debcrafters-packages team mailing list archive

Thread
Date
[Bug 2119683] [NEW] Multi factor authentication challenges in openvpn network manager show up as a dialog for "Password"

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Russell Weber <2119683@xxxxxxxxxxxxxxxxxx>
Date: Wed, 06 Aug 2025 20:20:17 -0000
Reply-to: Bug 2119683 <2119683@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

I was able to get multi-factor authentication to work with a second
factor authentication token (Microsoft Authenticator) at my place of
employment. It's a random multi-digit code that refreshes every 30
seconds. However, when connecting using OpenVpn, I get a prompt to enter
in my password. After successfully entering in the password, some more
negotiation happens with the server, I then get prompted with another
dialog window re-asking for my "password". This second window accepts
the multi-digit authentication code. Though this works, it is quite
confusing to see the words "Enter password".  There is probably some
sort of messaging that takes place between the server and the client to
be able to mark this second dialog window an "Authentication Token" and
not a "password" dialog. It seems silly, but less technical people who
don't work with openvpn on the daily or people who don't have the time
aren't going to look into the issue further and in stead just say that
it's not working.

lsb_release -rd
No LSB modules are available.
Description:	Ubuntu 24.04.3 LTS
Release:	24.04

network-manager-openvpn-gnome/noble,now 1.10.2-4build2 amd64 [installed,automatic]
network-manager-openvpn/noble,now 1.10.2-4build2 amd64 [installed,automatic]
openvpn/noble-updates,now 2.6.14-0ubuntu0.24.04.1 amd64 [installed,automatic]


Full log output:
Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info>  [1754511114.3746] vpn[0x64caef73a5f0,UUID,"VPN_NAME"]: starting openvpn
Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info>  [1754511114.3753] audit: op="connection-activate" uuid="UUID" name="VPN_NAME" pid=4381 uid=1000 result="success"
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: DCO version: N/A
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 06 14:11:55 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED
Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:245:BASE64_STRING:Enter Your Microsoft verification code
Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:22 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: TUN/TAP device tun0 opened
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 255961 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_XX --tun -- tun0 1500 0 192.168.113.5 255.255.255.0 init
Aug 06 14:12:28 HOSTNAME NetworkManager[1921]: <info>  [1754511148.3530] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/13)
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: UID set to nm-openvpn
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: GID set to nm-openvpn
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Capabilities retained: CAP_NET_ADMIN
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Initialization Sequence Completed

** Affects: network-manager-openvpn (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager-openvpn in
Ubuntu.
https://bugs.launchpad.net/bugs/2119683

Title:
  Multi factor authentication challenges in openvpn network manager show
  up as a dialog for "Password"

Status in network-manager-openvpn package in Ubuntu:
  New

Bug description:
  I was able to get multi-factor authentication to work with a second
  factor authentication token (Microsoft Authenticator) at my place of
  employment. It's a random multi-digit code that refreshes every 30
  seconds. However, when connecting using OpenVpn, I get a prompt to
  enter in my password. After successfully entering in the password,
  some more negotiation happens with the server, I then get prompted
  with another dialog window re-asking for my "password". This second
  window accepts the multi-digit authentication code. Though this works,
  it is quite confusing to see the words "Enter password".  There is
  probably some sort of messaging that takes place between the server
  and the client to be able to mark this second dialog window an
  "Authentication Token" and not a "password" dialog. It seems silly,
  but less technical people who don't work with openvpn on the daily or
  people who don't have the time aren't going to look into the issue
  further and in stead just say that it's not working.

  lsb_release -rd
  No LSB modules are available.
  Description:	Ubuntu 24.04.3 LTS
  Release:	24.04

  network-manager-openvpn-gnome/noble,now 1.10.2-4build2 amd64 [installed,automatic]
  network-manager-openvpn/noble,now 1.10.2-4build2 amd64 [installed,automatic]
  openvpn/noble-updates,now 2.6.14-0ubuntu0.24.04.1 amd64 [installed,automatic]

  
  Full log output:
  Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info>  [1754511114.3746] vpn[0x64caef73a5f0,UUID,"VPN_NAME"]: starting openvpn
  Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info>  [1754511114.3753] audit: op="connection-activate" uuid="UUID" name="VPN_NAME" pid=4381 uid=1000 result="success"
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: DCO version: N/A
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
  Aug 06 14:11:55 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED
  Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:245:BASE64_STRING:Enter Your Microsoft verification code
  Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
  Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:22 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: TUN/TAP device tun0 opened
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 255961 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_XX --tun -- tun0 1500 0 192.168.113.5 255.255.255.0 init
  Aug 06 14:12:28 HOSTNAME NetworkManager[1921]: <info>  [1754511148.3530] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/13)
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: UID set to nm-openvpn
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: GID set to nm-openvpn
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Capabilities retained: CAP_NET_ADMIN
  Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Initialization Sequence Completed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2119683/+subscriptions
Follow ups

[Bug 2119683] Re: Multi factor authentication challenges in openvpn network manager show up as a dialog for "Password"
From: Ural Tunaboyu, 2025-08-06