OpenVPN Client 2.5.2 can connect to OpenVPN Cloud


Post by gz » Mon May 24, 2021 8:25 pm

Hello,

I created an OpenVPN Cloud account and I tried to use OpenVPN Client community edition 2.5.2 (OpenVPN-2.5.2-I601-amd64.msi) to connect to it. Unfortunately, during the connection I receive the error: "AUTH: Received control message: AUTH_FAILED,SSO Auth Failed due to lack of client support"

I used the .ovpn file generated from the OpenVPN Cloud https://mydomain.openvpn.com/users

This is the file (hidden some parts):

setenv USERNAME "xxxhiddenxxx/myemailhidden%40gmail.com/xxxhiddenxxx"
# OVPN_WEBAUTH_FRIENDLY_USERNAME=xxxhiddenxxx/myemailhidden@gmail.com/pc
# OVPN_FRIENDLY_PROFILE_NAME=xxx/myemailhidden@gmail.com@mydomain.openvpn.com [Milan]
client
dev tun
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 443 tcp
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 1194 udp
remote it-mxp.gw.openvpn.com 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-tun
nobind
verb 3
socket-flags TCP_NODELAY

<ca>
-----BEGIN CERTIFICATE-----
xxxhiddenxxx
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
xxxhiddenxxx
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
xxxhiddenxxx
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxhiddenxxx
-----END OpenVPN Static key V1-----
</tls-auth>

Using OpenVPN Connect it works, but I need to use OpenVPN GUI community edition (and then router).

I understand that it is a problem of authentication but I don't understand how to solve it. This is the log:

2021-05-24 22:10:20 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-05-24 22:10:20 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
2021-05-24 22:10:20 Windows version 10.0 (Windows 10 or greater) 64bit
2021-05-24 22:10:20 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Management Password:
2021-05-24 22:10:20 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-05-24 22:10:20 Need hold release from management interface, waiting...
2021-05-24 22:10:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-05-24 22:10:20 MANAGEMENT: CMD 'state on'
2021-05-24 22:10:20 MANAGEMENT: CMD 'log all on'
2021-05-24 22:10:20 MANAGEMENT: CMD 'echo all on'
2021-05-24 22:10:20 MANAGEMENT: CMD 'bytecount 5'
2021-05-24 22:10:20 MANAGEMENT: CMD 'hold off'
2021-05-24 22:10:20 MANAGEMENT: CMD 'hold release'
2021-05-24 22:10:20 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-05-24 22:10:20 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-05-24 22:10:20 MANAGEMENT: >STATE:1621887020,RESOLVE,,,,,,
2021-05-24 22:10:20 TCP/UDP: Preserving recently used remote address: [AF_INET]45.128.37.17:1194
2021-05-24 22:10:20 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-05-24 22:10:20 NOTE: setsockopt TCP_NODELAY=1 failed
2021-05-24 22:10:20 UDP link local: (not bound)
2021-05-24 22:10:20 UDP link remote: [AF_INET]45.128.37.17:1194
2021-05-24 22:10:20 MANAGEMENT: >STATE:1621887020,WAIT,,,,,,
2021-05-24 22:10:20 MANAGEMENT: >STATE:1621887020,AUTH,,,,,,
2021-05-24 22:10:20 TLS: Initial packet from [AF_INET]45.128.37.17:1194, sid=c3398b3f d31b2431
2021-05-24 22:10:20 VERIFY OK: depth=1, CN=CloudVPN Prod CA
2021-05-24 22:10:20 VERIFY KU OK
2021-05-24 22:10:20 Validating certificate extended key usage
2021-05-24 22:10:20 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-05-24 22:10:20 VERIFY EKU OK
2021-05-24 22:10:20 VERIFY OK: depth=0, CN=it-mxp-dc2-b1.cloud.openvpn.net
2021-05-24 22:10:20 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-05-24 22:10:20 [it-mxp-dc2-b1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]45.128.37.17:1194
2021-05-24 22:10:21 MANAGEMENT: >STATE:1621887021,GET_CONFIG,,,,,,
2021-05-24 22:10:21 SENT CONTROL [it-mxp-dc2-b1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
2021-05-24 22:10:21 AUTH: Received control message: AUTH_FAILED,SSO Auth Failed due to lack of client support
2021-05-24 22:10:21 SIGUSR1[soft,auth-failure] received, process restarting
2021-05-24 22:10:21 MANAGEMENT: >STATE:1621887021,RECONNECTING,auth-failure,,,,,
2021-05-24 22:10:21 Restart pause, 5 second(s)

Please can someone help me using the OpenVPN GUI Client community edition? (OpenVPN Connect is working but I need to use community edition.)

Thank you

GZ


Re: OpenVPN Client 2.5.2 can connect to OpenVPN Cloud

Post by openvpn_inc » Thu May 27, 2021 2:48 pm

Hello gz,

The error message may be a little hard to understand. Allow me to explain.

> AUTH: Received control message: AUTH_FAILED,SSO Auth Failed due to lack of client support

This means to say "You are trying to connect with an account that is configured to use Single-Sign On Authentication. But your OpenVPN client is lacking the ability to do Single-Sign On Authentication".

You have 2 options:
- Use an OpenVPN client that supports SSO auth, like OpenVPN Connect v3
- Or configure the authentication method on OpenVPN Cloud so that it doesn't use the SSO authentication method

That second option you can do by for example going to your OpenVPN Cloud panel and going to Users, and then click the Groups tab, and there edit the group that your user is a part of, and set the Connect Auth to 'no'. Or you can set it globally to 'no' under Settings - but that only applies to new groups not to existing ones.

You can read more about the authentication methods here:
https://openvpn.net/cloud-docs/openvpn- ... tion-type/

But in short, with 'no' you can use a non-SSO capable client, and the other two options mean you need an SSO capable client.

Currently SSO capability is not yet present in OpenVPN GUI.

It is technically possible to force sending a flag to the server that you support SSO even if you don't, and then manually go into the logs and copy out the SSO URL sent to your client, and then open that separately in a browser... but that's not something I would normally advise people to do.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
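
Added example, not part of the original posts and not OpenVPN's own tooling: a small Python triage of a client log in the format shown in the question. It reports how far the session got before AUTH_FAILED arrived, which separates a certificate or TLS problem from a rejection by the server's user-authentication policy; the function name, categories and hints are assumptions of this example.

```python
import re

# Constructed sample, abridged from the log lines quoted in the question.
SAMPLE_LOG = """\
2021-05-24 22:10:20 VERIFY OK: depth=0, CN=it-mxp-dc2-b1.cloud.openvpn.net
2021-05-24 22:10:20 [it-mxp-dc2-b1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]45.128.37.17:1194
2021-05-24 22:10:21 SENT CONTROL [it-mxp-dc2-b1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
2021-05-24 22:10:21 AUTH: Received control message: AUTH_FAILED,SSO Auth Failed due to lack of client support
2021-05-24 22:10:21 SIGUSR1[soft,auth-failure] received, process restarting
"""

AUTH_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"AUTH: Received control message: AUTH_FAILED(?:,(?P<reason>.*))?$"
)
# Reason string quoted in the thread; matching on it is this example's heuristic.
SSO_REASON = "SSO Auth Failed due to lack of client support"


def triage(log_text):
    """Return one dict per AUTH_FAILED message, noting how far the session got."""
    findings = []
    cert_ok = peer_up = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if "VERIFY OK: depth=0" in line:
            cert_ok = True          # server certificate chain accepted
        elif "Peer Connection Initiated" in line:
            peer_up = True          # TLS control channel established
        elif "process restarting" in line:
            cert_ok = peer_up = False  # next attempt starts from scratch
        m = AUTH_FAILED.match(line)
        if m:
            reason = m.group("reason") or ""
            sso = reason == SSO_REASON
            findings.append({
                "time": m.group("ts"),
                "reason": reason,
                "tls_completed": cert_ok and peer_up,
                "category": "sso-unsupported-client" if sso else "other",
                "hint": ("use an SSO-capable client, or set Connect Auth to 'no' "
                         "for the user's group") if sso else "reason not covered in this thread",
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `tls_completed` set to true means the certificates and tls-auth key in the profile were accepted, so the fix lies in the client's capabilities or the group's authentication setting rather than in the profile's key material.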
