
Silent failure of PLAP on adding management password #567

Closed
selvanair opened this issue Dec 21, 2022 · 8 comments · Fixed by #568

@selvanair
Collaborator

> @selvanair I've been testing the PLAP without management interface password and all worked fine.
>
> Now that I would like to test it on our corporate environment, I have added a password file to the management interface like this:
>
> management 127.0.0.1 8888 passwd.txt
>
> The passwd.txt file has one line with the management interface password. I've copied the file to the same path as the ovpn (C:\Program Files\OpenVPN\config-auto), but after this, I can see the PLAP on Windows Logon screen and when I choose the ovpn profile it doesn't ask any username/password (or any OpenVPN window) and immediately shows that the connection failed.
> If I try to start the connection with the OpenVPN GUI then I see a quick window opening and closing again. Log file does not log anything.
> If I remove the passwd.txt parameter from the management configuration, it works as expected.
> Am I missing something or doing something wrong?
> Thanks again for all your work for making this PLAP a reality! :)

Originally posted by @gitnewcomer in #77 (comment)

@selvanair
Collaborator Author

Moved to a new issue --- #77 was about a feature request that has been completed and closed. Better to open new issues for reporting errors like this or to request improvements.

@gitnewcomer

Based on what you describe, my guess would be: you added the password, restarted the service, then edited the password file and did not restart the service again. That would lead to a management password mismatch and the only error would be in the event log. We should probably show an error popup for this --- iirc, there was some reason not to, but I'll reconsider. At least we've to return a relevant reason for failure to PLAP screen.

> Log file does not log anything.

OpenVPN daemon for persistent connections is started by OpenVPNService and it must log something to the log file --- even if the startup failed for some reason. I guess you mean that the log file does not show anything related to the failure of PLAP or GUI. That would be the case if the connection to management interface failed due to management password mismatch -- in that case GUI/PLAP logs a warning to Windows EventLog.

Restart OpenVPNService and check the log file in C:\Program Files\OpenVPN\log\<config-name>.log to ensure the process has started up. Then try GUI and PLAP again. You can also directly test the management password by connecting to management interface using telnet (exit the GUI before trying this): telnet 127.0.0.1 8888 -- it will prompt for management password. If that works, quit telnet before starting the GUI or PLAP again.

BTW, unlike user configs, you have to always restart OpenVPNService after editing a config file in config-auto folder for changes to take effect. This is true for all persistent connections (those started at boot up) whether PLAP is in use or not.

@gitnewcomer

> BTW, unlike user configs, you have to always restart OpenVPNService after editing a config file in config-auto folder for changes to take effect. This is true for all persistent connections (those started at boot up) whether PLAP is in use or not.

@selvanair I have restarted the OpenVPNService and tested again with OpenVPN GUI and PLAP: the same behavior as mentioned before. On the log file of the config I only see 3 lines with OpenVPN version, OS version and OpenSSL version... Can't find any warning logged to the EventLog (only that the service stopped and started again)... :(

If I connect using telnet it asks for a password and connects if correct password is provided...

I'm using last OpenVPN 2.6 Beta2...

@selvanair
Collaborator Author

selvanair commented Dec 21, 2022

Your config may have verb < 3. If you increase that to 3 (or better 4 for testing) and restart the service you will see more in logs -- like management port being listened on and that it's waiting for username/password from management. Then when you connect using telnet, GUI or PLAP it should log a line showing connected to management client and when the client disconnects.

The only reason I can think of is password mismatch (like the passwd.txt file may have some hidden characters, wrong encoding etc.). Keep password pure ASCII to avoid such issues. But even then the GUI should log to EventLog.

Anyway, try removing the password so that you can confirm that you have a working configuration. If adding 'passwd.txt' is the only change to a working setup I can't see how this could happen.

@gitnewcomer

gitnewcomer commented Dec 22, 2022

> Your config may have verb < 3. If you increase that to 3 (or better 4 for testing) and restart the service you will see more in logs -- like management port being listened on and that it's waiting for username/password from management. Then when you connect using telnet, GUI or PLAP it should log a line showing connected to management client and when the client disconnects.

@selvanair I now added verb 4 to my configuration and got this on log file when trying to use PLAP or OpenVPN GUI (I still have the same behavior like my first post):

2022-12-22 09:49:41 us=640000 OpenVPN 2.6_beta2 [git:none/566c0791caddc52e] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Dec 15 2022
2022-12-22 09:49:41 us=640000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2022-12-22 09:49:41 us=640000 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-22 09:49:41 us=640000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:8888
2022-12-22 09:49:41 us=640000 Need hold release from management interface, waiting...
2022-12-22 09:49:59 us=921000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59353
2022-12-22 09:49:59 us=953000 MANAGEMENT: Client disconnected

I can connect to the management interface with telnet using the password set on 'passwd.txt'

> Anyway, try removing the password so that you can confirm that you have a working configuration. If adding 'passwd.txt' is the only change to a working setup I can't see how this could happen.

If I remove the 'passwd.txt' the configuration works and log file shows:

2022-12-22 09:59:07 us=937000 OpenVPN 2.6_beta2 [git:none/566c0791caddc52e] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Dec 15 2022
2022-12-22 09:59:07 us=937000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2022-12-22 09:59:07 us=937000 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-22 09:59:07 us=937000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:8888
2022-12-22 09:59:07 us=937000 Need hold release from management interface, waiting...
2022-12-22 09:59:27 us=15000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59425
2022-12-22 09:59:27 us=156000 MANAGEMENT: CMD 'state on'
2022-12-22 09:59:27 us=156000 MANAGEMENT: CMD 'log on all'
2022-12-22 09:59:27 us=578000 MANAGEMENT: CMD 'echo on all'
2022-12-22 09:59:27 us=578000 MANAGEMENT: CMD 'bytecount 5'
...

I also have checked that 'passwd.txt' is ANSI encoded (I think this also can't be the problem because authentication over telnet works).

If I copy my config to the config folder with the 'passwd.txt', it works. It seems a problem only with persistent connections.

I also have found another problem with OpenVPN GUI: if there is no ovpn profile on the config folder, the OpenVPN GUI does not show the persistent profiles when we right click on the OpenVPN icon on the taskbar.

@selvanair
Collaborator Author

> If I copy my config to the config folder with the 'passwd.txt', it works. It seems a problem only with persistent connections.

In that case passwd.txt is not used as the GUI sets its own random password for non-persistent connections.

> I also have found another problem with OpenVPN GUI: if there is no ovpn profile on the config folder, the OpenVPN GUI does not show the persistent profiles when we right click on the OpenVPN icon on the taskbar.

I cannot reproduce this. See image below with only persistent profiles:
[Image: persist]

But the opposite is possible: i.e., if you have the same config in config-auto and config, only the latter will show up. Always use unique file names for configs. This is something that could be improved, but it's not an easy fix.

Back to your issue with PLAP, I'm out of ideas. Looking at the logs it shows PLAP or GUI connects to the management and immediately disconnects. The only reason I can think of is password mismatch but that should log to EventLog. Do you mind sharing the config and passwd.txt (you can replace the password with something simple)? The certificates and key can be removed from the config as I only need to test startup. Preferably, share as an archive (say zip) so that the files and their encoding are preserved.

@gitnewcomer

gitnewcomer commented Dec 22, 2022

Hi @selvanair I think I have found the problem: after changing the password on 'passwd.txt' to prepare the file for sending it to you, this worked!
I have compared both 'passwd.txt' files and what I found out was that my original file had a password greater than 15 chars. Reducing the password to 15 chars worked, everything over 15 chars doesn't work. The strange part is: if the password is over 15 chars, I still can connect with the management interface using telnet, but PLAP and OpenVPN GUI don't work. Reducing the password to 15 chars or less, the PLAP and OpenVPN GUI work!
Is there any maximum password length for the management interface? Is the length of the password checked to avoid buffer overflow? If there is a maximum length, why isn't there any error log that could tell us that the password exceeded the maximum length? And why does it work with telnet and not with PLAP/OpenVPN GUI?
Could this be fixed? :)

Regarding the OpenVPN GUI showing the persistent connections, it only shows it when one profile connects successfully. If there is a problem (like my case), then the OpenVPN GUI doesn't show the sub-menu for persistent connections.

Thanks again for your help!

@selvanair
Collaborator Author

selvanair commented Dec 22, 2022

That's a bug.
In the GUI, the max length of password is 15 (excluding NUL termination) but OpenVPN will accept passwords up to 127 bytes (4095 bytes in some cases). This was never a problem before persistent connection/PLAP support as the GUI chooses a random password and sets it for normal connections.

Now that we allow user to set management password through a file, we have to support longer passwords. Will fix.

> Regarding the OpenVPN GUI showing the persistent connections, it only shows it when one profile connects successfully. If there is a problem (like my case), then the OpenVPN GUI doesn't show the sub-menu for persistent connections.

I tested using a long password. The config does still show up in the menu and continues to show even though connection attempts fail. Even when there are no other configs. Also, I do get a warning in the EventLog saying management password mismatch. Please check again -- in the event log look for OpenVPN-GUI as the source. Once the event is found, you have to go to its details tab to see the actual error.

The GUI should ignore a persistent config only if parsing the config fails as that could be legitimate -- like an admin sets restrictive permissions to block users from accessing these configs. Otherwise it should show up in the menu even if the connection cannot be successfully completed.

If there is only one config in total, the GUI always uses an alternate format for the menu where connect/disconnect etc are directly displayed in the main menu with no config-specific sub-menus. This has always been the case.

selvanair added the bug label Dec 22, 2022
@gitnewcomer

Thanks @selvanair!

Please ignore the OpenVPN GUI problem, this was a fault on my side, it works now correctly...

Merry Christmas! :)

selvanair added a commit to selvanair/openvpn-gui that referenced this issue Dec 22, 2022
As we now allow users to set a management password (for persistent
connections), the max size of password should match what openvpn.exe
can handle (128 or 4096 bytes depending on build options).

Increase the buffer size to 4096 though such large passwords
may not work in practice. 127 bytes + NUL, may be a safe upper limit.

For the random password used for connections spawned by the GUI,
the current size of 15 bytes + NUL is retained.

Fixes: OpenVPN#567
Signed-off-by: Selva Nair <selva.nair@gmail.com>
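
The length mismatch discussed in this thread, as an added illustration that is not code from openvpn-gui or openvpn: a client that reads the password file into a 16-byte buffer and truncates silently fails against a daemon that compares the full line, while a length-checked reader returns an error the caller can surface. The function names, the truncating behaviour and the sample password are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define CLIENT_OLD_MAX 16   /* 15 bytes + NUL: the GUI limit stated in the issue */
#define DAEMON_MAX     128  /* 127 bytes + NUL: the openvpn.exe limit stated in the issue */

/* Hypothetical truncating reader: keeps what fits, reports nothing. */
static void load_truncating(const char *file_text, char *dst, size_t cap)
{
    size_t len = strcspn(file_text, "\r\n");   /* first line only */
    if (len >= cap)
        len = cap - 1;                         /* silent truncation */
    memcpy(dst, file_text, len);
    dst[len] = '\0';
}

/* Hypothetical checked reader: 0 on success, -1 if the line does not fit. */
static int load_checked(const char *file_text, char *dst, size_t cap)
{
    size_t len = strcspn(file_text, "\r\n");
    dst[0] = '\0';
    if (len >= cap)
        return -1;                             /* caller can log or show an error */
    memcpy(dst, file_text, len);
    dst[len] = '\0';
    return 0;
}

/* Stand-in for the daemon: exact match against the full first line of the file. */
static int daemon_accepts(const char *file_text, const char *offered)
{
    char want[DAEMON_MAX];
    return load_checked(file_text, want, sizeof want) == 0 && strcmp(want, offered) == 0;
}

int main(void)
{
    const char *file_text = "0123456789abcdef\r\n";  /* constructed sample, 16 characters */
    char pw[DAEMON_MAX];

    load_truncating(file_text, pw, CLIENT_OLD_MAX);
    printf("truncating, 16-byte buffer: sends %zu bytes, accepted=%d\n",
           strlen(pw), daemon_accepts(file_text, pw));
    if (load_checked(file_text, pw, CLIENT_OLD_MAX) != 0)
        puts("checked, 16-byte buffer: password too long for buffer (explicit error)");
    if (load_checked(file_text, pw, sizeof pw) == 0)
        printf("checked, 128-byte buffer: sends %zu bytes, accepted=%d\n",
               strlen(pw), daemon_accepts(file_text, pw));
    return 0;
}
```
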
selvanair added a commit that referenced this issue Dec 22, 2022