OpenVPN with PAM on CentOS

check0104 · Post by **check0104** » Sat Jun 27, 2020 12:10 pm

Hello everyone,

I am trying to set up an OpenVPN (2.4.9) server with PAM login on CentOS 8.2 and I am facing some strange issues.
Specifically, everything works finde if I start the server with

Code: Select all

sudo openvpn /etc/openvpn/server/server.conf

However, if I start the server via sytemd

Code: Select all

sudo systemctl start openvpn-server@server

I see the following authentication error:

openvpn.log

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: XXXX
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'XXXX' failed to authenticate: Authentication failure
2.204.43.58:49048 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2.204.43.58:49048 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
2.204.43.58:49048 TLS Auth Error: Auth Username/Password verification failed for peer

Is there anyone who knows what the issue might be?

Cheers!

Tobias

server.conf

port 1194
proto udp
dev tun

ca /etc/openvpn/server/easy-rsa/3/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/3/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/3/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/3/pki/dh.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

duplicate-cn
keepalive 10 120

cipher AES-128-GCM # AES

comp-lzo

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log

verb 6

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
username-as-common-name

openvpn pam

#%PAM-1.0
auth required pam_succeed_if.so user ingroup vpnlogin
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so