
OpenVPN 2.5.7 server auth-user-pass-verify failure doesn't reach clients

Open kosli opened this issue 1 year ago • 3 comments

Describe the bug I am using an OpenVPN 2.5.7 server (OpenWRT openvpn-openssl package) with an external auth-user-pass-verify via-env script. When the script returns success for the user/pass authentication, everything works as expected. If the script returns an exit code of 1, the server logs it correctly, but the clients do not get any feedback and wait forever for a response. The OpenVPN 2.5.7 server log shows the following:

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
SIGTERM[soft,auth-control-exit] received, client-instance exiting

OpenVPN 2.6.5 client log shows the following:

2023-07-07 15:45:15 TLS: Initial packet from [AF_INET]xxxx:1194, sid=71f0fcfa d4ff3caf
2023-07-07 15:45:15 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-07-07 15:45:15 VERIFY OK: depth=1, C=xxx, O=xxx, CN=xxx CA, emailAddress=xxx
2023-07-07 15:45:15 VERIFY KU OK
2023-07-07 15:45:15 Validating certificate extended key usage
2023-07-07 15:45:15 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-07-07 15:45:15 VERIFY EKU OK
2023-07-07 15:45:15 VERIFY OK: depth=0, CN=test-ext

To Reproduce Use the OpenVPN 2.5.7 server with an `auth-user-pass-verify via-env` script that exits with 1 and see what a client with an auth-user-pass will do.

Expected behavior If the auth script exits with an exit code of 1, the client should get informed and take the appropriate action, like the default auth-retry none.

Version information (please complete the following information):

  • OS: OpenWRT 22.03.5
  • OpenVPN server: 2.5.7 (openvpn-openssl 2.5.7-3 from OpenWRT)
  • OpenVPN client: 2.6.5 (but also tested with 2.6.4, 2.5.9 and 2.5.7)

Additional context I haven't tested with another OpenVPN server version, as the version is given by the OpenWRT release. I never had any issues with auth-user-pass-verify on older OpenVPN server versions, so I am not sure if I missed any new configuration option (e.g. would using tls-crypt instead of tls-auth have any impact on that) or if it really is a problem with that specific OpenVPN version. I haven't found any references regarding such an error on that version.

kosli, Jul 07 '23 13:07
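For readers checking their own setup against this report, the following is an added example of a minimal auth-user-pass-verify script in via-env mode. It is not the reporter's script and not part of OpenVPN; it only illustrates the contract the report relies on: OpenVPN exports the credentials in the environment variables `username` and `password` (which is why via-env needs `script-security 3` on the server), exit status 0 accepts the client, and any non-zero status rejects it, producing the "external program exited with error status: 1" line seen in the server log. The credential table, the user names and the passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example: OpenVPN --auth-user-pass-verify script, via-env mode.
# Not the reporter's script. OpenVPN sets $username and $password in the
# environment (requires "script-security 3" on the server). Exit 0 = accept,
# non-zero = reject ("external program exited with error status: 1").

# Constructed demo credential table: "user:sha256hex(password)", one per line.
# A real deployment would keep this in a root-only file and use a salted,
# slow hash; plain SHA-256 keeps this self-contained demo dependency-free.
# alice's password is "abc", bob's password is "hello".
CREDENTIALS='alice:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
bob:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'

# Hash stdin with SHA-256 and print only the hex digest.
sha256_hex() {
    sha256sum | cut -d ' ' -f 1
}

# verify_credentials USER PASS -> exit status 0 on a match, 1 otherwise.
verify_credentials() {
    user=$1
    pass=$2
    # Reject empty user names and anything outside a conservative charset
    # before the value reaches awk or a log line.
    case $user in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    expected=$(printf '%s\n' "$CREDENTIALS" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    # Unknown user: same result as a wrong password, so the caller cannot tell.
    [ -n "$expected" ] || return 1
    actual=$(printf '%s' "$pass" | sha256_hex)
    [ "$actual" = "$expected" ]
}

# Entry point used by OpenVPN. It only runs when the via-env variables are
# present, so the file can be sourced for testing without exiting the shell.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    if verify_credentials "$username" "$password"; then
        # Never log the password; the user name is enough for the audit trail.
        logger -t openvpn-auth "accepted user=$username"
        exit 0
    fi
    logger -t openvpn-auth "rejected user=$username"
    exit 1
fi
```

On the server this is wired in with `auth-user-pass-verify /path/to/script via-env` together with `script-security 3`. The thing to confirm when debugging a report like the one above is that the script really terminates with a non-zero status on failure rather than hanging or exiting 0; the `SIGTERM[soft,auth-control-exit]` line shows the server side did see the rejection here, so the missing piece is the feedback to the client, not the script's exit code.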