jkroepke/openvpn-auth-azure-ad

openvpn_auth_azure_ad.util.errors.ConnectError: [Errno 111] Connection refused

paulchen1102 opened this issue · 8 comments

When I run

python3 openvpn-auth-azure-ad.py --client-id xxxx -H xxxx -P xxxx -p xxxx
I got the following response

Traceback (most recent call last):
  File "openvpn-auth-azure-ad.py", line 6, in <module>
    main()
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/cli.py", line 177, in main
    authenticator = AADAuthenticator(
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/authenticator.py", line 60, in __init__
    self._openvpn.connect()
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/openvpn/__init__.py", line 138, in connect
    raise errors.ConnectError(str(e)) from None
openvpn_auth_azure_ad.util.errors.ConnectError: [Errno 111] Connection refused

Are there any other arguments I have to set? Please kindly help.

Looks like nothing is listening on the provided host/port combination.

Looks like nothing is listening on the provided host/port combination.

You're right, as I specified localhost rather than the real IP in server.conf.
After I finished the configuration and tried to log in from the client, I got the following error log:

2021-11-30 09:09:31,706 INFO [cid: 8]: Received client disconnect event
2021-11-30 09:10:24,529 INFO [cid: 9 | test]: Received client connect
2021-11-30 09:10:24,529 INFO [cid: 9 | test]: Start to authenticate using device token flow
2021-11-30 09:10:24,634 ERROR Exception in thread
Traceback (most recent call last):
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/util/thread_pool.py", line 23, in _function_wrapper
    return fn(*args, **kwargs)
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/authenticator.py", line 245, in client_connect
    self.authenticate_client(client)
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/authenticator.py", line 387, in authenticate_client
    flow = self.device_auth_start()
  File "/etc/openvpn/server/openvpn-auth-azure-ad-master/openvpn_auth_azure_ad/authenticator.py", line 410, in device_auth_start
    raise ValueError(
ValueError: Fail to create device flow. Err: {
    "error": "invalid_request",
    "error_description": "AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: 17c043cc-6003-4f29-b792-00f742a5bc01\r\nCorrelation ID: 9cefb07b-5f2f-4fb2-955e-cf983ce335a4\r\nTimestamp: 2021-11-30 14:10:24Z",
    "error_codes": [
        50059
    ],
    "timestamp": "2021-11-30 14:10:24Z",
    "trace_id": "17c043cc-6003-4f29-b792-00f742a5bc01",
    "correlation_id": "9cefb07b-5f2f-4fb2-955e-cf983ce335a4",
    "interval": 5,
    "expires_in": 1800,
    "expires_at": 1638283224.6337636,
    "_correlation_id": "9cefb07b-5f2f-4fb2-955e-cf983ce335a4"
}
2021-11-30 09:11:14,729 INFO [cid: 9]: Received client disconnect event

Also I found "user_code" in the script but I don't know what it is.

if "user_code" not in flow:
    raise ValueError(
        "Fail to create device flow. Err: %s" % json.dumps(flow, indent=4)
    )

As I only set the client-id in the arguments, does this mean I have to set some other arguments?

And here's the OpenVPN server log:

Tue Nov 30 09:08:27 2021 192.168.8.138:52450 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Nov 30 09:08:32 2021 TCP connection established with [AF_INET]192.168.8.138:52523
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 TLS: Initial packet from [AF_INET]192.168.8.138:52523, sid=772d4bbd 0e611e4c
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 VERIFY OK: depth=1, CN=Comm100 IT
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 VERIFY OK: depth=0, CN=test
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_VER=2.4.11
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_PLAT=win
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_PROTO=2
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_NCP=2
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_LZ4=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_LZ4v2=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_LZO=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_COMP_STUB=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_COMP_STUBv2=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_TCPNL=1
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 TLS: Username/Password authentication deferred for username 'paul.chen'
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Nov 30 09:08:33 2021 192.168.8.138:52523 [test] Peer Connection Initiated with [AF_INET]192.168.8.138:52523
Tue Nov 30 09:08:34 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:08:39 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:08:44 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:08:49 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:08:54 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:08:59 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:04 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:09 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:15 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:20 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:25 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:30 2021 192.168.8.138:52523 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 09:09:31 2021 192.168.8.138:52523 Connection reset, restarting [-1]

From the first error log:

AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.

Maybe you also have to set --token-authority.

This time I ran the script as follows:

python3 openvpn-auth-azure-ad.py --client-id xxxx -H xxxx -P xxxx -p xxxx --token-authority https://login.microsoftonline.com/my-tenant-id

After I input username/password into the OpenVPN client pop-up, I could see the log on both the server and client side asking me to open https://microsoft.com/devicelogin and log in with my Microsoft account.

Although I did that successfully, I was stuck at the challenge-response client window. I can't press OK as the input was blank.
I don't know what to do next. My goal is to be able to log in to OpenVPN with my Microsoft account.

OpenVPN server side log

Tue Nov 30 23:17:03 2021 TCP connection established with [AF_INET]192.168.8.138:57577
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 TLS: Initial packet from [AF_INET]192.168.8.138:57577, sid=bca7ff89 bf324f33
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_VER=2.4.11
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_PLAT=win
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_PROTO=2
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_NCP=2
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_LZ4=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_LZ4v2=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_LZO=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_COMP_STUB=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_COMP_STUBv2=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_TCPNL=1
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 TLS: Username/Password authentication deferred for username 'paul.chen@comm100.com'
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Tue Nov 30 23:17:04 2021 192.168.8.138:57577 [] Peer Connection Initiated with [AF_INET]192.168.8.138:57577
Tue Nov 30 23:17:04 2021 MANAGEMENT: CMD 'client-deny 11 0 "client_challenge" "CRV1:E,R:6fa5ec19-5ccc-4832-ad9a-40d12296f7e1:cGF1bC5jaGVuQGNvbW0xMDAuY29t:To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FHQZNWQJU to authenticate. Then press OK here. No input required here."'
Tue Nov 30 23:17:04 2021 MULTI: connection rejected: client_challenge, CLI:CRV1:E,R:6fa5ec19-5ccc-4832-ad9a-40d12296f7e1:cGF1bC5jaGVuQGNvbW0xMDAuY29t:To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FHQZNWQJU to authenticate. Then press OK here. No input required here.
Tue Nov 30 23:17:05 2021 192.168.8.138:57577 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:05 2021 192.168.8.138:57577 Delayed exit in 5 seconds
Tue Nov 30 23:17:05 2021 192.168.8.138:57577 SENT CONTROL [UNDEF]: 'AUTH_FAILED,CRV1:E,R:6fa5ec19-5ccc-4832-ad9a-40d12296f7e1:cGF1bC5jaGVuQGNvbW0xMDAuY29t:To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FHQZNWQJU to authenticate. Then press OK here. No input required here.' (status=1)
Tue Nov 30 23:17:05 2021 192.168.8.138:57577 Connection reset, restarting [0]
Tue Nov 30 23:17:05 2021 192.168.8.138:57577 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Nov 30 23:17:31 2021 TCP connection established with [AF_INET]192.168.8.138:57580
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 TLS: Initial packet from [AF_INET]192.168.8.138:57580, sid=764f6a65 d9fbf19b
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_VER=2.4.11
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_PLAT=win
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_PROTO=2
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_NCP=2
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_LZ4=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_LZ4v2=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_LZO=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_COMP_STUB=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_COMP_STUBv2=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_TCPNL=1
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 TLS: Username/Password authentication deferred for username 'paul.chen@comm100.com'
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Tue Nov 30 23:17:32 2021 192.168.8.138:57580 [] Peer Connection Initiated with [AF_INET]192.168.8.138:57580
Tue Nov 30 23:17:33 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:38 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:43 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:49 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:54 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:17:59 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:18:02 2021 MANAGEMENT: CMD 'client-deny 12 0 "device token flow errored: no user action"'
Tue Nov 30 23:18:02 2021 MULTI: connection rejected: device token flow errored: no user action, CLI:[NULL]
Tue Nov 30 23:18:04 2021 192.168.8.138:57580 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 30 23:18:04 2021 192.168.8.138:57580 Delayed exit in 5 seconds
Tue Nov 30 23:18:04 2021 192.168.8.138:57580 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Tue Nov 30 23:18:04 2021 192.168.8.138:57580 Connection reset, restarting [0]
Tue Nov 30 23:18:04 2021 192.168.8.138:57580 SIGUSR1[soft,connection-reset] received, client-instance restarting

the script log

2021-11-30 23:14:34,211 INFO [cid: 9]: Received client connect
2021-11-30 23:14:34,212 INFO [cid: 9]: Start to authenticate using device token flow
2021-11-30 23:14:35,351 INFO [cid: 9]: Received client disconnect event
2021-11-30 23:14:47,009 INFO [cid: 10]: Received client connect
2021-11-30 23:14:47,009 INFO [cid: 10]: Continue to authenticate using device token flow
2021-11-30 23:15:17,827 INFO [cid: 10]: device token flow errored: no user action
2021-11-30 23:15:19,224 INFO [cid: 10]: Received client disconnect event
2021-11-30 23:17:04,319 INFO [cid: 11]: Received client connect
2021-11-30 23:17:04,320 INFO [cid: 11]: Start to authenticate using device token flow
2021-11-30 23:17:05,381 INFO [cid: 11]: Received client disconnect event
2021-11-30 23:17:32,272 INFO [cid: 12]: Received client connect
2021-11-30 23:17:32,272 INFO [cid: 12]: Continue to authenticate using device token flow
2021-11-30 23:18:02,983 INFO [cid: 12]: device token flow errored: no user action
2021-11-30 23:18:04,660 INFO [cid: 12]: Received client disconnect event

OpenVPN client side log

Wed Dec 01 12:22:43 2021 OpenVPN 2.4.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
Wed Dec 01 12:22:43 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 01 12:22:43 2021 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Wed Dec 01 12:22:43 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 01 12:22:43 2021 Need hold release from management interface, waiting...
Wed Dec 01 12:22:43 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'state on'
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'log all on'
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'echo all on'
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'bytecount 5'
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'hold off'
Wed Dec 01 12:22:43 2021 MANAGEMENT: CMD 'hold release'
Wed Dec 01 12:22:50 2021 MANAGEMENT: CMD 'username "Auth" "paul.chen@comm100.com"'
Wed Dec 01 12:22:50 2021 MANAGEMENT: CMD 'password [...]'
Wed Dec 01 12:22:50 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 01 12:22:50 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 01 12:22:50 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:22:50 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 01 12:22:50 2021 Attempting to establish TCP connection with [AF_INET]192.168.8.220:1194 [nonblock]
Wed Dec 01 12:22:50 2021 MANAGEMENT: >STATE:1638332570,TCP_CONNECT,,,,,,
Wed Dec 01 12:22:51 2021 TCP connection established with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:22:51 2021 TCP_CLIENT link local: (not bound)
Wed Dec 01 12:22:51 2021 TCP_CLIENT link remote: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:22:51 2021 MANAGEMENT: >STATE:1638332571,WAIT,,,,,,
Wed Dec 01 12:22:51 2021 MANAGEMENT: >STATE:1638332571,AUTH,,,,,,
Wed Dec 01 12:22:51 2021 TLS: Initial packet from [AF_INET]192.168.8.220:1194, sid=aeb1bb05 95275d4e
Wed Dec 01 12:22:51 2021 VERIFY OK: depth=1, CN=Comm100 IT
Wed Dec 01 12:22:51 2021 VERIFY KU OK
Wed Dec 01 12:22:51 2021 Validating certificate extended key usage
Wed Dec 01 12:22:51 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 01 12:22:51 2021 VERIFY EKU OK
Wed Dec 01 12:22:51 2021 VERIFY OK: depth=0, CN=openvpn-server
Wed Dec 01 12:22:51 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Dec 01 12:22:51 2021 [openvpn-server] Peer Connection Initiated with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:22:52 2021 MANAGEMENT: >STATE:1638332572,GET_CONFIG,,,,,,
Wed Dec 01 12:22:52 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:22:57 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:02 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:07 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:11 2021 MANAGEMENT: CMD 'signal SIGHUP'
Wed Dec 01 12:23:11 2021 SIGHUP[hard,] received, process restarting
Wed Dec 01 12:23:11 2021 MANAGEMENT: >STATE:1638332591,RECONNECTING,SIGHUP,,,,,
Wed Dec 01 12:23:11 2021 OpenVPN 2.4.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
Wed Dec 01 12:23:11 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 01 12:23:11 2021 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Wed Dec 01 12:23:11 2021 Restart pause, 2 second(s)
Wed Dec 01 12:23:13 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 01 12:23:13 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 01 12:23:13 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:13 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 01 12:23:13 2021 Attempting to establish TCP connection with [AF_INET]192.168.8.220:1194 [nonblock]
Wed Dec 01 12:23:13 2021 MANAGEMENT: >STATE:1638332593,TCP_CONNECT,,,,,,
Wed Dec 01 12:23:14 2021 TCP connection established with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:14 2021 TCP_CLIENT link local: (not bound)
Wed Dec 01 12:23:14 2021 TCP_CLIENT link remote: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:14 2021 MANAGEMENT: >STATE:1638332594,WAIT,,,,,,
Wed Dec 01 12:23:14 2021 MANAGEMENT: >STATE:1638332594,AUTH,,,,,,
Wed Dec 01 12:23:14 2021 TLS: Initial packet from [AF_INET]192.168.8.220:1194, sid=481f5093 4f9d671c
Wed Dec 01 12:23:14 2021 VERIFY OK: depth=1, CN=Comm100 IT
Wed Dec 01 12:23:14 2021 VERIFY KU OK
Wed Dec 01 12:23:14 2021 Validating certificate extended key usage
Wed Dec 01 12:23:14 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 01 12:23:14 2021 VERIFY EKU OK
Wed Dec 01 12:23:14 2021 VERIFY OK: depth=0, CN=openvpn-server
Wed Dec 01 12:23:14 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Dec 01 12:23:14 2021 [openvpn-server] Peer Connection Initiated with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:15 2021 MANAGEMENT: >STATE:1638332595,GET_CONFIG,,,,,,
Wed Dec 01 12:23:15 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:15 2021 AUTH: Received control message: AUTH_FAILED,CRV1:E,R:4b0a2f88-c9bf-496e-87f6-6331cea2c647:cGF1bC5jaGVuQGNvbW0xMDAuY29t:To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ER4ZSDTWM to authenticate. Then press OK here. No input required here.
Wed Dec 01 12:23:15 2021 SIGUSR1[soft,auth-failure] received, process restarting
Wed Dec 01 12:23:15 2021 MANAGEMENT: >STATE:1638332595,RECONNECTING,auth-failure,,,,,
Wed Dec 01 12:23:15 2021 Restart pause, 5 second(s)
Wed Dec 01 12:23:23 2021 MANAGEMENT: CMD 'username "Auth" "paul.chen@comm100.com"'
Wed Dec 01 12:23:23 2021 MANAGEMENT: CMD 'password [...]'
Wed Dec 01 12:23:23 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:23 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 01 12:23:23 2021 Attempting to establish TCP connection with [AF_INET]192.168.8.220:1194 [nonblock]
Wed Dec 01 12:23:23 2021 MANAGEMENT: >STATE:1638332603,TCP_CONNECT,,,,,,
Wed Dec 01 12:23:24 2021 TCP connection established with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:24 2021 TCP_CLIENT link local: (not bound)
Wed Dec 01 12:23:24 2021 TCP_CLIENT link remote: [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:24 2021 MANAGEMENT: >STATE:1638332604,WAIT,,,,,,
Wed Dec 01 12:23:24 2021 MANAGEMENT: >STATE:1638332604,AUTH,,,,,,
Wed Dec 01 12:23:24 2021 TLS: Initial packet from [AF_INET]192.168.8.220:1194, sid=17f7efe2 bca8fa3f
Wed Dec 01 12:23:24 2021 VERIFY OK: depth=1, CN=Comm100 IT
Wed Dec 01 12:23:24 2021 VERIFY KU OK
Wed Dec 01 12:23:24 2021 Validating certificate extended key usage
Wed Dec 01 12:23:24 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 01 12:23:24 2021 VERIFY EKU OK
Wed Dec 01 12:23:24 2021 VERIFY OK: depth=0, CN=openvpn-server
Wed Dec 01 12:23:24 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Dec 01 12:23:24 2021 [openvpn-server] Peer Connection Initiated with [AF_INET]192.168.8.220:1194
Wed Dec 01 12:23:25 2021 MANAGEMENT: >STATE:1638332605,GET_CONFIG,,,,,,
Wed Dec 01 12:23:25 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:30 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:35 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:40 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:46 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:51 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:56 2021 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Wed Dec 01 12:23:56 2021 AUTH: Received control message: AUTH_FAILED
Wed Dec 01 12:23:56 2021 SIGUSR1[soft,auth-failure] received, process restarting
Wed Dec 01 12:23:56 2021 MANAGEMENT: >STATE:1638332636,RECONNECTING,auth-failure,,,,,
Wed Dec 01 12:23:56 2021 Restart pause, 5 second(s)

the configuration file:

server.conf

management ip port passwordfile
management-client-auth

client.conf

auth-user-pass
auth-retry interact

I've found the reason: I was using OpenVPN client 2.4.11. When I changed my client to version 2.4.9, I can click OK even when leaving the response input blank.

Many thanks!
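The challenge strings in the logs above follow OpenVPN's dynamic challenge/response format, `CRV1:<flags>:<state_id>:<base64 username>:<text>`, and the client answers by reconnecting with a password of the form `CRV1::<state_id>::<response>`. The parser below is an added example, not code from openvpn-auth-azure-ad or from this thread; `Crv1Challenge`, `parse_crv1` and `build_crv1_response` are hypothetical names, and the sample input is the challenge string taken from the server log in this issue.

```python
import base64
from dataclasses import dataclass

# Challenge string as it appears in the server log in this thread
# (after "SENT CONTROL [UNDEF]:"), reused here as sample input.
SAMPLE = (
    "AUTH_FAILED,CRV1:E,R:6fa5ec19-5ccc-4832-ad9a-40d12296f7e1:"
    "cGF1bC5jaGVuQGNvbW0xMDAuY29t:To sign in, use a web browser to open the "
    "page https://microsoft.com/devicelogin and enter the code FHQZNWQJU to "
    "authenticate. Then press OK here. No input required here."
)


@dataclass(frozen=True)
class Crv1Challenge:  # hypothetical name, not part of the project
    echo: bool               # "E" flag: client should echo the typed response
    response_required: bool  # "R" flag: client should ask for a response
    state_id: str            # opaque id the server uses to resume the login
    username: str            # decoded from the base64 field
    text: str                # message shown in the client's prompt


def parse_crv1(message: str) -> Crv1Challenge:
    """Parse 'CRV1:<flags>:<state_id>:<username_b64>:<text>'.

    An optional 'AUTH_FAILED,' prefix (as in the server log) is skipped.
    """
    start = message.find("CRV1:")
    if start < 0:
        raise ValueError("not a CRV1 challenge")
    # maxsplit=4 keeps colons inside the challenge text ('https://...') intact.
    fields = message[start:].split(":", 4)
    if len(fields) != 5:
        raise ValueError("truncated CRV1 challenge")
    _, flags, state_id, user_b64, text = fields
    flag_set = {f.strip() for f in flags.split(",") if f.strip()}
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("bad base64 username in CRV1 challenge") from exc
    return Crv1Challenge(
        echo="E" in flag_set,
        response_required="R" in flag_set,
        state_id=state_id,
        username=username,
        text=text,
    )


def build_crv1_response(challenge: Crv1Challenge, response: str = "") -> str:
    """Password the client sends on reconnect; the state_id must be echoed.

    In the device-code setup from this thread the response is left blank.
    """
    return f"CRV1::{challenge.state_id}::{response}"


if __name__ == "__main__":
    c = parse_crv1(SAMPLE)
    print(c.username, c.state_id, "E" if c.echo else "", "R" if c.response_required else "")
    print(build_crv1_response(c))
```
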

And I want to confirm that I set 'auth-user-pass' in client.conf just to enable challenge-response. It doesn't matter even if I input the wrong username and password?

I use the following command now:

python3 openvpn-auth-azure-ad.py --client-id xxxx -H xxxx -P xxxx -p xxxx --token-authority https://login.microsoftonline.com/my-tenant-id --auth-token

And I want to confirm that I set 'auth-user-pass' in client.conf just to enable challenge-response. It doesn't matter even if I input the wrong username and password?

That's correct. auth-user-pass is required to enable the challenge-response, but OpenVPN is unable to verify the password by default.

You can enable the password verification (-a username_password,device_token). But Microsoft highly recommends not using this verification method.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

OK, I would use device token authentication rather than ROPC because the latter doesn't support MFA.
Thanks for your help!