after adding script server does not connect

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech
Frenk98K
OpenVpn Newbie
Posts: 3
Joined: Mon Jul 11, 2022 5:13 pm

after adding script server does not connect

Post by Frenk98K » Tue Jul 12, 2022 8:46 pm

This is the setup:
1) OrangePi Zero running armbian and Samba 4;
2) OrangePi Zero running armbian and PiVPN;

On the VPN "server" I've successfully created and tested a working Perl script to authenticate the users through Samba's LDAP.

If I create a certificate with the default server.conf file all is well, but when I try to edit it and add the lines cited below, then the client gets stuck on a server poll timeout, even when extended to 30 seconds.

```
duplicate-cn
#client-cert-not-required
username-as-common-name
script-security 3
auth-user-pass-verify /etc/openvpn/ldap_auth.pl via-env
```
Is there some other line that can conflict with these?
Perhaps they're not correct or I'm missing something?
Can I use a certificate created through pivpn -a nopass (auto-generated certificate without any password) where I add the auth-user-pass line, or do I have to somehow create my own .ovpn file?

Any help will be gladly accepted, as I've banged my head on this for too long without getting any closer to a solution so far...
Last edited by Frenk98K on Tue Jul 12, 2022 8:50 pm, edited 1 time in total.

Frenk98K
OpenVpn Newbie
Posts: 3
Joined: Mon Jul 11, 2022 5:13 pm

Re: after adding script server does not connect

Post by Frenk98K » Tue Jul 12, 2022 8:49 pm

Also, if you need other information, I'll provide it as needed, as I'm not too sure what is useful to post or not.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: after adding script server does not connect

Post by TinCanTech » Tue Jul 12, 2022 8:55 pm

Frenk98K wrote:
Tue Jul 12, 2022 8:49 pm
not too sure of what is useful
Try --verb 4 and check your log files for problems.

Frenk98K
OpenVpn Newbie
Posts: 3
Joined: Mon Jul 11, 2022 5:13 pm

Re: after adding script server does not connect

Post by Frenk98K » Wed Jul 13, 2022 8:34 am

TinCanTech wrote:
Tue Jul 12, 2022 8:55 pm
Try --verb 4 and check your log files for problems.
So, this is more complicated than I thought...

I found the following using grep VPN /var/log/syslog, which repeats every 4/5 seconds:

```
Jul 13 10:09:24 pivpn systemd[1]: Stopped OpenVPN connection to auth-ldap.
Jul 13 10:09:24 pivpn systemd[1]: Starting OpenVPN connection to auth-ldap...
Jul 13 10:09:24 pivpn systemd[1]: Stopped OpenVPN connection to server.
Jul 13 10:09:24 pivpn systemd[1]: Starting OpenVPN connection to server...
Jul 13 10:09:24 pivpn systemd[1]: Failed to start OpenVPN connection to auth-ldap.
Jul 13 10:09:25 pivpn systemd[1]: Failed to start OpenVPN connection to server.
```
And in /var/log/openvpn.log I found the following, again repeating every 4/5 seconds:

```
Jul 13 10:09:25 pivpn ovpn-server[21260]: Options error: --auth-user-pass-verify script fails with '/etc/openvpn/ldap_auth.pl': Permission denied (errno=13)
Jul 13 10:09:25 pivpn ovpn-server[21260]: Options error: Please correct this error.
Jul 13 10:09:25 pivpn ovpn-server[21260]: Use --help for more information.
```
I then tried to do chown -R openvpn:openvpn /etc/openvpn and restart the service with both /etc/init.d/openvpn restart and service openvpn restart, but it didn't result in any changes...
Should I put the perl file elsewhere?

I also tried installing an LDAP plugin and tools a few days ago, but then reverted to using the Perl script, which I found easier to make work reliably; might that be what it's lamenting with the "Failed to start OpenVPN connection to auth-ldap"? ...these logs are continuous whether I try to connect or not.

