OpenVPN sends encoded password with extraneous info in env

zonse
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 07, 2015 7:43 am

OpenVPN sends encoded password with extraneous info in env

Post by zonse » Sun Jun 07, 2015 8:00 am

Hello,

I'm trying to set up OpenVPN to authenticate off of RADIUS but am running into some problems with OpenVPN's handling of the password. OpenVPN adds "SCRV1:" to the front of the password, base64-encodes the password, and attaches what looks to be some sort of challenge response to the password field as it's passed in the environment.

I can't for the life of me figure out if this is a setting in OpenVPN or just a bug. When I run the radiusplugin manually with the test env variables it authenticates properly.

server.conf
[code]
local x.x.x.x

port 1194
proto tcp

# Which device
dev tun

user root
group root
persist-tun
persist-key

server 10.0.1.0 255.255.255.0
management 127.0.0.1 7505

#auth-user-pass-verify /etc/openvpn/auth-pam.pl via-env
username-as-common-name
client-cert-not-required
client-config-dir /etc/openvpn/ccd
client-to-client

push "redirect-gateway 206.217.193.166"
push "dhcp-option DOMAIN wizardvpn.com"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

ping-timer-rem
keepalive 10 60

# Use compression
#comp-lzo

#tls-server
#tls-auth /etc/openvpn/ssl/ta.key 0
dh /etc/openvpn/ssl/dh1024.pem
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
ca /etc/openvpn/ssl/ca.crt

verb 9
mute 20

topology net30

status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log

#cipher BF-CBC
#auth SHA1

duplicate-cn

plugin /etc/openvpn/plugins/radiusplugin.so /etc/openvpn/radiusplugin.cnf

script-security 3
[/code]

Packet Received by Radius

Received Access-Request Id 129 from x.x.x.x:55984 to x.x.x.x:1812 length 90
        User-Name = 'username'
        User-Password = 'SCRV1:dGVzdA==:Tm9uZQ=='
        NAS-IP-Address = 206.217.193.166
        NAS-Port = 1
        Service-Type = Outbound-User
        Calling-Station-Id = 'x.x.x.x'
        NAS-Identifier = 'OpenVpn'
        NAS-Port-Type = Virtual

The User-Password is split into "SCRV1 : base64 data : base64 data". The first set of base64-encoded data is the password. This is the environment variable that is received by the plugin from OpenVPN. This is the same if I use the PAM RADIUS plugin or the radiusplugin from OpenVPN.

What am I missing?
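
Added example, not part of the original thread: a decoder for the password field shown in the packet above, of the kind a verify script or RADIUS pre-processing step could apply before checking the password. The name `split_scrv1` is hypothetical, and treating the second base64 field as a challenge response follows the poster's reading of the field.

```python
import base64
import binascii

PREFIX = "SCRV1"  # marker seen at the front of the User-Password value


def split_scrv1(field):
    """Return (password, response) from an OpenVPN password field.

    A field that does not start with "SCRV1:" is returned unchanged with
    response None, so clients that send a plain password keep working.
    Caveat: a plain password that itself begins with "SCRV1:" is ambiguous.
    """
    parts = field.split(":")
    if parts[0] != PREFIX or len(parts) == 1:
        return field, None
    # The base64 alphabet has no ':', so a well-formed field has 3 parts.
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field: expected 3 parts")
    try:
        # validate=True rejects characters outside the base64 alphabet
        password = base64.b64decode(parts[1], validate=True).decode("utf-8")
        response = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field: bad base64") from exc
    return password, response


if __name__ == "__main__":
    # Value copied from the Access-Request shown in the post above.
    sample = "SCRV1:dGVzdA==:Tm9uZQ=="
    password, response = split_scrv1(sample)
    # Only the structure is reported; a real script should never log
    # the decoded password.
    print("password length:", len(password))
    print("response present:", response is not None)
```

Reject the login when `ValueError` is raised rather than falling back to the raw field, so a malformed value is never forwarded to the RADIUS server as a password.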

unblue
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 28, 2020 10:13 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by unblue » Tue Jan 28, 2020 10:14 pm

Did you ever get a solution to this?!

It's driving me mad that OpenVPN + FreeRadius works fine on iOS, tests fine locally, but fails when a Windows 10 OpenVPN Connect client tries to connect. It's the same SCRV1:... entry being supplied and failing, and it's just because *something* is base64-encoding it!

rjj
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 10, 2020 4:08 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by rjj » Mon Feb 10, 2020 4:08 am

I am having the same issue. Is there a config setting I'm missing?
