
debcrafters-packages team mailing list archive

[Bug 2125505] [NEW] NetworkManager+OVPN Connection with User/PW + TLS + OTP not working

 

Public bug reported:

I have a customer who runs OpenVPN Server to provide secure access for
work to be done there. I usually use NetworkManager with OpenVPN
integration which works fine.

But in this case the VPN requires, in addition to User/PW + TLS, an OTP
(Google Authenticator) auth code. Trying to import/set up the connection
using NetworkManager looks like it should work:

Depending on PW Store settings it asks for Password + OTP or only OTP
(if PW is stored). But in every case it's stuck in a kind of login loop.

In syslog these logs seem to possibly give a hint at what's happening
(masking sensitive data like customer/domain/IP and so on):


```
AEAD Decrypt error: bad packet ID (may be a replay): [ #638 ] -- see the man page entry for --replay-window for more info or silence this warning with --mute-replay-warnings
[...]
2025-09-23T15:09:29.085121+02:00 Gabriel-Tuxedo NetworkManager[2791]: <info>  [1758632969.0847] audit: op="connection-update" uuid="34623427-0b88-4c6b-b8a9-7de94265c945" name="my-username@sslvpn.**foobar**.de" args="vpn.data" pid=4042661 uid=1000 result="success"
2025-09-23T15:10:37.841099+02:00 Gabriel-Tuxedo NetworkManager[2791]: <info>  [1758633037.8410] audit: op="connection-delete" uuid="34623427-0b88-4c6b-b8a9-7de94265c945" name="my-username@sslvpn.**foobar**.de" pid=4042661 uid=1000 result="success"
2025-09-23T15:11:06.763467+02:00 Gabriel-Tuxedo NetworkManager[2791]: <info>  [1758633066.7631] audit: op="connection-add" uuid="ae9a411f-b82a-4746-a6eb-563ea522d82f" name="my-username@sslvpn.**foobar**.de" pid=4042661 uid=1000 result="success"
2025-09-23T15:11:11.440704+02:00 Gabriel-Tuxedo NetworkManager[2791]: <info>  [1758633071.4404] vpn[0x64dc77080550,ae9a411f-b82a-4746-a6eb-563ea522d82f,"my-username@sslvpn.**foobar**.de"]: starting openvpn
2025-09-23T15:11:11.440970+02:00 Gabriel-Tuxedo NetworkManager[2791]: <info>  [1758633071.4407] audit: op="connection-activate" uuid="ae9a411f-b82a-4746-a6eb-563ea522d82f" name="my-username@sslvpn.**foobar**.de" pid=14224 uid=1000 result="success"
2025-09-23T15:11:11.500971+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: DEPRECATED: --persist-key option ignored. Keys are now always persisted across restarts. 
2025-09-23T15:11:11.502095+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: OpenVPN 2.7_beta1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-09-23T15:11:11.502148+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2025-09-23T15:11:11.502179+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: DCO version: N/A
2025-09-23T15:11:11.699513+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-09-23T15:11:11.759207+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: TCP/UDP: Preserving recently used remote address: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:11.759338+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link local: (not bound)
2025-09-23T15:11:11.759379+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link remote: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:11.759411+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2025-09-23T15:11:11.826274+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]88.***.***.11:1194
2025-09-23T15:11:12.869841+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: AUTH: Received control message: AUTH_FAILED,LOCKOUT: user temporarily locked out due to multiple authentication failures
2025-09-23T15:11:12.869985+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: SIGUSR1[soft,auth-failure] received, process restarting
2025-09-23T15:11:20.751996+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-09-23T15:11:20.752121+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: TCP/UDP: Preserving recently used remote address: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:20.752162+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link local: (not bound)
2025-09-23T15:11:20.752282+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link remote: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:20.806221+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]88.***.***.11:1194
2025-09-23T15:11:21.900237+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: AUTH: Received control message: AUTH_FAILED,LOCKOUT: user temporarily locked out due to multiple authentication failures
2025-09-23T15:11:21.900350+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: SIGUSR1[soft,auth-failure] received, process restarting
2025-09-23T15:11:31.719503+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-09-23T15:11:31.719597+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: TCP/UDP: Preserving recently used remote address: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:31.719629+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link local: (not bound)
2025-09-23T15:11:31.719668+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link remote: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:31.778662+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]88.***.***.11:1194
2025-09-23T15:11:32.809207+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: AUTH: Received control message: AUTH_FAILED,LOCKOUT: user temporarily locked out due to multiple authentication failures
2025-09-23T15:11:32.809315+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: SIGUSR1[soft,auth-failure] received, process restarting
2025-09-23T15:11:36.312411+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-09-23T15:11:36.312490+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: TCP/UDP: Preserving recently used remote address: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:36.312523+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link local: (not bound)
2025-09-23T15:11:36.312540+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: UDPv4 link remote: [AF_INET]88.***.***.11:1194
2025-09-23T15:11:36.370076+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]88.***.***.11:1194
2025-09-23T15:11:37.403864+02:00 Gabriel-Tuxedo nm-openvpn[4045723]: AUTH: Received control message: AUTH_FAILED,LOCKOUT: user temporarily locked out due to multiple authentication failures
```

** Affects: network-manager-openvpn (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: otp

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager-openvpn in
Ubuntu.
https://bugs.launchpad.net/bugs/2125505
