I am trying to set up an OpenVPN (2.4.9) server with PAM login on CentOS 8.2 and I am facing some strange issues.
Specifically, everything works finde if I start the server with
Code: Select all
sudo openvpn /etc/openvpn/server/server.conf
Code: Select all
sudo systemctl start openvpn-server@server
openvpn.log
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: XXXX
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'XXXX' failed to authenticate: Authentication failure
2.204.43.58:49048 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2.204.43.58:49048 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
2.204.43.58:49048 TLS Auth Error: Auth Username/Password verification failed for peer
Is there anyone who knows what the issue might be?
Cheers!
Tobias
server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/server/easy-rsa/3/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/3/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/3/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/3/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
cipher AES-128-GCM # AES
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 6
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
openvpn pam
#%PAM-1.0
auth required pam_succeed_if.so user ingroup vpnlogin
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so