AUTH: Received control message: AUTH_FAILED

[grin_phi]

Hi there,

I'm trying to set up OpenVPN between my QNAP NAS and about 20 users. For many, it works fine, for others nothing seems to work. The problems seem to port across all attempted configurations including using OpenVPN Community and OpenVPN Connect on Windows and Mac.

The basic issue is that certain users can never connect to the VPN. Authentication fails.

Thank you in advance for telling me if there is anything sensitive below.

Here is a log file from such a user on a Windows 10 64bit machine:

Code: Select all

Thu Mar 12 16:59:24 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Thu Mar 12 16:59:24 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 12 16:59:24 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Management Password:
Thu Mar 12 16:59:40 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:40 2020 UDP link local: (not bound)
Thu Mar 12 16:59:40 2020 UDP link remote: [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:40 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:41 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 16:59:41 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 16:59:58 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:58 2020 UDP link local: (not bound)
Thu Mar 12 16:59:58 2020 UDP link remote: [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:58 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]81.134.43.220:1194
Thu Mar 12 16:59:59 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 16:59:59 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 17:00:09 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:00:09 2020 UDP link local: (not bound)
Thu Mar 12 17:00:09 2020 UDP link remote: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:00:09 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]81.134.43.220:1194
Thu Mar 12 17:00:11 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 17:00:11 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 17:01:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:01:47 2020 UDP link local: (not bound)
Thu Mar 12 17:01:47 2020 UDP link remote: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:01:47 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]81.134.43.220:1194
Thu Mar 12 17:01:49 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 17:01:49 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 17:06:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:06:17 2020 UDP link local: (not bound)
Thu Mar 12 17:06:17 2020 UDP link remote: [AF_INET]81.134.43.220:1194
Thu Mar 12 17:06:18 2020 [TS Series NAS] Peer Connection Initiated with [AF_INET]81.134.43.220:1194
Thu Mar 12 17:06:19 2020 AUTH: Received control message: AUTH_FAILED
Thu Mar 12 17:06:19 2020 SIGUSR1[soft,auth-failure] received, process restarting
Thu Mar 12 17:06:26 2020 ERROR: could not read Auth username/password/ok/string from management interface
Thu Mar 12 17:06:26 2020 Exiting due to fatal error

Here is my configuration file - this has worked perfectly on 4 machines:

## How to setup OpenVPN client?
## 1. Install OpenVPN software on your platform.
## 2. Double click blendnas.ovpn file to create new connection profile.
## 3. Type username and password while connection.

View OriginalClient config

client
dev tun
script-security 3
remote 81.134.43.220 1194
resolv-retry infinite
nobind
auth-nocache
auth-user-pass
remote-cert-tls server
reneg-sec 0
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
comp-lzo
proto udp
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

I don't have a certification file - this does not seem to be required by the server.

My router config appears to be correct, with UPnP forwarding UDP port 1194.

The user in question is definitely using the correct credentials, and the number of concurrent connections is far higher than active at any time so far.

EDIT: Just to add, if I use my credentials on their machine, it connects fine. If I try their credentials on my machine, same error.

Thanks for any help.

[Pippin]

You'll probably have more luck getting help on QNAP forum.

That said,

certain users can never connect to the VPN

They all get

Code: Select all

"AUTH: Received control message: AUTH_FAILED"

?
Special characters involved?
Compare with the good ones.

[TinCanTech]

certain users can never connect to the VPN
They all get

Code: Select all

"AUTH: Received control message: AUTH_FAILED"

?

Special characters involved?
Compare with the good ones.

I believe this message is only used if the password is mismatched.

[grin_phi]

You'll probably have more luck getting help on QNAP forum.

That said,

certain users can never connect to the VPN

They all get

Code: Select all

"AUTH: Received control message: AUTH_FAILED"

?
Special characters involved?
Compare with the good ones.

Thank you - I'll try there too.

Regarding characters - I believe I've eliminated this. One of the users in question now has no special characters, just lowercase letters, and still nothing. Other users have complex passwords and it works fine. Same goes for username, no special characters there either.

[Pippin]

Do those users have the right to use OpenVPN?

With Synology NAS, you must grant access to OpenVPN for each user.
If QNAP does the same, maybe you forgot?

[grin_phi]

Do those users have the right to use OpenVPN?

With Synology NAS, you must grant access to OpenVPN for each user.
If QNAP does the same, maybe you forgot?

Hi - Yes, they do all have OpenVPN privileges on the server. Thanks for your suggestion.

[grin_phi]

Update - based on my reading around the subject this could be due to:

- OpenVPN bug around special characters - although it doesn't seem to affect all
- Issue when copy pasting complex passwords with hidden quotes and char's being inserted.

Do you think this could be the issue?

[jeff2021]

I fixed my issue with this by making the user a local admin in the settings. So, it must be related to this for whatever reason.

[TinCanTech]

Openvpn does not require that your user be a local admin for any reason not even installing the software.

So, making your user a local admin to solve any Openvpn problem means that you have compromised your security
and you have not solved your problem.

[katsiadask]

Check for capital letters in the username. Better always user small letters...
It maybe not related to pwd, but to capital-small letters used in the username...
Openvpn seems to be sensitive in the encrypting of the username and giving another value to a AND another value to A even when it is at the login...