Viscosity, PriTunl, and Pins


dbolack

Posts: 2
Joined: Sat Dec 21, 2019 2:41 am

Post by dbolack » Sat Dec 21, 2019 4:21 am
Hello!

We've had a number of Mac users happily using Viscosity for some time, so when we rolled out a PriTunl-based solution for a different VPN environment they expected (and succeeded at) continuing to use Viscosity *except* when they've added a pin to their profile.

When a pin is set, the client goes into a failed authentication loop where it pops up a pin entry box then immediately fails and attempts a new connection, reminiscent of early 00s browser pop-up spam. :) We are unable to enter the pin.

On instances with OTP enabled, we have the same issue - if it prompts (sometimes it doesn't). The client just seems to loop.

Is this an issue with the configuration import I'm simply unable to spot? The only change I'm making to the import is unchecking use username and password.

Any suggestions?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jan 03, 2020 9:55 pm
Hi dbolack,

We'll take a look and post back when we know more.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jan 06, 2020 10:17 pm
We've performed some testing with the latest version of Viscosity and Pritunl - more information below:
> The only change I'm making to the import is unchecking use username and password.
This appears to be the cause of the problem. Pritunl is using OpenVPN's authentication system to accept the PIN/Password. Without it the connection attempt is initially allowed to proceed (based off certificate authentication alone) and a PIN/password challenge issued, but then the connection is immediately severed by the server.

The solution is to ensure that the "Use Username/Password authentication" checkbox is ticked. The configuration files generated by Pritunl appear to have it enabled by default. For users without a password set it looks like you just leave the password field blank in the authentication prompt.
> On instances with OTP enabled, we have the same issue - if it prompts (sometimes it doesn't). The client just seems to loop.
This is caused by the same issue as above. Ensuring "Use Username/Password authentication" is ticked should resolve it.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
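
An added example, not part of the original posts and not SparkLabs or Pritunl code: a check that an exported profile still asks the client for credentials, so the PIN/OTP can be sent. It assumes the "Use Username/Password authentication" checkbox corresponds to OpenVPN's `auth-user-pass` directive; the sample profiles and the host name are constructed.

```python
import re

# Constructed sample profiles (not real Pritunl output); key material elided.
PROFILE_OK = """\
client
dev tun
remote vpn.example.com 1194 udp
auth-user-pass
<ca>
# text inside an inline block is data, not a directive
</ca>
"""
PROFILE_BROKEN = """\
client
dev tun
remote vpn.example.com 1194 udp
;auth-user-pass
<cert>
auth-user-pass
</cert>
"""

def directives(text):
    """Yield (name, args) for each active directive.

    Skips blank lines, comment lines starting with '#' or ';', and the
    contents of inline <tag>...</tag> blocks such as <ca> or <cert>.
    """
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def prompts_for_credentials(text):
    """True if the profile has an active auth-user-pass directive."""
    return any(name == "auth-user-pass" for name, _ in directives(text))

if __name__ == "__main__":
    for label, prof in (("ok", PROFILE_OK), ("broken", PROFILE_BROKEN)):
        print(label, "auth-user-pass present:", prompts_for_credentials(prof))
```

A profile that reports `False` here relies on certificate authentication alone, which is the case James describes as ending with the server severing the connection.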

dbolack

Posts: 2
Joined: Sat Dec 21, 2019 2:41 am

Post by dbolack » Wed Jan 08, 2020 10:19 am
Thank you, this wasn't entirely clear to me, as past OpenVPN setups I have worked with didn't attach user names, and it didn't occur to me these were since you don't need it with their client.