Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech

nraddatz
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2017 8:21 pm

Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by nraddatz » Wed Nov 29, 2017 8:37 pm

Hi all,

So, I have spent a few hours trying to get the external program authentication piece working. I'm 100% sure my program works, provided I pass username/password in environment variables. My program logs activity into a txt file, so I can know when it's being invoked.

No matter what I do, it doesn't seem like my program is being executed at all by OpenVPN, and from the client perspective, any username/password combination is accepted as good. I have already taken care to set script-security to 3, which seems to be the most common cause for this problem.

Any help would be greatly appreciated.

Details below:

Windows Server 2016
OpenVPN 2.4.4.0
OpenVPN Server running as local system
Config file C:\Program Files\OpenVPN\config\server.ovpn

Server Config

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\xx.crt"
cert "C:\\Program Files\\OpenVPN\\config\\xx.crt"
key "C:\\Program Files\\OpenVPN\\config\\xx.key"
dh dh4096.pem
server xx.xx.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route xx.xx.xx.0 255.255.255.0"
push "route xx.xx.xx.0 255.255.255.0"
push "dhcp-option DNS xx.xx.xx.xx"
push "dhcp-option DNS xx.xx.xx.xx"
push "dhcp-option DOMAIN xx.xx"
push "dhcp-option SEARCH xx.xx"
client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 5
explicit-exit-notify 1
#Custom auth
script-security 3
auth-user-pass-verify "C:/Progra~1/OpenVPN/bin/customauth/customauth.exe" via-env
client-cert-not-required
username-as-common-name

Re: Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by nraddatz » Wed Nov 29, 2017 9:02 pm

More info:

I have also tried invoking a dumb .bat file which returns error code "1". Same thing - user is still allowed to log in.

Bat file contents:
@echo 123>> test.txt
exit 1

If I execute the file manually, the "test.txt" file is created.

Re: Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by nraddatz » Wed Nov 29, 2017 9:22 pm

My client config... it still has some stuff related to my previous configuration, which was all handled via certificates (no username/password). I'm unsure what should be removed here. I added the auth-user-pass and auth-retry interact.

client

client
dev tun
proto udp
remote xx.xx.xx.xx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\xx.crt"
cert "C:\\Program Files\\OpenVPN\\config\\xxxxxyyyy.crt"
key "C:\\Program Files\\OpenVPN\\config\\xxxxxyyyy.key"
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
auth-retry interact

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by TinCanTech » Wed Nov 29, 2017 9:39 pm


Re: Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by TinCanTech » Thu Nov 30, 2017 1:38 pm

nraddatz wrote: Wed Nov 29, 2017 8:37 pm
I have already taken care to set script-security to 3, which seems to be the most common cause for this problem

--script-security 3 is specifically required. See --script-security in The Manual v24x

nraddatz wrote: Wed Nov 29, 2017 9:02 pm
have also tried invoking a dumb .bat file which returns error code "1". Same thing - user is still allowed to log in.

The batch file is not being called and is not present in your active config, otherwise the client connection would be refused.

You must post your logs at --verb 4 .. See --log & --verb in The Manual v24x

As per:
TinCanTech wrote: Wed Nov 29, 2017 9:39 pm
Please see: HOWTO: Request Help !

Re: Invoke exe program for auth (auth-user-pass-verify) not working? Windows Server

Post by nraddatz » Thu Nov 30, 2017 5:57 pm

Just to clarify.

- I had already set script security to 3 (can be clearly seen in the server.ovpn config I shared in an earlier post).
- The bat file I tested, and then removed from the config. That's why you don't see it in the active config.

It seems the final culprit is that I had 2 .ovpn files in the config folder. I had assumed the server would only process server.ovpn, but from what I could gather it actually scans and processes any .config files. It seems that was the reason why I was having unexpected behavior.

Good news is, OpenVPN is now working exactly as I needed.

Thanks!
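
The cause identified in the last post, a second .ovpn file in the config folder, can be checked with a short inventory script. This is an added example, not part of the original thread or of OpenVPN; the helper name Get-OvpnDirective, the parameter names and the default extension are assumptions, and the folder default is the path quoted in the first post.

```powershell
# Added example: inventory the configs in one OpenVPN config folder and show
# which of them enforce auth-user-pass-verify. Defaults are assumptions.
param(
    [string]$ConfigDir = 'C:\Program Files\OpenVPN\config',  # folder named in the thread
    [string]$Extension = 'ovpn'
)

$watch = 'port', 'server', 'script-security', 'auth-user-pass-verify'

# Hypothetical helper: return the watched directives of one config as a hashtable.
function Get-OvpnDirective {
    param([string]$Path)
    $found = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -eq '' -or $text -match '^[#;]') { continue }   # blank or comment
        $name, $rest = $text -split '\s+', 2      # directive, then its arguments
        $name = $name.TrimStart('-')
        if ($watch -contains $name) { $found[$name] = "$rest" }
    }
    $found
}

$configs = @(Get-ChildItem -LiteralPath $ConfigDir -File |
    Where-Object { $_.Extension -eq ".$Extension" })
if ($configs.Count -gt 1) {
    Write-Warning "$($configs.Count) .$Extension files found in $ConfigDir"
}

$report = foreach ($file in $configs) {
    $d = Get-OvpnDirective -Path $file.FullName
    $verify = $d['auth-user-pass-verify']
    $level = 1                                     # OpenVPN default when unset
    if ($d['script-security'] -match '^(\d+)') { $level = [int]$Matches[1] }
    # The thread states level 3 is required for the via-env method used here.
    $need = if ($verify -match 'via-env\s*$') { 3 } else { 2 }
    $flag = ''
    if ($d.ContainsKey('server')) {
        if (-not $verify) { $flag = 'server config without auth-user-pass-verify' }
        elseif ($level -lt $need) { $flag = "script-security $level, needs $need" }
    }
    [pscustomobject]@{
        File = $file.Name; Port = $d['port']; ScriptSecurity = $level
        VerifyScript = $verify; Flag = $flag
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it on the server and compare any flagged file with the config path shown in the log of the instance that is actually accepting connections.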
