problem with --auth-user-pass-verify

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

problem with --auth-user-pass-verify

Post by noobzilla89 » Sat Aug 01, 2015 10:59 pm

Hey guys,
I have a problem with my OpenVPN config. I wrote an sh script for user-pass-verify which works stand-alone, but I'm always getting the error "WARNING: Failed running command (--auth-user-pass-verify): could not execute external program" in the log.
I googled a lot but still have no solution for it.

Here is my server.conf:
port 11950
proto udp
dev tap0
ca ca-homeserver.crt
cert homeserver.crt
key homeserver.key
dh dh4096.pem
server-bridge 10.5.9.1 255.255.255.0 10.5.9.201 10.5.9.250
push "route 10.5.9.0 255.255.255.0"
user root
reneg-sec 68400
tls-auth ta.key
username-as-common-name
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
client-to-client
keepalive 10 120
comp-lzo
max-clients 50
persist-key
persist-tun
script-security 3 system
status homeserver.log
log-append openvpn.log
verb 3
And the login.sh-script:
username=$1
password=$2

passwordhash=$(mysql -h'localhost' -P'3306' -u'dbuser' -p'dbpass' dbname -sN -e "select right((select password from table where uid = '$username'), 60)")

returnval=$(php /etc/openvpn/script/newhashtest.php "$password" "$passwordhash")

[ $returnval ] && echo "auth for user '$username' ok" && exit 0 || echo "auth failed"; exit 1
I think there are some problems with file permissions, but I tested "chmod 777 login.sh" and it had no effect. Always getting the could-not-execute error...
I had the same server.conf running on my server before I formatted it with Debian 8 Jessie last week to give everything a new start.

I hope someone can help me fix this problem. Thanks a lot!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Sun Aug 02, 2015 8:52 am

please post full logs,

also try to change to this:


auth-user-pass-verify "/etc/openvpn/script/login.sh" via-env
Michael.

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Wed Aug 19, 2015 12:12 pm

Thanks for your answer. I added the quotation marks, but still the same error...
Here is my log:
Wed Aug 19 14:01:00 2015 us=617385 Diffie-Hellman initialized with 4096 bit key
Wed Aug 19 14:01:00 2015 us=617868 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Aug 19 14:01:00 2015 us=617880 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 19 14:01:00 2015 us=617889 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 19 14:01:00 2015 us=617899 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Aug 19 14:01:00 2015 us=617914 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Aug 19 14:01:00 2015 us=618012 TUN/TAP device tap0 opened
Wed Aug 19 14:01:00 2015 us=618027 TUN/TAP TX queue length set to 100
Wed Aug 19 14:01:00 2015 us=618052 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 19 14:01:00 2015 us=619113 UID set to root
Wed Aug 19 14:01:00 2015 us=619169 UDPv4 link local (bound): [undef]
Wed Aug 19 14:01:00 2015 us=619183 UDPv4 link remote: [undef]
Wed Aug 19 14:01:00 2015 us=619196 MULTI: multi_init called, r=256 v=256
Wed Aug 19 14:01:00 2015 us=619276 IFCONFIG POOL: base=10.5.9.201 size=50, ipv6=0
Wed Aug 19 14:01:00 2015 us=619304 Initialization Sequence Completed
Wed Aug 19 14:01:21 2015 us=791103 MULTI: multi_create_instance called
Wed Aug 19 14:01:21 2015 us=791169 80.187.112.118:15995 Re-using SSL/TLS context
Wed Aug 19 14:01:21 2015 us=791210 80.187.112.118:15995 LZO compression initialized
Wed Aug 19 14:01:21 2015 us=791383 80.187.112.118:15995 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Aug 19 14:01:21 2015 us=791400 80.187.112.118:15995 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 19 14:01:21 2015 us=791431 80.187.112.118:15995 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Aug 19 14:01:21 2015 us=791441 80.187.112.118:15995 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Aug 19 14:01:21 2015 us=791468 80.187.112.118:15995 Local Options hash (VER=V4): 'f7b041bb'
Wed Aug 19 14:01:21 2015 us=791485 80.187.112.118:15995 Expected Remote Options hash (VER=V4): '46a60371'
Wed Aug 19 14:01:21 2015 us=791521 80.187.112.118:15995 TLS: Initial packet from [AF_INET]80.187.112.118:15995, sid=6896e05e 325f408f
Wed Aug 19 14:01:24 2015 us=371595 80.187.112.118:15995 PID_ERR replay-window backtrack occurred [1] [TLS_AUTH-0] [0_0011111111111111111111122222222222222222222222222222222233333] 1439985679:63 1439985679:62 t=1439985684[0] r=[-3,64,15,$
Wed Aug 19 14:01:25 2015 us=672939 80.187.112.118:15995 VERIFY OK: depth=1, C=DE, ST=NS, L=Hannover, O=Wahnsinns-WG, OU=changeme, CN=changeme, name=CA-Homeserver, emailAddress=**@**.*
Wed Aug 19 14:01:25 2015 us=673399 80.187.112.118:15995 VERIFY OK: depth=0, C=DE, ST=NS, L=Hannover, O=Wahnsinns-WG, OU=christian, CN=christian, name=changeme, emailAddress=**@**.*
Wed Aug 19 14:01:25 2015 us=891797 80.187.112.118:15995 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
Wed Aug 19 14:01:25 2015 us=891852 80.187.112.118:15995 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Aug 19 14:01:25 2015 us=931164 80.187.112.118:15995 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Wed Aug 19 14:01:25 2015 us=931209 80.187.112.118:15995 [christian] Peer Connection Initiated with [AF_INET]80.187.112.118:15995
Wed Aug 19 14:01:28 2015 us=403304 80.187.112.118:15995 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug 19 14:01:28 2015 us=403333 80.187.112.118:15995 Delayed exit in 5 seconds
Wed Aug 19 14:01:28 2015 us=403352 80.187.112.118:15995 SENT CONTROL [christian]: 'AUTH_FAILED' (status=1)
I found the line "PID_ERR replay-window backtrack occurred" for the first time now and tried to set the protocol to TCP. The log shows the same "Failed running command (--auth-user-pass-verify)" as before; only the line "PID_ERR..." is missing with TCP instead of UDP, so I changed server.conf (and the client, of course) back to the UDP protocol.
Any other suggestions?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Wed Aug 19, 2015 12:38 pm

please post server logs using verb 5

Michael.

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Wed Aug 19, 2015 12:48 pm

Wed Aug 19 14:40:49 2015 event_wait : Interrupted system call (code=4)
Wed Aug 19 14:40:49 2015 Closing TUN/TAP interface
Wed Aug 19 14:40:49 2015 SIGTERM[hard,] received, process exiting
Wed Aug 19 14:40:49 2015 us=129731 Current Parameter Settings:
Wed Aug 19 14:40:49 2015 us=129782 config = '/etc/openvpn/server.conf'
Wed Aug 19 14:40:49 2015 us=129795 mode = 1
Wed Aug 19 14:40:49 2015 us=129804 persist_config = DISABLED
Wed Aug 19 14:40:49 2015 us=129813 persist_mode = 1
Wed Aug 19 14:40:49 2015 us=129822 show_ciphers = DISABLED
Wed Aug 19 14:40:49 2015 us=129831 show_digests = DISABLED
Wed Aug 19 14:40:49 2015 us=129839 show_engines = DISABLED
Wed Aug 19 14:40:49 2015 us=129848 genkey = DISABLED
Wed Aug 19 14:40:49 2015 us=129857 key_pass_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=129865 show_tls_ciphers = DISABLED
Wed Aug 19 14:40:49 2015 us=129874 Connection profiles [default]:
Wed Aug 19 14:40:49 2015 us=129884 proto = udp
Wed Aug 19 14:40:49 2015 us=129893 local = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=129901 local_port = 11950
Wed Aug 19 14:40:49 2015 us=129910 remote = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=129918 remote_port = 11950
Wed Aug 19 14:40:49 2015 us=129927 remote_float = DISABLED
Wed Aug 19 14:40:49 2015 us=129936 bind_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=129944 bind_local = ENABLED
Wed Aug 19 14:40:49 2015 us=129953 connect_retry_seconds = 5
Wed Aug 19 14:40:49 2015 us=129962 connect_timeout = 10
Wed Aug 19 14:40:49 2015 us=129971 connect_retry_max = 0
Wed Aug 19 14:40:49 2015 us=129979 socks_proxy_server = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=129988 socks_proxy_port = 0
Wed Aug 19 14:40:49 2015 us=129997 socks_proxy_retry = DISABLED
Wed Aug 19 14:40:49 2015 us=130006 tun_mtu = 1500
Wed Aug 19 14:40:49 2015 us=130014 tun_mtu_defined = ENABLED
Wed Aug 19 14:40:49 2015 us=130023 link_mtu = 1500
Wed Aug 19 14:40:49 2015 us=130032 link_mtu_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=130040 tun_mtu_extra = 32
Wed Aug 19 14:40:49 2015 us=130049 tun_mtu_extra_defined = ENABLED
Wed Aug 19 14:40:49 2015 us=130058 mtu_discover_type = -1
Wed Aug 19 14:40:49 2015 us=130066 fragment = 0
Wed Aug 19 14:40:49 2015 us=130075 mssfix = 1450
Wed Aug 19 14:40:49 2015 us=130084 explicit_exit_notification = 0
Wed Aug 19 14:40:49 2015 us=130092 Connection profiles END
Wed Aug 19 14:40:49 2015 us=130101 remote_random = DISABLED
Wed Aug 19 14:40:49 2015 us=130110 ipchange = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130119 dev = 'tap0'
Wed Aug 19 14:40:49 2015 us=130128 dev_type = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130136 dev_node = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130145 lladdr = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130154 topology = 1
Wed Aug 19 14:40:49 2015 us=130162 tun_ipv6 = DISABLED
Wed Aug 19 14:40:49 2015 us=130171 ifconfig_local = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130180 ifconfig_remote_netmask = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130189 ifconfig_noexec = DISABLED
Wed Aug 19 14:40:49 2015 us=130197 ifconfig_nowarn = DISABLED
Wed Aug 19 14:40:49 2015 us=130206 ifconfig_ipv6_local = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130215 ifconfig_ipv6_netbits = 0
Wed Aug 19 14:40:49 2015 us=130224 ifconfig_ipv6_remote = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130233 shaper = 0
Wed Aug 19 14:40:49 2015 us=130242 mtu_test = 0
Wed Aug 19 14:40:49 2015 us=130251 mlock = DISABLED
Wed Aug 19 14:40:49 2015 us=130259 keepalive_ping = 10
Wed Aug 19 14:40:49 2015 us=130281 keepalive_timeout = 120
Wed Aug 19 14:40:49 2015 us=130291 inactivity_timeout = 0
Wed Aug 19 14:40:49 2015 us=130299 ping_send_timeout = 10
Wed Aug 19 14:40:49 2015 us=130307 ping_rec_timeout = 240
Wed Aug 19 14:40:49 2015 us=130315 ping_rec_timeout_action = 2
Wed Aug 19 14:40:49 2015 us=130323 ping_timer_remote = DISABLED
Wed Aug 19 14:40:49 2015 us=130332 remap_sigusr1 = 0
Wed Aug 19 14:40:49 2015 us=130340 persist_tun = ENABLED
Wed Aug 19 14:40:49 2015 us=130350 persist_local_ip = DISABLED
Wed Aug 19 14:40:49 2015 us=130359 persist_remote_ip = DISABLED
Wed Aug 19 14:40:49 2015 us=130367 persist_key = ENABLED
Wed Aug 19 14:40:49 2015 us=130375 passtos = DISABLED
Wed Aug 19 14:40:49 2015 us=130384 resolve_retry_seconds = 1000000000
Wed Aug 19 14:40:49 2015 us=130392 username = 'root'
Wed Aug 19 14:40:49 2015 us=130400 groupname = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130408 chroot_dir = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130416 cd_dir = '/etc/openvpn'
Wed Aug 19 14:40:49 2015 us=130424 writepid = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130432 up_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130440 down_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130448 down_pre = DISABLED
Wed Aug 19 14:40:49 2015 us=130456 up_restart = DISABLED
Wed Aug 19 14:40:49 2015 us=130464 up_delay = DISABLED
Wed Aug 19 14:40:49 2015 us=130472 daemon = ENABLED
Wed Aug 19 14:40:49 2015 us=130480 inetd = 0
Wed Aug 19 14:40:49 2015 us=130488 log = ENABLED
Wed Aug 19 14:40:49 2015 us=130496 suppress_timestamps = DISABLED
Wed Aug 19 14:40:49 2015 us=130504 nice = 0
Wed Aug 19 14:40:49 2015 us=130512 verbosity = 5
Wed Aug 19 14:40:49 2015 us=130520 mute = 0
Wed Aug 19 14:40:49 2015 us=130528 gremlin = 0
Wed Aug 19 14:40:49 2015 us=130537 status_file = 'homeserver.log'
Wed Aug 19 14:40:49 2015 us=130545 status_file_version = 1
Wed Aug 19 14:40:49 2015 us=130595 status_file_update_freq = 10
Wed Aug 19 14:40:49 2015 us=130605 occ = ENABLED
Wed Aug 19 14:40:49 2015 us=130613 rcvbuf = 65536
Wed Aug 19 14:40:49 2015 us=130622 sndbuf = 65536
Wed Aug 19 14:40:49 2015 us=130630 mark = 0
Wed Aug 19 14:40:49 2015 us=130638 sockflags = 0
Wed Aug 19 14:40:49 2015 us=130646 fast_io = DISABLED
Wed Aug 19 14:40:49 2015 us=130654 lzo = 7
Wed Aug 19 14:40:49 2015 us=130662 route_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130670 route_default_gateway = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130679 route_default_metric = 0
Wed Aug 19 14:40:49 2015 us=130687 route_noexec = DISABLED
Wed Aug 19 14:40:49 2015 us=130695 route_delay = 0
Wed Aug 19 14:40:49 2015 us=130704 route_delay_window = 30
Wed Aug 19 14:40:49 2015 us=130712 route_delay_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=130720 route_nopull = DISABLED
Wed Aug 19 14:40:49 2015 us=130729 route_gateway_via_dhcp = DISABLED
Wed Aug 19 14:40:49 2015 us=130737 max_routes = 100
Wed Aug 19 14:40:49 2015 us=130745 allow_pull_fqdn = DISABLED
Wed Aug 19 14:40:49 2015 us=130753 management_addr = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130761 management_port = 0
Wed Aug 19 14:40:49 2015 us=130769 management_user_pass = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130778 management_log_history_cache = 250
Wed Aug 19 14:40:49 2015 us=130786 management_echo_buffer_size = 100
Wed Aug 19 14:40:49 2015 us=130794 management_write_peer_info_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130802 management_client_user = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130811 management_client_group = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130819 management_flags = 0
Wed Aug 19 14:40:49 2015 us=130827 shared_secret_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130835 key_direction = 0
Wed Aug 19 14:40:49 2015 us=130843 ciphername_defined = ENABLED
Wed Aug 19 14:40:49 2015 us=130851 ciphername = 'BF-CBC'
Wed Aug 19 14:40:49 2015 us=130860 authname_defined = ENABLED
Wed Aug 19 14:40:49 2015 us=130868 authname = 'SHA1'
Wed Aug 19 14:40:49 2015 us=130876 prng_hash = 'SHA1'
Wed Aug 19 14:40:49 2015 us=130890 prng_nonce_secret_len = 16
Wed Aug 19 14:40:49 2015 us=130899 keysize = 0
Wed Aug 19 14:40:49 2015 us=130908 engine = DISABLED
Wed Aug 19 14:40:49 2015 us=130916 replay = ENABLED
Wed Aug 19 14:40:49 2015 us=130924 mute_replay_warnings = DISABLED
Wed Aug 19 14:40:49 2015 us=130932 replay_window = 64
Wed Aug 19 14:40:49 2015 us=130940 replay_time = 15
Wed Aug 19 14:40:49 2015 us=130948 packet_id_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=130956 use_iv = ENABLED
Wed Aug 19 14:40:49 2015 us=130964 test_crypto = DISABLED
Wed Aug 19 14:40:49 2015 us=130972 tls_server = ENABLED
Wed Aug 19 14:40:49 2015 us=130980 tls_client = DISABLED
Wed Aug 19 14:40:49 2015 us=130988 key_method = 2
Wed Aug 19 14:40:49 2015 us=130996 ca_file = 'ca-homeserver.crt'
Wed Aug 19 14:40:49 2015 us=131004 ca_path = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131012 dh_file = 'dh4096.pem'
Wed Aug 19 14:40:49 2015 us=131021 cert_file = 'homeserver.crt'
Wed Aug 19 14:40:49 2015 us=131029 priv_key_file = 'homeserver.key'
Wed Aug 19 14:40:49 2015 us=131037 pkcs12_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131045 cipher_list = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131053 tls_verify = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131061 tls_export_cert = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131070 verify_x509_type = 0
Wed Aug 19 14:40:49 2015 us=131078 verify_x509_name = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131086 crl_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131094 ns_cert_type = 0
Wed Aug 19 14:40:49 2015 us=131102 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131110 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131118 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131127 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131135 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131142 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131150 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131158 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131166 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131174 remote_cert_ku = 0
Wed Aug 19 14:40:49 2015 us=131182 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131190 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131198 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131206 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131214 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131222 remote_cert_ku[i] = 0
Wed Aug 19 14:40:49 2015 us=131230 remote_cert_eku = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131238 ssl_flags = 2
Wed Aug 19 14:40:49 2015 us=131246 tls_timeout = 2
Wed Aug 19 14:40:49 2015 us=131254 renegotiate_bytes = 0
Wed Aug 19 14:40:49 2015 us=131262 renegotiate_packets = 0
Wed Aug 19 14:40:49 2015 us=131270 renegotiate_seconds = 68400
Wed Aug 19 14:40:49 2015 us=131278 handshake_window = 60
Wed Aug 19 14:40:49 2015 us=131286 transition_window = 3600
Wed Aug 19 14:40:49 2015 us=131295 single_session = DISABLED
Wed Aug 19 14:40:49 2015 us=131303 push_peer_info = DISABLED
Wed Aug 19 14:40:49 2015 us=131311 tls_exit = DISABLED
Wed Aug 19 14:40:49 2015 us=131319 tls_auth_file = 'ta.key'
Wed Aug 19 14:40:49 2015 us=131327 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131335 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131343 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131351 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131359 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131367 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131375 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131383 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131391 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131399 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131407 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131420 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131429 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131437 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131445 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131453 pkcs11_protected_authentication = DISABLED
Wed Aug 19 14:40:49 2015 us=131462 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131470 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131478 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131486 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131494 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131503 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131511 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131519 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131527 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131535 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131543 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131551 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131559 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131567 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131575 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131583 pkcs11_private_mode = 00000000
Wed Aug 19 14:40:49 2015 us=131591 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131599 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131607 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131615 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131623 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131631 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131639 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131647 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131655 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131663 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131671 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131679 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131687 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131695 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131703 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131711 pkcs11_cert_private = DISABLED
Wed Aug 19 14:40:49 2015 us=131719 pkcs11_pin_cache_period = -1
Wed Aug 19 14:40:49 2015 us=131727 pkcs11_id = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131736 pkcs11_id_management = DISABLED
Wed Aug 19 14:40:49 2015 us=131745 server_network = 0.0.0.0
Wed Aug 19 14:40:49 2015 us=131754 server_netmask = 0.0.0.0
Wed Aug 19 14:40:49 2015 us=131764 server_network_ipv6 = ::
Wed Aug 19 14:40:49 2015 us=131777 server_netbits_ipv6 = 0
Wed Aug 19 14:40:49 2015 us=131786 server_bridge_ip = 10.5.9.1
Wed Aug 19 14:40:49 2015 us=131796 server_bridge_netmask = 255.255.255.0
Wed Aug 19 14:40:49 2015 us=131805 server_bridge_pool_start = 10.5.9.201
Wed Aug 19 14:40:49 2015 us=131814 server_bridge_pool_end = 10.5.9.250
Wed Aug 19 14:40:49 2015 us=131823 push_entry = 'route 10.5.9.0 255.255.255.0'
Wed Aug 19 14:40:49 2015 us=131832 push_entry = 'route-gateway 10.5.9.1'
Wed Aug 19 14:40:49 2015 us=131840 push_entry = 'ping 10'
Wed Aug 19 14:40:49 2015 us=131848 push_entry = 'ping-restart 120'
Wed Aug 19 14:40:49 2015 us=131856 ifconfig_pool_defined = ENABLED
Wed Aug 19 14:40:49 2015 us=131866 ifconfig_pool_start = 10.5.9.201
Wed Aug 19 14:40:49 2015 us=131875 ifconfig_pool_end = 10.5.9.250
Wed Aug 19 14:40:49 2015 us=131884 ifconfig_pool_netmask = 255.255.255.0
Wed Aug 19 14:40:49 2015 us=131892 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131900 ifconfig_pool_persist_refresh_freq = 600
Wed Aug 19 14:40:49 2015 us=131909 ifconfig_ipv6_pool_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=131922 ifconfig_ipv6_pool_base = ::
Wed Aug 19 14:40:49 2015 us=131931 ifconfig_ipv6_pool_netbits = 0
Wed Aug 19 14:40:49 2015 us=131940 n_bcast_buf = 256
Wed Aug 19 14:40:49 2015 us=131948 tcp_queue_limit = 64
Wed Aug 19 14:40:49 2015 us=131956 real_hash_size = 256
Wed Aug 19 14:40:49 2015 us=131964 virtual_hash_size = 256
Wed Aug 19 14:40:49 2015 us=131972 client_connect_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131980 learn_address_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131989 client_disconnect_script = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=131997 client_config_dir = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=132005 ccd_exclusive = DISABLED
Wed Aug 19 14:40:49 2015 us=132013 tmp_dir = '/tmp'
Wed Aug 19 14:40:49 2015 us=132021 push_ifconfig_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=132030 push_ifconfig_local = 0.0.0.0
Wed Aug 19 14:40:49 2015 us=132039 push_ifconfig_remote_netmask = 0.0.0.0
Wed Aug 19 14:40:49 2015 us=132048 push_ifconfig_ipv6_defined = DISABLED
Wed Aug 19 14:40:49 2015 us=132057 push_ifconfig_ipv6_local = ::/0
Wed Aug 19 14:40:49 2015 us=132065 push_ifconfig_ipv6_remote = ::
Wed Aug 19 14:40:49 2015 us=132074 enable_c2c = ENABLED
Wed Aug 19 14:40:49 2015 us=132082 duplicate_cn = DISABLED
Wed Aug 19 14:40:49 2015 us=132090 cf_max = 0
Wed Aug 19 14:40:49 2015 us=132098 cf_per = 0
Wed Aug 19 14:40:49 2015 us=132107 max_clients = 50
Wed Aug 19 14:40:49 2015 us=132115 max_routes_per_client = 256
Wed Aug 19 14:40:49 2015 us=132123 auth_user_pass_verify_script = '/etc/openvpn/script/login.sh'
Wed Aug 19 14:40:49 2015 us=132132 auth_user_pass_verify_script_via_file = DISABLED
Wed Aug 19 14:40:49 2015 us=132140 port_share_host = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=132148 port_share_port = 0
Wed Aug 19 14:40:49 2015 us=132156 client = DISABLED
Wed Aug 19 14:40:49 2015 us=132164 pull = DISABLED
Wed Aug 19 14:40:49 2015 us=132172 auth_user_pass_file = '[UNDEF]'
Wed Aug 19 14:40:49 2015 us=132182 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
Wed Aug 19 14:40:49 2015 us=132196 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Wed Aug 19 14:40:49 2015 us=132287 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Wed Aug 19 14:40:49 2015 us=132376 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Aug 19 14:40:49 2015 us=189052 Diffie-Hellman initialized with 4096 bit key
Wed Aug 19 14:40:49 2015 us=189314 WARNING: file 'homeserver.key' is group or others accessible
Wed Aug 19 14:40:49 2015 us=189527 WARNING: file 'ta.key' is group or others accessible
Wed Aug 19 14:40:49 2015 us=189538 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Aug 19 14:40:49 2015 us=189550 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 19 14:40:49 2015 us=189559 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 19 14:40:49 2015 us=189570 TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Aug 19 14:40:49 2015 us=189584 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Aug 19 14:40:49 2015 us=189682 TUN/TAP device tap0 opened
Wed Aug 19 14:40:49 2015 us=189698 TUN/TAP TX queue length set to 100
Wed Aug 19 14:40:49 2015 us=189723 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 19 14:40:49 2015 us=191000 UID set to root
Wed Aug 19 14:40:49 2015 us=191047 UDPv4 link local (bound): [undef]
Wed Aug 19 14:40:49 2015 us=191056 UDPv4 link remote: [undef]
Wed Aug 19 14:40:49 2015 us=191066 MULTI: multi_init called, r=256 v=256
Wed Aug 19 14:40:49 2015 us=191128 IFCONFIG POOL: base=10.5.9.201 size=50, ipv6=0
Wed Aug 19 14:40:49 2015 us=191147 Initialization Sequence Completed
Wed Aug 19 14:43:36 2015 us=203537 MULTI: multi_create_instance called
Wed Aug 19 14:43:36 2015 us=203610 80.187.112.118:13830 Re-using SSL/TLS context
Wed Aug 19 14:43:36 2015 us=203652 80.187.112.118:13830 LZO compression initialized
Wed Aug 19 14:43:36 2015 us=203817 80.187.112.118:13830 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Aug 19 14:43:36 2015 us=203835 80.187.112.118:13830 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 19 14:43:36 2015 us=203865 80.187.112.118:13830 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Aug 19 14:43:36 2015 us=203876 80.187.112.118:13830 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Aug 19 14:43:36 2015 us=203909 80.187.112.118:13830 Local Options hash (VER=V4): 'f7b041bb'
Wed Aug 19 14:43:36 2015 us=203927 80.187.112.118:13830 Expected Remote Options hash (VER=V4): '46a60371'
RWed Aug 19 14:43:36 2015 us=203968 80.187.112.118:13830 TLS: Initial packet from [AF_INET]80.187.112.118:13830, sid=33a661ba a6f177a9
WRWRWRWRWRWRWRWRWRWRWRWR
Wed Aug 19 14:43:37 2015 us=641169 80.187.112.118:13830 VERIFY OK: depth=1, C=DE, ST=NS, L=Hannover, O=Wahnsinns-WG, OU=changeme, CN=changeme, name=CA-Homeserver, emailAddress=emailAddress=***@**.*
Wed Aug 19 14:43:37 2015 us=641614 80.187.112.118:13830 VERIFY OK: depth=0, C=DE, ST=NS, L=Hannover, O=Wahnsinns-WG, OU=christian, CN=christian, name=changeme, emailAddress=***@**.*
WRWRWRWRWRWRWRWRWRWRWRWRWRWRWR
Wed Aug 19 14:43:38 2015 us=6402 80.187.112.118:13830 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
Wed Aug 19 14:43:38 2015 us=6444 80.187.112.118:13830 TLS Auth Error: Auth Username/Password verification failed for peer
WWWRRRWed Aug 19 14:43:38 2015 us=88706 80.187.112.118:13830 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Wed Aug 19 14:43:38 2015 us=88743 80.187.112.118:13830 [christian] Peer Connection Initiated with [AF_INET]80.187.112.118:13830
RWed Aug 19 14:43:40 2015 us=332209 80.187.112.118:13830 PUSH: Received control message: 'PUSH_REQUEST'
Wed Aug 19 14:43:40 2015 us=332240 80.187.112.118:13830 Delayed exit in 5 seconds
Wed Aug 19 14:43:40 2015 us=332269 80.187.112.118:13830 SENT CONTROL [christian]: 'AUTH_FAILED' (status=1)
WWWWed Aug 19 14:43:46 2015 us=44010 80.187.112.118:13830 SIGTERM[soft,delayed-exit] received, client-instance exiting

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Thu Aug 20, 2015 10:36 am

just curious...

can you post the output of:


ls -l /etc/openvpn/script/login.sh
Michael.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: problem with --auth-user-pass-verify

Post by Traffic » Thu Aug 20, 2015 1:31 pm

noobzilla89 wrote:And the login.sh-script:
Quote:
username=$1
password=$2

passwordhash=$(mysql -h'localhost' -P'3306' -u'dbuser' -p'dbpass' dbname -sN -e "select right((select password from table where uid = '$username'), 60)")

returnval=$(php /etc/openvpn/script/newhashtest.php "$password" "$passwordhash")

[ $returnval ] && echo "auth for user '$username' ok" && exit 0 || echo "auth failed"; exit 1
This could be due to OpenVPN requiring /full/path/to/.. mysql & php ... :geek:

( also --verb 5 long lines yuk ... :roll: )

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Fri Aug 21, 2015 5:48 am

Traffic wrote: This could be due to OpenVPN requiring /full/path/to/.. mysql & php ... :geek:

( also --verb 5 long lines yuk ... :roll: )

OpenVPN complains that
Failed running command (--auth-user-pass-verify): could not execute external program
could not execute the script at all, not something like "I executed it but I deny access..."

Just my 2 cents though...

Please post the output I requested...

Michael.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: problem with --auth-user-pass-verify

Post by Traffic » Fri Aug 21, 2015 12:48 pm

Further testing reveals:
noobzilla89 wrote:WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
"external program" indicates that the script has failed to execute the external program ..

My log:
Fri Aug 21 13:22:55 2015 us=855235 88.105.115.118:3036 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
My config (Default server config plus this):
auth-user-pass-verify '/etc/openvpn/testmore.ovsh' via-env
/etc/openvpn/testmore.ovsh:
username=$1
password=$2

passwordhash=$(mysql -h'localhost' -P'3306' -u'dbuser' -p'dbpass' dbname -sN -e "select right((select password from table where uid = '$username'), 60)")

returnval=$(php /etc/openvpn/script/newhashtest.php "$password" "$passwordhash")

[ $returnval ] && echo "auth for user '$username' ok" && exit 0 || echo "auth failed"; exit 1
Attributes:


13:37:13 $ ls -l testmore.ovsh
-rwxr-xr-x 1 root root 428 Aug 21 12:20 testmore.ovsh
It is worth pointing out this is wrong:
Traffic wrote:And the login.sh-script:
Quote:
username=$1
password=$2
$1 and $2 do not contain the username and password .. they are passed via environment variables ...

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Sat Aug 22, 2015 4:06 pm

traffic is right....
If method is set to "via-env", OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes.

Michael.

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Thu Aug 27, 2015 9:26 am

output of ls is:
-rwsrwsrwt 1 root root 365 Aug  2 07:49 /etc/openvpn/script/login.sh
(i did a chmod 777 to avoid permission errors)
ohh, what a big mistake with the variables... but even if i don't set the variables (commented the two lines out) but only use them given from the openvpn process, the error is still alive. i also changed the mysql and php command to /bin/usr/..., but that didn't have any effect.
maybe the error is that the database password has a " inside? i escaped it and if i call the script from bash it works correctly, so i think there shouldn't be an error...
But i don't think that openvpn will tell me if a command inside my script fails. it will only give me an "auth ok" or "auth failed". so the main thing is still the permission to execute the script.
any other ideas?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: problem with --auth-user-pass-verify

Post by maikcat » Thu Aug 27, 2015 9:57 am

noobzilla89 wrote:output of ls is:
-rwsrwsrwt 1 root root 365 Aug  2 07:49 /etc/openvpn/script/login.sh
(i did a chmod 777 to avoid permission errors)
ohh, what a big mistake with the variables... but even if i don't set the variables (commented the two lines out) but only use them given from the openvpn process, the error is still alive. i also changed the mysql and php command to /bin/usr/..., but that didn't have any effect.
maybe the error is that the database password has a " inside? i escaped it and if i call the script from bash it works correctly, so i think there shouldn't be an error...
But i don't think that openvpn will tell me if a command inside my script fails. it will only give me an "auth ok" or "auth failed". so the main thing is still the permission to execute the script.
any other ideas?

2 things,

you issued a chmod 7777, not a chmod 777...
use chmod 0777 on login.sh please.
OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client
what traffic and i posted earlier is that instead of $1 and $2 you should use $username & $password variables which openvpn uses for the credentials...

Michael.

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Thu Aug 27, 2015 10:14 am

i used chmod 0777 now, but still the same error.

the variables i tried to fill with $1 and $2 were called username and password so there is no need to apply any other changes in the script. script looks now like:
# via-env: $username and $password come from the environment OpenVPN sets up
# (note that $username is client-supplied and is interpolated into the query as-is)
passwordhash=$(/usr/bin/mysql -h'localhost' -P'3306' -u'owncloud' -p"Oc\"0!5" owncloud -sN -e "select right((select password from oc_users where uid = '$username'), 60)")

returnval=$(/usr/bin/php /etc/openvpn/script/newhashtest.php "$password" "$passwordhash")

# the original one-liner fell through to "exit 1" even after a successful check
if [ -n "$returnval" ]; then echo "auth for user '$username' ok"; exit 0; fi
echo "auth failed"; exit 1

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Thu Aug 27, 2015 11:58 am

i also tried to make a new script login2.sh which i used to "confirm" login. this consists only of the line "exit 0", which confirms authorization. i of course did chmod +x, but still the same error. the openvpn process is running as root properly.
any other suggestions?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: problem with --auth-user-pass-verify

Post by Traffic » Thu Aug 27, 2015 12:05 pm

noobzilla89 wrote:i also tried to make a new script login2.sh
Did you change your server config to match:
noobzilla89 wrote:auth-user-pass-verify /etc/openvpn/script/login2.sh via-env
and restart the server ?

[stupid verb 5 long lines :roll: ]

noobzilla89
OpenVpn Newbie
Posts: 8
Joined: Sat Aug 01, 2015 10:45 pm

Re: problem with --auth-user-pass-verify

Post by noobzilla89 » Thu Aug 27, 2015 1:22 pm

Did you change your server config to match and restart the server?
of course i did... ;)
any other suggestions?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: problem with --auth-user-pass-verify

Post by Traffic » Thu Aug 27, 2015 1:36 pm

noobzilla89 wrote:i also tried to make a new script login2.sh which i used to "confirm" login. this consists only of the line "exit 0",
Try this:
#!/bin/bash

exit 0
Traffic wrote:[stupid verb 5 long lines :roll: ]
Thanks Michael :D
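Putting the two points of this thread together (with via-env the credentials arrive in $username and $password, and OpenVPN can only exec a script that is executable and starts with an interpreter line), here is an added example script that is not from this thread or from OpenVPN itself. The user table and its hashes are constructed stand-ins for the MySQL lookup, and check_script_runnable is a hypothetical helper for diagnosing the "could not execute external program" error discussed above:

```shell
#!/bin/sh
# Added example, not code from this thread: an --auth-user-pass-verify script
# for "via-env" mode. OpenVPN exports the client's credentials as the
# environment variables username and password; $1 and $2 are not used.
# USER_DB is a constructed stand-in for the thread's MySQL lookup
# ("name:sha256hex"; hashes of the constructed passwords "password", "hello").
USER_DB='alice:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
bob:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'

sha256_hex() {  # hex SHA-256 of a string (coreutils sha256sum or BSD shasum)
    if command -v sha256sum >/dev/null; then printf '%s' "$1" | sha256sum
    else printf '%s' "$1" | shasum -a 256; fi | cut -d' ' -f1
}

stored_hash() {  # stored hash for a user, or nothing when the user is unknown
    printf '%s\n' "$USER_DB" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# Check $username/$password from the environment: returns 0 = accept, 1 = reject.
verify_env_credentials() {
    [ -n "$username" ] || return 1
    expected=$(stored_hash "$username")
    [ -n "$expected" ] || return 1
    [ "$(sha256_hex "$password")" = "$expected" ]
}

# Why OpenVPN may report "could not execute external program": the file must be
# executable and, since OpenVPN execs it directly, needs a #! line naming an
# existing interpreter. Prints the first problem found; returns 0 only if all hold.
check_script_runnable() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    first=$(head -n 1 "$f")
    case $first in
        '#!'*) ;;
        *) echo "missing #! interpreter line: $f"; return 1 ;;
    esac
    interp=${first#"#!"}; interp=${interp%% *}
    [ -x "$interp" ] || { echo "interpreter not found: $interp"; return 1; }
    echo "looks runnable: $f"
}

# Entry point when OpenVPN runs the script (username is set only then); the
# exit status is what OpenVPN turns into "auth ok" or "auth failed".
if [ -n "${username+set}" ]; then
    verify_env_credentials && { echo "auth ok for '$username'"; exit 0; }
    echo "auth failed"; exit 1
fi
```

Run check_script_runnable against the real login.sh before pointing auth-user-pass-verify at it; a file that passes this check but still fails in OpenVPN points at script-security or the path given in server.conf rather than the file itself.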