
OpenVPN 2.5.7 server auth-user-pass-verify failure doesn't reach clients

Open kosli opened this issue 2 years ago • 3 comments

Describe the bug I am using an OpenVPN 2.5.7 server (OpenWRT openvpn-openssl package) with an external auth-user-pass-verify via-env script. When the script returns success for the user/pass authentication, everything works as expected. If the script returns an exit code of 1, the server logs it correctly, but the clients do not get any feedback and wait forever for a response. The OpenVPN 2.5.7 server log shows the following:

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
SIGTERM[soft,auth-control-exit] received, client-instance exiting

OpenVPN 2.6.5 client log shows the following:

2023-07-07 15:45:15 TLS: Initial packet from [AF_INET]xxxx:1194, sid=71f0fcfa d4ff3caf
2023-07-07 15:45:15 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-07-07 15:45:15 VERIFY OK: depth=1, C=xxx, O=xxx, CN=xxx CA, emailAddress=xxx
2023-07-07 15:45:15 VERIFY KU OK
2023-07-07 15:45:15 Validating certificate extended key usage
2023-07-07 15:45:15 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-07-07 15:45:15 VERIFY EKU OK
2023-07-07 15:45:15 VERIFY OK: depth=0, CN=test-ext

To Reproduce Use the OpenVPN 2.5.7 server with an `auth-user-pass-verify via-env` script that exits with 1 and see what a client with auth-user-pass will do.

Expected behavior If the auth script exits with an exit code of 1, the client should be informed and take the appropriate action, like the default auth-retry none.

Version information (please complete the following information):

  • OS: OpenWRT 22.03.5
  • OpenVPN server: 2.5.7 (openvpn-openssl 2.5.7-3 from OpenWRT)
  • OpenVPN client: 2.6.5 (but also tested with 2.6.4, 2.5.9 and 2.5.7)

Additional context I haven't tested with another OpenVPN server version, as the version is given by the OpenWRT release. I never had any issues with auth-user-pass-verify on older OpenVPN server versions, so I am not sure if I missed a new configuration option (e.g. would the tls-crypt instead of tls-auth option have any impact on that) or if it really is a problem with that specific OpenVPN version. I haven't found any references regarding such an error on that version.

kosli, Jul 07 '23 13:07
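To make the setup in the report concrete, here is a minimal via-env verifier of the kind the reporter describes. It is an added example, not the reporter's script and not part of OpenVPN: OpenVPN hands the client's credentials to the script as the environment variables `username` and `password` (via-env mode requires `script-security 3` in the server config) and uses the script's exit status, 0 to accept and 1 to reject. The config paths, the `users.db` format and the test users are assumptions made for illustration; salted SHA-256 is used only to keep the example self-contained and is not a password KDF.

```shell
#!/bin/sh
# Added example, not the reporter's script: a minimal auth-user-pass-verify
# handler for via-env mode. OpenVPN exports the client's credentials in the
# environment variables "username" and "password" (via-env requires
# "script-security 3" on the server) and reads the exit status: 0 accepts the
# client, 1 rejects it. File paths, the users.db format and the test users
# are assumed for illustration.
#
# Server config lines (assumed):
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/auth-verify.sh via-env
#
# users.db format: USER:SALT:HEX_SHA256(SALT+PASSWORD). Salted SHA-256 keeps the
# example self-contained; it is not a password KDF and not fit for production.

USERS_FILE="${USERS_FILE:-/etc/openvpn/users.db}"

# sha256_hex STRING -> lowercase hex digest on stdout
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# mkentry USER SALT PASSWORD -> one users.db line on stdout
mkentry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(sha256_hex "$2$3")"
}

# check_credentials USER PASSWORD DBFILE -> status 0 on match, 1 otherwise
check_credentials() {
    user="$1"; pass="$2"; db="$3"
    # Only accept a conservative username character set: the name is used in
    # a lookup, is logged, and may be passed on to other scripts.
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$pass" ] || return 1
    [ -r "$db" ] || return 1
    # Exact match on the first field, so "alice" cannot match "alice2".
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$db")
    [ -n "$entry" ] || return 1
    rest=${entry#*:}
    salt=${rest%%:*}
    stored=${rest#*:}
    [ "$(sha256_hex "$salt$pass")" = "$stored" ]
}

# OpenVPN always sets "username" when it runs the script; if it is absent the
# file is being sourced for testing and only the functions are defined.
if [ -n "${username:-}" ]; then
    if check_credentials "$username" "${password:-}" "$USERS_FILE"; then
        exit 0
    fi
    # A stderr line lands in the server log next to OpenVPN's own
    # "external program exited with error status: 1" warning.
    printf 'auth-verify: rejected user %s from %s\n' \
        "$username" "${untrusted_ip:-unknown}" >&2
    exit 1
fi
```

To add a user, append a line produced by `mkentry` with a fresh random salt to `users.db` (for example `mkentry alice "$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')" 'secret' >> /etc/openvpn/users.db`). With this script in place, a wrong password makes the server log exactly the three lines quoted in the report; whether the client then sees AUTH_FAILED is the question this issue is about.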

Thanks to the OpenWRT community I found the problem: if the management interface is not compiled in (which is the default for the OpenWRT OpenVPN packages), then the client does not receive the auth failed feedback. I have recompiled the same package with --enable-management and the client receives the auth failed, even if the management interface is not configured in the OpenVPN server config.

This should be added into the reference manual as there is no hint that the management interface needs to be enabled for the auth-user-pass-verify option to work properly.

kosli, Jul 11 '23 18:07
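Since the condition identified above is a build-time one (the server config does not have to enable the management interface, the binary has to be built with it), the useful check is against the binary rather than the config. The following is an added example, not part of OpenVPN or the OpenWRT package; it assumes that `openvpn --version` prints a `Compile time defines:` line listing the configure switches, including `enable_management=yes` or `enable_management=no`, and reports `unknown` if that line is missing. The sample version outputs used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from OpenVPN or the OpenWRT package): report whether an
# installed openvpn binary was built with --enable-management, the condition
# the comment above identifies for AUTH_FAILED reaching clients.
# Assumption: "openvpn --version" prints a "Compile time defines:" line that
# lists the configure switches, including enable_management=yes|no.

# management_state VERSION_TEXT -> prints "yes", "no" or "unknown"
management_state() {
    printf '%s\n' "$1" | awk '
        /^Compile time defines:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^enable_management=/) {
                    split($i, kv, "=")
                    print kv[2]
                    found = 1
                }
            }
        }
        END { if (!found) print "unknown" }'
}

# check_binary [PATH] -> status 0 if management is compiled in, 1 if not,
# 2 if the binary could not be queried. Exit status of --version is ignored
# on purpose; only the printed text is used.
check_binary() {
    bin="${1:-openvpn}"
    out=$("$bin" --version 2>/dev/null)
    if [ -z "$out" ]; then
        echo "$bin: could not run --version" >&2
        return 2
    fi
    state=$(management_state "$out")
    echo "$bin: enable_management=$state"
    [ "$state" = "yes" ]
}

# Run the check when a binary path is given on the command line; with no
# argument only the functions are defined so the file can be sourced.
if [ -n "${1:-}" ]; then
    check_binary "$1"
fi
```

On a stock OpenWRT box, `sh check-mgmt.sh /usr/sbin/openvpn` printing `enable_management=no` points at the cause reported above before any config is touched; after rebuilding the package as the comment describes it should print `enable_management=yes`.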

I have the same problem in OpenWRT. But I don't know how to compile, so the problem wasn't solved.

boywwb, Jan 08 '24 13:01

@boywwb see the discussion here with the OpenWRT OpenVPN package maintainer.

kosli, Jan 08 '24 14:01