google-authenticator with openvpn fails on 16.04

Bug #1576588 reported by vibeweb
122
This bug affects 24 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Won't Fix
Medium
Unassigned
Bionic
Fix Released
Undecided
Unassigned

Bug Description

We are using a standard https://openvpn.net/ community server, with 2-factor authentication via Google Authenticator enabled

This has worked with latest version of openvpn in 14.04 (all through only via the terminal)

When doing a fresh install of 16.04, and initiating the vpn from the terminal with: openvpnvpn client-config.ovpn it ends with this error:

Fri Apr 29 10:12:27 2016 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Fri Apr 29 10:12:27 2016 AUTH: Received control message: AUTH_FAILED,Google Authenticator Code must be a number
Fri Apr 29 10:12:27 2016 SIGTERM[soft,auth-failure] received, process exiting

We have noticed that the user/password + google authenticator dialog has changed from the old one

Enter Auth Username: ****
Enter Auth Password: ****************
CHALLENGE: Enter Google Authenticator Code
Response: ******

All info is now hidden with asterisks, where only the password was in the old version

We suspect something wrongly happens when parsing the google-authenticator response

Thank you

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu):
status: New → Confirmed
Revision history for this message
Alexandr (mogost) wrote :

All has been said. I can confirm the problem.

Revision history for this message
Alexandr (mogost) wrote :

There is no problem if you connect from tty1.

Revision history for this message
vibeweb (vibeweb) wrote :

the tty1 idea is good, but in most cases nowadays its my experience that the graphical interface is crashing if you switch back and forth between ttys

So it is not really a viable workaround

Revision history for this message
Jacob Damkjaer (jacobdamkjaer) wrote :

I have an urgent need for this to be fixed. Anything I can do?

Robie Basak (racb)
Changed in openvpn (Ubuntu):
importance: Undecided → High
Revision history for this message
Jacob Damkjaer (jacobdamkjaer) wrote :

I tried doing this with tty1 and it simply crashes the graphical interface. Anyone got an alternative?

Revision history for this message
momico (momico) wrote :

Any workaround ? This is a blocker.

Revision history for this message
Alexandr (mogost) wrote :

Only one workaround. Use tty if you have no problem with crashing graphical interface.

Revision history for this message
Jacob Damkjaer (jacobdamkjaer) wrote :

If you install the latest openvpn from source, this problem is solved. My new problem is that it gets to this: "Sat May 14 22:42:49 2016 Initialization Sequence Completed", but no connection.

From what I've read, getting this far means that openvpn has started "working", but I can't seem to reach the stuff I'm supposed to be able to reach. And I can't figure out why.

Revision history for this message
vibeweb (vibeweb) wrote :

Comment #10 should ofcourse have been in english

Compiling from source is not a viable solution, especially for a security-critical product as openvpn

Revision history for this message
Jacob Damkjaer (jacobdamkjaer) wrote :

Thanks for the info. I did not know that made any difference, not that I necessarily understand why, but then that isn't my job I suppose. So I guess I'm back to square one.

Revision history for this message
phazei (phazei) wrote :

I found this temporary solution here:
http://stackoverflow.com/a/37413149/65985

Basically, go into your ovpn file and change the verbosity:
old: verb 3
new: verb 4

Worked for me

Revision history for this message
Reece (reece) wrote :

@phazei's suggestion to change verbosity worked for me too.

Revision history for this message
Miguel Mendoza (mmendozatrc) wrote :

Ditto for the verbosity fix mentioned by @phazei. Just upgraded from Ubuntu Trusty to Xenial over the weekend so this quick workaround was much appreciated.

Revision history for this message
Pavel Serikov (pavelsr) wrote :

Hi folks, looks like I have a same problem. After upgrade Ubuntu to xenial OpenVPN refusing to connect:

AUTH: Received control message: AUTH_FAILED

Same configuration works fine at Ubuntu 14.04. LTS

But changing verbosity level and updating OpenVPN from PPA to latest 2.4.0 version haven't helped me.

Any ideas ?

Revision history for this message
Pavel Serikov (pavelsr) wrote :

Case fixed, there was unprintable symbol in file where my login and password was stored.
So latest OpenVPN works fine at Ubuntu xenial!

