Username and password authentication not working when running in unprivileged mode

ThePiratkapten
OpenVpn Newbie
Posts: 6
Joined: Sat May 20, 2017 9:11 am

Post by ThePiratkapten » Sat May 20, 2017 10:10 am

Hi all,

I'm trying to make my openvpn server run in unprivileged mode according to this page: https://community.openvpn.net/openvpn/w ... eLinuxonly

When I followed the guide everything worked fine, except my username and password authentication (the guide didn't mention such authentication). I perform that authentication with the openvpn-plugin-auth-pam.so plugin.

If I run OpenVPN as root there is no problem with authentication. So I assume the problem arises due to running from an unprivileged user. By the way, I run OpenVPN on a Raspberry Pi. Maybe I should add some privilege to the user with visudo, just like I did with the unpriv-ip script, to make the plugin work?
Server configuration
dev tun0
proto udp
port 1194
client-config-dir /etc/openvpn/ccd
keepalive 10 120
max-clients 20
tls-server
topology subnet
client-to-client
server 10.1.2.0 255.255.255.0
route 10.2.1.0 255.255.255.0 10.1.2.2 20
dh /etc/openvpn/auth/dh4096.pem
tls-auth /etc/openvpn/auth/static.key 0
ca /etc/openvpn/auth/ca.crt
cert /etc/openvpn/auth/serverA-v1.crt
key /etc/openvpn/auth/serverA-v1.key
crl-verify /etc/openvpn/auth/crl.pem
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Client Authentication" # Extended key usage
remote-cert-tls client # Key usage
persist-key
persist-tun
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
iproute /usr/local/sbin/unpriv-ip
This is the server log (I changed my IP to 1.2.3.4). Those replay warnings always show up when I connect.


Sat May 20 11:13:14 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sat May 20 11:13:14 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sat May 20 11:13:14 2017 WARNING: file '/etc/openvpn/auth/serverA-v1.key' is group or others accessible
Sat May 20 11:13:14 2017 WARNING: file '/etc/openvpn/auth/static.key' is group or others accessible
Sat May 20 11:13:14 2017 Control Channel Authentication: using '/etc/openvpn/auth/static.key' as a OpenVPN static key file
Sat May 20 11:13:14 2017 TUN/TAP device tun0 opened
Sat May 20 11:13:14 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Sat May 20 11:13:14 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May 20 11:13:14 2017 /usr/local/sbin/unpriv-ip link set dev tun0 up mtu 1500
Sat May 20 11:13:14 2017 /usr/local/sbin/unpriv-ip addr add dev tun0 10.1.2.1/24 broadcast 10.1.2.255
Sat May 20 11:13:14 2017 UDPv4 link local (bound): [undef]1.2.3.4
Sat May 20 11:13:14 2017 UDPv4 link remote: [undef]
Sat May 20 11:13:14 2017 Initialization Sequence Completed
Sat May 20 11:13:25 2017 1.2.3.4:31477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #59 / time = (1495271602) Sat May 20 11:13:22 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 20 11:13:25 2017 1.2.3.4:31477 TLS Error: incoming packet authentication failed from [AF_INET]1.2.3.4:31477
Sat May 20 11:13:25 2017 1.2.3.4:31477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #60 / time = (1495271602) Sat May 20 11:13:22 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 20 11:13:25 2017 1.2.3.4:31477 TLS Error: incoming packet authentication failed from [AF_INET]1.2.3.4:31477
Sat May 20 11:13:25 2017 1.2.3.4:31477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #61 / time = (1495271602) Sat May 20 11:13:22 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat May 20 11:13:25 2017 1.2.3.4:31477 TLS Error: incoming packet authentication failed from [AF_INET]1.2.3.4:31477
AUTH-PAM: BACKGROUND: user 'client1' failed to authenticate: Authentication failure
Sat May 20 11:13:25 2017 1.2.3.4:31477 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Sat May 20 11:13:25 2017 1.2.3.4:31477 TLS Auth Error: Auth Username/Password verification failed for peer
Sat May 20 11:13:25 2017 1.2.3.4:31477 [client1-1-v1] Peer Connection Initiated with [AF_INET]1.2.3.4:31477
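As an added example (not code from the post or from OpenVPN), a small Python audit that parses a server config in the format shown above and reports, from the viewpoint of the unprivileged service account, the referenced files it cannot read or execute, secret files that are group- or world-accessible (the condition behind the two WARNING lines in the log), and paths that do not exist. The fixture paths in `demo()` and the uid/gid passed to `audit()` are assumptions; a real run would pass the uid and gids of the account OpenVPN is started as.

```python
import os
import stat
import tempfile

# Directives in the posted config whose first argument is a file OpenVPN opens.
FILE_DIRECTIVES = {"dh", "tls-auth", "ca", "cert", "key", "crl-verify", "plugin", "iproute"}
SECRET_DIRECTIVES = {"key", "tls-auth"}  # OpenVPN warns when these are group/world accessible
EXEC_DIRECTIVES = {"plugin", "iproute"}  # loaded or executed by the daemon: need execute bits

def parse_config(text):
    """Yield (directive, path) for every file-referencing directive in the config text."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comments such as '# Key usage'
        if len(parts) > 1 and parts[0] in FILE_DIRECTIVES:
            yield parts[0], parts[1]

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """Owner/group/other mode-bit check from the viewpoint of uid/gids. ACLs, parent
    directory traversal and root's override are ignored: a conservative hint only."""
    bit = owner_bit if st.st_uid == uid else group_bit if st.st_gid in gids else other_bit
    return bool(st.st_mode & bit)

def audit(text, uid, gids):
    """Return (directive, path, problem) tuples for the service account uid/gids."""
    findings = []
    for directive, path in parse_config(text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((directive, path, "missing"))
            continue
        if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            findings.append((directive, path, "not readable by service user"))
        if directive in EXEC_DIRECTIVES and not _allowed(
                st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            findings.append((directive, path, "not executable by service user"))
        if directive in SECRET_DIRECTIVES and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((directive, path, "group or others accessible"))
    return findings

def demo():
    """Constructed fixture: world-readable key (as the log warns), unreadable CA, missing helper."""
    d = tempfile.mkdtemp()
    key, ca = os.path.join(d, "serverA-v1.key"), os.path.join(d, "ca.crt")
    for path, mode in ((key, 0o644), (ca, 0o000)):
        open(path, "w").close()
        os.chmod(path, mode)
    cfg = f"key {key}\nca {ca}\niproute {d}/unpriv-ip\nremote-cert-tls client # Key usage\n"
    return audit(cfg, os.getuid(), {os.getgid()})
```

Running `audit()` against the real config with the service account's uid/gids lists exactly which of the posted paths that account can and cannot use, which separates a permission problem from a plugin problem before touching sudoers.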
