ALL clients disconnected when user inputs incorrect password
Posted: Tue Aug 30, 2016 1:56 am
by toddbaumann
Looking for some suggestions on where to look for this. I have a very vanilla configuration for OpenVPN server. It's installed through the Ubuntu community repos and is using the openvpn-auth-ldap module plugin.
All of my clients connect and everyone is happy until ONE user has an issue with a password, and then ALL of the clients are disconnected and have to reconnect. I have tried to make sure this isn't related to the client side (some are on Mac and use Tunnelblick, and some use the traditional OpenVPN client compiled from source on Linux). Anyone ever run into this before?
Re: ALL clients disconnected when user inputs incorrect password
Posted: Tue Aug 30, 2016 12:16 pm
by TinCanTech
Can you please post your server log at verb 4 showing this problem.
Re: ALL clients disconnected when user inputs incorrect password
Posted: Tue Aug 30, 2016 1:08 pm
by toddbaumann
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: MULTI: multi_create_instance called
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Re-using SSL/TLS context
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 LZO compression initialized
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Local Options hash (VER=V4): '79a26cd9'
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Expected Remote Options hash (VER=V4): 'fc8ba345'
Aug 30 07:56:37 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 TLS: Initial packet from [AF_INET]129.42.208.167:27408, sid=eed6b723 abb99863
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, data 52e, v23f0)
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: Incorrect password supplied for LDAP DN "CN=Frank Smith,OU=UserAccts,DC=abc,DC=ad,DC=def,DC=acme,DC=com".
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 TLS Auth Error: Auth Username/Password verification failed for peer
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Aug 30 07:56:38 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Peer Connection Initiated with [AF_INET]129.42.208.167:27408
Aug 30 07:56:40 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 PUSH: Received control message: 'PUSH_REQUEST'
Aug 30 07:56:40 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 Delayed exit in 5 seconds
Aug 30 07:56:40 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Aug 30 07:56:45 openvpnpoc01 ovpn-server[3493]: 192.168.10.167:27408 SIGTERM[soft,delayed-exit] received, client-instance exiting
Re: ALL clients disconnected when user inputs incorrect password
Posted: Tue Aug 30, 2016 1:34 pm
by TinCanTech
The log snippet you have supplied only shows the password failure. What else is in the log referring to the other clients being dropped?
What would be best is to post your server and client config files and complete logs at verb 4 (remove private data you do not want to share).
Take your time and post as much detail as possible. Thanks.
Re: ALL clients disconnected when user inputs incorrect password
Posted: Wed Aug 31, 2016 1:50 pm
by toddbaumann
I am testing a configuration change that seems to have solved the issue. Still in the process of testing it out but we don't see the problem since I commented out `client-config-dir /etc/openvpn/clients` in the server.conf file.
Re: ALL clients disconnected when user inputs incorrect password
Posted: Fri Sep 02, 2016 12:00 am
by TinCanTech
Can we presume you fixed it?