My company uses OTP with OpenVPN, so we have a three-factor authentication:
1) the private key
2) the username/password combination
3) an OTP token generated by Google Authenticator (on a separate prompt)

I use the kdeplasma-applets-plasma-nm package as my NM GUI, and it does not know how to respond to the OTP challenge. Here is the documentation on the CHALLENGE/RESPONSE protocol (at the bottom of the page): https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

It says client UIs should add explicit support for the challenge/response protocol. We use the 'dynamic' variation of the protocol, judging by the NM output in the logs.

Reproducible: Always

Steps to Reproduce:
1. Create an OpenVPN connection in the NM KDE Plasma applet
2. Start the connection
3. Have your key, username/password, OTP application ready

Actual Results:
Jul 22 18:07:06 vst NetworkManager[23350]: <info> Starting VPN service 'openvpn'...
Jul 22 18:07:06 vst NetworkManager[23350]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 14500
Jul 22 18:07:06 vst NetworkManager[23350]: <info> VPN service 'openvpn' appeared; activating connections
Jul 22 18:07:06 vst NetworkManager[23350]: <info> VPN plugin state changed: starting (3)
Jul 22 18:07:06 vst NetworkManager[23350]: <info> VPN connection 'VPN OTP' (Connect) reply received.
Jul 22 18:07:06 vst nm-openvpn[14501]: OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Jul 22 18:07:06 vst nm-openvpn[14501]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Jul 22 18:07:06 vst NetworkManager[23350]: nm-openvpn-Message: openvpn started with pid 14501
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 22 18:07:06 vst nm-openvpn[14501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/vst.key' is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/ta.key' is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: Control Channel Authentication: using '/home/vst/ovpn3/ta.key' as a OpenVPN static key file
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link local: [undef]
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link remote: [AF_INET]ovpnhost:1194
Jul 22 18:07:08 vst nm-openvpn[14501]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]ovpnhost:1194
Jul 22 18:07:10 vst nm-openvpn[14501]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:VM2+d9zeWvqrTIgufNqZHGloeSAoTUbb:dnN0ZXRza2V2eWNo:OTP Token:
Jul 22 18:07:10 vst nm-openvpn[14501]: SIGUSR1[soft,auth-failure] received, process restarting
Jul 22 18:07:10 vst NetworkManager[23350]: <warn> VPN plugin failed: login-failed (0)
Jul 22 18:07:10 vst NetworkManager[23350]: <info> VPN plugin state changed: stopped (6)
Jul 22 18:07:10 vst NetworkManager[23350]: <info> VPN plugin state change reason: login-failed (10)
Jul 22 18:07:10 vst NetworkManager[23350]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jul 22 18:07:10 vst NetworkManager[23350]: (nm-openvpn-service:14500): nm-openvpn-WARNING **: Password verification failed
Jul 22 18:07:30 vst NetworkManager[23350]: <info> VPN service 'openvpn' disappeared

Expected Results:
Here's a try with the official console client. Connects fine.

[root@vst ~]# openvpn --config /home/vst/ovpn3/ovpn3.conf
Wed Jul 22 23:01:55 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 2 2014
Wed Jul 22 23:01:55 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Enter Auth Username: ************
Enter Auth Password: ***********************
CHALLENGE: OTP Token:
Response: ******
Wed Jul 22 23:02:16 2015 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jul 22 23:02:16 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Socket Buffers: R=[212992->200000] S=[212992->200000]
Wed Jul 22 23:02:16 2015 UDPv4 link local: [undef]
Wed Jul 22 23:02:16 2015 UDPv4 link remote: [AF_INET]ovpnhost:1194
Wed Jul 22 23:02:16 2015 TLS: Initial packet from [AF_INET]ovpnhost:1194, sid=14519136 d810d773
Wed Jul 22 23:02:16 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Jul 22 23:02:19 2015 VERIFY OK: nsCertType=SERVER
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=0, CN=OpenVPN Server
...............
connection successful

Please fix the client so that it prompts for the challenge. Could use some kind of an askpass program maybe.
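To make the dynamic challenge/response exchange above concrete, here is an added example (not code from plasma-nm, NetworkManager or OpenVPN) that parses an AUTH_FAILED,CRV1 control message as it appears in the log and builds the password field a client must send on reconnect, as described in the linked management-interface documentation. It also covers the static-challenge (SCRV1) form for completeness. The state id, username and OTP values are constructed sample data.

```python
import base64
from dataclasses import dataclass
from typing import Optional

AUTH_FAILED_PREFIX = "AUTH_FAILED,"
CRV1_PREFIX = "CRV1:"


@dataclass
class DynamicChallenge:
    response_required: bool  # flag R: user must answer before reconnecting
    echo_response: bool      # flag E: the typed response may be shown in clear
    state_id: str            # opaque server token, returned unchanged
    username: str            # decoded from the base64 field
    challenge_text: str      # prompt to display; may itself contain ':'


def parse_dynamic_challenge(control_message: str) -> Optional[DynamicChallenge]:
    """Parse 'AUTH_FAILED,CRV1:<flags>:<state_id>:<username_b64>:<text>'.

    Returns None when the message is a plain AUTH_FAILED with no challenge.
    """
    if not control_message.startswith(AUTH_FAILED_PREFIX):
        return None
    body = control_message[len(AUTH_FAILED_PREFIX):]
    if not body.startswith(CRV1_PREFIX):
        return None
    # Only the first four ':' delimit fields; the challenge text keeps the rest.
    parts = body.split(":", 4)
    if len(parts) != 5:
        raise ValueError("malformed CRV1 challenge")
    _, flags, state_id, user_b64, text = parts
    flag_set = set(flags.split(","))
    return DynamicChallenge(
        response_required="R" in flag_set,
        echo_response="E" in flag_set,
        state_id=state_id,
        username=base64.b64decode(user_b64).decode("utf-8"),
        challenge_text=text,
    )


def dynamic_response_password(state_id: str, response: str) -> str:
    """Password field for the reconnect: CRV1::<state_id>::<response>."""
    return f"CRV1::{state_id}::{response}"


def static_challenge_password(password: str, response: str) -> str:
    """Static-challenge password field: SCRV1:<b64(password)>:<b64(response)>."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return f"SCRV1:{b64(password)}:{b64(response)}"


# Constructed sample: a challenge in the same shape as the one in the log above.
SAMPLE = "AUTH_FAILED,CRV1:R,E:StAtE-1234:YWxpY2U=:OTP Token:"
```

The username is re-sent unchanged on the second connection attempt; only the password field carries the state id and the OTP.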
Does it work in Gnome? I wonder whether the NM OpenVPN plugin supports this; otherwise there is nothing to implement until they add support for that.
It does not work in Gnome. Here's a bug report: https://bugzilla.gnome.org/show_bug.cgi?id=752740 But this may also be a client issue, I cannot tell.
Then, as I said, we need to wait until it's supported by the VPN plugin, then adding a dialog for that should be easy.
*** Bug 365807 has been marked as a duplicate of this bug. ***
(In reply to vst from comment #2)
> It does not work in Gnome. Here's a bug report:
> https://bugzilla.gnome.org/show_bug.cgi?id=752740
> But this may also be a client issue, I cannot tell.

It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8. By what I can see in the implementation we do not need to change anything in Plasma NM for it to work. Can you upgrade networkmanager-openvpn and check if it works for you?

[1] https://bugzilla.gnome.org/show_bug.cgi?id=751842
Unfortunately I cannot test this now, because I don't have access to an OTP-enabled OpenVPN server.
(In reply to Lamarque V. Souza from comment #5)
> (In reply to vst from comment #2)
> > It does not work in Gnome. Here's a bug report:
> > https://bugzilla.gnome.org/show_bug.cgi?id=752740
> > But this may also be a client issue, I cannot tell.
>
> It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8.
> By what I can see in the implementation we do not need to change anything in
> Plasma NM for it to work. Can you upgrade networkmanager-openvpn an check if
> it works for you?
>
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=751842

Unfortunately, it does not work. Gnome is properly showing a pop-up for the oauth token, but KDE doesn't. VPN is just stuck at connecting after providing the password and times out after some time. No popup for the token is shown...

It may be related to a bug in Gnome - if you set your password to be remembered between connections, it will automatically fill the OAuth prompt with your password and also save the OAuth token as your password if you fill it in... Maybe on the KDE side it tries to fill in the previously typed password as the OAuth token instead of asking for one?
Can confirm that this is still affecting plasma-nm 5.15.4 on Kubuntu 19.04. I use VPN daily for work, and as a result have to resort to downloading/installing VPN client. While it is not too difficult to use a third-party client, it would be nice if the OS VPN manager would handle OTP -- as it is becoming increasingly important to use two-factor authentication.
Support for OTP tokens will be in Plasma 5.16.0.
Is this really changed in OpenVPN? I can see only changes affecting openconnect VPN in the source code...
Sorry, it's really openconnect for now.
*** This bug has been confirmed by popular vote. ***
I can also confirm this behavior. In GNOME the challenge pops up just as expected, but on KDE there is only asked for the password and then the connection fails, since the OTP was not provided. Is there any work already done on this?
Same here, seems to work in KDE and I get the following error in syslog:
------
Feb 20 18:07:32 XXXX-Latitude-E7270 nm-openvpn[16556]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]XXX.XXX.XX.XXX:1194
Feb 20 18:07:34 XXXX-Latitude-E7270 nm-openvpn[16556]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:XXXXX==:Enter Google Authenticator Code
Feb 20 18:07:34 XXX-Latitude-E7270 NetworkManager[1574]: <warn> [1582214854.1904] vpn-connection[0x556548b62520,d3ef7923-c5e2-4361-9c9e-4a544fe2f016,"XXXX_vpn",0]: VPN plugin: failed: login-failed (0)
------
Still present in plasma-nm 5.19.5-1, networkmanager-openvpn 1.8.12-1.

journalctl --unit nm-openvp --unit NetworkManager:
> [ 6072.762200] NetworkManager[540]: <info> [1600605261.6491] vpn-connection[...]: Started the VPN service, PID 6707
> [ 6072.768125] NetworkManager[540]: <info> [1600605261.6551] vpn-connection[...]: Saw the service appear; activating connection
> [ 6077.270378] NetworkManager[540]: <info> [1600605266.1573] vpn-connection[...]: VPN plugin: state changed: starting (3)
> [ 6077.274301] nm-openvpn[6714]: OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
> [ 6077.274343] nm-openvpn[6714]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
> [ 6077.480234] nm-openvpn[6714]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6077.480658] nm-openvpn[6714]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
> [ 6078.480644] nm-openvpn[6714]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.481944] nm-openvpn[6714]: TCP_CLIENT link local: (not bound)
> [ 6078.482115] nm-openvpn[6714]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.482256] nm-openvpn[6714]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> [ 6078.760194] nm-openvpn[6714]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6085.258042] nm-openvpn[6714]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:XXXXXXXX:YYYYYYYYY:Enter your one time password
> [ 6085.259484] nm-openvpn[6714]: SIGUSR1[soft,auth-failure] received, process restarting
> [ 6085.259707] NetworkManager[540]: <warn> [1600605274.1461] vpn-connection[...]: VPN plugin: failed: login-failed (0)
> [ 6085.260683] nm-openvpn[6714]: SIGTERM[hard,init_instance] received, process exiting
> [ 6085.260907] NetworkManager[540]: <warn> [1600605274.1463] vpn-connection[...]: VPN plugin: failed: connect-failed (1)
> [ 6085.261142] NetworkManager[540]: <info> [1600605274.1465] vpn-connection[...]: VPN plugin: state changed: stopping (5)
> [ 6085.261415] NetworkManager[540]: <info> [1600605274.1470] vpn-connection[...]: VPN plugin: state changed: stopped (6)
> [ 6085.268077] NetworkManager[540]: <info> [1600605274.1550] vpn-connection[...]: VPN service disappeared
I'm using Fedora 33 with plasma-nm-5.20.5-1.fc33.x86_64 and I can also confirm this behavior. In GNOME the challenge pops up just as expected, but on KDE it only asks for the password and then the connection fails, since the OTP was not provided.

Best Regards,
Can you try whether https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any difference?
(In reply to Jan Grulich from comment #17)
> Can you try whether
> https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any
> difference?

Doesn't for me.
Hi,

With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appears correctly.

Best Regards,
Fernando Gomes
(In reply to Fernando Gomes from comment #19)
> With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appear correctly.

Not for me. I am on 5.23.5-1 (Arch).
It also works for me now. I have 5.24.0-1.1 (openSUSE). IMHO this can be closed.
On Plasma 5.24.5 it is not working. It looks like it doesn't take into consideration the static-challenge "TOTP SSO:" 1 option.
It seems the bug is still there: plasma-nm 4:6.0.4-0xneon+22.04+jammy+release+build39. No OTP popup appears.

journalctl -u -f NetworkManager
nm-openvpn[65369]: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: UDP link local: (not bound)
nm-openvpn[65369]: UDP link remote: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]*.*.*.*:*
nm-openvpn[65369]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_6K8dDiU5pfn36Iu6:ZXh0ZXJuYWwuZXZnZW5peS52YXNpbGV2c2tpeQ==:Enter Authenticator Code
nm-openvpn[65369]: SIGUSR1[soft,auth-failure] received, process restarting
NetworkManager[958]: <warn> [1713779336.9853] vpn[0x6167e3a58880,e2969ec5-4f11-49f5-9075-83ae7b0ed30e,"VPN (openvpn)"]: connect timeout exceeded
nm-openvpn-serv[65365]: Connect timer expired, disconnecting.
nm-openvpn[65369]: SIGTERM[hard,init_instance] received, process exiting
We are adding some patches to NetworkManager that I expect will make this work from KDE Plasma without any change required. It will need at least NetworkManager 1.46.2 and NetworkManager-openvpn 1.12.0 (tentative, but probable versions).

NetworkManager MR: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1958
The OTP pop-up does not seem to appear on Fedora 40, NetworkManager version 1.46.2 and networkmanager-openvpn version 1.12.0. Is there anything that needs to be changed in the VPN config for this to work?