OpenVPN community + Google Authenticator AUTH_ERROR

perfecto25
OpenVpn Newbie
Posts: 10
Joined: Sun Mar 13, 2022 3:31 pm

OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Sun Mar 13, 2022 3:42 pm

Hello, I am running OpenVPN v2.4.11 on Rocky Linux 8. The basic setup is working and I am able to log in as a client and get my routes from the server.

SELinux is DISABLED.

I am trying to add 2FA functionality using the google-authenticator package, but am unable to get OpenVPN to authenticate a user (Google Auth itself is working).

My server.conf (I'm using the OpenVPN PAM plugin here):


port 1194
proto udp
dev tun-us
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
management 127.0.0.1 5555
server 10.8.24.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn

push "route xxx.xxx.xxx.xxx 255.255.255.255"  # Elastic
push "dhcp-option DOMAIN mycorp.domain"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"

crl-verify crl.pem
ca ca.crt
cert server_RQ7fpBxxx.crt
key server_RQ7fpBxxx.key

tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 5

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
My client file looks like this:


client
proto udp
remote <Pub IP of OpenVPN server> 1194
dev tun
dev-type tun
resolv-retry infinite
nobind
persist-key
persist-tun
verify-x509-name server_RQ7fpBIT7xxxx name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
pull-filter ignore redirect-gateway
verb 3

remote-cert-tls server
auth-user-pass
static-challenge "Enter 2FA Authenticator code:" 1

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
dhcp-option DOMAIN-ROUTE .
My /etc/pam.d/openvpn is this:


auth	required	/usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin debug allowed_perm=0400 echo_verification_code
auth [success=1 default=ignore]	pam_unix.so nullok_secure
I have a script that generates a new OpenVPN profile for a user, then creates a QR code and emails it to them so they can scan it with their phone's Authy app, and then use this code as additional 2FA along with their OpenVPN username + password.

This is how I generate the QR code:


        google-authenticator -t -d -f -r 3 -R 30 -W -C -s "/opt/openvpn/google-auth/${CLIENT}" || { echo "error generating QR code"; exit 1; }
        secret=$(head -n 1 "/opt/openvpn/google-auth/${CLIENT}")
        qrencode -t PNG -o "/opt/openvpn/google-auth/$CLIENT.png" "otpauth://totp/${CLIENT}@qbvpn-us2?secret=${secret}&issuer=openvpn" || { echo "error generating PNG"; exit 1; }
Everything seems to work up to the point where OpenVPN tries to authenticate this user.

Here's a client logging in from their laptop using a 2FA code. Looking at /var/log/messages on the server, I can see that Google Auth is working for this user:

Accepted google_authenticator for bob
"/opt/openvpn/google-auth/bob" written
debug: end of google_authenticator for "bob". Result: Success


Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: start of google_authenticator for "bob"
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: Secret file permissions are 0400. Allowed permissions are 0400
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: "/opt/openvpn/google-auth/bob" read
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: shared secret in "/opt/openvpn/google-auth/bob" processed
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: google_authenticator for host "(null)"
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: no scratch code used from "/opt/openvpn/google-auth/bob"
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: Accepted google_authenticator for bob
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: "/opt/openvpn/google-auth/bob" written
Mar 13 11:09:42 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: end of google_authenticator for "bob". Result: Success
Mar 13 11:09:42 qbvpn-us2 openvpn[10842]: pam_unix(openvpn:auth): check pass; user unknown
Mar 13 11:09:42 qbvpn-us2 openvpn[10842]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=


Looking at /var/log/secure, OpenVPN is not authenticating this user, however:

TLS Auth Error: Auth Username/Password verification failed for peer


Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=154262 PLUGIN AUTH-PAM: BACKGROUND: USER: bob
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=154271 PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=158787 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=158803 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=160025 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=2
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=160039 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=163559 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=163578 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=164823 PLUGIN AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=165624 172.50.1.68:55092 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=165643 172.50.1.68:55092 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=165662 172.50.1.68:55092 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: WWRRSun Mar 13 11:09:42 2022 us=182963 172.50.1.68:55092 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 3072 bit RSA
Mar 13 11:09:42 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:42 2022 us=183005 172.50.1.68:55092 [bob] Peer Connection Initiated with [AF_INET]172.50.1.68:55092
Mar 13 11:09:43 qbvpn-us2 openvpn[10841]: RSun Mar 13 11:09:43 2022 us=216084 172.50.1.68:55092 PUSH: Received control message: 'PUSH_REQUEST'
Mar 13 11:09:43 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:43 2022 us=216117 172.50.1.68:55092 Delayed exit in 5 seconds
Mar 13 11:09:43 qbvpn-us2 openvpn[10841]: Sun Mar 13 11:09:43 2022 us=216135 172.50.1.68:55092 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
Mar 13 11:09:48 qbvpn-us2 openvpn[10841]: WWWSun Mar 13 11:09:48 2022 us=351634 172.50.1.68:55092 SIGTERM[soft,delayed-exit] received, client-instance exiting


Not sure where it's breaking. The user "bob" is not an OS system user, only a VPN profile user; do I need to physically create users on the VPN server?

Is there an issue with the PAM plugin?

Thank you.
Last edited by perfecto25 on Sun Mar 13, 2022 6:43 pm, edited 1 time in total.
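Editor's added example, not code from this thread, from OpenVPN or from the google-authenticator project: a small Python model of what the QR code in the post above encodes and what pam_google_authenticator later checks. It implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step, the defaults behind an otpauth://totp URI), builds that URI with the label URL-escaped, and parses a secret file in the layout google-authenticator writes (base32 secret on the first line, option lines prefixed with `" `, scratch codes after). The sample file content and the secret (the RFC 6238 reference key) are constructed for the demo; rate limiting and the reuse bookkeeping behind the `"/opt/openvpn/google-auth/bob" written` log line are not modelled beyond returning the matched time step.

```python
"""Added example (not from the forum thread or the google-authenticator project):
TOTP generation/verification and the secret-file/otpauth pieces of the setup above."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample secret file. The secret is the RFC 6238 reference key
# ("12345678901234567890" in base32), not a real user's secret.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Split a google-authenticator secret file into (secret, options, scratch_codes)."""
    lines = [l for l in text.splitlines() if l.strip()]
    secret = lines[0].strip()
    options = [l[2:].strip() for l in lines[1:] if l.startswith('" ')]
    scratch = [l.strip() for l in lines[1:] if not l.startswith('"')]
    return secret, options, scratch


def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1: HOTP(counter = unix_time // step)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, unix_time, window=1, step=30):
    """Return the time-step index that matched `code` within +/-window steps, else None.
    Returning the step lets the caller record it and refuse a second use of the same
    code, which is what google-authenticator's DISALLOW_REUSE option enforces."""
    now_step = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate_step = now_step + delta
        if candidate_step < 0:
            continue
        expected = totp(secret_b32, candidate_step * step, step=step)
        if hmac.compare_digest(expected, code):  # constant-time compare
            return candidate_step
    return None


def otpauth_uri(label, secret_b32, issuer):
    """Build the otpauth URI that gets encoded into the QR code; '@' in the label
    must be percent-encoded, which quote() does for us."""
    return (f"otpauth://totp/{quote(label, safe='')}"
            f"?secret={secret_b32}&issuer={quote(issuer, safe='')}")


if __name__ == "__main__":
    secret, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    print("options:", options, "| scratch codes:", len(scratch))
    print("uri:", otpauth_uri("bob@qbvpn-us2", secret, "openvpn"))
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "valid at step:", verify_totp(secret, code, now))
```

To check a code shown by a phone against a real enrolment, pass the first line of the user's secret file and `time.time()` to `totp()`; a mismatch there usually means clock skew on the server or the phone, which is what `WINDOW_SIZE` tolerates.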

TinCanTech
OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Sun Mar 13, 2022 4:59 pm

perfecto25 wrote:
Sun Mar 13, 2022 3:42 pm
Mar 13 11:09:42 qbvpn-us2 openvpn[10842]: pam_unix(openvpn:auth): check pass; user unknown
Mar 13 11:09:42 qbvpn-us2 openvpn[10842]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Perhaps you overlooked that line ..

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Sun Mar 13, 2022 6:32 pm

I added a system user to the OpenVPN server:

useradd bob

root@qbvpn-us2# id bob
uid=5071(bob) gid=5071(bob) groups=5071(bob)


Still getting the same error:



TLS Auth Error: Auth Username/Password verification failed for peer


Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=638807 PLUGIN AUTH-PAM: BACKGROUND: received command code: 0
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=638838 PLUGIN AUTH-PAM: BACKGROUND: USER: bob
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=638847 PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=641332 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=641350 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=642734 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=2
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=642749 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645105 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645122 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645242 PLUGIN AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645856 172.50.1.68:48268 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645873 172.50.1.68:48268 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=645893 172.50.1.68:48268 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: WWRRSun Mar 13 14:30:07 2022 us=665388 172.50.1.68:48268 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 3072 bit RSA
Mar 13 14:30:07 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:07 2022 us=665423 172.50.1.68:48268 [bob] Peer Connection Initiated with [AF_INET]172.50.1.68:48268
Mar 13 14:30:08 qbvpn-us2 openvpn[10841]: RSun Mar 13 14:30:08 2022 us=808048 172.50.1.68:48268 PUSH: Received control message: 'PUSH_REQUEST'
Mar 13 14:30:08 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:08 2022 us=808084 172.50.1.68:48268 Delayed exit in 5 seconds
Mar 13 14:30:08 qbvpn-us2 openvpn[10841]: Sun Mar 13 14:30:08 2022 us=808101 172.50.1.68:48268 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)

The Google Auth token seems to be OK, but it's failing on the OpenVPN PAM plugin:

end of google_authenticator for "bob". Result: Success


Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: start of google_authenticator for "bob"
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: Secret file permissions are 0400. Allowed permissions are 0400
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: "/opt/openvpn/google-auth/bob" read
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: shared secret in "/opt/openvpn/google-auth/bob" processed
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: google_authenticator for host "(null)"
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: no scratch code used from "/opt/openvpn/google-auth/bob"
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: Accepted google_authenticator for bob
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: "/opt/openvpn/google-auth/bob" written
Mar 13 14:30:07 qbvpn-us2 openvpn(pam_google_authenticator)[10842]: debug: end of google_authenticator for "bob". Result: Success
Mar 13 14:30:07 qbvpn-us2 openvpn[10842]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bob


perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Sun Mar 13, 2022 6:38 pm

This is what my /etc/pam.d/password-auth looks like; not sure if something here is blocking the VPN PAM:


auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Sun Mar 13, 2022 6:56 pm

Check your server plugin config against this: https://github.com/OpenVPN/openvpn/tree ... s/auth-pam

You may find upgrading your OpenVPN version helps ..

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Mon Mar 14, 2022 4:23 pm

Installed OpenVPN v2.5.5 (using the Fedora Copr repo).

Still getting the same PAM error.

Here's my /etc/pam.d/openvpn:


auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin debug forward_pass
auth required pam_unix.so use_first_pass
My server.conf passes username, password and OTP like this:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
The OTP is accepted, but AUTH PAM is not working:


Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=605760 PLUGIN AUTH-PAM: BACKGROUND: USER: bob
Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=605768 PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=609266 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=609282 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: start of google_authenticator for "bob"
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=610027 PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=1
Mar 14 12:15:06 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:06 us=610040 PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: "/opt/openvpn/google-auth/bob" read
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: shared secret in "/opt/openvpn/google-auth/bob" processed
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: google_authenticator for host "(null)"
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: no scratch code used from "/opt/openvpn/google-auth/bob"
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: Accepted google_authenticator for bob
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: "/opt/openvpn/google-auth/bob" written
Mar 14 12:15:06 qbvpn-us2 openvpn(pam_google_authenticator)[10685]: debug: end of google_authenticator for "bob". Result: Success
Mar 14 12:15:06 qbvpn-us2 openvpn[10685]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bob
Mar 14 12:15:08 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:08 us=588807 PLUGIN AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure
Mar 14 12:15:08 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:08 us=589567 71.1.150.32:48199 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mar 14 12:15:08 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:08 us=589587 71.1.150.32:48199 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar 14 12:15:08 qbvpn-us2 openvpn[10681]: 2022-03-14 12:15:08 us=589613 71.1.150.32:48199 TLS Auth Error: Auth Username/Password verification failed for peer
This user 'bob' exists on the system; I even set this account's password to be the same as the OpenVPN password.

This is from the client's side, connecting using username, password, OTP and key password:


Downloads λ sudo openvpn --config bob.ovpn
2022-03-14 12:19:09 Unrecognized option or missing or extra parameter(s) in bob.ovpn:19: block-outside-dns (2.5.1)
2022-03-14 12:19:09 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
2022-03-14 12:19:09 library versions: OpenSSL 1.1.1j  16 Feb 2021, LZO 2.10
🔐 Enter Auth Username: bob
🔐 Enter Auth Password: ***************         
🔐 CHALLENGE: Enter 2FA Authenticator code: 830281
🔐 Enter Private Key Password: ***************         
2022-03-14 12:19:24 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-03-14 12:19:24 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-14 12:19:24 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-03-14 12:19:24 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-14 12:19:24 TCP/UDP: Preserving recently used remote address: [AF_INET]54.xxxxx:1194
2022-03-14 12:19:24 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-03-14 12:19:24 UDP link local: (not bound)
2022-03-14 12:19:24 UDP link remote: [AF_INET]54.xxxx:1194
2022-03-14 12:19:24 TLS: Initial packet from [AF_INET]54.xxxxxx:1194, sid=bff86ccc 751f1f44
2022-03-14 12:19:24 VERIFY OK: depth=1, CN=cn_GJVFxxxxz5APXw43
2022-03-14 12:19:24 VERIFY KU OK
2022-03-14 12:19:24 Validating certificate extended key usage
2022-03-14 12:19:24 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-03-14 12:19:24 VERIFY EKU OK
2022-03-14 12:19:24 VERIFY X509NAME OK: CN=server_k5gM8KaxxxxxxxvW
2022-03-14 12:19:24 VERIFY OK: depth=0, CN=server_k5gM8xxxxxRXqvW
2022-03-14 12:19:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2022-03-14 12:19:26 [server_k5gM8Kannu0Rxxxxx Peer Connection Initiated with [AF_INET]54.xxxxx :1194
2022-03-14 12:19:27 SENT CONTROL [server_k5gMxxxxxxxqvW]: 'PUSH_REQUEST' (status=1)
2022-03-14 12:19:27 AUTH: Received control message: AUTH_FAILED
2022-03-14 12:19:27 SIGTERM received, sending exit notification to peer
2022-03-14 12:19:29 SIGTERM[soft,exit-with-notification] received, process exiting
Here's the OpenVPN server version:


root@qbvpn-us2 /e/openvpn# openvpn --version
OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Mon Mar 14, 2022 5:20 pm

perfecto25 wrote:
Mon Mar 14, 2022 4:23 pm
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
I believe this syntax is incorrect.

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Mon Mar 14, 2022 5:35 pm

TinCanTech wrote:
Mon Mar 14, 2022 5:20 pm
perfecto25 wrote:
Mon Mar 14, 2022 4:23 pm
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
I believe this syntax is incorrect.
I tried it like this:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
but then the OTP code is not passed to PAM, so the user gets a failed login due to the missing OTP token.

I also tried

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD pin OTP"

but this doesn't work with OTP either.

I was looking at the PAM plugin source code; I don't see anything about the correct syntax.

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Mon Mar 14, 2022 11:50 pm

I also tested the Google Auth PAM; this seems to work:


root@qbvpn-us2:openvpn $ pamtester openvpn bob authenticate -v
pin801128
pamtester: successfully authenticated
It seems like it's only failing on the OpenVPN auth PAM plugin:


 openvpn[12087]: 2022-03-14 19:46:29 us=816345 1.287.52.148:36490 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Tue Mar 15, 2022 12:09 am

Try removing this from your server config:


user nobody
group nobody

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Tue Mar 15, 2022 1:45 am

Tried removing those and restarted the server; same error.

Changed to
user root
group root

Same error.

But interestingly, if I use the "login" module like this:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"
this works; the client authenticates and connects.

There's something with this line; it has to be related to the way it passes the Google Auth OTP token or the user password to the auth plugin:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
Not sure how to debug this from the logs.

If I change my openvpn PAM to this:


auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin debug echo_verification_code forward_pass

account required  pam_permit.so debug
it allows a valid OTP token and valid username, but will also allow an invalid password.

I also tried passing the password from the client as "password+OTP token" along with the OTP token, but got the same AUTH error.

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Tue Mar 15, 2022 2:30 am

To my knowledge, use the plugin like this:


For example:

  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"

tells auth-pam to (a) use the "login" PAM module, (b) answer a
"login" query with the username given by the OpenVPN client,
(c) answer a "password" query with the password, and (d) answer a
"pin" query with the OTP given by the OpenVPN client.
If you believe there is a bug then please submit a report. You certainly know more about your setup than I do.
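Editor's added example (not from the thread, nor OpenVPN's auth-pam source): a Python model of the two steps the README text quoted above describes. On the client, `static-challenge` packs the password and the OTP into one field of the form `SCRV1:<base64 password>:<base64 response>`, which is what the plugin's "parsed static challenge password" log line refers to. On the server, the plugin answers each PAM prompt with the value named by the first name/value pair whose match string is a prefix of the prompt, case-insensitively, once leading punctuation is skipped (this is what the `query/match-string ['Password: ', 'password'] = 'PASSWORD'` lines show). The fallback when only the service name is given (echo-on prompts get the username, echo-off prompts get the password, so the OTP never reaches PAM) is my reading of the plugin's default mode and is marked as an assumption in the code; the prompt sequence is constructed from the log lines in this thread.

```python
"""Added example (not from the forum thread or OpenVPN's own source): a model of the
static-challenge wire format and of how auth-pam maps PAM prompts to credentials."""
import base64

# PAM_PROMPT_ECHO_OFF / PAM_PROMPT_ECHO_ON, the "style=1" / "style=2" seen in the logs
ECHO_OFF, ECHO_ON = 1, 2


def pack_static_challenge(password, otp):
    """Client side: with `static-challenge`, password and response travel as one field."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(otp)}"


def parse_static_challenge(field):
    """Server side: split the SCRV1 field; a plain password passes through with no OTP."""
    if not field.startswith("SCRV1:"):
        return field, None
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    return base64.b64decode(parts[1]).decode(), base64.b64decode(parts[2]).decode()


def parse_plugin_args(argstring):
    """'openvpn login USERNAME password PASSWORD pin OTP'
       -> ('openvpn', [('login','USERNAME'), ('password','PASSWORD'), ('pin','OTP')])"""
    words = argstring.split()
    service, rest = words[0], words[1:]
    if len(rest) % 2:
        raise ValueError("name/value list must have an even number of entries")
    return service, list(zip(rest[0::2], rest[1::2]))


def name_value_match(query, match):
    """Skip leading non-alphanumeric characters in the PAM prompt, then compare the
    configured match string as a case-insensitive prefix ('Password: ' matches 'password')."""
    i = 0
    while i < len(query) and not query[i].isalnum():
        i += 1
    return query[i:i + len(match)].lower() == match.lower()


def answer_prompts(prompts, pairs, creds):
    """Model of the plugin's PAM conversation: each (prompt, style) is answered with the
    credential named by the first matching pair; an unmatched prompt is a conversation
    error. ASSUMPTION: with no pairs configured (plugin given only the service name),
    echo-on prompts get the username and echo-off prompts the password, so the OTP is
    never handed to PAM, matching the 'openvpn'-only attempt described in the thread."""
    answers = []
    for prompt, style in prompts:
        if not pairs:
            answers.append(creds["USERNAME"] if style == ECHO_ON else creds["PASSWORD"])
            continue
        for match, token in pairs:
            if name_value_match(prompt, match):
                answers.append(creds[token])
                break
        else:
            raise ValueError(f"no name/value match for prompt {prompt!r}")
    return answers


def pam_answers_for(plugin_args, username, field, prompts):
    """End to end: unpack the client's field, then run the conversation."""
    password, otp = parse_static_challenge(field)
    creds = {"USERNAME": username, "PASSWORD": password, "OTP": otp or ""}
    _service, pairs = parse_plugin_args(plugin_args)
    return answer_prompts(prompts, pairs, creds)


# Constructed sample: the prompt sequence from the server logs in this thread
# (pam_google_authenticator asks 'pin' because of authtok_prompt=pin, pam_unix asks 'Password: ').
PROMPTS = [("login:", ECHO_ON), ("pin", ECHO_ON), ("Password: ", ECHO_OFF)]
FULL_ARGS = "openvpn login USERNAME password PASSWORD pin OTP"

if __name__ == "__main__":
    field = pack_static_challenge("s3cret", "830281")   # constructed credentials
    print("wire field  :", field)
    print("with pairs  :", pam_answers_for(FULL_ARGS, "bob", field, PROMPTS))
    print("service only:", pam_answers_for("openvpn", "bob", field, PROMPTS))
```

Running it shows why `plugin ... openvpn` alone fails against a stack that prompts for `pin`: in the service-only mode the pin prompt is answered with the username. It also shows why prompt text matters: if a module prompts with text that does not start with one of the configured match strings (for example a default `Verification code:` prompt when `authtok_prompt=pin` is left out), this model errors out before any password is checked, so the match strings in the plugin line have to be kept in step with the prompts the PAM modules actually emit.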

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Tue Mar 15, 2022 4:27 am

OK, looks like it's working. I was playing around with PAM configs and this seems to work.

server.conf uses this line:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
My /etc/pam.d/openvpn:


account required pam_unix.so
auth    required pam_unix.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin
Here, I am checking the system user account first; if the user's system password does not match what the client is providing, I get AUTH_FAILED.

The second check is the OTP; if the OTP code doesn't line up with the google_authenticator code, also AUTH_FAILED.

By placing the google-auth line last, it seems to work, but it breaks if it's placed first in the stack.

I'll need to create system users + passwords for every new VPN user, but that's not a big deal; I'll add them with /bin/nologin.

Also, if the system user account doesn't have a password on the system, the client auth request fails; the VPN password has to match the system password (pam_unix.so).

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Tue Mar 15, 2022 5:11 am

perfecto25 wrote:
Tue Mar 15, 2022 4:27 am
by placing the google-auth line last, it seems to work, but breaks if its placed 1st in the stack.
That is quite interesting, I've passed on your details.

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Tue Mar 15, 2022 3:12 pm

perfecto25 wrote:
Tue Mar 15, 2022 4:27 am
by placing the google-auth line last, it seems to work, but breaks if its placed 1st in the stack.
What you have described is that if google-auth is placed first then PAM-auth fails.

This is probably due to this:


plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
  • tells auth-pam to
    • (a) use the "login" PAM module,
    • (b) answer a "login" query with the username given by the OpenVPN client,
    • (c) answer a "password" query with the password, and
    • (d) answer a "pin" query with the OTP given by the OpenVPN client.
As with many OpenVPN things .. order is important.

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Wed Mar 16, 2022 1:26 pm

In my case I'm using the openvpn PAM, not the login PAM:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
But from all the examples I've seen for this setup, the first one was always google-auth.so in the PAM file. Strange that it was working that way.

TinCanTech

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by TinCanTech » Wed Mar 16, 2022 1:36 pm

I don't have an openvpn PAM module; what do you have?

perfecto25

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by perfecto25 » Wed Mar 16, 2022 9:41 pm

It has to be created manually. I wrote up the entire process of setting this up here:

https://perfecto25.medium.com/openvpn-c ... 2a7cb08128

I've been testing this for a few days; it's working from both Ubuntu and macOS clients (auth + 2FA).

meliskg
OpenVpn Newbie
Posts: 1
Joined: Mon Sep 18, 2023 6:34 am

Re: OpenVPN community + Google Authenticator AUTH_ERROR

Post by meliskg » Mon Sep 18, 2023 6:37 am

Hi @perfecto25,

Thank you for your time creating the manual https://perfecto25.medium.com/openvpn-c ... 2a7cb08128

It seems I managed to install as you described on CentOS 7, but Google Authenticator is not giving me access.
Maybe by now you know how to fix it? If yes, please share; I've been working to fix this for the last two days.

Thank you.
