OpenVPN Client config changes question

Hi,

I had to replace an existing VPN client and the user had problems with the newly created package.
I checked the created config file and found:
"
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
"
set as options.
We do not activate TOTP or other options.
After deleting these 4 options the connection was working without any problems.

Why are these options set in the config file now?
Security reasons?

Best

Silvio

Additional Info:

Client was a Windows 10 with OpenVPN GUI 11.14.00

Error:
Options error: Unrecognized option or missing or extra parameter(s) in xxx-TO-Test.ovpn:18: auth-token-user (2.4.8) Use --help for more information.

Those options have been in the IPFire client configs since the OTP option was added. Of course existing client connections at that time would not have them.

Any OpenVPN clients should just ignore them if they are not being used.

With my Linux Network Manager client, Linux OpenVPN command line client and my OpenVPN for Android client app that is what happens. I don’t use OTP with any of those and the client connection is made and those options ignored.

Unfortunately Windows has decided to flag one of the options as explicitly unrecognised, although it does not have a problem with the others.

Other users on this forum have had the same problem with windows connections and deleting the line(s) is the only option.

The whole point of the client config is that you should be able to use it with any client and when creating a client connection you should not need to know what client is going to use the connection. That works for everything except for the Windows client which doesn’t like auth-token-user and the OpenVPN Connect client which doesn’t accept certificates in a .p12 bundle.

Thanks for the answer Adolf,

I can confirm that Linux has no problems with these options. That’s why I’m only stumbling upon it now.

Best

Silvio

Today I did a test on
IPFire 2.29 (x86_64) - Core-Update 190
Windows 10 Pro 22H2 (19045.5247)
OpenVPN 2.6.12 (OpenVPN GUI 11.50.0.0)

I created a new connection on IPFire
I downloaded the client package

Below the contents of the .ovpn file

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote xx.xx.xx.xx 1194
#comment the above line and uncomment the next line, if you want to connect on the Blue interface
;remote 10.20.130.240 1194
pkcs12 openvpntest.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name xx.xx.xx.xx name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

The result: the client connected without errors :smiley:

Regards

1 Like

That’s interesting. You didn’t have to set anything specific in the windows client, it was just a default client setup?

Windows is something I can’t test out as I don’t have any systems with it on any version. Last Windows I used was XP.

I do see a difference in the windows openvpn gui version number between @tphz and @silvio so maybe it now works by default.

@silvio can you update your windows system to the same openvpn gui version?

As far as we can see, version 11.14.0.0 was used in OpenVPN 2.4.8
OpenVPN 2.4.8 released 31 October 2019


2 Likes

That is quite old. Maybe not all the OTP options were in that version.
That might explain what is happening.

I did a second test.
I uninstalled OpenVPN and installed version 2.4.8
I got the same message.

Options error: Unrecognized option or missing or extra parameter(s) in 248test-TO-IPFire.ovpn:20: auth-token-user (2.4.8)
Use --help for more information.

Then I uninstalled version 2.4.8.
After installing the latest version 2.6.12 and connecting, this error did not show up.

1 Like

OpenVPN GUI v11.4.0.0 - A Windows GUI for OpenVPN.
OpenVPN Connect - Client Software For Windows | OpenVPN
I have deleted the four options but…

Options error: Parameter --cert cannot be used when --pkcs12 is also specified.
Use --help for more information.

I saw that there is a newer variant there… It’s worse.

That is correct.

In the past they had a workaround to enable .p12 (pkcs12) bundle files to still be used but now with the latest versions they removed the workaround so you can’t use the .p12 version with OpenVPN Connect.

OpenVPN Connect have deprecated and removed the .p12 capability but .p12 is still a fully functioning option for the majority of other OpenVPN clients.

So with the current IPFire OpenVPN system your only option is to use the insecure option, i.e. without passwords, as that provides the certs as individual .pem & .key files and not as a .p12 certificate bundle.

I think that with the 2.6 update version of OpenVPN in IPFire it will be using embedded files and so the .p12 issues from OpenVPN Connect should be resolved but I will need to check that out to confirm it as I am not 100% certain at this point.

1 Like
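A small lint-and-strip script for the client profile, added here as an example and not IPFire's or OpenVPN's own code. It encodes the two client gaps discussed in this thread (OpenVPN 2.4.8 on Windows rejecting auth-token-user, and OpenVPN Connect no longer accepting a pkcs12 bundle) plus the --cert/--pkcs12 conflict from the quoted error, and it can remove the four OTP lines the way the earlier posts had to do by hand. The client labels, function names and the sample profile (the one posted above, with its address masked as in the post) are assumptions of the example; the parser skips inline `<tag>...</tag>` blocks so key material is never treated as a directive.

```python
"""Lint an OpenVPN client profile (.ovpn) for client-specific gaps and
optionally strip the OTP directives.  Added example, not IPFire or
OpenVPN code; client labels and the version cut-offs are assumptions."""
import re
import sys

# The four OTP-related directives IPFire adds to every client profile.
OTP_DIRECTIVES = {"auth-nocache", "auth-token-user", "auth-token", "auth-retry"}

# Constructed sample: the profile posted in this thread, address masked.
SAMPLE_OVPN = """\
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote xx.xx.xx.xx 1194
#comment the above line and uncomment the next line, if you want to connect on the Blue interface
;remote 10.20.130.240 1194
pkcs12 openvpntest.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name xx.xx.xx.xx name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
"""


def parse_directives(text):
    """Yield (lineno, name, args) for each directive line.

    '#' and ';' start comments; lines inside inline <ca>...</ca> style
    blocks are skipped so certificate/key material is never parsed."""
    in_block = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def lint(text, client="generic"):
    """Return (lineno, directive, reason) findings for the chosen client.

    client labels are assumptions of this example:
      'openvpn-2.4'      - OpenVPN 2.4.8 / GUI 11.14 rejects auth-token-user
      'openvpn-connect'  - OpenVPN Connect does not accept a .p12 bundle
    The cert/pkcs12 conflict is reported for every client."""
    directives = list(parse_directives(text))
    names = {name for _, name, _ in directives}
    findings = []
    for n, name, _args in directives:
        if client == "openvpn-2.4" and name == "auth-token-user":
            findings.append((n, name, "unrecognized option on OpenVPN 2.4.8"))
        elif client == "openvpn-connect" and name == "pkcs12":
            findings.append((n, name, "OpenVPN Connect does not accept a .p12 bundle"))
        elif name == "cert" and "pkcs12" in names:
            findings.append((n, name, "--cert cannot be used when --pkcs12 is also specified"))
    return findings


def strip_otp(text):
    """Remove the four OTP directives; every other line is kept verbatim.

    Returns (new_text, list_of_removed_directive_names)."""
    hits = [(n, name) for n, name, _ in parse_directives(text) if name in OTP_DIRECTIVES]
    drop = {n for n, _ in hits}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n", [name for _, name in hits]


if __name__ == "__main__":
    # Usage: python ovpn_lint.py [profile.ovpn] [client-label]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    client = sys.argv[2] if len(sys.argv) > 2 else "openvpn-2.4"
    for n, name, reason in lint(text, client):
        print(f"line {n}: {name}: {reason}")
    stripped, removed = strip_otp(text)
    print(f"removed {removed}; profile for old clients:\n{stripped}")
```

Run against the sample with the `openvpn-2.4` label it reports the `auth-token-user` line that the 2.4.8 error message points at and nothing else; after `strip_otp` the same lint is clean, which is the manual fix described above. With the `openvpn-connect` label it flags the `pkcs12` line instead, which is the separate problem that deleting the OTP lines does not solve.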

Thank you!

Can we manually update the VPN server inside ipfire (ssh)? Or it will break things?

It is not the server itself that you would need to change, it is the ovpnmain.cgi code that relates to the OpenVPN WUI page.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=html/cgi-bin/ovpnmain.cgi;h=20f256f4b2e812099318385aaf419affca471d9f;hb=refs/heads/next

It is this code that is being significantly overhauled with the update to the 2.6 branch of OpenVPN.

If you make changes yourself to that code then when an update is done to that file then at Core Update where that change is released any change you have made locally will be overwritten.

1 Like

That worked on all my clients (Android, Windows, travel router VPN client). Thank you!