Windows OpenVPN Client win11 With IPFire connection problems

This should be done by IPFire?!
Just as the OTP challenge should be included in the .ovpn file… (so that the OTP question pops up)

But that's just my 2 cents.

Like this it is less secure because the certificate is in plain text. Normally the client and the OS would find the certificates from the .p12 file and everything would work smoothly. For some reason this is failing in your setting, but this is not normal. IPFire could create automatically an .ovpn with all the certificates embedded if you go for the insecure route.

I tried to add the certificate using the ca tags from a .ovpn file from an insecure package…
This was not working :frowning:

It all looks so nice in specs, but if it's not working and our VPNs are working without any form of name/passwords or OTP challenges… it is simply insecure, so NOT usable!!

If somebody gains access to our “unsecure” vpn connection files or our windows machines they gain access to our environment. (this is NOT an option)

Something is very wrong with your setting; the certificate cannot be missed if embedded in the .ovpn. This has never failed before in iOS, macOS or Android, in my tests.

EDIT: try to extract it from a secure .p12 as highlighted in the post above. OpenSSL will ask for the password before writing it in clear text.

1 Like

Maybe it's just the Windows client??? So the OpenVPN client that makes the trouble.

But I cannot be the only one using Windows :stuck_out_tongue:

You are not, but you are the first to report this issue. If you search the forum you will find several Windows users that had trouble importing the certificates that were solved by following the instructions given by other members of this forum.

Edit: this is a recent one: Cannot find .p12 file in Windows 11? - #5 by tphz

2 Likes

I guess that this is an older OpenVPN client in Windows (2.x.x??).
The folder that they use is also not 'normal' in Windows.

3.3.6 uses something like:

C:\Users\<username>\AppData\Roaming\OpenVPN Connect\profiles

I always stand on the bleeding edge (first one to get into trouble :stuck_out_tongue:)

My environment is very new, so I download all the latest and greatest versions

v3

I would just like to remind you that there are two editions/versions of the OpenVPN client available on openvpn.net.

  1. the "official" version - OpenVPN Connect
  2. the Community Edition version

These editions differ in the way they are configured.
Differences in configuration have been a source of trouble, reported and explained on the IPFire forum.

OTP works only on the community edition.

3 Likes

I will try the 'other' version now…

I was always clear which version I used (first post)

My understanding of the client “community” fork is that OpenVPN monetizes their development, which is open source, by selling their cloud or enterprise solutions. The client is designed to work best with those versions that contain proprietary code, including the 2FA.

The community edition is the attempt of porting some of those proprietary features to the open source version.

If you use their cloud or self-hosting solutions, you definitely want to have the V3 of the official OpenVPN Connect. However if you use the open source code, like the server in IPFire, you might want to stick to the community edition.

3 Likes

grrr… I installed the community version…
Set a p12 password,
activated OTP

I have put the files in the correct folder…

2023-02-03 16:28:53 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
2023-02-03 16:28:53 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-02-03 16:28:53 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2023-02-03 16:28:53 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-02-03 16:28:53 Need hold release from management interface, waiting...
2023-02-03 16:28:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50759
2023-02-03 16:28:53 MANAGEMENT: CMD 'state on'
2023-02-03 16:28:53 MANAGEMENT: CMD 'log on all'
2023-02-03 16:28:53 MANAGEMENT: CMD 'echo on all'
2023-02-03 16:28:53 MANAGEMENT: CMD 'bytecount 5'
2023-02-03 16:28:53 MANAGEMENT: CMD 'state'
2023-02-03 16:28:53 MANAGEMENT: CMD 'hold off'
2023-02-03 16:28:53 MANAGEMENT: CMD 'hold release'
2023-02-03 16:29:04 MANAGEMENT: CMD 'password [...]'
2023-02-03 16:29:04 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-02-03 16:29:04 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-02-03 16:29:04 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-02-03 16:29:04 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-02-03 16:29:04 MANAGEMENT: >STATE:1675438144,RECONNECTING,private-key-password-failure,,,,,
2023-02-03 16:29:04 Restart pause, 1 second(s)
2023-02-03 16:29:29 MANAGEMENT: CMD 'password [...]'
2023-02-03 16:29:29 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-02-03 16:29:29 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-02-03 16:29:29 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-02-03 16:29:29 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-02-03 16:29:29 MANAGEMENT: >STATE:1675438169,RECONNECTING,private-key-password-failure,,,,,
2023-02-03 16:29:29 Restart pause, 1 second(s)

I get this:

error:11800071:PKCS12 routines::mac verify failure
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

I use TLS Channel protection
Hash is SHA2 (512 bit)
Encryption is: AES-GCM (256 bit)

Now I'm clueless :frowning:

At the moment, this problem appeared in version 2.6.0

1 Like

Quite unlucky too :grin:. You hit another problem due to a change to OpenSSL 3 for OpenVPN Connect 2.6 in Windows that has not happened yet in IPFire. Fortunately, this post @bonnietwin should provide a workaround until OpenSSL 3 is shipped in IPFire.

3 Likes

adding the line

providers legacy default

to the .ovpn configuration file does not help?

2 Likes
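An added check, not from this thread nor from IPFire's or OpenVPN's own code, for telling ahead of time whether a given .p12 will trip this OpenSSL 3 error: it walks the DER and reports the password-based encryption schemes the file uses, which is what openssl pkcs12 -info also prints, but here without needing the import password or the legacy provider, since the algorithm identifiers are stored in cleartext. RC2-based schemes are the ones the OpenSSL 3 default provider no longer implements; the embedded sample is constructed, not taken from a real IPFire package.

```python
# Added check (not from the thread, IPFire or OpenVPN): list the password-based encryption
# (PBE) schemes a .p12 uses, to predict whether an OpenSSL 3 client such as OpenVPN 2.6 on
# Windows will fail with "Decoding PKCS12 failed" unless "providers legacy default" is set.

# DER-encoded OID contents (tag and length stripped) -> PBE scheme name.
LEGACY = {  # RC2 is implemented only by the OpenSSL 3 "legacy" provider
    bytes.fromhex("2a864886f70d010c0106"): "pbeWithSHA1And40BitRC2-CBC",  # 1.2.840.113549.1.12.1.6
}
MODERN = {  # handled by the OpenSSL 3 default provider
    bytes.fromhex("2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC",  # 1.2.840.113549.1.12.1.3
    bytes.fromhex("2a864886f70d01050d"): "PBES2 (PBKDF2 + AES)",                # 1.2.840.113549.1.5.13
}

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos, or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return (tag, buf[pos:pos + length], pos + length) if pos + length <= len(buf) else None

def collect_oids(buf):
    """All OID contents found in buf, or None if buf is not a clean run of DER elements."""
    pos, found = 0, []
    while pos < len(buf):
        tlv = _read_tlv(buf, pos)
        if tlv is None:
            return None
        tag, body, pos = tlv
        if tag == 0x06:
            found.append(bytes(body))
        elif tag & 0x20 or tag == 0x04:     # constructed (SEQUENCE/SET/[n]) or OCTET STRING:
            found.extend(collect_oids(body) or [])  # PKCS#12 nests DER inside OCTET STRINGs
    return found

def pbe_report(der):
    """Map each recognised PBE scheme in a PKCS#12 blob to its OpenSSL 3 verdict."""
    names = {**LEGACY, **MODERN}
    return {names[o]: "needs legacy provider" if o in LEGACY else "ok with default provider"
            for o in collect_oids(der) or [] if o in names}

def _der(tag, body):                        # short-form DER builder for the constructed sample
    return bytes([tag, len(body)]) + body

# Constructed sample: a PKCS#7 EncryptedContentInfo shell using RC2-40, as old exports do.
LEGACY_SAMPLE = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701"))        # pkcs7-data
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010c0106"))
           + _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00")))      # salt, 2048 iters
    + _der(0x80, b"\xde\xad\xbe\xef" * 4))                                        # stand-in ciphertext
```

Run pbe_report on the bytes of a real client .p12; any scheme reported as needing the legacy provider means the client must carry providers legacy default until the file is re-exported with PBES2/AES.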

In my test environment with Windows 11 - looks like it's connected

On Windows 10 it did not connect

2023-02-03 20:29:17 CreateFile failed on ovpn-dco device: \\?\ROOT#NET#0008#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco
2023-02-03 20:29:17 MANAGEMENT: Client disconnected
2023-02-03 20:29:17 All ovpn-dco adapters on this system are currently in use or disabled.
2023-02-03 20:29:17 Exiting due to fatal error

Windows 10 connects when all OpenVPN Data Channel Offload interfaces are disabled or removed.

OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Windows version 10.0 (Windows 10 or greater), amd64 executable

Best

1 Like

OK, some good news…

I got it working by adding the following 3 lines to the standard ovpn that was provided by the IPFire download package.

auth-user-pass
static-challenge "Enter your OTP" 0
providers legacy default

One weird thing…

I get 3 prompts:

  1. user password
  2. OTP token
  3. user password

But after the 3 prompts, I get connected :slight_smile:

current ovpn:

Additional Information:

I made a NEW profile in IPFire which has NO PKCS12 file password
but it does have the OTP token.
I added the 3 lines in the ovpn file manually.

So the result is :

Only 1 prompt for the OTP and after that it connects perfectly fine.

So basically I removed the double prompts for the user password which was strange (in my eyes anyway).

p.s. (I would like to have a single password prompt… but for now this will do!)

thanks everybody for the help/comments :+1:

2 Likes