linux - openvpn - invalid vpn secrets

[nzbob 0]

Ubuntu 12.04

Around 7 times out of 10 when i try to connect using openvpn i get an 'invalid vpn secrets' error. The syslog shows:

AUTH: Received AUTH_FAILED control message

This looks like a server side authentication failure.

Elsewhere in the forums there are others who have encountered this issue, with the suggested solutions being restarting the network-manager, restarting the machine, and regenerating the openvpn files from AirVPN to import/configure a new connection. At least in my case none of these work. The only thing that does work is to leave the computer, and then 10 minutes or so later retry. Keep doing this and eventually, sometimes as long as 2 hours later, it will reconnect without changing anything at all (or restarting anything).

Is there any further insight into what is causing this, and what the solution is?

In other posts it has been suggested that it is a bug in the network manager, and while it could be, please note that I have been using a different openvpn vpn service for the last 2 years and have never once encountered this error, even though exactly the same client software (openvpn, network-manager-openvpn etc) and setup procedure is used for that service, and I connect and reconnect multiple times a day.

I have attached a log file showing the full logs for both a succesful connect and a failed connect - there are 2 sections in the log file one labelled SUCCESSFUL CONNECTION, and one labelled FAILED CONNECTION. Let me know if I can provide or do anything else to help troubleshoot this, as I will be happy to. When I am connected the speed and reliability of the connection are great.

Thanks.

[Staff 9972]

Ubuntu 12.04

Around 7 times out of 10 when i try to connect using openvpn i get an 'invalid vpn secrets' error. The syslog shows:

AUTH: Received AUTH_FAILED control message

This looks like a server side authentication failure.

Elsewhere in the forums there are others who have encountered this issue, with the suggested solutions being restarting the network-manager, restarting the machine, and regenerating the openvpn files from AirVPN to import/configure a new connection. At least in my case none of these work. The only thing that does work is to leave the computer, and then 10 minutes or so later retry. Keep doing this and eventually, sometimes as long as 2 hours later, it will reconnect without changing anything at all (or restarting anything).

Hello!

In order to determine whether it's a client or a server side problem, can you please try to connect to Orionis or Leonis or Bootis, and try frequent disconnections and re-connections? Those three servers implement a new system which is designed to fix your kind of problem.

We're looking forward to hearing from you.

Kind regards

[nzbob 0]

I just did 12 back to back connects/disconnects to Orionis without any issues. I'll try again later, but it does seem like you've found the solution. What is the timetable to apply this fix to the other servers (in my case the US servers are the important ones).

Thanks.

[Staff 9972]

I just did 12 back to back connects/disconnects to Orionis without any issues. I'll try again later, but it does seem like you've found the solution. What is the timetable to apply this fix to the other servers (in my case the US servers are the important ones).

Thanks.

Hello!

The testing will end on August 19th, Sunday night (Central European Time). After that, we'll schedule the upgrade for all servers. Some servers will require disconnection of all users (restarting OpenVPN) so in that case you will be warned at least 48 hours in advance.

Kind regards

[Staff 9972]

UPDATE: the new software has now been installed on all servers. According to our tests performed during the past 3 weeks on selected servers, the AUTH_FAILED problem is totally fixed on the server side.

Please do not hesitate to report any issue.

Kind regards

[Someone Else 0]

Hey, to me the problem seems fixed, if I reconnect to the same server.

But if I disconnect and then connect to another server, I get the "invalid VPN secret message again.

I hope you'll be able to recreate the problem.

[Staff 9972]

Hey, to me the problem seems fixed, if I reconnect to the same server.

But if I disconnect and then connect to another server, I get the "invalid VPN secret message again.

I hope you'll be able to recreate the problem.

Hello!

We can't reproduce the problem (Debian 6, Debian 7, OpenVPN with root privileges). Can you specify your setup and send us the logs of the failed connections?

Kind regards

[nzbob 0]

Ubuntu 12.04

Unfortunately I still experience the issue also. It does occur less frequently, but if I switch between servers it's easy to recreate. Log entries from a couple of minutes ago (Castor):

Aug 24 21:14:18 mach nm-openvpn[4113]: [server] Peer Connection Initiated with [AF_INET]95.211.169.3:443

Aug 24 21:14:21 mach nm-openvpn[4113]: AUTH: Received AUTH_FAILED control message

Aug 24 21:14:21 mach nm-openvpn[4113]: SIGTERM[soft,auth-failure] received, process exiting

[Staff 9972]

Ubuntu 12.04

Unfortunately I still experience the issue also. It does occur less frequently, but if I switch between servers it's easy to recreate. Log entries from a couple of minutes ago (Castor):

Aug 24 21:14:18 mach nm-openvpn[4113]: [server] Peer Connection Initiated with [AF_INET]95.211.169.3:443

Aug 24 21:14:21 mach nm-openvpn[4113]: AUTH: Received AUTH_FAILED control message

Aug 24 21:14:21 mach nm-openvpn[4113]: SIGTERM[soft,auth-failure] received, process exiting

Hello!

