problem with auth-user-pass-verify option

cparker
OpenVpn Newbie
Posts: 4
Joined: Wed Jul 20, 2011 2:30 pm

problem with auth-user-pass-verify option

Post by cparker » Sat Jul 23, 2011 2:06 pm

Hello and thanks for your help.
Sorry for my bad English.
I have tried to find a solution on the forum, but without result.
I have installed an OpenVPN server on Windows XP SP3 with the parameter auth-user-pass-verify.
All is OK when I use the option via-env: my client can connect to the server. But when I use the option via-file, I get this message in the log file:

10.165.15.25:49164 Note: cannot open d:/tmpvpn\openvpn_up_796b5fbbe827a3c3ffbab4fe41ef8518.tmp for WRITE
10.165.15.25:49164 TLS Auth Error: could not write username/password to file: d:/tmpvpn\openvpn_up_796b5fbbe827a3c3ffbab4fe41ef8518.tmp
10.165.15.25:49164 TLS Auth Error: Auth Username/Password verification failed for peer
Sat Jul 23 15:30:25 2011 us=725000 10.165.15.25:49164 SIGTERM[soft,auth-control-exit] received, client-instance exiting

I have changed the rights with the Windows options and with the DOS command attrib (attrib -r), but without result.
I don't understand; could you help me please?
Regards
My conf:
#################################################
local 192.168.1.100
port 1200
proto tcp-server
dev tap
dev-node monvpn
ca ca.crt
cert server.crt
key server.key
script-security 3
tmp-dir d:/tmpvpn
auth-user-pass-verify test.bat via-file
dh dh1024.pem
server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.5
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
mute 20

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with auth-user-pass-verify option

Post by maikcat » Sat Jul 23, 2011 3:30 pm

Hi there,

I noticed the following in your config:

local 192.168.1.100
server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.5
push "route 192.168.1.0 255.255.255.0"

Exactly which scenario are you trying to accomplish here?
Routing or bridging?

The above will not work...

Also

>tmp-dir d:/tmpvpn

Does this folder exist?
Which files are in it?
Do you have WRITE permission in this folder?

Michael.

cparker
OpenVpn Newbie
Posts: 4
Joined: Wed Jul 20, 2011 2:30 pm

Re: problem with auth-user-pass-verify option

Post by cparker » Sun Jul 24, 2011 5:22 pm

Hello and thank you for your answer.

local 192.168.1.100 is the listening address on my server, because there are two network cards.

server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.5: 192.168.0.1 is the IP address taken by the VPN server and 192.168.0.2 192.168.0.5 is the address pool free for the clients.
push route 192.168.1.0 255.255.255.0 is the route that allows a client to reach another subnet.

I should specify that I am making a bridging scenario and this configuration works when I don't use the auth-user-pass-verify env-file option.

Yes, d:\tmpvpn exists, and when my client enters login and password, a file such as openvpn_up_796b5fbbe827a3c3ffbab4fe41ef8518.tmp is created in this directory, with the error message in the log. See the first post.

And yes, I have write permission on this directory (I have even tested with all people full control). I have tried with another directory and the default directory %USERPROFILE%\Local Settings\Temp, but I get the same error message.

Thanks
Regards

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: problem with auth-user-pass-verify option

Post by Mimiko » Sun Jul 24, 2011 7:01 pm

Windows uses the backslash '\' in paths, so correct it in your config. As you can see, OpenVPN itself prepends a backslash before the file name.

Also, under which account is OpenVPN running? As a service? Does that account have full control of the folder?
%USERPROFILE%\Local Settings\Temp
For directories with spaces you must use double quotes to delimit the directory path.

cparker
OpenVpn Newbie
Posts: 4
Joined: Wed Jul 20, 2011 2:30 pm

Re: problem with auth-user-pass-verify option

Post by cparker » Mon Jul 25, 2011 4:22 pm

I changed the temp directory with the option tmp-dir; when I use d:/tmpvpn I can see the tmp file. At the beginning I didn't use this option and the temp directory was %USERPROFILE%\Local Settings\Temp by default.

I installed OpenVPN with an administrator account, but not as a service. It's the same account that launches the application.
The account can create a file in the directory without problem.
On the other hand, I noticed that the tmp file openvpn_up_796b5fbbe827a3c3ffba.....tmp is always read-only in the Windows properties; I don't know why.

I tried giving all people full control on the directory d:/tmpvpn as a test, but without result.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: problem with auth-user-pass-verify option

Post by Mimiko » Mon Jul 25, 2011 5:33 pm

So, I've added

tmp-dir d:/tmpvpn
auth-user-pass-verify test.bat via-file

in my server's config.
Then created test.bat in the folder where *.ovpn resides with the following:

echo "%~1" >> d:\aa.txt
type "%~1" >> d:\aa.txt
echo -------------------- >> d:\aa.txt
exit 0

Then I start the server and client. On the client I input some user and password (user: a, pass: v).
The client connects well. The output to aa.txt is:

"d:/tmpvpn\openvpn_up_f968aaeaa4f48312d00cbd0f32d90b4e.tmp"
a
v
--------------------

The logging on the server is:

D:\openvpn_server\config>echo "d:/tmpvpn\openvpn_up_f968aaeaa4f48312d00cbd0f32d90b4e.tmp" 1>>d:\aa.txt
D:\openvpn_server\config>type "d:/tmpvpn\openvpn_up_f968aaeaa4f48312d00cbd0f32d90b4e.tmp" 1>>d:\aa.txt
D:\openvpn_server\config>echo -------------------- 1>>d:\aa.txt
D:\openvpn_server\config>exit 0
Mon Jul 25 20:26:35 2011 192.168.0.1:2109 TLS: Username/Password authentication succeeded for username 'a'

So it's definitely a folder security access problem. The read-only flag is obsolete for OpenVPN and does not interfere.
What version of OpenVPN are you running?
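
A verify script for the via-file mode tested above, as an added example that is not part of the original thread: it reads the username and password from the first two lines of the temporary file OpenVPN passes as its argument, checks them against a salted PBKDF2 hash, and exits 0 or 1 without writing the credentials anywhere. The script name verify.py, the user store, the salt and the iteration count are assumptions; the sample user a/v mirrors the test credentials in the post.

```python
#!/usr/bin/env python3
"""Hypothetical verify.py for: auth-user-pass-verify verify.py via-file"""
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # assumed work factor, tune for your hardware


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 digest as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


# Constructed sample store: username -> (salt, stored hash). A real
# deployment would load this from a protected file or directory service.
USERS = {"a": (b"constructed-salt", hash_password("v", b"constructed-salt"))}


def read_credentials(path):
    """via-file layout: username on line 1, password on line 2."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("expected a username line and a password line")
    return lines[0], lines[1]


def verify(path, users=USERS):
    """Return True only for a known user with a matching password."""
    try:
        username, password = read_credentials(path)
    except (OSError, ValueError, UnicodeDecodeError):
        return False  # unreadable or malformed file: fail closed
    # Hash even for unknown users so both paths do the same amount of work.
    salt, expected = users.get(username, (b"dummy-salt", "0" * 64))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected) and username in users


if __name__ == "__main__":
    # OpenVPN treats exit code 0 as success and 1 as failure.
    ok = len(sys.argv) == 2 and verify(sys.argv[1])
    sys.exit(0 if ok else 1)
```
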

cparker
OpenVpn Newbie
Posts: 4
Joined: Wed Jul 20, 2011 2:30 pm

Re: problem with auth-user-pass-verify option

Post by cparker » Tue Jul 26, 2011 7:42 pm

Hello

I have tried like you, with the same script, and I get this log:
10.165.15.25:49175 Note: cannot open d:/tmpvpn\openvpn_up_03854301076623c9e160689327e166fe.tmp for WRITE
10.165.15.25:49175 TLS Auth Error: could not write username/password to file: p/tmpvpn\openvpn_up_03854301076623c9e160689327e166fe.tmp
us=511000 10.165.15.25:49175 TLS Auth Error: Auth Username/Password verification failed for peer
us=511000 10.165.15.25:49175 SIGTERM[soft,auth-control-exit] received, client-instance exiting
us=511000 TCP/UDP: Closing socket
us=578000 MULTI: multi_create_instance called


My version is OpenVPN 2.2.1 -- released on 2011.07.06

On the tmpvpn directory the rights are all people full control.

I must have a rights problem but I don't know where.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: problem with auth-user-pass-verify option

Post by Mimiko » Tue Jul 26, 2011 8:02 pm

Try to reinstall OpenVPN. Then delete the tmpvpn folder. Create it again. Go to the Security tab of the folder, add Everyone and tick the Full Control box, click Apply, then click Advanced, check the "Replace permissions on all child" box (just to be sure), and press OK, and OK. And try again.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: problem with auth-user-pass-verify option

Post by janjust » Mon Aug 01, 2011 1:00 pm

This looks like a bug in OpenVPN 2.2.0+; try downgrading to 2.1.4. The problem is with the ':' character. If you can confirm that 2.1.4 works then I'll open a bug for 2.2.0+.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: problem with auth-user-pass-verify option

Post by dazo » Mon Aug 01, 2011 1:33 pm

Hmmm ... I notice this in the log:

d:/tmpvpn\openvpn_up_03854301076623c9e160689327e166fe.tmp

It's a mixture of backslash and (forward) slash ... this might cause confusion as well. Try using only backslash in the path argument to --tmpdir.

puri
OpenVpn Newbie
Posts: 1
Joined: Mon May 07, 2012 10:36 am

Re: problem with auth-user-pass-verify option

Post by puri » Mon May 07, 2012 10:44 am

The problem still seems to exist using the latest binary from openvpn.net (OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11])

Mon May 07 12:40:01 2012 192.168.151.78:62058 Re-using SSL/TLS context
Mon May 07 12:40:01 2012 192.168.151.78:62058 LZO compression initialized
Mon May 07 12:40:01 2012 192.168.151.78:62058 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1492)
Mon May 07 12:40:01 2012 192.168.151.78:62058 Control Channel MTU parms [ L:1566 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 07 12:40:01 2012 192.168.151.78:62058 Data Channel MTU parms [ L:1566 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon May 07 12:40:01 2012 192.168.151.78:62058 Local Options hash (VER=V4): '07ee0ac2'
Mon May 07 12:40:01 2012 192.168.151.78:62058 Expected Remote Options hash (VER=V4): 'c69db0ac'
Mon May 07 12:40:01 2012 192.168.151.78:62058 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=openvpnserver/CN=openvpnserver/name=openvpnserver/emailAddress=mail@host.domain
Mon May 07 12:40:01 2012 192.168.151.78:62058 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=openvpnserver/CN=openvpnserver/name=vpnclient01/emailAddress=mail@host.domain
Mon May 07 12:40:01 2012 192.168.151.78:62058 Note: cannot open c:\tmp\openvpn_up_34240a548fb0d296f480be5254bd9428.tmp for WRITE
Mon May 07 12:40:01 2012 192.168.151.78:62058 TLS Auth Error: could not write username/password to file: c:\tmp\openvpn_up_34240a548fb0d296f480be5254bd9428.tmp
Mon May 07 12:40:01 2012 192.168.151.78:62058 TLS Auth Error: Auth Username/Password verification failed for peer

It creates the file in the directory, but seems not to be able to write in it.
Any advice here?

gloner
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 16, 2012 1:42 pm

Re: problem with auth-user-pass-verify option

Post by gloner » Fri May 11, 2012 4:16 am

0. The right syntax for specifying the path must be:

tmp-dir "drive:\\tmpdir"

1. C:\tmp is not a standard temp directory on Windows systems, therefore you should check the user rights on it and correct them to Full Access for Everyone (All).
2. How is your OpenVPN server started? As a service or started by a user?
3. Check the syntax of the "script-security" directive; maybe it has a wrong symbol in your native language.

bv
OpenVpn Newbie
Posts: 2
Joined: Sat Jul 21, 2012 3:41 pm

Re: problem with auth-user-pass-verify option

Post by bv » Sat Jul 21, 2012 3:59 pm

I do not speak English, sorry.

The problem is the same.
The rights to the folder are OK.

Sat Jul 21 15:31:54 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
...
Sat Jul 21 15:32:26 2012 37.17.115.116:63214 Note: cannot open C:\Windows\Temp\openvpn_up_c25ea9fca14111311d62284e08a306b3.tmp for WRITE
Sat Jul 21 15:32:26 2012 37.17.115.116:63214 TLS Auth Error: could not write username/password to file: C:\Windows\Temp\openvpn_up_c25ea9fca14111311d62284e08a306b3.tmp

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: problem with auth-user-pass-verify option

Post by Mimiko » Thu Aug 23, 2012 5:38 am

Which Windows version are you using?

bv
OpenVpn Newbie
Posts: 2
Joined: Sat Jul 21, 2012 3:41 pm

Re: problem with auth-user-pass-verify option

Post by bv » Fri Aug 31, 2012 8:30 am

Microsoft Windows Server 2003 R2 Standard Edition Service Pack 2

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: problem with auth-user-pass-verify option

Post by Mimiko » Thu Sep 06, 2012 11:18 am

C:\windows\temp is not usually writable for users. Try using a different path with the tmp-dir option.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: problem with auth-user-pass-verify option

Post by dazo » Thu Sep 06, 2012 11:37 am

gloner wrote:
>0. The right syntax for path specify must be:
>
>tmp-dir "drive:\\tmpdir"

I think I saw you use OpenVPN 2.2. Have you tried not providing the --tmp-dir in your config file? In this case OpenVPN should pick up whatever the temp dir is configured to be for the user openvpn runs as. That should not fail, as then a lot of other Windows programs would fail too.

marcelomaciel
OpenVpn Newbie
Posts: 1
Joined: Fri Dec 14, 2012 1:19 pm

Re: problem with auth-user-pass-verify option

Post by marcelomaciel » Fri Dec 14, 2012 1:22 pm

Hello,

Has anyone managed to solve this problem?
I'm having the same problem and I detected that the temporary file is created in read-only mode, hence the error during authentication. I ran the test on Windows Server 2008 R2 and Windows XP, both with the same problem.

I configured the tmp-dir to a drive formatted in FAT, and still it lets you create the file, but not write information.

Thanks,
Marcelo Maciel

seq
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 20, 2021 5:30 pm

Re: problem with auth-user-pass-verify option

Post by seq » Wed Oct 20, 2021 5:35 pm

Hello,

I have the same problem, OpenVPN 2.5.4 on Windows

Note: cannot open c:\tmp\openvpn_up_660cb7c5511db2e4.tmp for WRITE
TLS Auth Error: could not write username/password to file: c:\tmp\openvpn_up_660cb7c5511db2e4.tmp
TLS Auth Error: Auth Username/Password verification failed for peer

Created temporary files always have read only attribute. Any ideas?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: problem with auth-user-pass-verify option

Post by TinCanTech » Wed Oct 20, 2021 5:57 pm

The version you are using has a bug and a new version is available here:
https://openvpn.net/community-downloads/
