OpenVPN OTP not working for me in 198

I also face the common problem with OTP support for OpenVPN that the client does not ask for a code. The server was freshly set up with core 197 and the OpenVPN-profile also was newly created.

On client-side, I have the most recent Community-client available.

No matter what I try, I’m not asked for the OTP code and the connection stalls at the same point until in times out:

image567×143 7.88 KB

I also see that line in the log:

2025-12-04 07:51:43 AUTH: Received control message: AUTH_FAILED,CRV1:R,XXXXXXXXXXXX==:XXXXX==:One Time Token:

Without OTP enabled, the dial-in works flawless.

AFAIC the bug leading to the problem that the user is not asked for the code should have been fixed many core releases before, shouldn’t it?

Any ideas?
TIA!

I was able to solve the problem for me. Obviously still the lines making the OpenVPN-client to ask for the OTP are missing in the ovpn-files generated by IPFire.

If I add the following lines:

auth-user-pass
static-challenge "Enter OTP token" 0

The client opens a popup-window asking for the OTP.

From my understanding, I would expect that the ovpn for users with OTP enabled should already contain these lines, no?

Shall I open a bug-report or there already one in the pipeline?

Thanks!

The auth-user-pass was unintentionally removed in the big openvpn changes in CU197 and the fix has been merged and is available in CU199 Testing.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=ab628fec98da87b210e14894343fda130099314d

Okay, seems like I was too early happy in this case.
After ~1h the following dialog pops up:

image271×242 3.86 KB

Please note that these are additional “Benutzer” (user) and “Passwort” (password) fields now. Also, seems like the user should enter an OTP again?

My aim would be that the user only has to put in an OTP once when dialing up, and not every x hours… Is that possible?

That has also been fixed in CU199.

It seems to be related to a peculiarity with windows clients where they do this if the auth-nocache option is enabled, so it has been removed in CU199 which is in testing.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=e3e4d6fe8ab6b3e60157be3b2b08aa5fa2d05b67

Would be good if you could evaluate CU199 Testing which has been out for 9 days.

Hello @bonnietwin,

thanks, I will try to see if both bugs do not happen here any more.

BTW, when I was asked to reboot for the update, I got the following message on screen:

image1455×215 30.7 KB

Is this known to happen when updating from 198 to 199?

I haven’t seen that in any of my update evaluations (done 7 or 8 so far).

If after pressing Enter or waiting for the minute it continued without any issues and after the reboot apache was working (you could access the WUI) then it would seem that apache had already stopped for some reason.

Would be interesting to hear if anyone else has had the problem.

I will do updates of my CU199 Testing systems as some new changes have been merged if I remember correctly.

After reboot, the message disappeared and did not come back. Seems like a temporary problem with ending the apache while upgrading.

For the fixes: I can confirm that:
a) The ovpn-files now work with OTP without any manual modifications
b) The 1h-problem is also gone.

Looks good to me!

Thanks for the great help!

I can confirm that it works.

Today I performed two tests
The first test involved pinging a remote host every 30 seconds.
The second test was without pinging. (Ping was done before turning off the tunnel, only to check the availability of the remote host).

During the first and second tests, the OTP code was entered at the beginning of the connection and did not ask for the code to be re-entered after an hour.

Core-Update 199 Development Build: master/d656b7a

OpenVPN v2.6.17

obraz393×259 11.5 KB

test1

Pings every 30 seconds

obraz246×154 1.35 KB

test2

Ping before disconnecting

Regards