Openvpn3 indicator does not support 2fa authentication profile #7
Comments
@pushkargogte Did you store credentials? If you did, then the app stored the code and tries to use the old one. I need to fix this.
@dsommers I don't have a profile with 2FA to test against. Can I set it up using openvpn2 server? Do you have any hints how to tell which fields should never be stored in secret storage?
Yes, I'm using a config imported in openvpn3-cli; my .ovpn config file does have stored credentials.
@grzegorz-gutowski I'll reach out via e-mail with details.
@pushkargogte You can try the newest version. It is not the final solution yet (as I have yet to write some code that decides which fields are unsafe for storage), but it could get you going (with an unnecessary, failing authorization attempt with an old Auth Code).
I tried the newest version available in Launchpad, but it is not working. Can you share your email address with me, as the video recording contains confidential info?
You can share the recording to my e-mail address [email protected].
I have sent you the video recordings.
It seems that indicator does not handle dynamic challenges too well.
@grzegorz-gutowski can you check your email, I have emailed you the logs
@grzegorz-gutowski Okay, so this whole authentication scheme is a complicated mess ... as there are more ways how this is handled, mostly for historical reasons. The low-level aspects of the static/dynamic challenges are documented here: https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt#L1209
The OpenVPN Access Server and Cloud Connexa have moved towards using just the "pending auth" approach, but we still need to support all methods. Older Access Servers will not do the "auth pending" approach, neither will many community server setups. In the Access Server config you got, you can dump that ( I wish there were simpler ways to do this - but so far there have been some challenges with getting D-Bus signals properly delivered with the "dynamic challenge" approach due to the client thread being stopped automatically and outside of the control of the OpenVPN 3 Linux implementation. This may improve in later releases, since the GDBus++ implementation in the coming v22_dev release can behave a bit differently in regards to how and when signals are sent.
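An added illustration, not code from openvpn3-indicator or OpenVPN 3 Linux: a parser for the `CRV1` dynamic-challenge string described in the management notes linked above, plus a filter that keeps one-time answers out of secret storage, which is the failure discussed earlier in this thread. The prompt kind names in the storage policy and the sample challenge are constructed assumptions.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicChallenge:
    echo: bool               # flag E: response may be echoed while typed
    response_required: bool  # flag R: the user must supply a response
    state_id: str            # opaque token the server expects back
    username: str            # decoded from the base64 field
    text: str                # prompt to show the user


def parse_crv1(msg: str) -> DynamicChallenge:
    """Parse 'CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>'."""
    # challenge_text is the last field and may itself contain ':'.
    parts = msg.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        raise ValueError("not a CRV1 dynamic challenge")
    _, flags, state_id, user_b64, text = parts
    flag_set = {f for f in flags.split(",") if f}
    username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    return DynamicChallenge("E" in flag_set, "R" in flag_set,
                            state_id, username, text)


def crv1_response(ch: DynamicChallenge, answer: str) -> str:
    """Password value sent on the follow-up attempt."""
    return f"CRV1::{ch.state_id}::{answer}"


# Hypothetical prompt kinds (assumed names, not the indicator's own).
# Only long-lived secrets may be persisted; challenge answers and the
# state_id are valid for a single authentication attempt.
PERSISTABLE_KINDS = {"username", "password"}


def fields_to_store(answers: dict) -> dict:
    """Return only the answers that are safe to keep in secret storage."""
    return {k: v for k, v in answers.items() if k in PERSISTABLE_KINDS}


# Constructed sample challenge (username "alice", made-up state_id).
SAMPLE = "CRV1:R,E:c3RhdGUtMDAx:YWxpY2U=:Enter code: 6 digits"
```
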
@dsommers I tried AS config of yours with removed
I have mailed you a sample ovpn file with the configuration I use.
Issue is resolved after updating openvpn3-linux package to v21
@pushkargogte We should probably highlight that, yes ... thanks for the heads-up! Even though, with the latest change from me merged .... I would expect v20 to work though ... but maybe it's something else too.
There's more investigation needed, as after upgrading to v21, openvpn3-indicator failed. On the second try it started working.
Was closed by mistake
My guess is that the cause of the problem is that sometimes indicator does not get status change to CFG_REQUIRE_USER. In v20 it looked as if indicator got CFG_REQUIRE_USER for the user/password prompt, then after providing credentials and connecting comes dynamic challenge, and indicator does not get new status change and stays in "old" CFG_REQUIRE_USER. In v21 in the faulty run that pushkargogte mentions, after connect it got status change to CONN_CONNECTING, and stayed in that state forever.
Currently openvpn3-indicator does not support 2FA authentication profiles; the openvpn3 CLI does support it, though.
openvpn3 sessions-list
returns the current session, but as the 2FA code is not asked for, I can't SSH to the specified server address.