That's just fine.

Please see here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3488&Itemid=142

Kind regards

[nzbob 0]

From Orionis a few moments ago:

Aug 24 21:39:04 mach nm-openvpn[5212]: [server] Peer Connection Initiated with [AF_INET]95.211.98.154:443

Aug 24 21:39:09 mach nm-openvpn[5212]: AUTH: Received AUTH_FAILED control message

[Staff 9972]

From Orionis a few moments ago:

Aug 24 21:39:04 mach nm-openvpn[5212]: [server] Peer Connection Initiated with [AF_INET]95.211.98.154:443

Aug 24 21:39:09 mach nm-openvpn[5212]: AUTH: Received AUTH_FAILED control message

Hello!

That's not fine... it is not a server side problem, as far as we can see, but a nm problem. If you restart nm, does the problem occur again? If you use OpenVPN directly, does the problem occur? We have tested Ubuntu with OpenVPN (launched with sudo) and the problem does not seem to occur, pointing to a client-side, possibly network-manager, issue.

Kind regards

[nzbob 0]

Yes I can reproduce it on nm restart and machine reboot.

Please also know that it is something to do with nm and airvpn in particular, not nm and vpn in general. I can say this for certain, because I have a second service (also openvpn) that uses exactly the same software stack on the client side, and I have never had this issue. I have been using that service for over two years, with multiple daily connects/disconnects.

[Staff 9972]

Yes I can reproduce it on nm restart and machine reboot.

Please also know that it is something to do with nm and airvpn in particular, not nm and vpn in general. I can say this for certain, because I have a second service (also openvpn) that uses exactly the same software stack on the client side, and I have never had this issue. I have been using that service for over two years, with multiple daily connects/disconnects.

Hello!

Thank you for the information.

What happens if you use OpenVPN directly?

Is there anybody else reading who is able to reproduce the problem with network-manager restarted?

Kind regards

[nzbob 0]

I waited ... but it seems like I am the only one.

In case it does help eventually resolve this, the issue is easily reproducible using OpenVPN directly, so the network-manager service is not responsible. Output from OpenVPN below:

Sun Aug 26 13:14:51 2012 [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443

Sun Aug 26 13:14:53 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Sun Aug 26 13:14:53 2012 AUTH: Received AUTH_FAILED control message

[Staff 9972]

I waited ... but it seems like I am the only one.

Hello!

Yes, we can't reproduce the problem in any way.

In case it does help eventually resolve this, the issue is easily reproducible using OpenVPN directly, so the network-manager service is not responsible. Output from OpenVPN below:

Sun Aug 26 13:14:51 2012 [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443

Sun Aug 26 13:14:53 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Sun Aug 26 13:14:53 2012 AUTH: Received AUTH_FAILED control message

Can you please send us a couple of complete failed connection log? Small pieces don't help at the moment.

Have you tried connections to TCP ports? Since we suspect this is a client-side problem related to high latency, TCP might really help.

Kind regards

[nzbob 0]

TCP:

Mon Aug 27 20:37:42 2012 OpenVPN 2.2.1 x86_64-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [iPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012

Mon Aug 27 20:37:42 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mon Aug 27 20:37:42 2012 LZO compression initialized

Mon Aug 27 20:37:42 2012 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]

Mon Aug 27 20:37:42 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]

Mon Aug 27 20:37:42 2012 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]

Mon Aug 27 20:37:42 2012 Local Options hash (VER=V4): '958c5492'

Mon Aug 27 20:37:42 2012 Expected Remote Options hash (VER=V4): '79ef4284'

Mon Aug 27 20:37:42 2012 Attempting to establish TCP connection with [AF_INET]69.163.36.66:443 [nonblock]

Mon Aug 27 20:37:43 2012 TCP connection established with [AF_INET]69.163.36.66:443

Mon Aug 27 20:37:43 2012 TCPv4_CLIENT link local: [undef]

Mon Aug 27 20:37:43 2012 TCPv4_CLIENT link remote: [AF_INET]69.163.36.66:443

Mon Aug 27 20:37:43 2012 TLS: Initial packet from [AF_INET]69.163.36.66:443, sid=xx xx

Mon Aug 27 20:37:47 2012 VERIFY OK: depth=1, /C=xx/ST=xx/L=xx/O=xx/CN=airvpn.org_CA/emailAddress=info@airvpn.org

Mon Aug 27 20:37:47 2012 VERIFY OK: nsCertType=SERVER

Mon Aug 27 20:37:47 2012 VERIFY OK: depth=0, /C=xx/ST=xx/L=xx/O=xx/CN=server/emailAddress=info@airvpn.org

Mon Aug 27 20:37:56 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Mon Aug 27 20:37:56 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Aug 27 20:37:56 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Mon Aug 27 20:37:56 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Aug 27 20:37:56 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Mon Aug 27 20:37:56 2012 [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443

Mon Aug 27 20:37:58 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Mon Aug 27 20:37:59 2012 AUTH: Received AUTH_FAILED control message

Mon Aug 27 20:37:59 2012 TCP/UDP: Closing socket

Mon Aug 27 20:37:59 2012 SIGTERM[soft,auth-failure] received, process exiting

[Staff 9972]

@nzbob

Hello!

