Issue with google auth

Post by Harmanogo » Fri Jul 14, 2023 4:29 pm

Hi All, I am having a very strange problem. I want to have openvpn users authenticate with google auth. I am trying to use this on Oracle Linux. I currently have SELinux disabled. My config files are below. The service starts fine. I can get the QR code. The user file is created in the google-authenticator directory. When I try to authenticate, I get the error:

PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
173.225.244.110:56503 TLS Auth Error: Auth Username/Password verification failed for peer

I am clueless. This exact config worked on a FreeBSD Server. I am forced to move it to Oracle Linux. Don't know why this is failing. Any help at all would be much appreciated.

[/etc/openvpn/server/server.conf]
local 192.168.0.87
port 1194
proto udp4
dev tun
remote-cert-tls client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-crypt /etc/openvpn/easy-rsa/pki/tls_crypt.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "my-routes"
push "my-dhcp-options"
keepalive 10 120
cipher AES-256-GCM
data-ciphers AES-256-GCM
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
max-clients 20
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
auth SHA512
reneg-sec 28800

[/etc/pam.d/openvpn]
auth required /usr/lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass debug

Re: Issue with google auth

Post by Harmanogo » Tue Jul 25, 2023 1:37 am

Ok. So I managed to get this working. Took a while but it was worth it. I now have a setup where the user is prompted on the same screen for a username, password and an auth token. I could maybe post my config if anyone is interested. Perhaps the main thing I learned is I needed the line static-challenge "Enter Authenticator Code" 1 in the client. Things just wouldn't work without this line.
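
What the static-challenge line changes about the password field, as an added example that is not part of the original posts: with static-challenge the client sends the password as SCRV1:<base64 password>:<base64 response> (OpenVPN's documented encoding), while pam_google_authenticator's forward_pass option expects a single field with the password immediately followed by the code. The function names, the 6-digit code length and the sample credentials below are assumptions made for illustration.

```python
import base64
import binascii
import re


def build_scrv1(password: str, otp: str) -> str:
    """Encode the two prompts the way a static-challenge client sends them."""
    enc = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return "SCRV1:" + enc(password) + ":" + enc(otp)


def parse_password_field(field: str, otp_digits: int = 6):
    """Return (mode, password, otp) for the password string the server receives."""
    if field.startswith("SCRV1:"):
        parts = field.split(":")
        if len(parts) != 3:
            raise ValueError("malformed SCRV1 field")
        try:
            password, otp = (
                base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:]
            )
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed SCRV1 field") from exc
        return ("static-challenge", password, otp)
    # Single prompt (forward_pass convention): the code is the trailing digits.
    m = re.fullmatch(r"(.*?)(\d{%d})" % otp_digits, field, flags=re.DOTALL)
    if m:
        return ("concatenated", m.group(1), m.group(2))
    return ("password-only", field, None)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    for sample in (build_scrv1("hunter2", "123456"), "hunter2123456", "hunter2"):
        mode, _password, otp = parse_password_field(sample)
        # Base64 is an encoding, not protection: never log the raw field.
        print(mode, "otp present:", otp is not None)
```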
