AUTH_FAILED with android

Official client software for OpenVPN Access Server and OpenVPN Cloud.
b.bychick
OpenVpn Newbie
Posts: 4
Joined: Wed Jul 22, 2020 12:21 pm

AUTH_FAILED with android

Post by b.bychick » Wed Jul 22, 2020 1:01 pm

Hi all
I hope you can assist me to figure out what is the issue...

I am able to connect with Debian 10; however, when I am connecting with Android 11 I'm getting AUTH_FAIL.
Here is the OVPN file (I use it on both Android and Debian):

Code:

keepalive 10 30
mssfix 1350
comp-lzo no
compress lz4
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-version-max 1.2

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

ecdh-curve secp521r1

remote vpn.server.my 3011 udp4
dev-type tun
dev tun0
management-up-down
management-hold
management-query-passwords
auth-retry interact
management-forget-disconnect
verb 4
management 127.0.0.1 100001
<ca>
-----BEGIN CERTIFICATE-----
-----------------------
-----END CERTIFICATE-----
</ca>


<cert>
-----BEGIN CERTIFICATE-----
-----------------------
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
-------------------------
-----END RSA PRIVATE KEY-----
</key>

<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
----------------------------
-----END OpenVPN Static key V1-----
</tls-crypt>
tls-client
pull
nobind
explicit-exit-notify 1
remote-random
verify-x509-name "openvpn.server.my" name
remote-cert-tls server
tls-exit
connect-retry 10 180
resolv-retry infinite
connect-timeout 10
push-peer-info
up-delay

Server side config:

Code:

config /path/to/my/file.inc
# IP and port to listen for incoming vpn connections.
local 10.0.0.1
port 3011
dev-type tun
dev cl-int-vpn31
persist-tun
management 127.0.0.1 3111 /path/to/my/mgmt-pw
management-up-down
client-config-dir /path/to/my/client
opt-verify
log-append /var/log/openvpn/server.log
verb 9
mute 10
status /var/log/openvpn/status 10
status-version 3

# Path to scripts that will be executed on daemon startup and shutdown.
up "/path/to/my/some.sh up"
down "/path/to/my/some.sh down"
down-pre
script-security 2
route-noexec
ifconfig-noexec
ca /path/to/my/ca.crt
crl-verify /path/to/my/list.pem
cert /path/to/my/cert.crt
key /path/to/my/key.no_pw.pem
dh /path/to/my/dh.pem
tls-crypt /path/to/my/ta.key
prng none
ncp-disable
mode server
tls-server
float
fast-io
proto udp4
topology subnet
push "topology subnet"
explicit-exit-notify 2
ccd-exclusive
verify-client-cert require
remote-cert-tls client
client-to-client
max-clients 200
connect-freq 10 sec

# Run some client specific timers only if a client is connected to this server.
ping-timer-rem

push "ip-win32 dynamic"
push "show-net-up"
push "block-outside-dns"
push "route-gateway <internal IP>"

Server side log Debian:

Code:

Wed Jul 22 13:49:35 2020 us=368482 MULTI: multi_create_instance called
Wed Jul 22 13:49:35 2020 us=368822 ip:port Re-using SSL/TLS context
Wed Jul 22 13:49:35 2020 us=368854 ip:port LZ4 compression initializing
Wed Jul 22 13:49:35 2020 us=369022 ip:port Control Channel MTU parms [  ]
Wed Jul 22 13:49:35 2020 us=369054 ip:port Data Channel MTU parms [ ]
Wed Jul 22 13:49:35 2020 us=369117 ip:port Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Wed Jul 22 13:49:35 2020 us=369155 ip:port Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Wed Jul 22 13:49:35 2020 us=369214 ip:portTLS: Initial packet from [AF_INET]IP address:42292, sid=some number
Wed Jul 22 13:49:35 2020 us=467259 ip:port VERIFY OK: depth=1, CN and so on..
Wed Jul 22 13:49:35 2020 us=468921 ip:port VERIFY KU OK
Wed Jul 22 13:49:35 2020 us=469128 ip:port Validating certificate extended key usage
Wed Jul 22 13:49:35 2020 us=469301 ip:port++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Wed Jul 22 13:49:35 2020 us=469478 ip:port VERIFY EKU OK
Wed Jul 22 13:49:35 2020 us=469736 ip:port VERIFY OK: depth=0, and so on..
Wed Jul 22 13:49:35 2020 us=492255 ip:port peer info: IV_VER=2.4.7
Wed Jul 22 13:49:35 2020 us=492465 ip:port peer info: IV_PLAT=linux
Wed Jul 22 13:49:35 2020 us=492599 ip:port peer info: IV_PROTO=2
Wed Jul 22 13:49:35 2020 us=492728 ip:port peer info: IV_NCP=2
Wed Jul 22 13:49:35 2020 us=492860 ip:port peer info: IV_LZ4=1
Wed Jul 22 13:49:35 2020 us=492989 ip:port peer info: IV_LZ4v2=1
Wed Jul 22 13:49:35 2020 us=493116 ip:port peer info: IV_LZO=1
Wed Jul 22 13:49:35 2020 us=493301 ip:port peer info: IV_COMP_STUB=1
Wed Jul 22 13:49:35 2020 us=493432 ip:port peer info: IV_COMP_STUBv2=1
Wed Jul 22 13:49:35 2020 us=493560 ip:port peer info: IV_TCPNL=1
Wed Jul 22 13:49:35 2020 us=493900 ip:port Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 22 13:49:35 2020 us=494058 ip:port Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 22 13:49:35 2020 us=507472 ip:port Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Jul 22 13:49:35 2020 us=507693 ip:port [client-vpn] Peer Connection Initiated with [AF_INET]IP ADDRESS:PORT
Wed Jul 22 13:49:35 2020 us=507871 client-vpn/IP address:42292 OPTIONS IMPORT: reading client specific options from: /path/to/my/
Wed Jul 22 13:49:35 2020 us=508116 ip:port MULTI: Learn: some address -> client/address:port
Wed Jul 22 13:49:35 2020 us=508281 ip:port MULTI: primary virtual IP for client/address:port: other address
Wed Jul 22 13:49:36 2020 us=694547 ip:port PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul 22 13:49:36 2020 us=694713 ip:portSENT CONTROL [client]: 'PUSH_REPLY,topology subnet,compress lz4,ip-win32 dynamic,show-net-up,block-outside-dns,dhcp-option,push-continuation 1' (status=1)

For android

Code:

Wed Jul 22 13:55:17 2020 us=121638 other ip:port peer info: IV_VER=3.git:released:3e56f9a6:Release
Wed Jul 22 13:55:17 2020 us=122057 other ip:port peer info: IV_PLAT=android
Wed Jul 22 13:55:17 2020 us=122248 other ip:port peer info: IV_NCP=2
Wed Jul 22 13:55:17 2020 us=122422 other ip:port peer info: IV_TCPNL=1
Wed Jul 22 13:55:17 2020 us=122590 other ip:port peer info: IV_PROTO=2
Wed Jul 22 13:55:17 2020 us=122755 other ip:port peer info: IV_LZO_STUB=1
Wed Jul 22 13:55:17 2020 us=122918 other ip:port peer info: IV_COMP_STUB=1
Wed Jul 22 13:55:17 2020 us=123180 other ip:port peer info: IV_COMP_STUBv2=1
Wed Jul 22 13:55:17 2020 us=123354 other ip:portpeer info: IV_AUTO_SESS=1
Wed Jul 22 13:55:17 2020 us=123525 other ip:port peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
Wed Jul 22 13:55:17 2020 us=123693 other ip:port peer info: IV_SSO=openurl
Wed Jul 22 13:55:17 2020 us=123858 other ip:port peer info: IV_HWADDR=some address
Wed Jul 22 13:55:17 2020 us=124104 other ip:port peer info: IV_SSL=OpenSSL_1.1.1g__21_Apr_2020
Wed Jul 22 13:55:17 2020 us=124283 other ip:port WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1522'
Wed Jul 22 13:55:17 2020 us=124462 other ip:port Option inconsistency warnings triggering disconnect due to --opt-verify
Wed Jul 22 13:55:17 2020 us=162290 other ip:port Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Jul 22 13:55:17 2020 us=162616 other ip:port [client] Peer Connection Initiated with [AF_INET]address:port
Wed Jul 22 13:55:17 2020 us=162861 other ip:port PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul 22 13:55:17 2020 us=163053 other ip:port Delayed exit in 5 seconds
Wed Jul 22 13:55:17 2020 us=163327 other ip:port SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Wed Jul 22 13:55:22 2020 us=757807 other ip:port SIGTERM[soft,delayed-exit] received, client-instance exiting

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: AUTH_FAILED with android

Post by TinCanTech » Wed Jul 22, 2020 1:53 pm

b.bychick wrote:
Wed Jul 22, 2020 1:01 pm
Server side config:


ccd-exclusive


Re: AUTH_FAILED with android

Post by b.bychick » Thu Jul 23, 2020 10:57 am

TinCanTech

Thank you for your answer.

I've checked without ccd-exclusive, but the issue still remains the same.

I've used wrong password, but then the client dropped the connection before even reaching the server...

The odd part here is that both Win10 and Debian10 clients are connecting without any issue.

Maybe there is some difference in the mobile client? Or something that should be added to the server and/or client configuration file?

Thanks


Re: AUTH_FAILED with android

Post by TinCanTech » Thu Jul 23, 2020 11:36 am

b.bychick wrote:
Thu Jul 23, 2020 10:57 am
I've used wrong password

Then use the right password ..

b.bychick wrote:
Thu Jul 23, 2020 10:57 am
the client dropped the connection before even reaching the server...

No it did not as your log clearly shows ..

b.bychick wrote:
Thu Jul 23, 2020 10:57 am
I've checked without ccd-exclusive, but the issue still remains the same.

That was just a guess based on what you have posted.


Re: AUTH_FAILED with android

Post by b.bychick » Thu Jul 23, 2020 11:44 am

TinCanTech wrote:
Thu Jul 23, 2020 11:36 am
b.bychick wrote:
Thu Jul 23, 2020 10:57 am
I've used wrong password
Then use the right password ..

Sorry, I meant: as a test, intentionally, I've used wrong password, then the client dropped an error "Invalid Private Key password"

The AUTH_FAILED appeared when all the parameters were provided correctly

May there be any additional parameters that can cause such issue?
Or, perhaps, wrong order of parameters in ovpn file...

Thanks


Re: AUTH_FAILED with android

Post by TinCanTech » Thu Jul 23, 2020 12:12 pm

b.bychick wrote:
Thu Jul 23, 2020 11:44 am
TinCanTech wrote:
Thu Jul 23, 2020 11:36 am
b.bychick wrote:
Thu Jul 23, 2020 10:57 am
I've used wrong password
Then use the right password ..
Sorry, I meant: as a test, intentionally, I've used wrong password, then the client dropped an error "Invalid Private Key password"

The AUTH_FAILED appeared when all the parameters were provided correctly

I don't see either --auth-user-pass in your client config or --auth-user-pass-verify in your server config.

Probably, your Android client software does not do what you want it to.


Re: AUTH_FAILED with android

Post by b.bychick » Thu Jul 23, 2020 1:54 pm

So, once I've changed cipher on both sides to AES-256-CBC it worked.

Doesn't the Android app support AES-256-GCM?
The App I've used was freshly installed from Google apps


Re: AUTH_FAILED with android

Post by TinCanTech » Thu Jul 23, 2020 2:07 pm

Looking a little closer:
b.bychick wrote:
Wed Jul 22, 2020 1:01 pm
Server side config:


opt-verify

And in your log:
b.bychick wrote:
Wed Jul 22, 2020 1:01 pm
For android


Wed Jul 22 13:55:17 2020 us=124283 other ip:port WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1522'
Wed Jul 22 13:55:17 2020 us=124462 other ip:port Option inconsistency warnings triggering disconnect due to --opt-verify
It's easy to be too strict ;)
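
Added example (not part of any forum post and not OpenVPN project code): a small Python triage script for the sequence visible in the Android log above, where an option-inconsistency warning followed by the --opt-verify disconnect line precedes the AUTH_FAILED control message. The sample log is constructed in the thread's format; the function name and the peer addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server log quoted in this thread;
# the 198.51.100.x / 203.0.113.x peers are documentation addresses.
SAMPLE_LOG = """\
Wed Jul 22 13:49:35 2020 us=492465 198.51.100.4:42292 peer info: IV_PLAT=linux
Wed Jul 22 13:49:36 2020 us=694547 client-vpn/198.51.100.4:42292 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul 22 13:49:36 2020 us=694713 client-vpn/198.51.100.4:42292 SENT CONTROL [client-vpn]: 'PUSH_REPLY,topology subnet,compress lz4' (status=1)
Wed Jul 22 13:55:17 2020 us=122057 203.0.113.7:51820 peer info: IV_PLAT=android
Wed Jul 22 13:55:17 2020 us=124283 203.0.113.7:51820 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1522'
Wed Jul 22 13:55:17 2020 us=124462 203.0.113.7:51820 Option inconsistency warnings triggering disconnect due to --opt-verify
Wed Jul 22 13:55:17 2020 us=162861 203.0.113.7:51820 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul 22 13:55:17 2020 us=163327 203.0.113.7:51820 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
"""

LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} us=\d+ (\S+) (.*)$")
MISMATCH = re.compile(r"WARNING: '([^']+)' is used inconsistently, "
                      r"local='([^']*)', remote='([^']*)'")

def explain_auth_failed(log_text):
    """Map each peer that was sent AUTH_FAILED to the likely cause."""
    state = defaultdict(lambda: {"platform": None, "mismatches": [], "opt_verify": False})
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Once the peer is authenticated the prefix becomes "<CN>/<ip:port>"; key on ip:port.
        peer, msg = m[1].rsplit("/", 1)[-1], m[2]
        s = state[peer]
        if msg.startswith("peer info: IV_PLAT="):
            s["platform"] = msg.split("=", 1)[1]
        elif (w := MISMATCH.search(msg)):
            s["mismatches"].append(w.groups())   # (option, local value, remote value)
        elif "due to --opt-verify" in msg:
            s["opt_verify"] = True
        elif "SENT CONTROL" in msg and "'AUTH_FAILED'" in msg:
            findings[peer] = {
                "platform": s["platform"],
                "cause": "opt-verify" if s["opt_verify"] else "other",
                "mismatches": list(s["mismatches"]),
            }
    return findings

if __name__ == "__main__":
    for peer, finding in explain_auth_failed(SAMPLE_LOG).items():
        print(peer, finding)
```

A peer reported with cause "opt-verify" was disconnected over an option mismatch logged by the server, so the place to look is the option set on both sides (or the opt-verify directive itself) rather than passwords or certificates.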
