-15 09:05:53)

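The `AUTH_FAILED,CRV1:...` line in the logs above is OpenVPN's dynamic challenge/response message, and the `static-challenge` directive suggested in post #6 uses a different reply encoding. The following sketch is an added example, not part of any post in this thread: it parses the control message and builds both reply forms, following the field layout in OpenVPN's management-interface notes. The sample log line, username, password and OTP are constructed, and the function names are hypothetical. It goes beyond the thread by also showing the static (`SCRV1`) form.

```python
import base64
from dataclasses import dataclass

MARKER = "AUTH_FAILED,CRV1:"

# Constructed sample, same shape as the nm-openvpn lines in this thread.
SAMPLE_LOG_LINE = ("May 14 09:23:54 host nm-openvpn[1]: AUTH: Received control "
                   "message: AUTH_FAILED,CRV1:R,E:1000:YWxpY2U=:Type your one-time password")

@dataclass
class Crv1Challenge:
    echo: bool               # flag E: the typed response may be shown on screen
    response_required: bool  # flag R: the user must supply a response
    state_id: str            # opaque server token, returned unchanged in the reply
    username: str            # base64-decoded; encoding only, not protection
    text: str                # prompt shown to the user

def challenge_from_log(line: str) -> Crv1Challenge:
    """Parse AUTH_FAILED,CRV1:<flags>:<state_id>:<username_b64>:<challenge_text>."""
    start = line.find(MARKER)
    if start < 0:
        raise ValueError("no CRV1 dynamic challenge in this line")
    # The prompt may itself contain ':', so split off only the first three fields.
    fields = line[start + len(MARKER):].rstrip("\n").split(":", 3)
    if len(fields) != 4:
        raise ValueError("truncated CRV1 message")
    flags, state_id, user_b64, text = fields
    flag_set = {f for f in flags.split(",") if f}
    username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    return Crv1Challenge("E" in flag_set, "R" in flag_set, state_id, username, text)

def dynamic_response(ch: Crv1Challenge, otp: str) -> tuple[str, str]:
    """Username/password pair the client sends on the retry after a CRV1 challenge."""
    return ch.username, f"CRV1::{ch.state_id}::{otp}"

def static_response(password: str, otp: str) -> str:
    """Password string used with 'static-challenge': both parts base64-encoded."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return f"SCRV1:{b64(password)}:{b64(otp)}"

if __name__ == "__main__":
    ch = challenge_from_log(SAMPLE_LOG_LINE)
    print(ch)
    print(dynamic_response(ch, "123456"))
    print(static_response("hunter2", "123456"))
```

Because the username field is only base64-encoded, it is worth redacting along with the server address before sharing such logs.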

#8 2024-05-15 11:48:36

jaburjak
Member
Registered: 2024-05-15
Posts: 1

Re: Problem connecting with OpenVPN

Download the previous (1.10.4-1) version of networkmanager-openvpn from https://archive.archlinux.org/packages/ … r-openvpn/ and downgrade the package. This has happened before, but the Flyspray bug tracker was closed and I can't find the original bug, and I can't report this to the new bug tracker (https://gitlab.archlinux.org/archlinux/ … n/-/issues) unfortunately, as I do not have an account there.


#9 2024-05-16 07:23:27

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Re: Problem connecting with OpenVPN

I have tested different versions but without success :(

Maybe the problem comes from some other package


#10 2024-05-23 08:57:24

brama
Member
Registered: 2017-11-12
Posts: 3

Re: Problem connecting with OpenVPN

It's this bug: https://gitlab.freedesktop.org/NetworkM … ssues/1536

Which needs a bug reported on the plasma-nm package on bugs.kde.org, so I added one: https://bugs.kde.org/show_bug.cgi?id=487417


#11 2024-05-24 09:47:38

fbnatvista
Member
Registered: 2013-11-04
Posts: 7

Re: Problem connecting with OpenVPN

Thank you all for the support. I will follow the bug reports.
