OpenVPN client 2.6.X private key password prompt

I have looked through the logs for the community versions.

The only things I found were some bug fixes related to auth-token in version 2.5.8 but looking at them I am not sure they would result in the sort of things you are experiencing.

  • ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via --management-forget-disconnect)
  • in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
  • using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.

Agreed.

To be clear, after editing my user config file as described earlier, the client no longer prompts for private key password when the user’s private key is not encrypted… The earlier posted client and server logs describe that case interaction.

When the user private key is encrypted, the prompt appears, but the key password I created does not work. The prompt keeps popping back up with an error saying it’s the wrong password. If I enter the TOTP code after entering the password, no success.


Sry I did not read all posts but to get 2FA working with OpenVPN Community Edition V2.6.x you need to add the following lines

auth-user-pass
static-challenge "Enter OTP" 0

If you have a VPN config from an older IPFire release you also need
providers legacy default

@bonnietwin Can you add these lines to the wiki? I think this is the 4th (?) thread on this topic.


You can make those edits to the wiki yourself.

If you are logged into IPFire then just pressing the Edit button at the bottom of the involved wiki page will open up the editor for you.

Normally, I prefer to use the most current stable release. However, I’ve been utilizing 2.5.9, as none of the 2.6.x versions work unless each ovpn file is edited, and then the new ovpn file has to be edited again whenever the key expires and a new key is generated (all clients Windows 10/11). Would it make sense for IPFire to include “providers legacy default” when it generates the ovpn file?


Sven’s tip works for me. Thank you!!!
Don, what do you mean by “edit the new ovpn file whenever the key expires…”? Which line in the ovpn file needs to be changed? Which key expires?

If I move into the 2.6.x client, I need to edit each ovpn file to get it to work. When the certificate expires (default is 730 days) and I generate a new certificate, I need to edit the ovpn file again. Far easier to stay with 2.5.9, which works fine (unless there’s some known security flaw that I’ve missed.)

Same problem here.
Core 182.
Only Client 2.5.7 is working.
All newer ones bring up the key prompt for the .p12 endlessly.
Tried a lot, but without success.

Here is the config-file:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote URL 1194
pkcs12 CERTNAME.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name URL name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
auth-user-pass
static-challenge "Enter OTP" 0
providers legacy default

For the 2.6.x client on Windows to work with legacy IPFire OpenVPN (with no password or 2FA), remove all these lines except:
auth-nocache
auth-retry interact

Also the lines:
providers legacy default
data-ciphers AES-256-CBC
must be added (with the cipher in the second line changed, of course, to the one your config uses).
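Since both the 2FA recipe from Sven’s post and the no-2FA recipe just above amount to the same mechanical edit of every IPFire-generated .ovpn, here is a small script that applies either variant. This is an added example, not code from the thread or from IPFire: the function names, the constructed sample config (modelled on the one posted above, with the 2FA lines left out) and the choice to derive `data-ciphers` from the existing `cipher` line are all my own. `providers legacy default` tells OpenVPN 2.6 on OpenSSL 3 to load the legacy provider, which is what older PKCS#12 files need to be decrypted at all; it does not change the TLS ciphers negotiated with the server.

```python
"""Rewrite an IPFire-generated .ovpn so the OpenVPN 2.6.x client accepts it.

Added example (not from the thread or IPFire). It applies the two edits the
thread describes:
  * 2FA/TOTP setups: add `auth-user-pass`, `static-challenge "Enter OTP" 0`
    and `providers legacy default` if they are missing.
  * certificate-only setups without 2FA: drop the auth-token / auth-user-pass /
    static-challenge lines, keep `auth-nocache` and `auth-retry interact`, then
    add `providers legacy default` and a `data-ciphers` line derived from the
    existing `cipher` line.
"""

# Constructed sample, modelled on the config posted in the thread (2FA lines omitted).
SAMPLE_CONFIG = """\
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote URL 1194
pkcs12 CERTNAME.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name URL name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
"""

# Directives the no-2FA variant removes; auth-nocache and auth-retry stay.
_DROP_WITHOUT_2FA = {"auth-token-user", "auth-token", "auth-user-pass",
                     "static-challenge", "providers"}

# Forum software turns "..." into curly quotes; OpenVPN only understands straight ones.
_STRAIGHTEN = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def _directive(line):
    """First word of a config line, or '' for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return stripped.split()[0]


def _has(lines, directive):
    return any(_directive(l) == directive for l in lines)


def adapt_for_26(config, two_factor):
    """Return the config text rewritten for the 2.6.x client."""
    lines = [l.translate(_STRAIGHTEN) for l in config.splitlines()]
    if two_factor:
        for wanted in ("auth-user-pass", 'static-challenge "Enter OTP" 0',
                       "providers legacy default"):
            if not _has(lines, wanted.split()[0]):
                lines.append(wanted)
    else:
        cipher = next((l.strip().split(maxsplit=1)[1]
                       for l in lines if _directive(l) == "cipher"), None)
        if cipher is None:
            raise ValueError("no 'cipher' line to derive data-ciphers from")
        lines = [l for l in lines if _directive(l) not in _DROP_WITHOUT_2FA]
        lines += ["providers legacy default", f"data-ciphers {cipher}"]
    return "\n".join(lines) + "\n"


def directives(config):
    """Map each directive to its argument string, for checking the result."""
    out = {}
    for line in config.splitlines():
        name = _directive(line)
        if name:
            parts = line.strip().split(maxsplit=1)
            out[name] = parts[1] if len(parts) > 1 else ""
    return out


if __name__ == "__main__":
    import sys
    # Usage: python adapt_ovpn.py client.ovpn [--2fa] > client-26.ovpn
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    sys.stdout.write(adapt_for_26(text, two_factor="--2fa" in sys.argv))
```

Write the output to a new file rather than over the original, and keep the original: when the certificate expires and IPFire generates a fresh .ovpn, the same command turns it into a 2.6-compatible copy again without hand editing.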

Chiming in to say “me too”. We tested all the ovpn clients and found 2.5.9 was the last one that would work with IPFire. We do NOT use 2FA. Just username/password. Our environment is a mix of Windows 10/11.