Also, this is the log from the client trying to connect, also with verb 4:

```
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_private_mode = 00000000
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_cert_private = DISABLED
Wed Jul 13 10:25:57 2022   pkcs11_pin_cache_period = -1
Wed Jul 13 10:25:57 2022   pkcs11_id = '[UNDEF]'
Wed Jul 13 10:25:57 2022   pkcs11_id_management = DISABLED
Wed Jul 13 10:25:57 2022   server_network = 0.0.0.0
Wed Jul 13 10:25:57 2022   server_netmask = 0.0.0.0
Wed Jul 13 10:25:57 2022   server_network_ipv6 = ::
Wed Jul 13 10:25:57 2022   server_netbits_ipv6 = 0
Wed Jul 13 10:25:57 2022   server_bridge_ip = 0.0.0.0
Wed Jul 13 10:25:57 2022   server_bridge_netmask = 0.0.0.0
Wed Jul 13 10:25:57 2022   server_bridge_pool_start = 0.0.0.0
Wed Jul 13 10:25:57 2022   server_bridge_pool_end = 0.0.0.0
Wed Jul 13 10:25:57 2022   ifconfig_pool_defined = DISABLED
Wed Jul 13 10:25:57 2022   ifconfig_pool_start = 0.0.0.0
Wed Jul 13 10:25:57 2022   ifconfig_pool_end = 0.0.0.0
Wed Jul 13 10:25:57 2022   ifconfig_pool_netmask = 0.0.0.0
Wed Jul 13 10:25:57 2022   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Jul 13 10:25:57 2022   ifconfig_pool_persist_refresh_freq = 600
Wed Jul 13 10:25:57 2022   ifconfig_ipv6_pool_defined = DISABLED
Wed Jul 13 10:25:57 2022   ifconfig_ipv6_pool_base = ::
Wed Jul 13 10:25:57 2022   ifconfig_ipv6_pool_netbits = 0
Wed Jul 13 10:25:57 2022   n_bcast_buf = 256
Wed Jul 13 10:25:57 2022   tcp_queue_limit = 64
Wed Jul 13 10:25:57 2022   real_hash_size = 256
Wed Jul 13 10:25:57 2022   virtual_hash_size = 256
Wed Jul 13 10:25:57 2022   client_connect_script = '[UNDEF]'
Wed Jul 13 10:25:57 2022   learn_address_script = '[UNDEF]'
Wed Jul 13 10:25:57 2022   client_disconnect_script = '[UNDEF]'
Wed Jul 13 10:25:57 2022   client_config_dir = '[UNDEF]'
Wed Jul 13 10:25:57 2022   ccd_exclusive = DISABLED
Wed Jul 13 10:25:57 2022   tmp_dir = 'C:\Users\******************\AppData\Local\Temp\'
Wed Jul 13 10:25:57 2022   push_ifconfig_defined = DISABLED
Wed Jul 13 10:25:57 2022   push_ifconfig_local = 0.0.0.0
Wed Jul 13 10:25:57 2022   push_ifconfig_remote_netmask = 0.0.0.0
Wed Jul 13 10:25:57 2022   push_ifconfig_ipv6_defined = DISABLED
Wed Jul 13 10:25:57 2022   push_ifconfig_ipv6_local = ::/0
Wed Jul 13 10:25:57 2022   push_ifconfig_ipv6_remote = ::
Wed Jul 13 10:25:57 2022   enable_c2c = DISABLED
Wed Jul 13 10:25:57 2022   duplicate_cn = DISABLED
Wed Jul 13 10:25:57 2022   cf_max = 0
Wed Jul 13 10:25:57 2022   cf_per = 0
Wed Jul 13 10:25:57 2022   max_clients = 1024
Wed Jul 13 10:25:57 2022   max_routes_per_client = 256
Wed Jul 13 10:25:57 2022   auth_user_pass_verify_script = '[UNDEF]'
Wed Jul 13 10:25:57 2022   auth_user_pass_verify_script_via_file = DISABLED
Wed Jul 13 10:25:57 2022   auth_token_generate = DISABLED
Wed Jul 13 10:25:57 2022   auth_token_lifetime = 0
Wed Jul 13 10:25:57 2022   auth_token_secret_file = '[UNDEF]'
Wed Jul 13 10:25:57 2022   vlan_tagging = DISABLED
Wed Jul 13 10:25:57 2022   vlan_accept = all
Wed Jul 13 10:25:57 2022   vlan_pvid = 1
Wed Jul 13 10:25:57 2022   client = ENABLED
Wed Jul 13 10:25:57 2022   pull = ENABLED
Wed Jul 13 10:25:57 2022   auth_user_pass_file = 'stdin'
Wed Jul 13 10:25:57 2022   show_net_up = DISABLED
Wed Jul 13 10:25:57 2022   route_method = 3
Wed Jul 13 10:25:57 2022   block_outside_dns = DISABLED
Wed Jul 13 10:25:57 2022   ip_win32_defined = DISABLED
Wed Jul 13 10:25:57 2022   ip_win32_type = 3
Wed Jul 13 10:25:57 2022   dhcp_masq_offset = 0
Wed Jul 13 10:25:57 2022   dhcp_lease_time = 31536000
Wed Jul 13 10:25:57 2022   tap_sleep = 0
Wed Jul 13 10:25:57 2022   dhcp_options = DISABLED
Wed Jul 13 10:25:57 2022   dhcp_renew = DISABLED
Wed Jul 13 10:25:57 2022   dhcp_pre_release = DISABLED
Wed Jul 13 10:25:57 2022   domain = '[UNDEF]'
Wed Jul 13 10:25:57 2022   netbios_scope = '[UNDEF]'
