Disconnect when MFA is enabled

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by dj-itadvisors » Mon Jun 07, 2021 9:52 pm

Hey,

I'm having an issue trying to implement MFA. Authentication works fine with MFA disabled. Same user/pass used after enabling MFA and generating the key. VPN connects but drops after no more than 10 minutes.

Any and all help is appreciated, here is the log:

----------------------------------------------------------------------------------------------------------
6/7/2021, 1:56:02 PM OpenVPN core 3.git::58b92569 win x86_64 64-bit built on Feb 10 2021 15:20:23
6/7/2021, 1:56:02 PM Frame=512/2048/512 mssfix-ctrl=1250
6/7/2021, 1:56:02 PM UNUSED OPTIONS
1 [resolv-retry] [20]
3 [nobind]
4 [mute-replay-warnings]
7 [verb] [1]
8 [persist-key]
9 [persist-tun]
10 [explicit-exit-notify] [1]
6/7/2021, 1:56:02 PM Contacting ***.***.***.***:1194 via UDP
6/7/2021, 1:56:02 PM WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}

6/7/2021, 1:56:02 PM EVENT: RESOLVE
6/7/2021, 1:56:02 PM EVENT: WAIT
6/7/2021, 1:56:02 PM Connecting to [***.***.***.***]:1194 (***.***.***.***) via UDPv4
6/7/2021, 1:56:02 PM EVENT: CONNECTING
6/7/2021, 1:56:02 PM Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
6/7/2021, 1:56:02 PM Creds: StaticChallenge
6/7/2021, 1:56:02 PM Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.2.3-1851
IV_SSO=openurl

6/7/2021, 1:56:02 PM SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
6/7/2021, 1:56:02 PM Session is ACTIVE
6/7/2021, 1:56:02 PM EVENT: GET_CONFIG
6/7/2021, 1:56:02 PM Sending PUSH_REQUEST to server...
6/7/2021, 1:56:02 PM OPTIONS:
0 [register-dns]
1 [route] [192.168.100.0] [255.255.255.0]
2 [route] [172.16.1.0] [255.255.255.0]
3 [topology] [net30]
4 [ping] [2]
5 [ping-restart] [10]
6 [dhcp-option] [DNS] [172.16.1.1]
7 [ifconfig] [172.16.1.6] [172.16.1.5]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]

6/7/2021, 1:56:02 PM PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
peer ID: 0
6/7/2021, 1:56:02 PM CAPTURED OPTIONS:
Session Name: ***.***.***.***
Layer: OSI_LAYER_3
Remote Address: ***.***.***.***
Tunnel Addresses:
172.16.1.6/30 -> 172.16.1.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
192.168.100.0/24
172.16.1.0/24
Exclude Routes:
DNS Servers:
172.16.1.1
Search Domains:

6/7/2021, 1:56:02 PM EVENT: ASSIGN_IP
6/7/2021, 1:56:03 PM SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
"confirm_event" : "fc17000000000000",
"destroy_event" : "8413000000000000",
"tun" :
{
"adapter_domain_suffix" : "",
"add_routes" :
[
{
"address" : "192.168.100.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
},
{
"address" : "172.16.1.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
],
"block_ipv6" : false,
"dns_servers" :
[
{
"address" : "172.16.1.1",
"ipv6" : false
}
],
"layer" : 3,
"mtu" : 0,
"remote_address" :
{
"address" : "***.***.***.***",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 256,
"ipv4" : false,
"ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "***.***.***.***",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "172.16.1.6",
"gateway" : "172.16.1.5",
"ipv6" : false,
"metric" : -1,
"net30" : true,
"prefix_length" : 30
}
]
},
"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{A9A5DA14-F92C-467C-9CDC-09EEA52DDC22}' index=24 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{A9A5DA14-F92C-467C-9CDC-09EEA52DDC22}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=24
netsh interface ip set interface 24 metric=1
Ok.
netsh interface ip set address 24 static 172.16.1.6 255.255.255.252 gateway=172.16.1.5 store=active
IPHelper: add route 192.168.100.0/24 24 172.16.1.5 metric=-1
IPHelper: add route 172.16.1.0/24 24 172.16.1.5 metric=-1
netsh interface ip set dnsservers 24 static 172.16.1.1 register=primary validate=no
NRPT::ActionCreate names=[.] dns_servers=[172.16.1.1]
ActionWFP openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=24 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP handle: f410000000000000
6/7/2021, 1:56:03 PM Connected via TUN_WIN
6/7/2021, 1:56:03 PM LZO-ASYM init swap=0 asym=1
6/7/2021, 1:56:03 PM Comp-stub init swap=1
6/7/2021, 1:56:03 PM EVENT: CONNECTED ******@***.***.***.***:1194 (***.***.***.***) via /UDPv4 on TUN_WIN/172.16.1.6/ gw=[172.16.1.5/]
6/7/2021, 2:02:55 PM Session invalidated: KEEPALIVE_TIMEOUT
6/7/2021, 2:02:55 PM Client terminated, restarting in 2000 ms...
6/7/2021, 2:02:55 PM SetupClient: signaling tun destroy event
6/7/2021, 2:02:57 PM EVENT: RECONNECTING
6/7/2021, 2:02:57 PM EVENT: RESOLVE
6/7/2021, 2:02:57 PM Contacting ***.***.***.***:1194 via UDP
6/7/2021, 2:02:57 PM WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}

6/7/2021, 2:02:57 PM EVENT: WAIT
6/7/2021, 2:02:57 PM Connecting to [***.***.***.***]:1194 (***.***.***.***) via UDPv4
6/7/2021, 2:02:57 PM EVENT: CONNECTING
6/7/2021, 2:02:57 PM Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
6/7/2021, 2:02:57 PM Creds: StaticChallenge
6/7/2021, 2:02:57 PM Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.2.3-1851
IV_SSO=openurl

6/7/2021, 2:02:57 PM SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
6/7/2021, 2:02:57 PM Session is ACTIVE
6/7/2021, 2:02:57 PM Sending PUSH_REQUEST to server...
6/7/2021, 2:02:57 PM EVENT: GET_CONFIG
6/7/2021, 2:02:57 PM AUTH_FAILED
6/7/2021, 2:02:57 PM EVENT: AUTH_FAILED
6/7/2021, 2:02:57 PM EVENT: DISCONNECTED
--------------------------------------------------------------------------------------------------------------
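
An added triage example, not part of the original post and not OpenVPN's own tooling: it reads an OpenVPN Connect log like the one above and reports the pushed keepalive values, how long the session lasted, why it was invalidated, and whether the automatic reconnect ended in AUTH_FAILED. The function name `triage`, the result keys and the month-first date format are assumptions of this example.

```python
import re
from datetime import datetime

# Lines excerpted from the log in the post above, redactions as posted.
SAMPLE_LOG = """\
6/7/2021, 1:56:02 PM Creds: StaticChallenge
6/7/2021, 1:56:02 PM OPTIONS:
4 [ping] [2]
5 [ping-restart] [10]
6/7/2021, 1:56:03 PM EVENT: CONNECTED ******@***.***.***.***:1194 (***.***.***.***) via /UDPv4 on TUN_WIN/172.16.1.6/ gw=[172.16.1.5/]
6/7/2021, 2:02:55 PM Session invalidated: KEEPALIVE_TIMEOUT
6/7/2021, 2:02:57 PM EVENT: RECONNECTING
6/7/2021, 2:02:57 PM Creds: StaticChallenge
6/7/2021, 2:02:57 PM EVENT: AUTH_FAILED
6/7/2021, 2:02:57 PM EVENT: DISCONNECTED
"""

STAMP = re.compile(r"(\d{1,2}/\d{1,2}/\d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) (.*)")
PUSHED = re.compile(r"\d+ \[(ping|ping-restart)\] \[(\d+)\]")

def triage(log_text):
    """Report pushed keepalive values, session lifetime, drop reason and reconnect outcome."""
    out = {"pushed": {}, "creds": None, "lifetime_s": None,
           "drop_reason": None, "reconnect_auth_failed": False}
    connected_at, reconnecting = None, False
    # Some exports fuse entries with a U+23CE marker; treat it as a line break.
    for line in log_text.replace("\u23ce", "\n").splitlines():
        line = line.strip()
        if m := PUSHED.fullmatch(line):
            out["pushed"][m.group(1)] = int(m.group(2))
            continue
        if not (m := STAMP.match(line)):
            continue  # JSON and helper output carry no timestamp
        # Assumption: month/day/year order, as in the post's log.
        when = datetime.strptime(m.group(1), "%m/%d/%Y, %I:%M:%S %p")
        msg = m.group(2)
        if msg.startswith("Creds: "):
            out["creds"] = msg[len("Creds: "):]
        elif msg.startswith("EVENT: CONNECTED"):
            connected_at = when
        elif msg.startswith("Session invalidated: ") and connected_at:
            out["drop_reason"] = msg.split(": ", 1)[1]
            out["lifetime_s"] = int((when - connected_at).total_seconds())
        elif msg.startswith("EVENT: RECONNECTING"):
            reconnecting = True
        elif msg.startswith("EVENT: AUTH_FAILED") and reconnecting:
            out["reconnect_auth_failed"] = True
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the excerpt this reports a 412-second session ended by KEEPALIVE_TIMEOUT, with the reconnect presenting StaticChallenge credentials and receiving AUTH_FAILED.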


Re: Disconnect when MFA is enabled

Post by openvpn_inc » Tue Jun 29, 2021 4:22 pm

Hello dj-itadvisors,

How are you implementing the MFA requirement on the server side? What is the server running in terms of software and MFA configuration?

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
