openvpn+google-authenticator does not authenticate when started with systemctl
Posted: Sat Apr 03, 2021 8:49 pm
Who can help me?
As written in the subject... I have an openvpn configuration with 2FA google-authentication.
situation A) When I start the /usr/sbin/openvpn process on the command line with "/usr/sbin/openvpn --config /etc/openvpn/server/server.conf --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC", the user can log in with his USERNAME, PASSWORD and OTP; this works.
situation B) When I start the openvpn-server with the "systemctl start openvpn-server@server.conf" command, the server starts without problems, but the user cannot log in.
Of course, I can write my own start|stop script, but that is against my nature.
Who can point me in the right direction?
I was thinking that systemctl is maybe running in a different environment?... something like how the crontab runs in another environment than the command line.
Some facts:
I run the openvpn server on "CentOS Stream 8".
openvpn-server
[Unit]
Description=OpenVPN service for %i
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/w ... n24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server/%i.conf --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure
[Install]
WantedBy=multi-user.target
server.conf
local 192.168.3.5
port 3294
proto udp
dev tun3
ca /etc/openvpn/server/openvpn-server-ca.crt
cert /etc/openvpn/server/openvpn-server.crt
dh none
server 10.3.0.0 255.255.255.0
ifconfig-pool-persist server/ipp.txt
route 10.2.1.0 255.255.255.252
keepalive 20 120
cipher AES-256-GCM
auth SHA256
max-clients 25
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
float
opt-verify
remote-cert-tls client
verify-client-cert require
tls-server
auth-gen-token 43200
chroot /etc/openvpn/server/server/chroot
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
reneg-sec 0
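One systematic way to test the "different environment" hunch, as an added example that is not part of the original post: the script below parses the posted unit file and server.conf and maps every path the daemon, or the PAM stack it loads, needs against the sandboxing directives (ProtectSystem, ProtectHome, PrivateTmp) and the capability bounding set that apply only when the process is started by systemd, not from a shell. The parsing helpers are written for this example and are not OpenVPN or systemd tooling; the per-user secret path `/home/alice/.google_authenticator` is a constructed placeholder for the location pam_google_authenticator reads by default (it can be moved with the module's `secret=` option, in which case pass that path instead).

```python
"""Map the filesystem paths an OpenVPN server config touches against the
systemd sandboxing directives in its unit, to see which paths a
service-managed process sees differently from a command-line run.
Example code written for this thread, not part of OpenVPN or systemd."""

from collections import defaultdict

# [Service] section of the posted unit, trimmed to the directives that matter here.
UNIT_TEXT = """\
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
ProtectSystem=true
ProtectHome=true
"""

# Path-taking lines from the posted server.conf.
CONF_TEXT = """\
ca /etc/openvpn/server/openvpn-server-ca.crt
cert /etc/openvpn/server/openvpn-server.crt
ifconfig-pool-persist server/ipp.txt
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
chroot /etc/openvpn/server/server/chroot
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
"""

# Constructed placeholder: default per-user secret file of pam_google_authenticator.
PAM_EXTRA_PATHS = ["/home/alice/.google_authenticator"]

# OpenVPN directives whose first argument is a path, and whether the daemon writes there.
PATH_DIRECTIVES = {
    "ca": "read", "cert": "read", "key": "read", "dh": "read", "plugin": "read", "chroot": "read",
    "ifconfig-pool-persist": "write", "status": "write", "log-append": "write", "log": "write",
}


def parse_unit(text):
    """Return {directive: [values]} for the [Service] section of a unit file."""
    service, section = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            key, _, value = line.partition("=")
            service[key.strip()].append(value.strip())
    return service


def parse_openvpn_paths(text, workdir):
    """Return [(directive, absolute_path, access)] for path-taking directives."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] in PATH_DIRECTIVES:
            path = parts[1]
            if not path.startswith("/"):  # relative paths resolve against WorkingDirectory under systemd
                path = workdir.rstrip("/") + "/" + path
            out.append((parts[0], path, PATH_DIRECTIVES[parts[0]]))
    return out


def _under(path, prefixes):
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def sandbox_effect(path, access, service):
    """Describe how the unit's sandboxing directives change what the service sees at `path`."""
    protect_system = service.get("ProtectSystem", ["no"])[-1]
    protect_home = service.get("ProtectHome", ["no"])[-1]
    private_tmp = service.get("PrivateTmp", ["no"])[-1]
    if protect_home in ("true", "yes", "tmpfs") and _under(path, ["/home", "/root", "/run/user"]):
        return "hidden by ProtectHome"
    if protect_home == "read-only" and access == "write" and _under(path, ["/home", "/root", "/run/user"]):
        return "read-only (ProtectHome=read-only) but needs write"
    if private_tmp in ("true", "yes") and _under(path, ["/tmp", "/var/tmp"]):
        return "private namespace (PrivateTmp): not the host's /tmp"
    read_only = {"true": ["/usr", "/boot", "/efi"], "yes": ["/usr", "/boot", "/efi"],
                 "full": ["/usr", "/boot", "/efi", "/etc"], "strict": ["/"]}.get(protect_system, [])
    if access == "write" and _under(path, read_only) and not _under(path, ["/dev", "/proc", "/sys"]):
        return f"read-only (ProtectSystem={protect_system}) but needs write"
    return "unaffected"


def missing_capabilities(service, needed):
    """Capabilities in `needed` that CapabilityBoundingSet= strips from the service."""
    values = service.get("CapabilityBoundingSet")
    if not values:
        return set()  # no bounding set configured: nothing is stripped
    return set(needed) - set(" ".join(values).split())


def report(unit_text, conf_text, extra_paths=()):
    """{(directive, path): effect} for every path the daemon or its PAM stack needs."""
    service = parse_unit(unit_text)
    workdir = service.get("WorkingDirectory", ["/"])[-1]
    paths = parse_openvpn_paths(conf_text, workdir) + [("pam", p, "read") for p in extra_paths]
    return {(d, p): sandbox_effect(p, a, service) for d, p, a in paths}


if __name__ == "__main__":
    for (directive, path), effect in report(UNIT_TEXT, CONF_TEXT, PAM_EXTRA_PATHS).items():
        print(f"{directive:22} {path:55} {effect}")
    # Root reading the 0000-mode /etc/shadow (pam_unix) needs CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH.
    print("missing caps:", missing_capabilities(parse_unit(UNIT_TEXT), {"CAP_DAC_OVERRIDE"}))
```

Everything the posted server.conf references lands on "unaffected" under ProtectSystem=true (only /usr, /boot and /efi go read-only, and the daemon only reads the plugin from /usr); the one entry that changes is anything under /home, which ProtectHome=true hides entirely from the service. Whether that matters depends on where the PAM stack keeps its secrets, so the check is worth running with the real path from /etc/pam.d/openvpn before changing the unit; if a home path is needed, the narrower fix is `ProtectHome=read-only` or a `ReadOnlyPaths=` / `BindReadOnlyPaths=` entry rather than dropping the hardening.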