
WEB_AUTH on REAUTH breaks connection #282

Closed

jkroepke opened this issue Sep 24, 2023 · 10 comments

Comments

@jkroepke

Hi,

I'm running OpenVPN Connect v3 for Mac against a private OpenVPN 2 server.

The OpenVPN 2 server has deferred auth enabled which returns a WEB_AUTH to the client.

While the initial authentication works fine, there are some issues on REAUTH.

The OpenVPN 3 client opens the browser and the OIDC flow succeeds.

However, the client is stuck here

[screenshot]

even after closing the browser tab.

In the server log, I can see that there is no `PUSH: Received control message: 'PUSH_REQUEST'`

Server logs

```text
tests-openvpn-1  | 2023-09-24 16:39:55 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
tests-openvpn-1  | 2023-09-24 16:39:55 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
tests-openvpn-1  | 2023-09-24 16:39:55 WARNING: file '/etc/openvpn/pki/private/server.key' is group or others accessible
tests-openvpn-1  | 2023-09-24 16:39:55 WARNING: file '/etc/openvpn/password.txt' is group or others accessible
tests-openvpn-1  | 2023-09-24 16:39:55 OpenVPN 2.6.6 [git:release/2.6/70ef43f2b9b93825] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Sep 16 2023
tests-openvpn-1  | 2023-09-24 16:39:55 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
tests-openvpn-1  | 2023-09-24 16:39:55 DCO version: N/A
tests-openvpn-1  | 2023-09-24 16:39:55 MANAGEMENT: TCP Socket listening on [AF_INET][undef]:8081
tests-openvpn-1  | 2023-09-24 16:39:55 Need hold release from management interface, waiting...
tests-openvpn-1  | 2023-09-24 16:40:08 MANAGEMENT: Client connected from [AF_INET]192.168.65.1:60280
tests-openvpn-1  | 2023-09-24 16:40:08 MANAGEMENT: CMD 'hold release'
tests-openvpn-1  | 2023-09-24 16:40:08 net_route_v4_best_gw query: dst 0.0.0.0
tests-openvpn-1  | 2023-09-24 16:40:08 net_route_v4_best_gw result: via 172.18.0.1 dev eth0
tests-openvpn-1  | 2023-09-24 16:40:08 TUN/TAP device tun0 opened
tests-openvpn-1  | 2023-09-24 16:40:08 net_iface_mtu_set: mtu 1500 for tun0
tests-openvpn-1  | 2023-09-24 16:40:08 net_iface_up: set tun0 up
tests-openvpn-1  | 2023-09-24 16:40:08 net_addr_v4_add: 100.64.0.1/24 dev tun0
tests-openvpn-1  | 2023-09-24 16:40:08 Could not determine IPv4/IPv6 protocol. Using AF_INET
tests-openvpn-1  | 2023-09-24 16:40:08 Socket Buffers: R=[212992->212992] S=[212992->212992]
tests-openvpn-1  | 2023-09-24 16:40:08 UDPv4 link local (bound): [AF_INET][undef]:1194
tests-openvpn-1  | 2023-09-24 16:40:08 UDPv4 link remote: [AF_UNSPEC]
tests-openvpn-1  | 2023-09-24 16:40:08 UID set to nobody
tests-openvpn-1  | 2023-09-24 16:40:08 GID set to nogroup
tests-openvpn-1  | 2023-09-24 16:40:08 Capabilities retained: CAP_NET_ADMIN
tests-openvpn-1  | 2023-09-24 16:40:08 MULTI: multi_init called, r=256 v=256
tests-openvpn-1  | 2023-09-24 16:40:08 IFCONFIG POOL IPv4: base=100.64.0.2 size=253
tests-openvpn-1  | 2023-09-24 16:40:08 Initialization Sequence Completed
tests-openvpn-1  | 2023-09-24 16:40:08 MANAGEMENT: CMD 'version'
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 VERIFY OK: depth=1, CN=Easy-RSA CA
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 VERIFY OK: depth=0, CN=joe
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_VER=3.8.1
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_PLAT=mac
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_NCP=2
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_TCPNL=1
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_PROTO=990
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_MTU=1600
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_AUTO_SESS=1
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_GUI_VER=OCmacOS_3.4.4-4629
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_SSO=webauth,openurl,crtext
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 peer info: IV_BS64DL=1
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 TLS: Username/Password authentication deferred for username ''
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit ED25519, signature: ED25519
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 [joe] Peer Connection Initiated with [AF_INET]192.168.65.1:50129
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 PUSH: Received control message: 'PUSH_REQUEST'
tests-openvpn-1  | 2023-09-24 16:40:09 MANAGEMENT: CMD 'client-pending-auth 0 1 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=NAId_iAKkHy3EJ3bbZPLKcmxq6NmFgrpWxP1mnWsB86c31FD64vsfoHmvqaCLygoUzHovHTKop1ZK_tz73Swhk_dTxaO_VeGWK-zRvC-qaCKgRN8espJ5m91T3qPMuaqFtI8NtFx9KDLrDF1Pjoo6i_FcwfdCQ14guraYisptzfYYO9Q5pba5VTUmoN0wF-OdIr4mbQ" 600'
tests-openvpn-1  | 2023-09-24 16:40:09 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:40:09 SENT CONTROL [joe]: 'INFO_PRE,WEB_AUTH::https://joe-nb:9000/oauth2/start?state=NAId_iAKkHy3EJ3bbZPLKcmxq6NmFgrpWxP1mnWsB86c31FD64vsfoHmvqaCLygoUzHovHTKop1ZK_tz73Swhk_dTxaO_VeGWK-zRvC-qaCKgRN8espJ5m91T3qPMuaqFtI8NtFx9KDLrDF1Pjoo6i_FcwfdCQ14guraYisptzfYYO9Q5pba5VTUmoN0wF-OdIr4mbQ' (status=1)
tests-openvpn-1  | 2023-09-24 16:40:10 192.168.65.1:50129 PUSH: Received control message: 'PUSH_REQUEST'
tests-openvpn-1  | 2023-09-24 16:40:11 MANAGEMENT: CMD 'client-auth 0 1'
tests-openvpn-1  | 2023-09-24 16:40:11 joe/192.168.65.1:50129 MULTI_sva: pool returned IPv4=100.64.0.2, IPv6=(Not enabled)
tests-openvpn-1  | 2023-09-24 16:40:11 joe/192.168.65.1:50129 MULTI: Learn: 100.64.0.2 -> joe/192.168.65.1:50129
tests-openvpn-1  | 2023-09-24 16:40:11 joe/192.168.65.1:50129 MULTI: primary virtual IP for joe/192.168.65.1:50129: 100.64.0.2
tests-openvpn-1  | 2023-09-24 16:40:11 joe/192.168.65.1:50129 SENT CONTROL [joe]: 'PUSH_REPLY,route-gateway 100.64.0.1,topology subnet,ping 10,ping-restart 60,auth-token-user bWFpbEBqa3JvZXBrZS5kZQ==,ifconfig 100.64.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
tests-openvpn-1  | 2023-09-24 16:40:12 joe/192.168.65.1:50129 Data Channel: cipher 'AES-256-GCM', peer-id: 0
tests-openvpn-1  | 2023-09-24 16:40:12 joe/192.168.65.1:50129 Timers: ping 10, ping-restart 120
tests-openvpn-1  | 2023-09-24 16:40:12 joe/192.168.65.1:50129 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 TLS: soft reset sec=57/57 bytes=380/-1 pkts=10/0
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 VERIFY OK: depth=1, CN=Easy-RSA CA
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 VERIFY OK: depth=0, CN=joe
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_VER=3.8.1
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_PLAT=mac
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_NCP=2
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_TCPNL=1
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_PROTO=990
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_MTU=1600
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_AUTO_SESS=1
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_GUI_VER=OCmacOS_3.4.4-4629
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 peer info: IV_SSO=webauth,openurl,crtext
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 TLS: Username/Password authentication deferred for username ''
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit ED25519, signature: ED25519
tests-openvpn-1  | 2023-09-24 16:41:06 MANAGEMENT: CMD 'client-pending-auth 0 3 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=u4ueW-bqZNBuBY_FZQBzVgMoPS3_CvBd9I1K1r4xJG8mVhTAN-PSZfgIzGboft04JbYz-BRz7JA_YlxrB-h15GRNSY5hb99NRaR5XGziUlapXSMfLK14Sv5jASm6G0Xjq_HumPlHuStG7RMbgK1KgezGirD7qekRxiq_TsrzxF1gSr-BjzVSf_0cTh9-vrjUW4uKmO8" 600'
tests-openvpn-1  | 2023-09-24 16:41:06 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:41:06 SENT CONTROL [joe]: 'INFO_PRE,WEB_AUTH::https://joe-nb:9000/oauth2/start?state=u4ueW-bqZNBuBY_FZQBzVgMoPS3_CvBd9I1K1r4xJG8mVhTAN-PSZfgIzGboft04JbYz-BRz7JA_YlxrB-h15GRNSY5hb99NRaR5XGziUlapXSMfLK14Sv5jASm6G0Xjq_HumPlHuStG7RMbgK1KgezGirD7qekRxiq_TsrzxF1gSr-BjzVSf_0cTh9-vrjUW4uKmO8' (status=1)
tests-openvpn-1  | 2023-09-24 16:41:07 MANAGEMENT: CMD 'client-auth 0 3'
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 TLS: soft reset sec=57/57 bytes=0/-1 pkts=0/0
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 VERIFY OK: depth=1, CN=Easy-RSA CA
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 VERIFY OK: depth=0, CN=joe
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_VER=3.8.1
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_PLAT=mac
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_NCP=2
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_TCPNL=1
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_PROTO=990
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_MTU=1600
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_AUTO_SESS=1
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_GUI_VER=OCmacOS_3.4.4-4629
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 peer info: IV_SSO=webauth,openurl,crtext
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 TLS: Username/Password authentication deferred for username ''
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit ED25519, signature: ED25519
tests-openvpn-1  | 2023-09-24 16:42:03 MANAGEMENT: CMD 'client-pending-auth 0 4 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=KqIg1PtCqMoJp2W_H8UeSqiCjCbiq1d8vwMpFwfQH0AxCmdhvt_QQVpdt5Q4l3Cnqna8N2Gq7joTus9QeLr68juuVpSIvkenBe7T7hUXw2xDewd02svQPcLYlS-2QS03C9br7qoxwmEtjq6sSwfu_skg4FaT5ru2PBLT45j6T24GJFBoUS5fzurr2Q4wYFRcOH4_vzs" 600'
tests-openvpn-1  | 2023-09-24 16:42:03 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:42:03 SENT CONTROL [joe]: 'INFO_PRE,WEB_AUTH::https://joe-nb:9000/oauth2/start?state=KqIg1PtCqMoJp2W_H8UeSqiCjCbiq1d8vwMpFwfQH0AxCmdhvt_QQVpdt5Q4l3Cnqna8N2Gq7joTus9QeLr68juuVpSIvkenBe7T7hUXw2xDewd02svQPcLYlS-2QS03C9br7qoxwmEtjq6sSwfu_skg4FaT5ru2PBLT45j6T24GJFBoUS5fzurr2Q4wYFRcOH4_vzs' (status=1)
tests-openvpn-1  | 2023-09-24 16:42:13 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:42:23 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:42:33 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:42:43 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:42:53 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:43:03 joe/192.168.65.1:50129 Delayed exit in 5 seconds
tests-openvpn-1  | 2023-09-24 16:43:03 joe/192.168.65.1:50129 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
tests-openvpn-1  | 2023-09-24 16:43:03 joe/192.168.65.1:50129 SENT CONTROL [joe]: 'AUTH_FAILED' (status=1)
tests-openvpn-1  | 2023-09-24 16:43:08 joe/192.168.65.1:50129 SIGTERM[soft,delayed-exit] received, client-instance exiting
```

Client logs

```text
[Sep 24, 2023, 18:39:59] Frame=512/2112/512 mssfix-ctrl=1250
[Sep 24, 2023, 18:39:59] NOTE: This configuration contains options that were not used:
[Sep 24, 2023, 18:39:59] Unsupported option (ignored)
[Sep 24, 2023, 18:39:59] 5 [resolv-retry] [infinite]
[Sep 24, 2023, 18:39:59] 7 [persist-tun]
[Sep 24, 2023, 18:39:59] EVENT: RESOLVE
[Sep 24, 2023, 18:39:59] Contacting 127.0.0.1:1194 via UDP
[Sep 24, 2023, 18:39:59] EVENT: WAIT
[Sep 24, 2023, 18:39:59] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "127.0.0.1",
	"ipv6" : false,
	"pid" : 61137
}

[Sep 24, 2023, 18:39:59] Connecting to [127.0.0.1]:1194 (127.0.0.1) via UDPv4
[Sep 24, 2023, 18:40:09] EVENT: CONNECTING
[Sep 24, 2023, 18:40:09] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 24, 2023, 18:40:09] Creds: UsernameEmpty/PasswordEmpty
[Sep 24, 2023, 18:40:09] Peer Info:
IV_VER=3.8.1
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.4-4629
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Sep 24, 2023, 18:40:09] SSL Handshake: peer certificate: CN=server, 256 bit ED25519, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Sep 24, 2023, 18:40:09] Session is ACTIVE
[Sep 24, 2023, 18:40:09] EVENT: GET_CONFIG
[Sep 24, 2023, 18:40:09] Sending PUSH_REQUEST to server...
[Sep 24, 2023, 18:40:09] Extending connection timeout from 49 to 60 for pending authentification
[Sep 24, 2023, 18:40:09] EVENT: AUTH_PENDING timeout 60
[Sep 24, 2023, 18:40:09] EVENT: INFO WEB_AUTH::https://joe-nb:9000/oauth2/start?state=NAId_iAKkHy3EJ3bbZPLKcmxq6NmFgrpWxP1mnWsB86c31FD64vsfoHmvqaCLygoUzHovHTKop1ZK_tz73Swhk_dTxaO_VeGWK-zRvC-qaCKgRN8espJ5m91T3qPMuaqFtI8NtFx9KDLrDF1Pjoo6i_FcwfdCQ14guraYisptzfYYO9Q5pba5VTUmoN0wF-OdIr4mbQ
[Sep 24, 2023, 18:40:10] Sending PUSH_REQUEST to server...
[Sep 24, 2023, 18:40:11] OPTIONS:
0 [route-gateway] [100.64.0.1]
1 [topology] [subnet]
2 [ping] [10]
3 [ping-restart] [60]
4 [auth-token-user] [bWFpbEBqa3JvZXBrZS5kZQ==]
5 [ifconfig] [100.64.0.2] [255.255.255.0]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]
8 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt]
9 [tun-mtu] [1500]

[Sep 24, 2023, 18:40:11] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
  control channel: dynamic tls-crypt enabled
[Sep 24, 2023, 18:40:11] TunPersist: short-term connection scope
[Sep 24, 2023, 18:40:11] TunPersist: new tun context
[Sep 24, 2023, 18:40:11] EVENT: ASSIGN_IP
[Sep 24, 2023, 18:40:11] CAPTURED OPTIONS:
Session Name: 127.0.0.1
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: 127.0.0.1
Tunnel Addresses:
  100.64.0.2/24 -> 100.64.0.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
Search Domains:

[Sep 24, 2023, 18:40:11] SetupClient: transmitting tun setup list to /var/run/agent_ovpnconnect.sock
{
	"config" : 
	{
		"iface_name" : "",
		"layer" : "OSI_LAYER_3",
		"tun_prefix" : false
	},
	"pid" : 61137,
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"block_ipv6" : false,
		"layer" : 3,
		"mtu" : 1500,
		"remote_address" : 
		{
			"address" : "127.0.0.1",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 256,
			"ipv4" : false,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"session_name" : "127.0.0.1",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "100.64.0.2",
				"gateway" : "100.64.0.1",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		]
	}
}
POST unix://[/var/run/agent_ovpnconnect.sock]/tun-setup : 200 OK
{
	"iface_name" : "utun10",
	"layer" : "OSI_LAYER_3",
	"tun_prefix" : true
}
/sbin/ifconfig utun10 down
/sbin/ifconfig utun10 100.64.0.2 100.64.0.1 netmask 255.255.255.0 mtu 1500 up
/sbin/route add -net 100.64.0.0 -netmask 255.255.255.0 100.64.0.2
add net 100.64.0.0: gateway 100.64.0.2
MacDNSAction: FLAGS=F RD=0 SO=5000 DNS= DOM= ADS=
open utun10 SUCCEEDED
[Sep 24, 2023, 18:40:11] Connected via utun10
[Sep 24, 2023, 18:40:11] EVENT: CONNECTED 127.0.0.1:1194 (127.0.0.1) via /UDPv4 on utun10/100.64.0.2/ gw=[100.64.0.1/] mtu=1500
[Sep 24, 2023, 18:41:06] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 24, 2023, 18:41:06] Peer Info:
IV_VER=3.8.1
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.4-4629
IV_SSO=webauth,openurl,crtext

[Sep 24, 2023, 18:41:06] Creds: UsernameEmpty/PasswordEmpty
[Sep 24, 2023, 18:41:06] SSL Handshake: peer certificate: CN=server, 256 bit ED25519, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Sep 24, 2023, 18:41:06] EVENT: INFO WEB_AUTH::https://joe-nb:9000/oauth2/start?state=u4ueW-bqZNBuBY_FZQBzVgMoPS3_CvBd9I1K1r4xJG8mVhTAN-PSZfgIzGboft04JbYz-BRz7JA_YlxrB-h15GRNSY5hb99NRaR5XGziUlapXSMfLK14Sv5jASm6G0Xjq_HumPlHuStG7RMbgK1KgezGirD7qekRxiq_TsrzxF1gSr-BjzVSf_0cTh9-vrjUW4uKmO8
[Sep 24, 2023, 18:42:03] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 24, 2023, 18:42:03] Peer Info:
IV_VER=3.8.1
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.4-4629
IV_SSO=webauth,openurl,crtext

[Sep 24, 2023, 18:42:03] Creds: UsernameEmpty/PasswordEmpty
[Sep 24, 2023, 18:42:03] SSL Handshake: peer certificate: CN=server, 256 bit ED25519, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Sep 24, 2023, 18:42:03] EVENT: INFO WEB_AUTH::https://joe-nb:9000/oauth2/start?state=KqIg1PtCqMoJp2W_H8UeSqiCjCbiq1d8vwMpFwfQH0AxCmdhvt_QQVpdt5Q4l3Cnqna8N2Gq7joTus9QeLr68juuVpSIvkenBe7T7hUXw2xDewd02svQPcLYlS-2QS03C9br7qoxwmEtjq6sSwfu_skg4FaT5ru2PBLT45j6T24GJFBoUS5fzurr2Q4wYFRcOH4_vzs
[Sep 24, 2023, 18:43:03] AUTH_FAILED
[Sep 24, 2023, 18:43:03] EVENT: AUTH_FAILED
[Sep 24, 2023, 18:43:03] EVENT: DISCONNECTED
[Sep 24, 2023, 18:43:03] SetupClient: transmitting tun destroy request to /var/run/agent_ovpnconnect.sock
GET unix://[/var/run/agent_ovpnconnect.sock]/tun-destroy : 200 OK
/sbin/route delete -net 100.64.0.0 -netmask 255.255.255.0 100.64.0.2
delete net 100.64.0.0: gateway 100.64.0.2
/sbin/ifconfig utun10 down
MacDNSAction: FLAGS=F
[Sep 24, 2023, 18:44:51] Raw stats on disconnect:
 BYTES_IN : 7971
 BYTES_OUT : 7413
 PACKETS_IN : 38
 PACKETS_OUT : 50
 AUTH_FAILED : 1
 KEY_STATE_ERROR : 6

[Sep 24, 2023, 18:44:51] Performance stats on disconnect:
  CPU usage (microseconds): 22621753
  Network bytes per CPU second: 680
  Tunnel bytes per CPU second: 0
```
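As an added example (not from this issue's participants or from the openvpn3 project), here is a small Python triage script for the server side of this kind of deferred-auth hang. It groups each `client-pending-auth` command from the management interface with the `client-auth`/`client-deny` decision, the `PUSH_REQUEST`/`PUSH_REPLY` lines, the `TLS keys are out of sync` errors and the `AUTH_FAILED` that follow it, and records whether the round was preceded by a `TLS: soft reset` (a renegotiation). The embedded sample is a trimmed copy of the server log above with the WEB_AUTH `state` values replaced by the placeholder `STATE_TRIMMED` and the `PUSH_REPLY` shortened; the `AuthAttempt` fields and the `classify()` verdict strings are this example's own.

```python
"""Deferred-auth triage for an OpenVPN 2 server log.
Added example, not code from this issue or the openvpn3 project."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed copy of the server log quoted in the issue; WEB_AUTH state values
# are replaced by the placeholder STATE_TRIMMED and PUSH_REPLY is shortened.
SERVER_LOG = """\
tests-openvpn-1  | 2023-09-24 16:40:09 192.168.65.1:50129 PUSH: Received control message: 'PUSH_REQUEST'
tests-openvpn-1  | 2023-09-24 16:40:09 MANAGEMENT: CMD 'client-pending-auth 0 1 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=STATE_TRIMMED" 600'
tests-openvpn-1  | 2023-09-24 16:40:09 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:40:10 192.168.65.1:50129 PUSH: Received control message: 'PUSH_REQUEST'
tests-openvpn-1  | 2023-09-24 16:40:11 MANAGEMENT: CMD 'client-auth 0 1'
tests-openvpn-1  | 2023-09-24 16:40:11 joe/192.168.65.1:50129 SENT CONTROL [joe]: 'PUSH_REPLY,route-gateway 100.64.0.1,topology subnet' (status=1)
tests-openvpn-1  | 2023-09-24 16:41:06 joe/192.168.65.1:50129 TLS: soft reset sec=57/57 bytes=380/-1 pkts=10/0
tests-openvpn-1  | 2023-09-24 16:41:06 MANAGEMENT: CMD 'client-pending-auth 0 3 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=STATE_TRIMMED" 600'
tests-openvpn-1  | 2023-09-24 16:41:06 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:41:07 MANAGEMENT: CMD 'client-auth 0 3'
tests-openvpn-1  | 2023-09-24 16:42:03 joe/192.168.65.1:50129 TLS: soft reset sec=57/57 bytes=0/-1 pkts=0/0
tests-openvpn-1  | 2023-09-24 16:42:03 MANAGEMENT: CMD 'client-pending-auth 0 4 "WEB_AUTH::https://joe-nb:9000/oauth2/start?state=STATE_TRIMMED" 600'
tests-openvpn-1  | 2023-09-24 16:42:03 SENT CONTROL [joe]: 'AUTH_PENDING,timeout 60' (status=1)
tests-openvpn-1  | 2023-09-24 16:42:13 joe/192.168.65.1:50129 TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.65.1:50129 (received key id: 0, known key ids:  [key#0 state=S_ACTIVE auth=KS_AUTH_DEFERRED id=2 sid=dcdf51a1 aa093ba0] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=dcdf51a1 aa093ba0] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
tests-openvpn-1  | 2023-09-24 16:43:03 joe/192.168.65.1:50129 SENT CONTROL [joe]: 'AUTH_FAILED' (status=1)
"""

RE_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
RE_PENDING = re.compile(r"""CMD 'client-pending-auth (\d+) (\d+) "([A-Z_]+)::[^"]*" (\d+)'""")
RE_DECISION = re.compile(r"CMD 'client-(auth|deny) (\d+) (\d+)")
RE_SERVER_TIMEOUT = re.compile(r"'AUTH_PENDING,timeout (\d+)'")
RE_PUSH_REPLY = re.compile(r"SENT CONTROL \[[^\]]*\]: 'PUSH_REPLY")
RE_AUTH_FAILED = re.compile(r"SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED'")


@dataclass
class AuthAttempt:
    cid: int
    kid: int
    method: str                    # e.g. WEB_AUTH
    started: str                   # timestamp of the client-pending-auth command
    mgmt_timeout: int              # seconds the management client asked for
    reauth: bool                   # round was preceded by a TLS soft reset
    server_timeout: Optional[int] = None   # timeout in the AUTH_PENDING sent to the client
    decision: Optional[str] = None         # "auth" or "deny" from the management client
    push_requests: int = 0         # PUSH_REQUESTs received after pending-auth
    push_reply: bool = False
    key_sync_errors: int = 0       # "TLS keys are out of sync" lines
    auth_failed: bool = False


def parse_server_log(text: str) -> List[AuthAttempt]:
    # Every timestamped line is attributed to the most recent pending-auth round.
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    after_soft_reset = False
    for line in text.splitlines():
        ts = RE_TS.search(line)
        if not ts:
            continue
        if "TLS: soft reset" in line:
            after_soft_reset = True      # renegotiation: the next round is a reauth
            continue
        m = RE_PENDING.search(line)
        if m:
            current = AuthAttempt(int(m[1]), int(m[2]), m[3], ts[0],
                                  int(m[4]), after_soft_reset)
            after_soft_reset = False
            attempts.append(current)
            continue
        if current is None:
            continue                     # nothing to attribute the line to yet
        d = RE_DECISION.search(line)
        t = RE_SERVER_TIMEOUT.search(line)
        if d and (int(d[2]), int(d[3])) == (current.cid, current.kid):
            current.decision = d[1]
        elif t:
            current.server_timeout = int(t[1])
        elif "'PUSH_REQUEST'" in line:
            current.push_requests += 1
        elif RE_PUSH_REPLY.search(line):
            current.push_reply = True
        elif "TLS keys are out of sync" in line:
            current.key_sync_errors += 1
        elif RE_AUTH_FAILED.search(line):
            current.auth_failed = True
    return attempts


def classify(a: AuthAttempt) -> str:
    # One-line verdict per round; the wording is this example's own.
    if a.decision == "deny":
        verdict = "denied by the management client"
    elif a.decision is None:
        verdict = ("expired: AUTH_FAILED sent with no client-auth/client-deny"
                   if a.auth_failed else "still pending")
    elif a.reauth:
        verdict = "granted on renegotiation"
    else:
        verdict = "granted, " + ("PUSH_REPLY sent" if a.push_reply else "no PUSH_REPLY seen")
    if a.key_sync_errors:
        verdict += f"; {a.key_sync_errors} key-out-of-sync error(s) followed"
    return verdict


if __name__ == "__main__":
    for a in parse_server_log(SERVER_LOG):
        print(f"cid={a.cid} kid={a.kid} {a.method} at {a.started}: {classify(a)}")
```

On the sample it reports the first round as granted with a PUSH_REPLY, the first renegotiation as granted, and the second renegotiation as expired into AUTH_FAILED with a key-out-of-sync error in between. Lines before the first `client-pending-auth` (such as the very first PUSH_REQUEST) are deliberately left unattributed, and the timeout the server sends in `AUTH_PENDING` is kept separate from the one the management client requested, because the log above shows them differing (60 versus 600).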
@jkroepke
Author

@lstipakov do you have a hint for me to debug this issue?

@lstipakov
Member

Sorry for the delay. This looks like a bug in OpenVPN Connect, not in the core library. We have a similar bug in the Windows client and provided a workaround until it is fixed. Since this is not a core library issue, I am closing this ticket and suggest you contact OpenVPN Support - unfortunately they're not monitoring GitHub.

@jkroepke
Author

jkroepke commented Dec 21, 2023

Hi @lstipakov

OpenVPN Support does not provide an option to create a request for OpenVPN Connect. Seems like an unresolvable deadlock here.

@lstipakov
Member

lstipakov commented Dec 21, 2023

> OpenVPN Support does not provide an option to create a request for OpenVPN Connect. Seems like an unresolvable deadlock here.

[screenshot]

@jkroepke
Author

Thanks @lstipakov, however I'm stuck here

[screenshot]

It seems like running OpenVPN Connect against an OpenVPN 2 server is not a supported scenario.

Thanks for your help!

@novaflash

novaflash commented Dec 21, 2023

hey @jkroepke - check again, I've discussed this with people in OpenVPN Inc. and they've added community edition to that support form. So you can submit your issue now. It seems quite likely to be a bug in OpenVPN Connect. And I can tell you that OpenVPN Inc. definitely does want to get those bug reports.

OpenVPN Connect is created and maintained by OpenVPN Inc. and is free and works with Access Server, CloudConnexa, and open source community edition.

However, as you can imagine, since OpenVPN Inc. sells the products Access Server and CloudConnexa, those paying customers get support connecting OpenVPN Connect and open source clients to those paid server products. But the reverse, connecting OpenVPN Connect to an open source server, is lower on the priority in terms of support because OpenVPN Inc. doesn't get any money from paying customers for that. There is of course forums.openvpn.net for community support, but this smells like a bug report that the maintainers need to know about, and it looks like it is best reported where they want it to be reported - support.openvpn.net.

So what I'm saying is, what you can expect is that the bug report for OpenVPN Connect will be taken and reviewed gladly on support.openvpn.net, but if the issue turns out to be in the open source community OpenVPN server configuration, then that's something OpenVPN Inc. probably won't be able to solve for you. But honestly after looking at this, it seems like a bug purely in Connect.

@jkroepke
Author

Hey @novaflash

reading your post makes me happy. Did not expect that OpenVPN Inc has some interest in bugs which may not exist if Connect is used against non-commercial products.

I understand that the priority is low for free users and if there is a solution in 6-9 months, I'm more than happy.

Thanks a lot. 👍

@jkroepke
Author

Hey @novaflash,

I still have some issues with support. I may still need assistance here. I chose the new option 'community edition'.

[screenshot]

@novaflash

Probably they just need to check internally about change of procedure in this regard. I'm sure it will be fine, give it some time.

@lolorc

lolorc commented Sep 3, 2024

atm the workaround here is to set the following in the .ovpn client config, and no auth-user-pass-optional in the server config.

```
<auth-user-pass>
login
login
</auth-user-pass>
```

not the same context, I'm also supplying client certs and authenticating with webauth
