OpenVPN sends encoded password with extraneous info in env

Posted: Sun Jun 07, 2015 8:00 am
by zonse

I'm trying to set up OpenVPN to authenticate off of RADIUS but am running into some problems with OpenVPN's handling of the password. OpenVPN adds "SCRV1:" to the front of the password, base64 encodes the password, and attaches what looks to be some sort of challenge response to the password field as it's passed in the environment.

I can't for the life of me figure out if this is a setting in OpenVPN or just a bug. When I run the radiusplugin manually with the test env variables it authenticates properly.

local x.x.x.x

port 1194
proto tcp

# Which device
dev tun

user root
group root

management 7505

#auth-user-pass-verify /etc/openvpn/ via-env
client-config-dir /etc/openvpn/ccd

push "redirect-gateway"
push "dhcp-option DOMAIN"
push "dhcp-option DNS"
push "dhcp-option DNS"

keepalive 10 60

# Use compression

#tls-auth /etc/openvpn/ssl/ta.key 0
dh /etc/openvpn/ssl/dh1024.pem
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
ca /etc/openvpn/ssl/ca.crt

verb 9
mute 20

topology net30

status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log

#cipher BF-CBC
#auth SHA1


plugin /etc/openvpn/plugins/ /etc/openvpn/radiusplugin.cnf

script-security 3

Packet Received by Radius

Received Access-Request Id 129 from x.x.x.x:55984 to x.x.x.x:1812 length 90
        User-Name = 'username'
        User-Password = 'SCRV1:dGVzdA==:Tm9uZQ=='
        NAS-IP-Address =
        NAS-Port = 1
        Service-Type = Outbound-User
        Calling-Station-Id = 'x.x.x.x'
        NAS-Identifier = 'OpenVpn'
        NAS-Port-Type = Virtual

The user-password is split into "SCRV1 : base64 data : base64 data". The first set of base64 encoded data is the password. This is the environment variable that is received by the plugin from OpenVPN. This is the same if I use the pam radius plugin or the radiusplugin from OpenVPN.

What am I missing?
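
Added example, not part of the original post or of any plugin mentioned in it: a strict parser for the "SCRV1 : base64 data : base64 data" layout described above, which matches the encoding OpenVPN uses for a static challenge/response, so that a verification script can recover the real password before it is checked against RADIUS. The names Credential and parse_password_field are hypothetical, and the sample value is the one from the Access-Request above.

```python
import base64
import binascii
from typing import NamedTuple, Optional


class Credential(NamedTuple):
    password: str
    response: Optional[str]  # None when the field was not SCRV1-wrapped


def _b64(field: str) -> str:
    """Strictly decode one base64 field to text; reject anything malformed."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field") from exc


def parse_password_field(raw: str) -> Credential:
    """Split 'SCRV1:<b64 password>:<b64 response>' into its two parts.

    A value without the SCRV1: prefix is returned unchanged as the password.
    """
    if not raw.startswith("SCRV1:"):
        return Credential(raw, None)
    parts = raw.split(":")
    # The base64 alphabet contains no ':', so a valid value has exactly 3 parts.
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 value")
    return Credential(_b64(parts[1]), _b64(parts[2]))


if __name__ == "__main__":
    # Value copied from the Access-Request shown in the post above.
    cred = parse_password_field("SCRV1:dGVzdA==:Tm9uZQ==")
    # Print only lengths and flags: credentials do not belong in logs.
    print(len(cred.password), cred.response is not None)
```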

Re: OpenVPN sends encoded password with extraneous info in env

Posted: Tue Jan 28, 2020 10:14 pm
by unblue
Did you ever get a solution to this?!

It's driving me mad that OpenVPN + FreeRadius works fine on iOS, tests fine locally, but fails when a Windows 10 OpenVPN Connect client tries to connect. It's the same SCRV1:... entry being supplied and failing, and it's just because *something* is base64-encoding it!

Re: OpenVPN sends encoded password with extraneous info in env

Posted: Mon Feb 10, 2020 4:08 am
by rjj
I am having the same issue. Is there a config setting I'm missing?