OpenVPN Linux failed - Watchguard Firebox - no OTP

henry_shadowjet
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 25, 2022 11:59 pm

OpenVPN Linux failed - Watchguard Firebox - no OTP

Post by henry_shadowjet » Sat Mar 26, 2022 12:32 am

Hi all,

I've been loving using OpenVPN for connecting to my cloud servers!

Just recently, in my new place of work, I noticed they use a WatchGuard Firebox firewall. The Windows laptop issued by the office comes pre-installed with the WatchGuard VPN software, but I notice that in the background it is pretty much just acting as an interface for OpenVPN.

So I found the OVPN file somewhere on the laptop and wanted to connect using my Raspberry Pi. The trouble I found is that while it connects successfully, it fails during the OTP phase. As the log below shows, there is a PUSH_REQUEST that never brings up a prompt in the Linux terminal for me to input the 6-digit OTP I can produce using the Microsoft Authenticator app. The log is as follows:

2022-03-26 11:06:14 WARNING: file 'client.pem' is group or others accessible
2022-03-26 11:06:14 WARNING: file 'pass.txt' is group or others accessible
2022-03-26 11:06:14 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-03-26 11:06:14 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2022-03-26 11:06:14 TCP/UDP: Preserving recently used remote address: [AF_INET]<<server ip>>:<<port>>
2022-03-26 11:06:14 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-03-26 11:06:14 Attempting to establish TCP connection with [AF_INET]<<server ip>>:<<port>> [nonblock]
2022-03-26 11:06:14 TCP connection established with [AF_INET]<<server ip>>:<<port>>
2022-03-26 11:06:14 TCP_CLIENT link local: (not bound)
2022-03-26 11:06:14 TCP_CLIENT link remote: [AF_INET]<<server ip>>:<<port>>
2022-03-26 11:06:14 TLS: Initial packet from [AF_INET]<<server ip>>:<<port>>, sid=d173dc41 21d414a8
2022-03-26 11:06:14 VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 801005262946D 2020-12-17 07:26:01 UTC) CA
2022-03-26 11:06:14 Validating certificate extended key usage
2022-03-26 11:06:14 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-03-26 11:06:14 VERIFY EKU OK
2022-03-26 11:06:14 VERIFY X509NAME OK: O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2022-03-26 11:06:14 VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
2022-03-26 11:06:15 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
2022-03-26 11:06:15 [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET]<<server ip>>:<<port>>
2022-03-26 11:06:16 SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
2022-03-26 11:06:16 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:443:aGVucnkuY2hhbmRyYWpheWE=:Enter Your Microsoft verification code
2022-03-26 11:06:16 SIGUSR1[soft,auth-failure] received, process restarting
2022-03-26 11:06:16 Restart pause, 5 second(s)

The VERY SAME config file works on the Android version of the OpenVPN Connect app. In that case the authentication box does come up asking for the OTP, and once it is entered the process completes successfully.

The config file is as follows:

dev tun
client
proto tcp-client
ca ca.crt
cert client.crt
key client.pem
verify-x509-name "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server"
remote-cert-eku "TLS Web Server Authentication"
remote <<server IP>> <<port>>
persist-key
persist-tun
verb 3
mute 20
keepalive 10 300
cipher AES-128-GCM
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass pass.txt
tls-version-min 1.2
;remember_connection 0
;auto_reconnect 1
auth-retry interact

Any input would be kindly appreciated!

Thanks in advance all!
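The AUTH_FAILED,CRV1:... line in the log above is OpenVPN's dynamic challenge/response message (flags, state id, base64 username, prompt text), not a plain rejection; a client that has no way to prompt the user just treats it as a failed authentication and restarts. The following is an added example, not code from the original post or from OpenVPN or WatchGuard, that decodes such a control message and builds the password field a client sends back on the retry, as described in OpenVPN's management-notes; the username and state id in the sample message are constructed.

```python
import base64
import binascii
import re

# Challenge layout per OpenVPN management-notes:
#   CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
# flags: R = a response is required, E = echo the response as typed
CRV1_RE = re.compile(
    r"^CRV1:(?P<flags>[^:]*):(?P<state>[^:]*):(?P<user>[^:]*):(?P<text>.*)$", re.S
)

# Constructed sample resembling the log line in the post (username "alice", state id 443).
SAMPLE_CONTROL_MSG = "AUTH_FAILED,CRV1:R,E:443:YWxpY2U=:Enter Your Microsoft verification code"


def parse_crv1(control_msg):
    """Return a dict describing the challenge, or None when the control message
    is an ordinary AUTH_FAILED (or otherwise not a well-formed CRV1 challenge)."""
    prefix = "AUTH_FAILED,"
    if not control_msg.startswith(prefix):
        return None
    m = CRV1_RE.match(control_msg[len(prefix):])
    if m is None:
        return None
    try:
        username = base64.b64decode(m.group("user"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed username field: do not guess, treat as a plain failure
    flags = {f for f in m.group("flags").split(",") if f}
    return {
        "response_required": "R" in flags,
        "echo": "E" in flags,
        "state_id": m.group("state"),
        "username": username,
        "prompt": m.group("text"),
    }


def crv1_response(state_id, otp):
    """Password field the client sends on the retry: CRV1::<state_id>::<response>.
    The username field is resent unchanged."""
    return "CRV1::%s::%s" % (state_id, otp)


if __name__ == "__main__":
    challenge = parse_crv1(SAMPLE_CONTROL_MSG)
    print(challenge)
    # With an interactive terminal the client would prompt with challenge["prompt"]
    # and send crv1_response(challenge["state_id"], <code typed by the user>).
    print(crv1_response(challenge["state_id"], "123456"))
```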

trougnouf
OpenVpn Newbie
Posts: 1
Joined: Thu May 04, 2023 8:08 am

Re: OpenVPN Linux failed - Watchguard Firebox - no OTP

Post by trougnouf » Thu May 04, 2023 8:09 am

I was having a similar issue ("Enter Your Microsoft verification code" followed by an auth failure); adding "--auth-retry interact" to the openvpn command used to connect worked for me.
