OpenVPN client 2.6.X private key password prompt

bonnietwin · 1 February 2024 18:38

I have looked through the logs for the community versions.

The only things I found were some bug fixes related to auth-token in version 2.5.8 but looking at them I am not sure they would result in the sort of things you are experiencing.

ensure that auth-token received from server is cleared if requested by the management interface (“forget password” or automatically via ``–management-forget-disconnect’')

in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.

using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.

barkingdoggy · 1 February 2024 21:22

Agreed.

To be clear, after editing my user config file as described earlier, the client no longer prompts for private key password when the user’s private key is not encrypted… The earlier posted client and server logs describe that case interaction.

When the user private key is encrypted, the prompt appears, but the key password I created does not work. The prompt keeps popping back up with an error saying it’s the wrong password. If I enter the TOTP code after entering the password, no success.

svenf · 5 February 2024 10:58

Sry I did not read all posts but to get 2FA working with OpenVPN Community Edition V2.6.x you need to add the following lines

auth-user-pass
static-challenge “Enter OTP” 0

If you have a vpn config from a older ipfire release you need
providers legacy default

@bonnietwin Can you add this lines to the wiki? I think this is the 4 (?) thread to this topic.

bonnietwin · 5 February 2024 11:50

You can make those edits to the wiki yourself.

If you are logged into IPFire then just pressing the Edit button at the bottom of the involved wiki page will open up the editor for you.

donbrill · 5 February 2024 15:04

Normally, I prefer to use the most current stable release. However, I’ve been utilizing 2.5.9 as any of 2.6.x versions do not work unless each ovpn file is edited., and then edit the new ovpn file whenever the key expires and a new key is generated. (all clients Windows 10/11) Would it make sense for IPFire to include the “providers legacy default” when it generates the ovpn file?

barkingdoggy · 5 February 2024 15:33

Sven’s tip works for me. Thank you!!!
Don, what do you mean “edit the new ovpn file whenever the key expires…”?Which line in the ovpn file needs to be changed? Which key expires?

donbrill · 14 February 2024 07:16

If I move into the 2.6.x client, I need to edit each ovpn file to get it to work. When the certificate expires (default is 730 days) and I generate a new certificate, I need to edit the ovpn file again. Far easier to stay with 2.5.9, which works fine (unless there’s some known security flaw that I’ve missed.)

janr · 22 February 2024 09:52

Same problem here.
Core 182.
Only Client 2.5.7 is working.
All newer ones bring up key-prompt for .p12 endlessly.
Tried a lot, but without success.

Here is the config-file:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote URL 1194
pkcs12 CERTNAME.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name URL name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
auth-user-pass
static-challenge “Enter OTP” 0
providers legacy default