VPN Connection Failed With 2 Factor Authentication

Bug #1322728 reported by itzik
This bug affects 33 people
Affects                                 Status     Importance  Assigned to  Milestone
network-manager-fortisslvpn (Ubuntu)    Confirmed  Low         Unassigned
network-manager-openvpn (Ubuntu)        Confirmed  Low         Unassigned

Bug Description

Hi all,

My setup is an OpenVPN Access Server with Google 2-factor auth.

I was trying to connect to my VPN using the GNOME OpenVPN module and got the following errors in syslog:

May 23 22:23:00 laptop nm-openvpn[18049]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
May 23 22:23:02 laptop nm-openvpn[18049]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:d1r12r21df232+owqrf23t23t23tCn:aXRf3r2s=:Enter Google Authenticator Code
May 23 22:23:02 laptop nm-openvpn[18049]: SIGTERM[soft,auth-failure] received, process exiting
May 23 22:23:02 laptop NetworkManager[1043]: <warn> VPN plugin failed: 0

I looked in the documentation but didn't find anything useful.

Any help will be appreciated.

Tags: patch
itzik (naim-itzik)
description: updated
Trygve Andre Tønnesland (trygveat) wrote :

I'm experiencing the same issue with OpenVPN Access Server + Duo Security. Our server requires both client certificate, username/password and a 2FA token.

The problem seems to be that network-manager-openvpn lacks support for username/password auth combined with challenge response. Expected scenario would be a second dialog asking for 2FA token, similar to what openvpn(1) does when started manually from the command line.

May 6 11:12:38 hostname nm-openvpn[8558]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 6 11:12:40 hostname nm-openvpn[8558]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:<removed>:Duo passcode or second factor:
May 6 11:12:40 hostname NetworkManager[1032]: (nm-openvpn-service:8459): nm-openvpn-WARNING **: Password verification failed
May 6 11:12:40 hostname nm-openvpn[8558]: SIGTERM[soft,auth-failure] received, process exiting
May 6 11:12:40 hostname NetworkManager[1032]: <warn> VPN plugin failed: login-failed (0)

% cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.04
DISTRIB_CODENAME=vivid
DISTRIB_DESCRIPTION="Ubuntu 15.04"

% dpkg -l | grep '^ii network-manager'
ii network-manager 0.9.10.0-4ubuntu15.1 amd64 network management framework (daemon and userspace tools)
ii network-manager-gnome 0.9.10.1-0ubuntu4 amd64 network management framework (GNOME frontend)
ii network-manager-openvpn 0.9.10.0-1ubuntu1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 0.9.10.0-1ubuntu1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii network-manager-pptp 0.9.10.0-1ubuntu1 amd64 network management framework (PPTP plugin core)
ii network-manager-pptp-gnome 0.9.10.0-1ubuntu1 amd64 network management framework (PPTP plugin GNOME GUI)
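
The `AUTH_FAILED,CRV1:...` lines in the logs above are OpenVPN's dynamic challenge/response: the server is asking for a second factor rather than rejecting the credentials. The following is an added example, not part of any comment in this report and not code from network-manager-openvpn; it parses that message using the field layout from OpenVPN's management-notes.txt and builds the password value a client sends on the retry. Function names and sample log lines are constructed for illustration.

```python
import base64
import binascii
import re

# Layout documented in OpenVPN's management-notes.txt (dynamic challenge/response):
#   AUTH_FAILED,CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
CRV1_RE = re.compile(r"AUTH_FAILED,CRV1:([^:]*):([^:]*):([^:]*):(.*)$")


def parse_crv1(line):
    """Return the challenge fields of a log line, or None if it has no CRV1 challenge."""
    m = CRV1_RE.search(line)
    if m is None:
        return None
    flags, state_id, user_b64, text = m.groups()
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        username = None  # field was redacted or damaged before the log was posted
    flag_set = set(flags.split(","))
    return {
        "response_required": "R" in flag_set,  # R: the user must type a response
        "echo": "E" in flag_set,               # E: the typed response may be echoed
        "state_id": state_id,
        "username": username,
        "text": text,
    }


def crv1_password(state_id, response):
    """Password value for the retry; the username is resent unchanged."""
    return f"CRV1::{state_id}::{response}"


def classify(line):
    """'challenge' = server wants a second factor, 'rejected' = credentials refused."""
    if "AUTH_FAILED" not in line:
        return "other"
    return "challenge" if parse_crv1(line) else "rejected"


# Constructed sample lines modelled on the logs in this report; state id and
# username are made up ("YWxpY2U=" is base64 for "alice").
SAMPLE_LOG = [
    "nm-openvpn[1]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:c3RhdGUtMDAx:YWxpY2U=:Enter Google Authenticator Code",
    "nm-openvpn[1]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:c3RhdGUtMDAx:aXRf3r2s=:Enter code",
    "nm-openvpn[2]: AUTH: Received control message: AUTH_FAILED,Invalid username or password",
    "nm-openvpn[2]: SIGUSR1[soft,auth-failure] received, process restarting",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), parse_crv1(entry))
```

A log that shows "challenge" followed immediately by the process exiting, with no second prompt, points at the client front end not handling the challenge rather than at wrong credentials.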

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Joshua Kugler (jkugler) wrote :

This may not be a limitation of network manager. I hit something similar today while trying to do two-factor auth:

If I use this command line: sudo openvpn --config client.ovpn --auth-retry interact, I am prompted for my username, password, then when auth "fails" I am prompted for my second-factor key. However, if I add this: "--auth-user-pass up" the first part of auth succeeds, but when it "fails" due to the second factor, instead of falling back to "interact" it just fails and tries to auth all over.

Does --auth-user-pass up "override" --auth-retry interact somehow?

Roy Paterson (f-launchpad-roypaterson-com) wrote :
Adam Koczur (sbv) wrote :

Attaching a trivial patch that fixed the problem for me. Will push it upstream shortly.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix_2fa.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Adam Koczur (sbv) wrote :

Now that https://bugzilla.gnome.org/show_bug.cgi?id=751842 has been closed, could you please merge the upstream changes and fix the Ubuntu package, as well?

Francis (francisd) wrote :

I manually built the package with the 2fa.patch, but it still doesn't work. NM just asks for my password, it never asks for the 2FA code.

On Windows/Android/iOS clients, I have this line in client configuration:
static-challenge "Please enter 2FA code" 1

NM seems to ignore that line. Nowhere do I see a reference to that in the GUI or in the connection configuration file located at /etc/NetworkManager/system-connections.

Works fine when using openvpn --config myconfig.ovpn in CLI.

David Burke (bufke) wrote :

I believe this is fixed in Ubuntu 18.04. It now prompts for the 2FA code.

Douglas Gaskell (douglasg14b) wrote :

@David on 18.04, I am not being prompted for the 2-factor code.

What the logs look like:

NetworkManager[1237]: INFO: Connected to gateway.
NetworkManager[1237]: Two-factor authentication token:
NetworkManager[1237]: ERROR: Could not authenticate to gateway (No cookie given).
NetworkManager[1237]: INFO: Closed connection to gateway.
NetworkManager[1237]: INFO: Logged out.

Francis (francisd) wrote :

Four-year-old bug and still doesn't work on Ubuntu 18.04...

Manuel Muradás (dieresys) wrote :

Uhm, I'm using 18.04 and it's kind of working for me.
I have set my password in the VPN configuration, and set not to remember my password.
I first get prompted for my password and a few seconds later I get a second prompt for my Google Authenticator code.

The problem I'm facing is that if I set it to remember my password, the last input I entered (2FA code) overwrites the saved password, and next time the old 2FA code is used instead of the password. I will report this in a new ticket, I just wanted to let you know my experience in case it helps you with yours.

Package: network-manager-gnome
Version: 1.8.10-2ubuntu1

Package: network-manager-openvpn
Version: 1.8.2-1

Package: network-manager-openvpn-gnome
Version: 1.8.2-1

Manuel Muradás (dieresys) wrote :

In https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1322728/comments/12, I meant I have set my user, but not my password. Sorry for the noise.

Raffaele Sgarro (raffaelesgarro) wrote :

Not working on 18.04 for me, either. @dieresys workaround not working for me (only save user, asks password at connection time, never asks second token)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-fortisslvpn (Ubuntu):
status: New → Confirmed
cement_head (andorjkiss) wrote :

Has anyone tried this solution? https://github.com/duosecurity/duo_openvpn

cement_head (andorjkiss) wrote :

For DUO, just do your normal login, and for password enter <password,duo_passcode>

Francis (francisd) wrote :

Hi,

I just tried with the latest 19.10 release and unfortunately, it still doesn't work.

Ben Echols (benpechols) wrote :

I just tried on 19.10 and have the same issue. Let me know if any logs or anything else are needed to help debug the issue.

Sebastien Bacher (seb128) wrote :

The patch listed here is included in 1.8.2 which is the version in bionic.

Could those having the issue describe their setup, what they are doing and what result they get exactly? Also could you add a 'journalctl -b 0' log after getting the bug?

Changed in network-manager-fortisslvpn (Ubuntu):
importance: Undecided → Low
Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Low
status: Confirmed → Incomplete
Changed in network-manager-fortisslvpn (Ubuntu):
status: Confirmed → Incomplete
Francis (francisd) wrote :

Hi,

I imported my client configuration using the option "import from a file" (translation from "importer depuis un fichier"). My client configuration contains this line:

static-challenge "Code unique d'authentification" 1

When I look at my connection configuration in /etc/NetworkManager/system-connections, I don't see any reference to the static-challenge configuration. I suspect the problem comes from there.

So when I try to connect, NM asks me for the password, but never the challenge PIN. I tried to enter my PIN when NM requests my password again, but it doesn't work either.

In my client logs (first try I enter my password, the second try I enter my 2FA PIN)
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4132] audit: op="connection-activate" uuid="0df2fac7-29f5-4808-b15a-f49f748a8963" name="vpn" pid=1317 uid=1000 result="success"
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4475] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: Started the VPN service, PID 2254
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4768] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: Saw the service appear; activating connection
oct 31 09:10:02 u1910 NetworkManager[491]: <info> [1572527402.8568] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN plugin: state changed: starting (3)
oct 31 09:10:02 u1910 NetworkManager[491]: <info> [1572527402.8574] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN connection: (ConnectInteractive) reply received
oct 31 09:10:02 u1910 nm-openvpn[2271]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
oct 31 09:10:02 u1910 nm-openvpn[2271]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
oct 31 09:10:03 u1910 nm-openvpn[2271]: TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1192
oct 31 09:10:03 u1910 nm-openvpn[2271]: UDP link local: (not bound)
oct 31 09:10:03 u1910 nm-openvpn[2271]: UDP link remote: [AF_INET]4.3.2.1:1192
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
oct 31 09:10:03 u1910 nm-openvpn[2271]: [server] Peer Connection Initiated with [AF_INET]4.3.2.1:1192
oct 31 09:10:04 u1910 nm-openvpn[2271]: AUTH: Received control message: AUTH_FAILED
oct 31 09:10:04 u1910 nm-openvpn[2271]: SIGUSR1[soft,auth-failure] received, process restarting
oct 31 09:10:09 u1910 NetworkManager[491]: <info> [1572527409.5104] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN plugin: requested secrets; state connect (4)
oct 31 09:10:21 u1910 nm-openvpn[2271]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
oct 31 09:10:21 u1910 nm-openvpn[2271]: TCP/UDP: Preserving recently used r...


Usievaład Kimajeŭ (anibyl) wrote :

Hi,

We use OpenVPN + DUO.
I imported a .ovpn file via sudo nmcli connection import type openvpn file /path/to/foo.ovpn.
I set my login in Ubuntu VPN settings (no password).
Turned on the VPN.
Ubuntu asked for an authentication, I entered my VPN password.
Ubuntu asked for a password (I guess it means DUO passcode), I entered it.
Ubuntu asked for it again and I pressed Cancel (system asks for it infinitely).

I hope it helps.

OpenVPN CLI works, OpenVPN for Windows works. Entering password,passcode or passwordpasscode or passcodepassword doesn't work.

Feb 27 18:21:43 ubuntu-pc NetworkManager[1363]: <info> [1582856503.6578] audit: op="connection-activate" uuid="f84be875-048c-40d8-9859-c4319e75eff4" name="Work" pid=12083 uid=1000 result="success"
Feb 27 18:21:43 ubuntu-pc NetworkManager[1363]: <info> [1582856503.6629] vpn-connection[0x55cd0a0a8750,f84be875-048c-40d8-9859-c4319e75eff4,"Work",0]: Started the VPN service, PID 26648
Feb 27 18:21:43 ubuntu-pc NetworkManager[1363]: <info> [1582856503.6687] vpn-connection[0x55cd0a0a8750,f84be875-048c-40d8-9859-c4319e75eff4,"Work",0]: Saw the service appear; activating connection
Feb 27 18:21:50 ubuntu-pc NetworkManager[1363]: <info> [1582856510.4074] settings-connection[0x55cd0a068b60,f84be875-048c-40d8-9859-c4319e75eff4]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/Work (f84be875-048c-40d8-9859-c4319e75eff4,"Work")
Feb 27 18:21:50 ubuntu-pc NetworkManager[1363]: <info> [1582856510.4146] vpn-connection[0x55cd0a0a8750,f84be875-048c-40d8-9859-c4319e75eff4,"Work",0]: VPN plugin: state changed: starting (3)
Feb 27 18:21:50 ubuntu-pc NetworkManager[1363]: <info> [1582856510.4147] vpn-connection[0x55cd0a0a8750,f84be875-048c-40d8-9859-c4319e75eff4,"Work",0]: VPN connection: (ConnectInteractive) reply received
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: TCP/UDP: Preserving recently used remote address: [AF_INET]54.188.115.216:443
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: UDP link local: (not bound)
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: UDP link remote: [AF_INET]54.188.115.216:443
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 27 18:21:50 ubuntu-pc nm-openvpn[26667]: [entrustawsclientvpn] Peer Connection Initiated with [AF_INET]54.188.115.216:443
Feb 27 18:21:51 ubuntu-pc nm-openvpn[26667]: AUTH: Received control message: AUTH_FAILED,Invalid username or password
Feb 27 18:21:51 ubuntu-pc nm-openvpn[26667]: SIGUSR1[soft,auth-failure] received, process restarting
Feb 27 18:21:56 ubuntu-pc NetworkManager[1363]: <info> [1582856516.9069] vpn-connection[0x5...


Francis (francisd)
Changed in network-manager-openvpn (Ubuntu):
status: Incomplete → Confirmed
Changed in network-manager-fortisslvpn (Ubuntu):
status: Incomplete → Confirmed
Francis (francisd) wrote :

Still a bug in Ubuntu 22.04. The issue has been open since 2014, almost 10 years ago, unbelievable!

Mathieu Mege (mmege) wrote :

Has anybody found a solution? At least, is there somebody working on it?

Douglas Gaskell (douglasg14b) wrote : Re: [Bug 1322728] Re: VPN Connection Failed With 2 Factor Authentication

Once my toddler grows up to be a kernel engineer this ticket can be
assigned to him!

On Fri, Feb 9, 2024, 05:48 Mathieu Mege <email address hidden> wrote:

> Has anybody found a solution? At least, is there somebody working
> on it?

Marco Scalone (marcoscalone) wrote :

Same question. It is a really needed feature.
