Hey buddy,
Hope all is well with you. I started from scratch. This time I didn't attempt to compile it but instead I installed the OpenVPN from the Ubuntu repo.
While unrelated, I found the reason why it kept saying "Module is unknown". It didn't like "required" in /etc/pam.d/ovpn-0. I have now replaced it with "sufficient" as mentioned in the Usage of https://github.com/FreeRADIUS/pam_radiu ... ster/USAGE of PAM_radius plugin.
account sufficient /usr/lib/x86_64-linux-gnu/security/pam_permit.so
auth sufficient /home/ubuntu/pam_radius/pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
Now I get this in the server log:
MULTI: multi_create_instance called
3.11.xx.xxx:60836 Re-using SSL/TLS context
3.11.xx.xxx:60836 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
3.11.xx.xxx:60836 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
3.11.xx.xxx:60836 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
3.11.xx.xxx:60836 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
3.11.xx.xxx:60836 TLS: Initial packet from [AF_INET]3.11.xx.xxx:60836, sid=88521bad 7a295892
3.11.xx.xxx:60836 VERIFY OK: depth=1, CN=Easy-RSA CA
3.11.xx.xxx:60836 VERIFY OK: depth=0, CN=client1
3.11.xx.xxx:60836 peer info: IV_VER=2.4.9
3.11.xx.xxx:60836 peer info: IV_PLAT=mac
3.11.xx.xxx:60836 peer info: IV_PROTO=2
3.11.xx.xxx:60836 peer info: IV_NCP=2
3.11.xx.xxx:60836 peer info: IV_LZ4=1
3.11.xx.xxx:60836 peer info: IV_LZ4v2=1
3.11.xx.xxx:60836 peer info: IV_LZO=1
3.11.xx.xxx:60836 peer info: IV_COMP_STUB=1
3.11.xx.xxx:60836 peer info: IV_COMP_STUBv2=1
3.11.xx.xxx:60836 peer info: IV_TCPNL=1
3.11.xx.xxx:60836 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5481_3.8.2a__build_5481)"
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: houman
AUTH-PAM: BACKGROUND: user 'houman' failed to authenticate: Permission denied
3.11.xx.xxx:60836 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
3.11.xx.xxx:60836 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
3.11.xx.xxx:60836 TLS Auth Error: Auth Username/Password verification failed for peer
3.11.xx.xxx:60836 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
3.11.xx.xxx:60836 [client1] Peer Connection Initiated with [AF_INET]3.11.xx.xxx:60836
3.11.xx.xxx:60836 PUSH: Received control message: 'PUSH_REQUEST'
3.11.xx.xxx:60836 Delayed exit in 5 seconds
3.11.xx.xxx:60836 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
And it is still not hitting the local freeradius server. It's such a shame, because when I do this:
root@o1:/home/ubuntu# sudo pamtester -v ovpn-0 houman authenticate
pamtester: invoking pam_start(ovpn-0, houman, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
I can see it hits the local freeradius server and it even authenticates correctly. What gives that OpenVPN doesn't attempt to hit the local freeradius to fetch the username/password?
If you don't know the answer, do you know by any chance an OpenVPN colleague who has established a successful OpenVPN/Freeradius integration in the past and could advise me please? I'm happy to compensate for it.
Thank you so much,
Houman
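
Added example (not part of the post above and not OpenVPN project code): a small parser that turns server log lines like the ones quoted in the post into one record per failed username/password check, attaching the peer-less AUTH-PAM line to the peer whose plugin call failed next. It assumes log lines without a timestamp prefix, as shown in the post; the function name and the last two sample lines are constructed for illustration.

```python
import re

PAM_FAIL = re.compile(r"^AUTH-PAM: BACKGROUND: user '([^']*)' failed to authenticate: (.*)$")
PLUGIN_FAIL = re.compile(r"^(\S+) PLUGIN_CALL: plugin function (\S+) failed with status (\d+): (\S+)$")
PEER_CN = re.compile(r"^(\S+) \[([^\]]+)\] Peer Connection Initiated")
REJECTED = re.compile(r"^(\S+) SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED'")

# First seven lines are copied from the log in the post; the last two are constructed.
SAMPLE_LOG = """\
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: houman
AUTH-PAM: BACKGROUND: user 'houman' failed to authenticate: Permission denied
3.11.xx.xxx:60836 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
3.11.xx.xxx:60836 TLS Auth Error: Auth Username/Password verification failed for peer
3.11.xx.xxx:60836 [client1] Peer Connection Initiated with [AF_INET]3.11.xx.xxx:60836
3.11.xx.xxx:60836 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
192.0.2.7:51000 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
"""

def auth_failures(log_text):
    """Return one dict per failed username/password check, keyed to its peer."""
    events, by_peer, pending = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := PAM_FAIL.match(line):
            # The PAM helper logs without a peer prefix; hold it for the next plugin failure.
            pending = {"user": m.group(1), "pam_reason": m.group(2)}
        elif m := PLUGIN_FAIL.match(line):
            ev = {"peer": m.group(1), "hook": m.group(2), "status": int(m.group(3)),
                  "plugin": m.group(4), "user": None, "pam_reason": None,
                  "cert_cn": None, "rejected": False}
            ev.update(pending or {})
            pending = None
            events.append(ev)
            by_peer[ev["peer"]] = ev
        elif (m := PEER_CN.match(line)) and m.group(1) in by_peer:
            # Certificate CN of the peer, logged after the failed password check.
            by_peer[m.group(1)]["cert_cn"] = m.group(2)
        elif (m := REJECTED.match(line)) and m.group(1) in by_peer:
            by_peer[m.group(1)]["rejected"] = True
    return events

if __name__ == "__main__":
    for event in auth_failures(SAMPLE_LOG):
        print(event)
```

A record with a valid `cert_cn` but a PAM failure, as in the post, separates a certificate that passed verification from the password check that failed behind it.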