I cannot get past the authorization step no matter what I try. Please help me find where I am making mistakes.

openvpn.conf
# Server side (openvpn.conf). Review comments only; directives are unchanged.
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vpn-server.crt
# NOTE(review): no "key" directive and no server-side "tls-auth ... 0" appear in
# this paste, although the client uses "tls-auth ta.key 1" and the handshake
# succeeds in the logs - presumably inline blocks or a trimmed paste; confirm.
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
cipher AES-256-CBC
comp-lzo
# NOTE(review): privileges drop to nobody:nobody, so verify.sh, user.pass and
# the /var/log/ovpnauth.log it appends to presumably need to be accessible to
# that account - confirm permissions once the script actually runs.
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
explicit-exit-notify 1
# With no client certificate required, the auth-user-pass-verify script is the
# only thing gating access: keep its user db readable by the OpenVPN account only.
client-cert-not-required
# Missing: "script-security 2". The server log reports "External program may
# not be called unless '--script-security 2' or higher is enabled", so the
# script below is never executed and every login ends in AUTH_FAILED.
# Also: OpenVPN appends the credentials temp file as the LAST argument, so with
# the extra user.pass argument here it arrives as $2, while the posted verify.sh
# reads $1.
auth-user-pass-verify "/usr/local/etc/openvpn/verify.sh /usr/local/etc/openvpn/user.pass" via-file
# Client side. Review comments only; directives are unchanged.
dev tun
proto udp
remote mail.delta.in.ua 1194
resolv-retry infinite
nobind
keepalive 10 120
comp-lzo
;user nobody
;group nobody
persist-key
persist-tun
;ca ca.crt
;cert client.crt
;key client.key
# NOTE(review): "ca" is commented out here, yet the client log shows
# "VERIFY OK: depth=1, CN=Easy-RSA CA" and "tls-auth using INLINE static key
# file" while this paste references ta.key as a file - the configuration the
# client actually loaded presumably carries inline <ca>/<tls-auth> blocks that
# were trimmed from this paste; confirm.
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
tls-client
;push "dhcp-option DNS 192.168.1.250"
;auth MD5
# The client log warns "this configuration may cache passwords in memory --
# use the auth-nocache option to prevent this"; add "auth-nocache" next to
# auth-user-pass if caching is not wanted.
auth-user-pass
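#!/bin/sh
# verify.sh / ovpnauth.sh - OpenVPN auth-user-pass-verify helper (via-file mode).
#
# Usage:
#   verify.sh CREDFILE        as called by OpenVPN; CREDFILE holds the username
#                             on line 1 and the password on line 2
#   verify.sh md5 PASSWORD    print the hash to store in the user db
#   verify.sh help            print this help
#
# OpenVPN only forks this script when "script-security 2" (or higher) is set
# in openvpn.conf; without it the server logs a warning and fails every login.
#
# Config parameters
conf="/usr/local/etc/openvpn/user.pass"   # user db: one "username=md5hash" per line
logfile="/var/log/ovpnauth.log"           # audit log, appended to on every attempt
# End of config parameters
# No argument at all, or "help": print usage and exit non-zero (never a success).
if [ -z "$1" ] || [ "$1" = "help" ]; then
  echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
  echo " for use with auth-user-pass-verify via-file option"
  echo ""
  echo "help - prints help"
  echo "md5 password - to compute password md5 checksum"
  exit 1
fi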
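#######################################
# Hash a password the way the user db stores it: md5 of "PASSWORD.<hostname>".
# Arguments: $1 - clear-text password
# Outputs:   32 hex characters on stdout
#######################################
md5() {
  # Pipe instead of the old /tmp/$$.md5calc scratch file: nothing derived from
  # the password touches the disk and there is no predictable /tmp name to
  # race. printf '%s\n' reproduces echo's trailing newline, so hashes already
  # stored in the user db still match.
  # NOTE(review): md5 of password + hostname is a fast hash with one shared
  # salt for every user; kept only so existing user db entries keep working.
  printf '%s\n' "$1.$(uname -n)" | md5sum | awk '{print $1}'
}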
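# "md5 PASSWORD": print the hash an admin stores in the user db.
# The password is quoted so a value containing spaces hashes as a whole, and the
# hash is printed directly rather than through echo `...`, which would
# word-split and glob the result. The original exit status 1 is kept
# (presumably so this maintenance mode never reads as a successful
# verification to OpenVPN).
if [ "$1" = "md5" ]; then
  md5 "$2"
  exit 1
fi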
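#######################################
# Append one timestamped line to the audit log.
# Globals:   logfile (read)
# Arguments: $1 - message
#######################################
log() {
  # printf rather than echo: under /bin/sh (dash, BSD sh) echo may interpret
  # backslash sequences in the message. Quoting $logfile keeps a path with
  # spaces intact.
  printf '%s - %s\n' "$(date +'%m/%d/%y %H:%M')" "$1" >> "$logfile"
}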
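#######################################
# Append the whole process environment, space-joined onto one line, to the
# audit log (presumably to record the per-connection variables OpenVPN sets).
# Globals:   logfile (read)
# NOTE(review): with via-file the credentials are not in the environment, but
# with via-env the password variable would be - if that mode is ever used,
# this must filter it out before logging.
#######################################
logenv() {
  environment=$(env | awk '{printf "%s ", $0}')
  # printf rather than echo so backslashes in variable values are not interpreted.
  printf '%s - %s\n' "$(date +'%m/%d/%y %H:%M')" "$environment" >> "$logfile"
}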
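# --- Verification mode (called by OpenVPN) ---------------------------------
# OpenVPN appends the credentials temp file as the LAST argument. The
# openvpn.conf on this page also passes the user-db path first
# ("verify.sh /usr/local/etc/openvpn/user.pass"), so accept both call shapes:
#   verify.sh CREDFILE
#   verify.sh USERDB CREDFILE
if [ "$#" -ge 2 ]; then
  conf=$1
  credfile=$2
else
  credfile=$1
fi

if [ ! -r "$credfile" ]; then
  log "OpenVPN authentication failed: cannot read credentials file"
  exit 1
fi

# via-file layout: username on line 1, password on line 2. read -r keeps
# backslashes and a password containing spaces intact (the old
# echo | awk '{print $2}' split on whitespace and kept only the first word).
username=
password=
{
  IFS= read -r username
  IFS= read -r password
} < "$credfile"

if [ -z "$username" ]; then
  log "OpenVPN authentication failed: empty username"
  exit 1
fi

# computing password md5
password=$(md5 "$password")

# Exact match on the "username=" field. The old `grep $username=` used the
# client-supplied name as an unanchored regex, so "." or a prefix of another
# account name matched other users' lines. The name is passed through the
# environment rather than -v so awk does not process escape sequences in it.
stored=$(OVPN_AUTH_USER="$username" awk -F= '$1 == ENVIRON["OVPN_AUTH_USER"] { print $2; exit }' "$conf")

if [ -n "$stored" ] && [ "$password" = "$stored" ]; then
  log "OpenVPN authentication successful: $username"
  logenv
  exit 0
fi

# Log only the username on failure: the old `log \`cat $1\`` wrote the
# submitted clear-text password into the log file.
log "OpenVPN authentication failed: $username"
logenv
exit 1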
username=MD5 pass
Client log==> /var/log/openvpn.log <==
Mon Sep 18 00:04:13 2017 46.98.240.199 TLS: Initial packet from [AF_INET6]::ffff:46.98.240.199:37958, sid=fd962e72 3ebaa2cd
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_VER=2.3.17
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_PLAT=linux
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_PROTO=2
Mon Sep 18 00:04:13 2017 46.98.240.199 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Mon Sep 18 00:04:13 2017 46.98.240.199 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
Mon Sep 18 00:04:13 2017 46.98.240.199 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 18 00:04:13 2017 46.98.240.199 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mon Sep 18 00:04:13 2017 46.98.240.199 Peer Connection Initiated with [AF_INET6]::ffff:46.98.240.199:37958
Mon Sep 18 00:04:16 2017 46.98.240.199 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 18 00:04:16 2017 46.98.240.199 Delayed exit in 5 seconds
Mon Sep 18 00:04:16 2017 46.98.240.199 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 18 00:04:21 2017 46.98.240.199 SIGTERM[soft,delayed-exit] received, client-instance exiting
Mon Sep 18 00:04:22 2017 OpenVPN 2.3.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 20 2017
Mon Sep 18 00:04:22 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Enter Auth Username: ****
Enter Auth Password: ****
Mon Sep 18 00:04:25 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 18 00:04:25 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep 18 00:04:25 2017 UDPv4 link local: [undef]
Mon Sep 18 00:04:25 2017 UDPv4 link remote: [AF_INET]195.248.184.7:1194
Mon Sep 18 00:04:25 2017 TLS: Initial packet from [AF_INET]195.248.184.7:1194, sid=f32c6ae4 a55eb273
Mon Sep 18 00:04:25 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 18 00:04:25 2017 VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Sep 18 00:04:25 2017 Validating certificate key usage
Mon Sep 18 00:04:25 2017 ++ Certificate has key usage 00a0, expects 00a0
Mon Sep 18 00:04:25 2017 VERIFY KU OK
Mon Sep 18 00:04:25 2017 Validating certificate extended key usage
Mon Sep 18 00:04:25 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 18 00:04:25 2017 VERIFY EKU OK
Mon Sep 18 00:04:25 2017 VERIFY OK: depth=0, CN=vpn-server
Mon Sep 18 00:04:25 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 18 00:04:25 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 18 00:04:25 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Sep 18 00:04:25 2017 [vpn-server] Peer Connection Initiated with [AF_INET]195.248.184.7:1194
Mon Sep 18 00:04:28 2017 SENT CONTROL [vpn-server]: 'PUSH_REQUEST' (status=1)
Mon Sep 18 00:04:28 2017 AUTH: Received control message: AUTH_FAILED
Mon Sep 18 00:04:28 2017 SIGTERM[soft,auth-failure] received, process exiting