
Disconnect when MFA is enabled

Posted: Mon Jun 07, 2021 9:52 pm
by dj-itadvisors
Hey,

I'm having an issue trying to implement MFA. Authentication works fine with MFA disabled. Same user/pass used after enabling MFA and generating the key. VPN connects but drops after no more than 10 minutes.

Any and all help is appreciated, here is the log:

----------------------------------------------------------------------------------------------------------
6/7/2021, 1:56:02 PM OpenVPN core 3.git::58b92569 win x86_64 64-bit built on Feb 10 2021 15:20:23
6/7/2021, 1:56:02 PM Frame=512/2048/512 mssfix-ctrl=1250
6/7/2021, 1:56:02 PM UNUSED OPTIONS
1 [resolv-retry] [20]
3 [nobind]
4 [mute-replay-warnings]
7 [verb] [1]
8 [persist-key]
9 [persist-tun]
10 [explicit-exit-notify] [1]
6/7/2021, 1:56:02 PM Contacting ***.***.***.***:1194 via UDP
6/7/2021, 1:56:02 PM WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}

6/7/2021, 1:56:02 PM EVENT: RESOLVE
6/7/2021, 1:56:02 PM EVENT: WAIT
6/7/2021, 1:56:02 PM Connecting to [***.***.***.***]:1194 (***.***.***.***) via UDPv4
6/7/2021, 1:56:02 PM EVENT: CONNECTING
6/7/2021, 1:56:02 PM Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
6/7/2021, 1:56:02 PM Creds: StaticChallenge
6/7/2021, 1:56:02 PM Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.2.3-1851
IV_SSO=openurl

6/7/2021, 1:56:02 PM SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
6/7/2021, 1:56:02 PM Session is ACTIVE
6/7/2021, 1:56:02 PM EVENT: GET_CONFIG
6/7/2021, 1:56:02 PM Sending PUSH_REQUEST to server...
6/7/2021, 1:56:02 PM OPTIONS:
0 [register-dns]
1 [route] [192.168.100.0] [255.255.255.0]
2 [route] [172.16.1.0] [255.255.255.0]
3 [topology] [net30]
4 [ping] [2]
5 [ping-restart] [10]
6 [dhcp-option] [DNS] [172.16.1.1]
7 [ifconfig] [172.16.1.6] [172.16.1.5]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]

6/7/2021, 1:56:02 PM PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: COMP_STUB
peer ID: 0
6/7/2021, 1:56:02 PM CAPTURED OPTIONS:
Session Name: ***.***.***.***
Layer: OSI_LAYER_3
Remote Address: ***.***.***.***
Tunnel Addresses:
172.16.1.6/30 -> 172.16.1.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
192.168.100.0/24
172.16.1.0/24
Exclude Routes:
DNS Servers:
172.16.1.1
Search Domains:

6/7/2021, 1:56:02 PM EVENT: ASSIGN_IP
6/7/2021, 1:56:03 PM SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
"confirm_event" : "fc17000000000000",
"destroy_event" : "8413000000000000",
"tun" :
{
"adapter_domain_suffix" : "",
"add_routes" :
[
{
"address" : "192.168.100.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
},
{
"address" : "172.16.1.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
],
"block_ipv6" : false,
"dns_servers" :
[
{
"address" : "172.16.1.1",
"ipv6" : false
}
],
"layer" : 3,
"mtu" : 0,
"remote_address" :
{
"address" : "***.***.***.***",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 256,
"ipv4" : false,
"ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "***.***.***.***",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "172.16.1.6",
"gateway" : "172.16.1.5",
"ipv6" : false,
"metric" : -1,
"net30" : true,
"prefix_length" : 30
}
]
},
"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{A9A5DA14-F92C-467C-9CDC-09EEA52DDC22}' index=24 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{A9A5DA14-F92C-467C-9CDC-09EEA52DDC22}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=24
netsh interface ip set interface 24 metric=1
Ok.
netsh interface ip set address 24 static 172.16.1.6 255.255.255.252 gateway=172.16.1.5 store=active
IPHelper: add route 192.168.100.0/24 24 172.16.1.5 metric=-1
IPHelper: add route 172.16.1.0/24 24 172.16.1.5 metric=-1
netsh interface ip set dnsservers 24 static 172.16.1.1 register=primary validate=no
NRPT::ActionCreate names=[.] dns_servers=[172.16.1.1]
ActionWFP openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=24 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP handle: f410000000000000
6/7/2021, 1:56:03 PM Connected via TUN_WIN
6/7/2021, 1:56:03 PM LZO-ASYM init swap=0 asym=1
6/7/2021, 1:56:03 PM Comp-stub init swap=1
6/7/2021, 1:56:03 PM EVENT: CONNECTED ******@***.***.***.***:1194 (***.***.***.***) via /UDPv4 on TUN_WIN/172.16.1.6/ gw=[172.16.1.5/]
6/7/2021, 2:02:55 PM Session invalidated: KEEPALIVE_TIMEOUT
6/7/2021, 2:02:55 PM Client terminated, restarting in 2000 ms...
6/7/2021, 2:02:55 PM SetupClient: signaling tun destroy event
6/7/2021, 2:02:57 PM EVENT: RECONNECTING
6/7/2021, 2:02:57 PM EVENT: RESOLVE
6/7/2021, 2:02:57 PM Contacting ***.***.***.***:1194 via UDP
6/7/2021, 2:02:57 PM WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}

6/7/2021, 2:02:57 PM EVENT: WAIT
6/7/2021, 2:02:57 PM Connecting to [***.***.***.***]:1194 (***.***.***.***) via UDPv4
6/7/2021, 2:02:57 PM EVENT: CONNECTING
6/7/2021, 2:02:57 PM Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
6/7/2021, 2:02:57 PM Creds: StaticChallenge
6/7/2021, 2:02:57 PM Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.2.3-1851
IV_SSO=openurl

6/7/2021, 2:02:57 PM SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
6/7/2021, 2:02:57 PM Session is ACTIVE
6/7/2021, 2:02:57 PM Sending PUSH_REQUEST to server...
6/7/2021, 2:02:57 PM EVENT: GET_CONFIG
6/7/2021, 2:02:57 PM AUTH_FAILED
6/7/2021, 2:02:57 PM EVENT: AUTH_FAILED
6/7/2021, 2:02:57 PM EVENT: DISCONNECTED
--------------------------------------------------------------------------------------------------------------

Re: Disconnect when MFA is enabled

Posted: Tue Jun 29, 2021 4:22 pm
by openvpn_inc
Hello dj-itadvisors,

How are you implementing the MFA requirement on the server side? What is the server running in terms of software and MFA configuration?

Kind regards,
Johan