openvpn+google-authenticator does not authenticate when started with systemctl

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Sat Apr 03, 2021 8:49 pm

Who can help me?
As written in the subject... I have a openvpn configuration with a 2FA google-authentication.

situation A) When I start the /usr/sbin/openvpn process on the command line with "/usr/sbin/openvpn --config /etc/openvpn/server/server.conf --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC", the user can log in with his USERNAME, PASSWORD and OTP; this works.

situation B) When I start the openvpn-server with the "systemctl start openvpn-server@server.conf" command, the server starts without problems, but the user cannot log in.

Of course, I can write my own start|stop script, but that is against my nature :D
Who can point me in the right direction?
I was thinking that systemctl is maybe running in a different environment... something like how crontab runs in another environment than the command line.

Some facts:
I run the openvpn server on a "CentOS Stream 8"

openvpn-server

[Unit]
Description=OpenVPN service for %i
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/w ... n24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server/%i.conf --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target


server.conf

local 192.168.3.5
port 3294
proto udp
dev tun3
ca /etc/openvpn/server/openvpn-server-ca.crt
cert /etc/openvpn/server/openvpn-server.crt
dh none
server 10.3.0.0 255.255.255.0
ifconfig-pool-persist server/ipp.txt
route 10.2.1.0 255.255.255.252
keepalive 20 120
cipher AES-256-GCM
auth SHA256
max-clients 25
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
float
opt-verify
remote-cert-tls client
verify-client-cert require
tls-server
auth-gen-token 43200
chroot /etc/openvpn/server/server/chroot
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
reneg-sec 0

TinCanTech
OpenVPN Protagonist
Posts: 8983
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by TinCanTech » Sat Apr 03, 2021 8:59 pm

dreetje wrote:
Sat Apr 03, 2021 8:49 pm
Of course, I can write my own start|stop script, but that is against my nature
Then who wrote your systemd unit file?

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Sat Apr 03, 2021 9:04 pm

I could have changed the ExecStart line a bit myself, but the other lines are from the rpm, I think.

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Sat Apr 03, 2021 9:25 pm

To be sure, I just reinstalled the openvpn package.
The service file is definitely placed there by the package.

TinCanTech
OpenVPN Protagonist
Posts: 8983
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by TinCanTech » Sat Apr 03, 2021 10:02 pm

dreetje wrote:
Sat Apr 03, 2021 9:25 pm
The service file is definitely placed there by the package
So be it. I would write my own in that case... but whatever.

I doubt I will be able to help much with what your distro is putting out but
if you care to sanitize and post your logs then I'll take a look.

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Sun Apr 04, 2021 11:44 am

This morning I decided to give it a try on Fedora 33 (the CentOS Stream 8 is maybe (for now) a bit too special).
I installed the openvpn packages and copied the /etc/openvpn directory with its configuration to the f33 server. I had to fix some SELinux labels, and it worked as expected.
I do not have any clue what the difference is between the two installations/configurations... but whatever ;)
TinCanTech, thank you!

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Sun Apr 04, 2021 4:44 pm

I just read about someone else who had a similar (same) error.
https://bbs.archlinux.org/viewtopic.php?id=262346

dreetje
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2013 5:35 pm

Re: openvpn+google-authenticator does not authenticate when started with systemctl

Post by dreetje » Mon Apr 05, 2021 4:30 pm

FYI
After many hours of stracing and trial-and-error by changing configuration settings, I found the solution for my problem.
The only thing I had to do was change ProtectHome=true to ProtectHome=false in "/usr/lib/systemd/system/openvpn-server@.service".
I did try it before with just putting a '#' in front of the line, but that was not enough. I guess the default is also true.
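Added example (not from the thread): applying the fix from this post as a systemd drop-in scoped to openvpn-server@.service instead of editing the packaged unit, plus a check of the effective ProtectHome= value that shows why a commented-out line is not the same as an explicit ProtectHome=false. ProtectHome=false widens what the service can reach, so it should stay confined to this one unit; the drop-in file name 10-protecthome.conf and the ROOT prefix are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Instead of editing the packaged
# /usr/lib/systemd/system/openvpn-server@.service (overwritten on the next
# rpm update), put ProtectHome=false in a drop-in scoped to this unit only.
# ROOT is a prefix so the functions can be exercised against a scratch
# directory; on the real host use an empty prefix (ROOT="").
# The drop-in name 10-protecthome.conf is this example's own choice.

UNIT='openvpn-server@.service'

# Create $ROOT/etc/systemd/system/openvpn-server@.service.d/10-protecthome.conf.
# A drop-in carries only the keys it changes; systemd merges it over the unit.
write_protecthome_override() {
    root=$1
    dir="$root/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    printf '[Service]\nProtectHome=false\n' > "$dir/10-protecthome.conf"
    printf '%s\n' "$dir/10-protecthome.conf"
}

# Resolve ProtectHome= the way systemd merges it: the unit file first, then
# each drop-in in lexical order, last assignment wins, and an empty
# "ProtectHome=" resets to the built-in default "no" (systemd.exec(5)).
# A line starting with '#' is not an assignment at all, so commenting out
# "ProtectHome=true" yields the default, not an explicit "false".
# Assumes no full copy of the unit exists in $ROOT/etc/systemd/system.
effective_protecthome() {
    root=$1
    value=no
    for f in "$root/usr/lib/systemd/system/$UNIT" \
             "$root/etc/systemd/system/$UNIT.d/"*.conf; do
        if [ -f "$f" ]; then
            line=$(grep -E '^[[:space:]]*ProtectHome=' "$f" | tail -n 1)
            if [ -n "$line" ]; then
                value=${line#*=}
                if [ -z "$value" ]; then value=no; fi
            fi
        fi
    done
    printf '%s\n' "$value"
}

# On a live system systemd re-reads unit files only after daemon-reload, and
# the effective value can then be confirmed from systemd itself:
#   systemctl daemon-reload
#   systemctl show -p ProtectHome openvpn-server@server.service
#   systemctl restart openvpn-server@server.service
```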
