Debugging Errors
Debugging this issue is a bit hard. At least here is a step-by-step guide to debug the cookie handling in the browser.
I assume you are using a Chrome-based Browser.
-
Before connecting to OpenVPN server, open a browser locally. On the new tab page, do right-click, inspect. The browser console appears. Important: click on the Network tab and ensure that "preserve log" is enabled.
-
Ideally, you aren't logged on Azure with your main browser, otherwise you are not intercept the flow.
-
Ensure, you have access to OpenVPN server logs in real-time. Tip: If you are using
journalctl, use the option--no-pager. This prevents that large links are truncated.
- Initiate connection to OpenVPN server, close the browser opened by OpenVPN client.
- Goto OpenVPN server logs, grab the line with
INFO_PRE,WEB_AUTHand copy the link with the full state. - Paste the link on the tab where the browser console is opened.
- Continue the auth flow.
- On the access-denied screen, check the Browser Console for any errors.
- Then get the Network tab again.
There is a request with
/oauth2/startor juststart. Click on Cookies and check if the response cookie is present. Example Screenshot:
- Then get the Network tab again.
There is a request with
/oauth2/callbackor justcallback. Click on Cookies and check if the request cookie is present. Example Screenshot:
Sometimes the client stuck at this stage Received control message: 'PUSH_REQUEST' and can't connect, and at the end it will time out like this message Connection Timeout, and you can see in the logs like this:
[Feb 14, 2024, 22:28:57] Session is ACTIVE
[Feb 14, 2024, 22:28:57] EVENT: GET_CONFIG
[Feb 14, 2024, 22:28:57] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:28:58] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:00] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:03] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:06] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:09] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:12] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:15] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:18] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:21] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:24] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:27] Sending PUSH_REQUEST to server...
[Feb 14, 2024, 22:29:29] Raw stats on disconnect:
BYTES_IN : 3483
BYTES_OUT : 4088
PACKETS_IN : 18
PACKETS_OUT : 20
If you see this message on the Client side (version3), you may want to make sure you add these lines to your oauth configuration file
| env/sysconfig configuration |
CONFIG_OAUTH2_REFRESH_ENABLED=true
CONFIG_OAUTH2_REFRESH_EXPIRES=24h
CONFIG_OAUTH2_REFRESH_SECRET=... # 16 or 24 characters |
| yaml configuration |
oauth2:
refresh:
enabled: true
expires: 24h
secret: "..." # 16 or 24 characters |
For reference, you can read more about these properties in the wiki at this link
If you are using the OpenVPN Connect app on your mobile device, you may have noticed that the app won't reconnect after a connection loss unless you open the app. This is a known issue and is caused by the app being put to sleep by the operating system. To fix this, configure
OpenVPN Server Configuration
auth-token-gen [lifetime] external-auth
openvpn-auth-oauth2 Configuration
| env/sysconfig configuration |
CONFIG_OAUTH2_REFRESH_ENABLED=true
CONFIG_OAUTH2_REFRESH_EXPIRES=8h
CONFIG_OAUTH2_REFRESH_SECRET=... # a static secret to encrypt token. Must be 16, 24 or 32
CONFIG_OAUTH2_REFRESH_USE__SESSION__ID=true |
| yaml configuration |
oauth2:
refresh:
enabled: true
expires: 8h
secret: "..." # 16 or 24 characters
use-session-id: true |
For reference, you can read more about these properties in the wiki at this link