Unable to connect OpenVPN with 2FA (CU 174)

Hi
I’ve configured OpenVPN and tried to connect with 2FA, but it fails. Without 2FA, I can connect. I scanned the token with the FreeOTP app on my iPhone.

This is the log I get while trying to connect with 2FA:

2023-05-10 11:50:26: Viscosity Mac 1.10.5 (1626)
2023-05-10 11:50:26: Viscosity OpenVPN Engine Started
2023-05-10 11:50:26: Running on macOS 13.3.1
2023-05-10 11:50:26: ---------
2023-05-10 11:50:26: State changed to Connecting
2023-05-10 11:50:26: Checking reachability status of connection...
2023-05-10 11:50:26: Connection is reachable. Starting connection attempt.
2023-05-10 11:50:26: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-10 11:50:26: OpenVPN 2.5.9 aarch64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Feb 22 2023
2023-05-10 11:50:26: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
2023-05-10 11:50:26: Resolving address: ovpn.domain.com
2023-05-10 11:50:26: Valid endpoint found: wan-ip_ipfire:1194:tcp-client
2023-05-10 11:50:26: TCP/UDP: Preserving recently used remote address: [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:26: Socket Buffers: R=[131072->131072] S=[131072->131072]
2023-05-10 11:50:26: Attempting to establish TCP connection with [AF_INET]wan-ip_ipfire:1194 [nonblock]
2023-05-10 11:50:26: TCP connection established with [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:26: TCP_CLIENT link local: (not bound)
2023-05-10 11:50:26: TCP_CLIENT link remote: [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:26: State changed to Authenticating
2023-05-10 11:50:26: TLS: Initial packet from [AF_INET]wan-ip_ipfire:1194, sid=c827f63f 9d838463
2023-05-10 11:50:27: VERIFY OK: depth=1, C=CH, O=company name, CN=company name CA
2023-05-10 11:50:27: VERIFY KU OK
2023-05-10 11:50:27: Validating certificate extended key usage
2023-05-10 11:50:27: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-05-10 11:50:27: VERIFY EKU OK
2023-05-10 11:50:27: VERIFY X509NAME OK: C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:50:27: VERIFY OK: depth=0, C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:50:27: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2023-05-10 11:50:27: [ovpn.domain.com] Peer Connection Initiated with [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:27: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:27: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:VGVzdFZQTg==:VE9UUA==:One Time Token:
2023-05-10 11:50:27: SIGUSR1[soft,auth-failure (auth-token)] received, process restarting
2023-05-10 11:50:27: Viscosity Mac 1.10.5 (1626)
2023-05-10 11:50:27: Viscosity OpenVPN Engine Started
2023-05-10 11:50:27: Running on macOS 13.3.1
2023-05-10 11:50:27: ---------
2023-05-10 11:50:27: State changed to Connecting
2023-05-10 11:50:27: Resolving address: ovpn.domain.com
2023-05-10 11:50:27: Resolving address: ovpn.domain.com
2023-05-10 11:50:27: Valid endpoint found: wan-ip_ipfire:1194:tcp-client
2023-05-10 11:50:27: TCP/UDP: Preserving recently used remote address: [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:27: Socket Buffers: R=[131072->131072] S=[131072->131072]
2023-05-10 11:50:27: Attempting to establish TCP connection with [AF_INET]wan-ip_ipfire:1194 [nonblock]
2023-05-10 11:50:27: TCP connection established with [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:27: TCP_CLIENT link local: (not bound)
2023-05-10 11:50:27: TCP_CLIENT link remote: [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:27: State changed to Authenticating
2023-05-10 11:50:27: TLS: Initial packet from [AF_INET]wan-ip_ipfire:1194, sid=40d65abd 044350a7
2023-05-10 11:50:27: VERIFY OK: depth=1, C=CH, O=company name, CN=company name CA
2023-05-10 11:50:27: VERIFY KU OK
2023-05-10 11:50:27: Validating certificate extended key usage
2023-05-10 11:50:27: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-05-10 11:50:27: VERIFY EKU OK
2023-05-10 11:50:27: VERIFY X509NAME OK: C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:50:27: VERIFY OK: depth=0, C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:50:28: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2023-05-10 11:50:28: [ovpn.domain.com] Peer Connection Initiated with [AF_INET]wan-ip_ipfire:1194
2023-05-10 11:50:28: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:29: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:30: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:31: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:32: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:33: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:35: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:36: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:37: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:38: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:39: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:40: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:41: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:42: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:43: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:44: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:45: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:46: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:47: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:49: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:50:49: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)

Log without 2FA, connection comes up:

2023-05-10 11:57:16: Viscosity Mac 1.10.5 (1626)
2023-05-10 11:57:16: Viscosity OpenVPN Engine Started
2023-05-10 11:57:16: Running on macOS 13.3.1
2023-05-10 11:57:16: ---------
2023-05-10 11:57:16: State changed to Connecting
2023-05-10 11:57:16: Checking reachability status of connection...
2023-05-10 11:57:16: Connection is reachable. Starting connection attempt.
2023-05-10 11:57:17: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-10 11:57:17: OpenVPN 2.5.9 aarch64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Feb 22 2023
2023-05-10 11:57:17: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
2023-05-10 11:57:17: Resolving address: ovpn.domain.com
2023-05-10 11:57:17: Valid endpoint found: ip-wan_ipfire:1194:tcp-client
2023-05-10 11:57:17: TCP/UDP: Preserving recently used remote address: [AF_INET]ip-wan_ipfire:1194
2023-05-10 11:57:17: Socket Buffers: R=[131072->131072] S=[131072->131072]
2023-05-10 11:57:17: Attempting to establish TCP connection with [AF_INET]ip-wan_ipfire:1194 [nonblock]
2023-05-10 11:57:17: TCP connection established with [AF_INET]ip-wan_ipfire:1194
2023-05-10 11:57:17: TCP_CLIENT link local: (not bound)
2023-05-10 11:57:17: TCP_CLIENT link remote: [AF_INET]ip-wan_ipfire:1194
2023-05-10 11:57:17: State changed to Authenticating
2023-05-10 11:57:17: TLS: Initial packet from [AF_INET]ip-wan_ipfire:1194, sid=0d6cc05b d44a38a2
2023-05-10 11:57:17: VERIFY OK: depth=1, C=CH, O=company name, CN=company name CA
2023-05-10 11:57:17: VERIFY KU OK
2023-05-10 11:57:17: Validating certificate extended key usage
2023-05-10 11:57:17: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-05-10 11:57:17: VERIFY EKU OK
2023-05-10 11:57:17: VERIFY X509NAME OK: C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:57:17: VERIFY OK: depth=0, C=CH, O=company name, CN=ovpn.domain.com
2023-05-10 11:57:17: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2023-05-10 11:57:17: [ovpn.domain.com] Peer Connection Initiated with [AF_INET]ip-wan_ipfire:1194
2023-05-10 11:57:17: SENT CONTROL [ovpn.domain.com]: 'PUSH_REQUEST' (status=1)
2023-05-10 11:57:17: PUSH: Received control message: 'PUSH_REPLY,route 10.186.7.1,topology net30,ping 10,ping-restart 60,route 172.16.16.0 255.255.255.0,ifconfig 10.186.7.34 10.186.7.33,peer-id 0,cipher AES-256-CBC'
2023-05-10 11:57:17: OPTIONS IMPORT: timers and/or timeouts modified
2023-05-10 11:57:17: OPTIONS IMPORT: --ifconfig/up options modified
2023-05-10 11:57:17: OPTIONS IMPORT: route options modified
2023-05-10 11:57:17: OPTIONS IMPORT: peer-id set
2023-05-10 11:57:17: OPTIONS IMPORT: adjusting link_mtu to 1526
2023-05-10 11:57:17: OPTIONS IMPORT: data channel crypto options modified
2023-05-10 11:57:17: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-05-10 11:57:17: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-10 11:57:17: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-05-10 11:57:17: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-10 11:57:17: Opened utun device utun10
2023-05-10 11:57:17: /sbin/ifconfig utun10 delete
2023-05-10 11:57:17: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-05-10 11:57:17: /sbin/ifconfig utun10 10.186.7.34 10.186.7.33 mtu 1400 netmask 255.255.255.255 up
2023-05-10 11:57:18: /sbin/route add -net 10.186.7.1 10.186.7.33 255.255.255.255
2023-05-10 11:57:18: /sbin/route add -net 172.16.16.0 10.186.7.33 255.255.255.0
2023-05-10 11:57:18: DNS mode set to Split
2023-05-10 11:57:18: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2023-05-10 11:57:18: State changed to Connected
2023-05-10 11:57:18: Initialization Sequence Completed

Can someone give me a hint on what to do?
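The AUTH_FAILED,CRV1 line in the failing log is an OpenVPN dynamic challenge (CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>), to which a challenge-aware client must answer with CRV1::<state_id>::<code> in the password field. As an added example, not code from the thread or from IPFire, this Python parses that exact log line, computes the RFC 6238 TOTP code a scanned FreeOTP token would display (using the RFC 6238 test key, a constructed secret), and builds the response string; the sample log line is copied from the post above.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the challenge line from the failing log above.
SAMPLE_LOG = ("2023-05-10 11:50:27: AUTH: Received control message: "
              "AUTH_FAILED,CRV1:R,E:VGVzdFZQTg==:VE9UUA==:One Time Token:")


def parse_crv1(log_line):
    """Split an OpenVPN CRV1 dynamic challenge into its fields.

    Flags: R = a response is required, E = the typed response may be echoed.
    state_id is opaque and must be returned unchanged; the username field is
    base64 (here it decodes to "TOTP", the state_id to "TestVPN").
    """
    marker = "AUTH_FAILED,CRV1:"
    idx = log_line.find(marker)
    if idx < 0:
        raise ValueError("not a CRV1 challenge")
    flags, state_id, user_b64, text = log_line[idx + len(marker):].split(":", 3)
    flag_set = set(flags.split(","))
    return {
        "response_required": "R" in flag_set,
        "echo": "E" in flag_set,
        "state_id": state_id,
        "username": base64.b64decode(user_b64).decode(),
        "challenge": text,
    }


def totp(secret_b32, timestamp, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme FreeOTP uses for a scanned token."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def crv1_response(state_id, code):
    """Password string the client sends back: CRV1::<state_id>::<response>."""
    return "CRV1::%s::%s" % (state_id, code)


if __name__ == "__main__":
    ch = parse_crv1(SAMPLE_LOG)
    # Constructed secret (RFC 6238 test key), not the poster's real token.
    code = totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", time.time())
    print(ch["challenge"], code, crv1_response(ch["state_id"], code))
```

Whether a given client actually sends this response is the point of the thread: OpenVPN logs SIGUSR1 auth-failure as soon as the challenge arrives if the client does not implement CRV1.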

I had the same issue today with OpenVPN 2.5.9 on Windows and Core 173. It seems to be an OpenVPN 2.5.9 issue. With 2.5.7 it works fine.

Really? You managed to use 2FA with OpenVPN using OpenVPN Connect on a platform that is not Windows and the Community edition? Where? OP is using an iPhone. I never managed to get OpenVPN Connect working with 2FA authentication on iOS. Only the Windows Community Edition and Viscosity on macOS (actually I only supposed it works given the documentation but never really tried). I could not find a way to have it working on ANY other platform. I welcome any evidence to the contrary.

I wish I could, I never found any documentation on how to send the 2FA token to the server using OpenVPN Connect. Only the Windows client Community Edition is clearly capable of doing it (not tested personally, but many testimonials here of its success). I tried with iOS and Android, never managed to do it. As well as googling the web to death, I could find nothing.

I always thought it was a problem of OpenVPN Connect, but probably the reason for this failure is instead the way the OpenVPN server is implemented in IPFire (see thread below).

In this thread we discussed the problem with someone who, contrary to me, knows what he is talking about.

I wanted to open a bug report, but I never found the energy and time to do it.

EDIT: 13097 – OpenVPN, 2FA infrastructure is not working using ANY client EXCEPT Windows Community Edition

I mean OpenVPN Community edition…