Thank you for the report.

The various "xx" that are visible in the logs on the "VERIFY OK" lines have been put by you (i.e. you edited the logs) or are those the unedited logs?

Does it happen only with Vega on port 443 TCP, on all Vega ports, or on every server?

Kind regards

[nzbob 0]

You're right, the xx's are my edits, apologies if this caused any confusion. I have experienced the issue on Vega and Orionis with both TCP and UDP using ports 443 and 80, and also on Castor before it was down for maintenance (UDP only for Castor I think, I did not try TCP on that server). I have not connected to any other servers.

[Someone Else 0]

Hello, attached are my logs. As I described this happens if I disconnect from one server and want to connect to another.

Aug 27 17:39:38 nm-openvpn[4270]: OpenVPN 2.2.1 x86_64-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [iPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012

Aug 27 17:39:38 nm-openvpn[4270]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Aug 27 17:39:38 nm-openvpn[4270]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Aug 27 17:39:38 nm-openvpn[4270]: WARNING: file '~/.airvpn/vega/user.key' is group or others accessible

Aug 27 17:39:38 nm-openvpn[4270]: LZO compression initialized

Aug 27 17:39:38 nm-openvpn[4270]: UDPv4 link local: [undef]

Aug 27 17:39:38 nm-openvpn[4270]: UDPv4 link remote: [AF_INET]69.163.36.66:443

Aug 27 17:39:42 nm-openvpn[4270]: [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443

Aug 27 17:39:51 nm-openvpn[4270]: AUTH: Received AUTH_FAILED control message

Aug 27 17:39:51 nm-openvpn[4270]: SIGTERM[soft,auth-failure] received, process exiting

Aug 27 17:39:55 nm-openvpn[4273]: OpenVPN 2.2.1 x86_64-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [iPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012

Aug 27 17:39:55 nm-openvpn[4273]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Aug 27 17:39:55 nm-openvpn[4273]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Aug 27 17:39:55 nm-openvpn[4273]: WARNING: file '~/.airvpn/tauri/user.key' is group or others accessible

Aug 27 17:39:55 nm-openvpn[4273]: LZO compression initialized

Aug 27 17:39:55 nm-openvpn[4273]: UDPv4 link local: [undef]

Aug 27 17:39:55 nm-openvpn[4273]: UDPv4 link remote: [AF_INET]46.165.208.65:443

Aug 27 17:39:55 nm-openvpn[4273]: [server] Peer Connection Initiated with [AF_INET]46.165.208.65:443

Aug 27 17:39:58 nm-openvpn[4273]: AUTH: Received AUTH_FAILED control message

Aug 27 17:39:58 nm-openvpn[4273]: SIGTERM[soft,auth-failure] received, process exiting

[Staff 9972]

Hello, attached are my logs. As I described this happens if I disconnect from one server and want to connect to another.

Hello!

This is because you are still, really connected to the previous server. It has been possible to determine this with absolute certainty for a stroke of luck because we don't keep logs, however your account is still connected and exchanging successfully data to another server (we don't report it here for privacy). The connection to that other server began well before the time of the logs you report.

So, assuming of course that you did not give your user.key to anyone, please check the disconnection procedure of your client, it seems that you think to be disconnected while in reality you are still connected.

Kind regards

[Staff 9972]

@Someone Else

Hello!

Ignore the previous reply if you received it via e-mail (it did not take into consideration a different timezone).

We'll further look into the issue.

Kind regards

[Someone Else 0]

Ignore the previous reply if you received it via e-mail (it did not take into consideration a different timezone).

 

Hello, yes CEST is my timezone.

We'll further look into the issue.

 

I appreciate it. Thank you.

[Ingiant 1]

Hello,

I can confirm I am having the same ´invalid vpn secrets´ problem.

Initial connection through nm after booting Ubuntu 12.04 to a AirVPN server is fine. But when I change to another server, I get this ´invalid vpn secrets´ message from nm.

Connecting and reconnecting to another server from the cli, with;

sudo openvpn some.ovpn

works just fine though.

So I think I can narrow down the problem to the network-manager.

What I notice is when I am disconnecting a connection from the cli, it nicely sends a ´exit notification to peer´ and then closes down.

From what I see in the config files of a VPN connection (in /etc/Networkmanager/system-connections) there is no explicit-exit-notify specified, like specified in the ovpn files.

I think nm just closes the connection without notifying the AirVPN server.

So when you try to connect to another server through nm, AirVPN thinks there is still a connection active on another server.

And since you´re only allowed 1 connection at a time, the other server refuses the connection.

Hope you can resolve this.

I can start a connection on the cli. But I´d like to have a visual clue that I´m connected like nm does with its little lock on the connection icon.

Grz.