Can't log into openvpn user account any time the server's been restarted until password is reset

gawainxr
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 03, 2023 5:51 am


Post by gawainxr » Fri Feb 03, 2023 5:54 am

Greetings, I'm currently running OpenVPN AS 2.11.3 on Ubuntu Server 20.04 LTS

I'm having the problem that upon restarting the server I receive an incorrect login message when trying to log in to the openvpn user account.
I can reset the account password via the OS shell using the steps in the following link, but the issue will immediately return the next time I restart the server.

https://openvpn.net/vpn-server-resource ... ive-access

Any ideas what can be causing this or how to resolve it?

Thank you!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Can't log into openvpn user account any time the server's been restarted until password is reset

Post by openvpn_inc » Fri Feb 03, 2023 12:07 pm

Hello gawainxr,

I have a suspicion about what's going on. Assuming the username is 'openvpn' (if not, replace it in the commands below), try these commands as root user:

cd /usr/local/openvpn_as/scripts/
./sacli --pfilt "openvpn" userpropget

This shows information on the 'openvpn' user and how it is authenticated. Does the user_auth_type here state local when things are working, and pam after you restart Access Server and it stops working? If so, you probably have a left-over bootstrap user reference in /usr/local/openvpn_as/etc/as.conf that you should remove. Basically such a reference instructs the Access Server to force authentication via pam and Access Server will reset this at every service startup. You can resolve that by looking up this line and commenting it out in as.conf, setting openvpn user back to user_auth_type = local, and restarting Access Server service.

The line in as.conf to comment out by putting a # in front:
# boot_pam_users.0=openvpn

This problem can normally only occur if you migrated an older configuration to a newer Access Server, or possibly if you found some third-party or outdated documentation that refers to implementing a bootstrap account. See this page for more details on this:
https://openvpn.net/vpn-server-resource ... r-versions

If this doesn't solve your problem, I suggest contacting https://openvpn.net/support and sending over some logs and maybe even a copy of your userprop.db (if requested by support) to see what's going on.

Good luck,
Johan
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
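
The procedure from the reply above as a script; this is an added example, not part of the original posts and not OpenVPN's own tooling. The `UserPropPut` call and the `openvpnas` service name do not appear in the thread and are assumed from standard Access Server command-line usage; the `AS_CONF` override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find and disable leftover bootstrap-user entries in as.conf.
# AS_CONF defaults to the path given in the post; override it to test on a copy.
AS_CONF="${AS_CONF:-/usr/local/openvpn_as/etc/as.conf}"

# Print active (uncommented) boot_pam_users.N=... lines; returns 1 if none exist.
list_boot_pam_users() {
    grep -E '^[[:space:]]*boot_pam_users\.[0-9]+=' "$1"
}

# Comment out every active boot_pam_users line, keeping a backup as FILE.bak.
# Idempotent: lines that are already commented are not matched again.
disable_boot_pam_users() {
    conf="$1"
    list_boot_pam_users "$conf" >/dev/null || return 0   # nothing to change
    cp -p "$conf" "$conf.bak" || return 1
    # Write through a redirect so the original file keeps its owner and mode.
    sed -E 's/^([[:space:]]*)(boot_pam_users\.[0-9]+=)/\1# \2/' "$conf.bak" > "$conf"
}

# Full procedure, run as root:  sh fix_bootstrap.sh --apply [username]
if [ "${1:-}" = "--apply" ]; then
    user="${2:-openvpn}"
    cd /usr/local/openvpn_as/scripts/ || exit 1
    ./sacli --pfilt "$user" userpropget      # note user_auth_type before the fix
    echo "Active bootstrap entries in $AS_CONF:"
    list_boot_pam_users "$AS_CONF" || echo "(none)"
    disable_boot_pam_users "$AS_CONF" || exit 1
    # Assumed commands (not in the thread): set the auth type back to local
    # and restart the Access Server service.
    ./sacli --user "$user" --key "user_auth_type" --value "local" UserPropPut
    systemctl restart openvpnas
    # Once the service is back up, re-run userpropget: user_auth_type should
    # now remain "local" across restarts.
fi
```

Without `--apply` the script only defines the functions, so `list_boot_pam_users` can be pointed at a copy of as.conf to audit it before anything is changed.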

gawainxr
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 03, 2023 5:51 am

Re: Can't log into openvpn user account any time the server's been restarted until password is reset

Post by gawainxr » Fri Feb 03, 2023 5:26 pm

That did it! Thank you!!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Can't log into openvpn user account any time the server's been restarted until password is reset

Post by openvpn_inc » Fri Feb 03, 2023 8:36 pm

Alright,

Glad that worked,

Have a nice day.
Johan