could not read Auth username from stdin

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

robertas
OpenVpn Newbie
Posts: 7
Joined: Wed May 18, 2016 12:58 pm

could not read Auth username from stdin

Post by robertas » Wed May 18, 2016 1:14 pm

I am setting up a site-to-site VPN, so I've set up a service on a debian which starts on boot. But after some time (~1h) my tunnel disappears. So after digging around in the logs I found that it complains about auth from stdin, but my config has a password in it.

OpenVPN version:
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015

Logs(hostname redacted):

May 18 12:38:39 vpn-hostname ovpn-client[3185]: ERROR: could not read Auth username from stdin
May 18 12:38:39 vpn-hostname  ovpn-client[3185]: Exiting due to fatal error
May 18 12:38:39 vpn-hostname  ovpn-client[3185]: /sbin/ip addr del dev tun0 192.168.61.3/24
May 18 12:38:39 vpn-hostname  systemd[1]: openvpn@client.service: main process exited, code=exited, status=1/FAILURE
May 18 12:38:39 vpn-hostname  systemd[1]: Unit openvpn@client.service entered failed state.

My configuration exported from pfsense (public domain redacted); pfsense-auth is a file with user/password and it works the first time and should be OK. I can restart the openvpn service and it works again for about 1h.
Client
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
auth-user-pass pfsense-auth
auth-nocache
remote my-redacted-vpn.com 1194 udp
lport 0
verify-x509-name "my-redacted-vpn.com" name
pkcs12 pfSense-udp-1194-scaleway1.my-redacted-vpn.com.p12
tls-auth pfSense-udp-1194-scaleway1.my-redacted-vpn.com-tls.key 1
ns-cert-type server

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Post by Traffic » Wed May 18, 2016 8:46 pm

You need --auth-retry nointeract

See --auth-retry in The Manual v23x

Post by robertas » Thu May 19, 2016 7:09 pm

That makes sense, but it doesn't seem to work. I've added the config option "auth-retry nointeract", which should reread the username/password from the given file. But my connection seems to keep dropping on reauth. I tried rebooting the server, which didn't help either. Maybe the options order is incorrect?

Updated configuration:
updated configuration
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
auth-user-pass pfsense-auth
auth-retry nointeract
auth-nocache
remote vpn.my-redacted-domain.com 1194 udp
lport 0
verify-x509-name "vpn.my-redacted-domain.com" name
pkcs12 pfSense-udp-1194-scaleway1.my-redacted-domain.com.p12
tls-auth pfSense-udp-1194-scaleway1.my-redacted-domain.com-tls.key 1
ns-cert-type server

Relevant logs:

May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: UDPv4 link local (bound): [undef]
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: UDPv4 link remote: [AF_INET]1.2.3.4:1194
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: [my-redacted-domain.com] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: TUN/TAP device tun0 opened
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: /sbin/ip link set dev tun0 up mtu 1500
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: /sbin/ip addr add dev tun0 192.168.61.3/24 broadcast 192.168.61.255
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: Initialization Sequence Completed
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: ERROR: could not read Auth username from stdin
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: Exiting due to fatal error
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: /sbin/ip addr del dev tun0 192.168.61.3/24
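
An added example, not part of any post in this thread: a small log check that measures how long each OpenVPN process had been up when it hit the fatal stdin error, which separates a failure at first login from one at renegotiation (the ~1h pattern reported above). The sample lines are constructed from the log format quoted in the thread; the function name, the supplied year and the use of OpenVPN's default `--reneg-sec` of 3600 seconds as the threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the syslog lines quoted in the thread.
SAMPLE = """\
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: UDPv4 link remote: [AF_INET]1.2.3.4:1194
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: Initialization Sequence Completed
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: ERROR: could not read Auth username from stdin
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: Exiting due to fatal error
May 20 09:00:02 scw-f1e4c6  ovpn-client[4410]: ERROR: could not read Auth username from stdin
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+\s+(\S+)\[(\d+)\]: (.*)$")
UP = "Initialization Sequence Completed"
FAIL = "could not read Auth username from stdin"
RENEG_SEC = 3600  # OpenVPN's default --reneg-sec; adjust if yours differs


def find_auth_prompt_failures(text, year=2016):
    """Return one finding per fatal stdin-credential error, with tunnel uptime.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    up_since, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (prog, pid)  # one OpenVPN process = one daemon name + PID
        if UP in msg:
            up_since.setdefault(key, ts)
        elif FAIL in msg:
            start = up_since.pop(key, None)
            uptime = int((ts - start).total_seconds()) if start else None
            if uptime is None:
                phase = "initial-auth"    # no completed init seen for this PID
            elif uptime >= RENEG_SEC:
                phase = "renegotiation"   # credentials were needed again after reneg-sec
            else:
                phase = "early-reauth"    # restart or a shorter server-side interval
            findings.append({"pid": int(pid), "uptime_s": uptime, "phase": phase})
    return findings


if __name__ == "__main__":
    for finding in find_auth_prompt_failures(SAMPLE):
        print(finding)
```
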

Post by Traffic » Thu May 19, 2016 7:48 pm

It works for me .. I presume you are not dropping privileges ?

Things you can try:
Let us know :)

Post by robertas » Thu May 19, 2016 9:12 pm

I am using standard openvpn installation on centos 7 using systemd provided openvpn service, so I'm not sure about privileges. Will try absolute path. Link you provided seems to be ubuntu/debian repository, could try building latest version from source if that's not too difficult.

Thanks for help!

Post by Traffic » Thu May 19, 2016 9:58 pm

robertas wrote:I am using standard openvpn installation on centos 7 using systemd provided openvpn service
Please post the service file.

Post by robertas » Fri May 20, 2016 11:45 am

openvpn.service

# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.

[Unit]
Description=OpenVPN service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

Openvpn client template (openvpn@.service)

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

Post by robertas » Fri May 20, 2016 11:47 am

And absolute path didn't work, so I will be building openvpn from source through the weekend.

Post by Traffic » Fri May 20, 2016 1:31 pm

robertas wrote:I've setup a service on a debian
robertas wrote:I am using standard openvpn installation on centos 7
which is it ? be specific ..

Post by robertas » Fri May 20, 2016 5:47 pm

Sorry for messing that up, I'm using debian 8.

Just tried passing pkcs12 and tls-auth options using absolute paths (previously tried adding absolute path to auth-user-pass), which didn't help either.

It takes an hour to debug it, so it's quite a slow process. Next I'm trying to launch openvpn --config client.conf to rule out if it's the service problem or the configuration.

Post by Traffic » Fri May 20, 2016 7:41 pm

robertas wrote:Sorry for messing that up, I'm using debian 8.
OK .. I strongly recommend the OpenVPN repo:
https://community.openvpn.net/openvpn/w ... twareRepos

Could you also post the complete output for openvpn --version

Post by robertas » Sat May 21, 2016 12:24 pm

Just upgraded to 2.3.11 and it is working! Thanks for your help!

Post by Traffic » Sat May 21, 2016 3:46 pm

Excellent .. thanks for letting us know the solution 8-)

I expect it was an old compile time setting in the version you were using.
