OpenVPN authentication issue

jfj43v@
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 28, 2014 6:41 am

OpenVPN authentication issue

Post by jfj43v@ » Fri Feb 28, 2014 7:31 am

Hi,

I have configured an OpenVPN server (OpenVPN version 2.3.2) with domain authentication on Windows Server 2012. When I run this command on the server, "C:/Windows/System32/cscript.exe /H:cscript C:/Progra~1/OpenVPN/config/Auth4OpenVPN.vbs <domain username> <domain password>", I get a result in which the authentication is successful. But when I want to connect a client to the OpenVPN server I get the error below:

--------------------------------------------------------------------------------------------------------------
Fri Feb 28 15:20:22 2014 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client01.log: Access is denied. (errno=5)
Fri Feb 28 15:20:22 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Fri Feb 28 15:20:22 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 28 15:20:22 2014 Need hold release from management interface, waiting...
Fri Feb 28 15:20:22 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'state on'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'log all on'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'hold off'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'hold release'
Fri Feb 28 15:20:32 2014 MANAGEMENT: CMD 'username "Auth" "nuruljannah"'
Fri Feb 28 15:20:32 2014 MANAGEMENT: CMD 'password [...]'
Fri Feb 28 15:20:33 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 28 15:20:33 2014 UDPv4 link local: [undef]
Fri Feb 28 15:20:33 2014 UDPv4 link remote: [AF_INET]192.168.103.76:1194
Fri Feb 28 15:20:33 2014 MANAGEMENT: >STATE:1393572033,WAIT,,,
Fri Feb 28 15:20:33 2014 MANAGEMENT: >STATE:1393572033,AUTH,,,
Fri Feb 28 15:20:33 2014 TLS: Initial packet from [AF_INET]192.168.103.76:1194, sid=49293fda 7d5594f8
Fri Feb 28 15:20:33 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 28 15:20:33 2014 VERIFY OK: depth=1, C=MY, ST=SE, L=PJ, O=ECSM, OU=KUSH, CN=ecsvpn, name=admin, emailAddress=is@ecsm.com.my
Fri Feb 28 15:20:33 2014 VERIFY OK: nsCertType=SERVER
Fri Feb 28 15:20:33 2014 VERIFY OK: depth=0, C=MY, ST=SE, L=PJ, O=ECSM, OU=KUSH, CN=ecsvpn, name=admin, emailAddress=is@ecsm.com.my
Fri Feb 28 15:20:33 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 28 15:20:33 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 28 15:20:33 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 28 15:20:33 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 28 15:20:33 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 28 15:20:33 2014 [ecsvpn] Peer Connection Initiated with [AF_INET]server ip address:1194
Fri Feb 28 15:20:34 2014 MANAGEMENT: >STATE:1393572034,GET_CONFIG,,,
Fri Feb 28 15:20:35 2014 SENT CONTROL [ecsvpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 28 15:20:35 2014 AUTH: Received control message: AUTH_FAILED
Fri Feb 28 15:20:35 2014 SIGUSR1[soft,auth-failure] received, process restarting
Fri Feb 28 15:20:35 2014 MANAGEMENT: >STATE:1393572035,RECONNECTING,auth-failure,,
Fri Feb 28 15:20:35 2014 Restart pause, 2 second(s)
--------------------------------------------------------------------------------------------------------------

And why, when I try to restart the OpenVPN service in Services, does the service suddenly stop automatically?
I'm stuck on this. Please help me. Thank you.

jfj43v@
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 28, 2014 6:41 am

Re: OpenVPN authentication issue

Post by jfj43v@ » Mon Mar 03, 2014 9:01 am

Hi,

Below are the configurations of the server and client. Goal: OpenVPN authentication with Active Directory. But I face a problem in which when I run
--------------------------------------------------------------------------------------------------------
server.ovpn configuration:

port 1194
proto udp
dev tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"

server 10.88.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo

persist-tun
status openvpn-status.log
verb 3

script-security 3
auth-user-pass-verify "C:/Windows/System32/cscript.exe /H:cscript C:/Program Files/OpenVPN/config/Auth4OpenVPN.vbs" via-env
--------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------------------
client.ovpn

client
dev tun
proto udp

remote [server ip address] 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client01.crt"
key "C:\\Program Files\\OpenVPN\\config\\client01.key"

ns-cert-type server
comp-lzo
verb 3

auth-user-pass
auth-retry interact

--------------------------------------------------------------------------------------------------------
Auth4OpenVPN.ini configuration

Server = "ip address of AD"

Domain = "company domain"

DN = "dc="",dc="",dc=""

Group = "vpnusers"

Logging = "On"

--------------------------------------------------------------------------------------------------------

When I run the script using this syntax: auth4openvpn.vbs <user> <password>, the result is "Authentication Successful", but when I connect the client to the server there is an error as below:

****
Fri Feb 28 15:20:22 2014 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client01.log: Access is denied. (errno=5)
Fri Feb 28 15:20:22 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Fri Feb 28 15:20:22 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 28 15:20:22 2014 Need hold release from management interface, waiting...
Fri Feb 28 15:20:22 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'state on'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'log all on'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'hold off'
Fri Feb 28 15:20:22 2014 MANAGEMENT: CMD 'hold release'
Fri Feb 28 15:20:32 2014 MANAGEMENT: CMD 'username "Auth" "nuruljannah"'
Fri Feb 28 15:20:32 2014 MANAGEMENT: CMD 'password [...]'
Fri Feb 28 15:20:33 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 28 15:20:33 2014 UDPv4 link local: [undef]
Fri Feb 28 15:20:33 2014 UDPv4 link remote: [AF_INET]192.168.103.76:1194
Fri Feb 28 15:20:33 2014 MANAGEMENT: >STATE:1393572033,WAIT,,,
Fri Feb 28 15:20:33 2014 MANAGEMENT: >STATE:1393572033,AUTH,,,
Fri Feb 28 15:20:33 2014 TLS: Initial packet from [AF_INET]192.168.103.76:1194, sid=49293fda 7d5594f8
Fri Feb 28 15:20:33 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 28 15:20:33 2014 VERIFY OK: depth=1, C=MY, ST=SE, L=PJ, O=ECSM, OU=KUSH, CN=ecsvpn, name=admin, emailAddress=is@ecsm.com.my
Fri Feb 28 15:20:33 2014 VERIFY OK: nsCertType=SERVER
Fri Feb 28 15:20:33 2014 VERIFY OK: depth=0, C=MY, ST=SE, L=PJ, O=ECSM, OU=KUSH, CN=ecsvpn, name=admin, emailAddress=is@ecsm.com.my
Fri Feb 28 15:20:33 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 28 15:20:33 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 28 15:20:33 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 28 15:20:33 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 28 15:20:33 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 28 15:20:33 2014 [ecsvpn] Peer Connection Initiated with [AF_INET]server ip address:1194
Fri Feb 28 15:20:34 2014 MANAGEMENT: >STATE:1393572034,GET_CONFIG,,,
Fri Feb 28 15:20:35 2014 SENT CONTROL [ecsvpn]: 'PUSH_REQUEST' (status=1)
Fri Feb 28 15:20:35 2014 AUTH: Received control message: AUTH_FAILED
Fri Feb 28 15:20:35 2014 SIGUSR1[soft,auth-failure] received, process restarting
Fri Feb 28 15:20:35 2014 MANAGEMENT: >STATE:1393572035,RECONNECTING,auth-failure,,
Fri Feb 28 15:20:35 2014 Restart pause, 2 second(s)
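
An added example, not part of the original posts and not Auth4OpenVPN's own code: a small Python check that compares the auth-user-pass-verify hook from the posted server.ovpn with the command that was tested by hand. The function names and finding labels are hypothetical, and it assumes OpenVPN splits the quoted script command on whitespace, as its manual describes for script commands. It reports differences between the two invocations and does not establish the cause of the AUTH_FAILED.

```python
import re
import shlex

# Auth-hook lines from the server.ovpn posted above, plus the hand-run test
# command with placeholder credentials (USER/PASS are constructed values).
SERVER_CONF = '''\
script-security 3
auth-user-pass-verify "C:/Windows/System32/cscript.exe /H:cscript C:/Program Files/OpenVPN/config/Auth4OpenVPN.vbs" via-env
'''
MANUAL_CMD = ("C:/Windows/System32/cscript.exe /H:cscript "
              "C:/Progra~1/OpenVPN/config/Auth4OpenVPN.vbs USER PASS")

ABS_PATH = re.compile(r"^[A-Za-z]:[\\/]")
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".ps1")


def parse_hook(conf):
    """Return (argv, method, script_security_level) for the auth hook."""
    argv, method, level = None, None, 1  # script-security defaults to 1
    for line in conf.splitlines():
        parts = shlex.split(line)
        if len(parts) >= 2 and parts[0] == "script-security":
            level = int(parts[1])
        elif len(parts) >= 3 and parts[0] == "auth-user-pass-verify":
            # Assumption: the quoted command is split on whitespace again,
            # so only inner quoting keeps a path with a space in one piece.
            argv, method = shlex.split(parts[1]), parts[2]
    return argv, method, level


def audit_hook(conf, manual_cmd):
    """List differences between the configured hook and the manual test."""
    argv, method, level = parse_hook(conf)
    if argv is None:
        return ["no-auth-hook"]
    findings = []
    scripts = [a for a in argv if a.lower().endswith(SCRIPT_EXT)]
    if any(not ABS_PATH.match(s) for s in scripts):
        findings.append("script-path-split-on-space")
    if method == "via-env":
        if level < 3:
            findings.append("via-env-needs-script-security-3")
        # Credentials reach the script as environment variables ...
        findings.append("password-in-environment")
        manual = shlex.split(manual_cmd)
        idx = max((i for i, a in enumerate(manual)
                   if a.lower().endswith(SCRIPT_EXT)), default=len(manual))
        # ... so a manual run that passes them as arguments tests another path.
        if idx < len(manual) - 1:
            findings.append("manual-test-used-arguments")
    return findings
```

On the posted configuration `audit_hook(SERVER_CONF, MANUAL_CMD)` returns three findings; with the `C:/Progra~1/` short path that the manual test used, the path finding disappears.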

DL6720
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 09, 2014 8:19 pm

Re: OpenVPN authentication issue

Post by DL6720 » Wed Apr 09, 2014 8:22 pm

Hello
I have the same problem on a w2012 - openvpn 2.3.2
It works on the MS-DOS command line. When using the script, it logs 'Auth4OpenVPN: -2147221164, Classe non enregistrée' in w2012 events.

Did you find something to solve your problem?

Thanks

iceh
OpenVpn Newbie
Posts: 9
Joined: Sat May 03, 2014 10:59 am

Re: OpenVPN authentication issue

Post by iceh » Sat Dec 20, 2014 7:48 pm

Hi!

I got a fix for this.

Can you please test?

post47736.html?hilit=Auth4OpenVPN#p47736

Thx.
