Google Authenticator not work

netops · October 20, 2022, 2:03pm

Hello Dear Colleagues!

I have a problem connecting 2fa via Google Authenticator. If the client connects via Pin, everything is fine. But if you enable Google Authenticator, then there is no way to connect.
I have tried generating new code, it does not lead to success.

I’m using the free version. Do I understand correctly that 2fa won’t work without a subscription?

RROR User auth failed “Challenge OTP code”

zach · October 20, 2022, 3:19pm

The Google Authenticator is based on the current time. Verify both the server and authenticator device have the correct date and time.

netops · October 20, 2022, 3:47pm

I fixed the time issue, but it doesn’t lead to success

netops · October 20, 2022, 4:15pm

2022-10-20 19:11:38 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning./n
2022-10-20 19:11:38 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022/n
2022-10-20 19:11:38 Windows version 10.0 (Windows 10 or greater) 64bit/n
2022-10-20 19:11:38 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10/n
2022-10-20 19:11:38 Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication/n
2022-10-20 19:11:38 Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication/n
2022-10-20 19:11:38 TCP/UDP: Preserving recently used remote address: [AF_INET]130.193.48.183:18138/n
2022-10-20 19:11:38 UDP link local: (not bound)/n
2022-10-20 19:11:38 UDP link remote: [AF_INET]130.193.48.183:18138/n
2022-10-20 19:11:38 VERIFY OK: depth=1, O=6350f6a0588e71fdcd695e02, CN=6350f6a0588e71fdcd695e06/n
2022-10-20 19:11:38 VERIFY KU OK/n
2022-10-20 19:11:38 Validating certificate extended key usage/n
2022-10-20 19:11:38 NOTE: --mute triggered…/n
2022-10-20 19:11:38 4 variation(s) on previous 3 message(s) suppressed by --mute/n
2022-10-20 19:11:38 [6350f6a0588e71fdcd695e14] Peer Connection Initiated with [AF_INET]130.193.48.183:18138/n
2022-10-20 19:11:39 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:27760e7f816e4f76ad4c61cce09b04f1:bmls:Enter OTP Code/n
2022-10-20 19:11:39 SIGTERM[soft,auth-failure] received, process exiting/n

mixollm94 · June 23, 2023, 8:56am

Hi. I have the same issue. Any ideas about another solution except time change? I have already tried to add the same 2FA on my end and my OTP code works. But if the user who owns account tries to setup 2FA and enter the code - he gets the error all the time. But if I send him OTP code for the same user account - it works. We have already tried different apps(the same as Google Authenticator) - but the result is the same.

zach · June 23, 2023, 1:54pm

If one device with the Google Authenticator app gives a different OTP code for the same user QR code it is a time issue.

mixollm94 · June 23, 2023, 2:25pm

Hi Zach, thanks for the prompt reply. Could you please provide a bit more details what exactly I have to change? Because we use UTC on pritunl server but all our users are from different countries. And it works perfectly for all of them except one. And we have a lot of users in the same country as those user who is unable to use his 2FA device.

zach · June 24, 2023, 1:53am

The timezone if set correctly will not effect the code. If the timezone is incorrect and the configured time is being shifted to a different timezone that will cause an incorrect calculation.