OpenVPN server fails to start when using auth-user-pass-verify

mathewparet
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 21, 2020 9:30 am


Post by mathewparet » Tue Jan 21, 2020 9:33 am

This is my OpenVPN server configuration (it works perfectly)

Server Config
local mydomain.com
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN subdomain.mydomain.com"
push "dhcp-option DNS 192.168.157.149"
push "block-outside-dns"
push "route 192.168.157.149 255.255.255.0"
push "route 0.0.0.0 192.0.0.0 net_gateway"
push "route 64.0.0.0 192.0.0.0 net_gateway"
push "route 128.0.0.0 192.0.0.0 net_gateway"
push "route 192.0.0.0 192.0.0.0 net_gateway"
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify


I wanted to allow the same client to be used with different usernames. So I edited the config and added the lines below to the server.conf file

Server Config Additions
script-security 2 # must be at least 2
auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate

With these additions in the config, the OpenVPN server refuses to start.

To debug, I commented out the above lines and uncommented them one by one. So now I can pinpoint that the line

auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file

is causing the issue.

There was no clue on why it is failing in `systemctl status` or `journalctl -xe`. The file `checkUser.sh` is fully executable by any user in the system. The log file `status-server.log` is also empty.

Though `sudo systemctl start openvpn-server` fails, running openvpn directly works: `sudo openvpn --config /etc/openvpn/server/server.conf`!!!

This is how `/lib/systemd/system/openvpn-server@.service` looks:

[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
Could someone please point out what could be the issue?

TinCanTech
OpenVPN Protagonist
Posts: 6511
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server fails to start when using auth-user-pass-verify

Post by TinCanTech » Tue Jan 21, 2020 2:04 pm

mathewparet wrote (Tue Jan 21, 2020 9:33 am):
    auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
You cannot use scripts hosted in home because it is protected by systemd.

Put your script in /etc/openvpn or similar.

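The two pieces a practitioner would want next are the script itself and a way to catch the bad location before the service is started. The block below is an added example, not code from the thread or from the OpenVPN project. It implements an auth-user-pass-verify hook for the `via-file` mode (OpenVPN passes one argument, a temporary file with the username on line 1 and the password on line 2; exit status 0 accepts the login, anything else rejects it) and a `script_path_allowed` pre-flight check that refuses the paths a unit with `ProtectHome=true` cannot see (`/home`, `/root`, `/run/user`). The credential store format (`username:salt:sha256(salt+password)`, one entry per line) and the default path `/etc/openvpn/server/users.db` are this example's own assumptions, not an OpenVPN convention.

```shell
#!/bin/sh
# Added example: OpenVPN auth-user-pass-verify hook (via-file mode) plus a
# pre-flight check for script locations hidden by systemd's ProtectHome=true.
# Not from the forum thread or the OpenVPN project.

# Hypothetical credential store; must NOT live under /home, /root or /run/user
# when the script is run from openvpn-server@.service (ProtectHome=true).
CRED_DB="${CRED_DB:-/etc/openvpn/server/users.db}"

sha256_hex() {
    # Hex SHA-256 of stdin, using whichever coreutils/perl tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

hash_password() {
    # hash_password SALT PASSWORD -> hex digest of salt||password
    printf '%s%s' "$1" "$2" | sha256_hex
}

script_path_allowed() {
    # Return 0 if PATH is reachable from a service running with ProtectHome=true,
    # 1 if it sits in a directory systemd replaces with an empty one.
    case "$1" in
        /home/*|/root/*|/run/user/*) return 1 ;;
        *) return 0 ;;
    esac
}

check_user_file() {
    # check_user_file VIA_FILE [CRED_DB]: 0 = accept, 1 = reject.
    via_file="$1"
    db="${2:-$CRED_DB}"
    [ -r "$via_file" ] && [ -r "$db" ] || return 1

    user=$(sed -n '1p' "$via_file")
    pass=$(sed -n '2p' "$via_file")
    [ -n "$user" ] && [ -n "$pass" ] || return 1

    # Reject usernames that could collide with the field delimiter or carry
    # shell/regex metacharacters; keep the lookup an exact string compare.
    case "$user" in *:*|*[!A-Za-z0-9._@-]*) return 1 ;; esac

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$db")
    [ -n "$entry" ] || return 1
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    stored=$(printf '%s' "$entry" | cut -d: -f3)

    [ "$(hash_password "$salt" "$pass")" = "$stored" ]
}

# When invoked by OpenVPN the single argument is the via-file path.
if [ "$#" -gt 0 ]; then
    if check_user_file "$1"; then exit 0; else exit 1; fi
fi
```

Install it somewhere the unit can reach, for example `/etc/openvpn/server/checkUser.sh`, make it executable, and reference that path in `auth-user-pass-verify`. Loosening the unit (a drop-in with `ProtectHome=read-only`) would also make `/home` visible, but moving the script keeps the shipped hardening intact and is the cleaner fix.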
mathewparet
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 21, 2020 9:30 am

Re: OpenVPN server fails to start when using auth-user-pass-verify

Post by mathewparet » Wed Jan 22, 2020 9:51 am

TinCanTech wrote (Tue Jan 21, 2020 2:04 pm):
    mathewparet wrote (Tue Jan 21, 2020 9:33 am):
        auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
    You cannot use scripts hosted in home because it is protected by systemd.

    Put your script in /etc/openvpn or similar.
Thank you, it worked when I copied to /etc/openvpn.
