Failed to authenticate w/ Google Authenticator when configuring OpenVPN on OpenWRT

半腔热情 submitted on 2021-01-29 19:41:54

Question


I'm quite new to OpenWRT and I'm facing some problems here.

I set up the OpenVPN server on an Ubuntu using OpenVPN Access Server web GUI, and correspondingly I got the client profile client.ovpn. Also I enabled "Google Authenticator Multi-Factor Authentication". When I configured as a client using client.ovpn, it worked perfectly on my phone, my other PC, but it just failed when I tried to start a client on OpenWRT on my router.

According to https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/, I used openvpn --config client.ovpn --auth-user-pass --auth-retry interact to start a connection, and I was prompted for a username and a password, which makes sense, but then I was never prompted for the authenticator code. Actually when I looked at the response, it did ask me for a code, but I never had a place to enter it. Instead, it asked to enter the username again, thus dropping into a loop. See below: (the fourth line from the bottom)

root@OpenWrt:/etc/openvpn# openvpn --config client_gui.ovpn --auth-retry interact
Mon Mar  9 19:01:18 2020 Unrecognized option or missing or extra parameter(s) in client_gui.ovpn:124: static-challenge (2.4.7)
Mon Mar  9 19:01:18 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar  9 19:01:18 2020 library versions: mbed TLS 2.16.3, LZO 2.10
Enter Auth Username:london
Enter Auth Password:
Mon Mar  9 19:01:24 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Mar  9 19:01:24 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar  9 19:01:24 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar  9 19:01:24 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar  9 19:01:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.222:1194
Mon Mar  9 19:01:24 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar  9 19:01:24 2020 UDP link local: (not bound)
Mon Mar  9 19:01:24 2020 UDP link remote: [AF_INET]192.168.8.222:1194
Mon Mar  9 19:01:24 2020 TLS: Initial packet from [AF_INET]192.168.8.222:1194, sid=fb509f08 f4ae8b1f
Mon Mar  9 19:01:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar  9 19:01:24 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Mar  9 19:01:24 2020 VERIFY OK: nsCertType=SERVER
Mon Mar  9 19:01:24 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Mon Mar  9 19:01:24 2020 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar  9 19:01:24 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]192.168.8.222:1194
Mon Mar  9 19:01:25 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Mon Mar  9 19:01:25 2020 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code
Mon Mar  9 19:01:25 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Mar  9 19:01:25 2020 Restart pause, 5 second(s)
Enter Auth Username:

How can I solve this problem? Is there anything to be modified in client.ovpn? Thank you!


Answer 1:


In 18.04, create a file userpass in the same directory as client.ovpn.

Userpass should contain 2 lines

  1. username in first line
  2. password in second line

and save the file, open a new terminal, and execute the script.

openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact

In 16.04

Execute the following code

sudo -s

wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -

echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

apt-get update

apt-get dist-upgrade

Create a file userpass in the same directory as client.ovpn.

Userpass should contain 2 lines

  1. username in first line
  2. password in second line

and save the file, open a new terminal, and execute the script.

openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact



Source: https://stackoverflow.com/questions/60606921/failed-to-authenticate-w-google-authenticator-when-configuring-openvpn-on-openw
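
The AUTH_FAILED,CRV1 line in the question's log is an OpenVPN dynamic challenge (the format is described in OpenVPN's management-interface notes): the server expects a second authentication attempt whose password field carries the challenge response. The following is an added example, not part of the original question or answer; it parses that exact log line and builds the credentials for the retry. The function names are hypothetical and "123456" is a constructed authenticator code.

```python
import base64

# Control message copied from the log in the question above.
LOG_LINE = ("Mon Mar  9 19:01:25 2020 AUTH: Received control message: "
            "AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code")

def extract_control_message(log_line):
    """Return the text after 'Received control message: ', or None."""
    marker = "Received control message: "
    pos = log_line.find(marker)
    return log_line[pos + len(marker):].strip() if pos != -1 else None

def parse_crv1(control_msg):
    """Parse an AUTH_FAILED,CRV1 dynamic challenge into its fields."""
    prefix = "AUTH_FAILED,CRV1:"
    if not control_msg.startswith(prefix):
        return None  # plain AUTH_FAILED: credentials rejected, no challenge
    # Layout: CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
    # The challenge text may contain ':' itself, so split at most 3 times.
    parts = control_msg[len(prefix):].split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed CRV1 challenge")
    flags, state_id, user_b64, text = parts
    flag_set = {f for f in flags.split(",") if f}
    return {
        "response_required": "R" in flag_set,  # R: a response is needed
        "echo": "E" in flag_set,               # E: typed response may be echoed
        "state_id": state_id,                  # opaque token, returned unchanged
        "username": base64.b64decode(user_b64, validate=True).decode("utf-8"),
        "text": text,                          # prompt to show the user
    }

def build_response(challenge, code):
    """Return the (username, password) pair sent on the next auth attempt."""
    if challenge["response_required"] and not code:
        raise ValueError("server requires a response to this challenge")
    # The response travels in the password field as CRV1::<state_id>::<response>
    return challenge["username"], "CRV1::{}::{}".format(challenge["state_id"], code)

if __name__ == "__main__":
    ch = parse_crv1(extract_control_message(LOG_LINE))
    print(ch["text"], "for user", ch["username"])
    print(build_response(ch, "123456"))  # "123456" is a constructed code
```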