Revision history for this message
Edwin de Jong (dibbeke) wrote :

Want to confirm that @phazei verbosity fix solves the problem. Shouldn't the fix be back-ported to 16.10? It seems a pretty major bug.

Revision history for this message
Joshua Powers (powersj) wrote :

Hi! Thanks for all the comments and work on this bug. As someone who uses a VPN everyday to get my job done I can imagine how frustrating having this break would be. As far as the "fix", modifying the verbosity of a package may get you around the issue (i.e. a workaround), but I do not believe that is an actual fix for the issue.

I see mentions to versions from PPA, if you are installing from OpenVPN's PPA, then it means the issue is not even fixed upstream, therefore the first step here is to report this to OpenVPN. I did a quick search of the OpenVPN bug tracker and did not see any bugs reported with "authenticator", "google", or "tfa" in the summary of any bug (open or closed).

Can someone, preferably someone using OpenVPN's PPA, who is seeing the issue please file a bug with them and report the number back here please?

Revision history for this message
Anders Hall (a.hall) wrote :

Hi Edwin, did you test this with 16.04? I cant upgrade to 17.XX, for various reasons, and would like to upgrade my client (openvpn 2.3.10) and test the verb config fix. Currently, if I change to verb 4 the auth process fails with "Exiting due to fatal error". With default verb 3 i get the "AUTH_FAILED,Google Authenticator Code must be a number" error. How did you upgrade the client?

Revision history for this message
Anders Hall (a.hall) wrote :

Answer for my own question, for reference (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos):

1)
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get dist-upgrade

2)
change to verb 4 and now google auth works IF i run openvpn with sudo privileges

Revision history for this message
Nish Aravamudan (nacc) wrote :

Is it possible these issues were due to the fallout (which I think has all been fixed) with Google changing their authentication?

Revision history for this message
Raviteja (rlokineni) wrote :

It's been one year since it was reported. Anyone working on this?

Revision history for this message
Joshua Powers (powersj) wrote :

Please see comments #19 and #22.

Revision history for this message
Andrey (kaiser666666) wrote :

sudo apt-get install openvpn easy-rsa
....
easy-rsa is already the newest version (2.2.2-2).
....
Do you want to continue? [Y/n] Y
....

after reinstalling work as expected

Revision history for this message
naisanza (naisanza) wrote :

@phazei's find on changing `verb 3` to `verb 4` works, but why? What does `verb` have to do with openvpn taking in input?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hi,

this bug has no config files attached, nor log files. Could someone who is still experiencing the problem please provide those?

Changed in openvpn (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

Changed in openvpn (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Neeraj Khandelwal (me.neerajkhandelwal) wrote :

We faced the same issue on Ubuntu 16.04.3 LTS. No workaround.

Revision history for this message
Andrejs Hanins (ahanins) wrote :

I'm on 18.04.4 LTS and a workaround to change "verb 3" to "verb 4" does not help. Still the following in the logs:

nm-openvpn[26570]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:<some base 64 here>:Enter Google Authenticator Code

nm-openvpn[26570]: SIGUSR1[soft,auth-failure] received, process restarting

And NM runs in a loop.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

@ahanins or @me.neerajkhandelwal,

Could any of you provide the config files @ahasenack has asked ?

Meanwhile, I'll re-flag this as incomplete again.

Changed in openvpn (Ubuntu):
status: Expired → Incomplete
Changed in openvpn (Ubuntu Xenial):
status: New → Incomplete
Changed in openvpn (Ubuntu Bionic):
status: New → Fix Released
Changed in openvpn (Ubuntu):
status: Incomplete → Fix Released
importance: High → Medium
importance: Medium → Undecided
Changed in openvpn (Ubuntu Xenial):
importance: Undecided → Medium
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thank you all for your reports, but sadly there was no further engagement here.
Andreas and Rafael have asked for more details, config files and such to be able to recreate this.

Therefore this can not be acted on as is - in addition Xenial is now in ESM and no more getting normal SRU updates.

On the other hand the feedback on the case also stopped as there were no further people chiming in with new updates.

Therefore, sorry, but I'll have to set it to Won't Fix for the Xenial task.

If you have information how to recreate this (in later releases) please comment here to give this case some new life.

Changed in openvpn (Ubuntu Xenial):
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.