Wed Jul 13 10:25:57 2022   netbios_node_type = 0
Wed Jul 13 10:25:57 2022   disable_nbt = DISABLED
Wed Jul 13 10:25:57 2022 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
Wed Jul 13 10:25:57 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Wed Jul 13 10:25:57 2022 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
Wed Jul 13 10:25:57 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jul 13 10:25:57 2022 Need hold release from management interface, waiting...
Wed Jul 13 10:25:57 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jul 13 10:25:57 2022 MANAGEMENT: CMD 'state on'
Wed Jul 13 10:25:57 2022 MANAGEMENT: CMD 'log all on'
Wed Jul 13 10:25:58 2022 MANAGEMENT: CMD 'echo all on'
Wed Jul 13 10:25:58 2022 MANAGEMENT: CMD 'bytecount 5'
Wed Jul 13 10:25:58 2022 MANAGEMENT: CMD 'hold off'
Wed Jul 13 10:25:58 2022 MANAGEMENT: CMD 'hold release'
Wed Jul 13 10:26:04 2022 MANAGEMENT: CMD 'username "Auth" "*****************"'
Wed Jul 13 10:26:04 2022 MANAGEMENT: CMD 'password [...]'
Wed Jul 13 10:26:04 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 13 10:26:04 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 13 10:26:04 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 13 10:26:04 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 13 10:26:04 2022 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed Jul 13 10:26:04 2022 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jul 13 10:26:04 2022 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Wed Jul 13 10:26:04 2022 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Wed Jul 13 10:26:04 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:****
Wed Jul 13 10:26:04 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 13 10:26:04 2022 UDP link local: (not bound)
Wed Jul 13 10:26:04 2022 UDP link remote: [AF_INET]***.***.***.***:****
Wed Jul 13 10:26:04 2022 MANAGEMENT: >STATE:1657700764,WAIT,,,,,,
Wed Jul 13 10:26:34 2022 Server poll timeout, restarting
Wed Jul 13 10:26:34 2022 TCP/UDP: Closing socket
Wed Jul 13 10:26:34 2022 SIGUSR1[soft,server_poll] received, process restarting
Wed Jul 13 10:26:34 2022 MANAGEMENT: >STATE:1657700794,RECONNECTING,server_poll,,,,,
Wed Jul 13 10:26:34 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 13 10:26:34 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 13 10:26:34 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 13 10:26:34 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 13 10:26:34 2022 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed Jul 13 10:26:34 2022 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Jul 13 10:26:34 2022 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Wed Jul 13 10:26:34 2022 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Wed Jul 13 10:26:34 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:****
Wed Jul 13 10:26:34 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jul 13 10:26:34 2022 UDP link local: (not bound)
Wed Jul 13 10:26:34 2022 UDP link remote: [AF_INET]***.***.***.***:****
Wed Jul 13 10:26:34 2022 MANAGEMENT: >STATE:1657700794,WAIT,,,,,,
```
Is there another log file I'm missing?

And finally, for good measure, here is the current server.conf file:

```
dev tun
proto udp
port ****
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/PIVPN_e30589ae-e65d-4652-b5b2-4831ac106ecf.crt
key /etc/openvpn/easy-rsa/pki/private/PIVPN_e30589ae-e65d-4652-b5b2-4831ac106ecf.key
dh none
ecdh-curve prime256v1
topology subnet
server ***.***.***.*** ***.***.***.***
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN ***************"
push "dhcp-option DNS ***.***.***.***"
push "dhcp-option DNS ***.***.***.***"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

duplicate-cn
#client-cert-not-required
username-as-common-name
script-security 3
auth-user-pass-verify /etc/openvpn/ldap_auth.pl via-env
```
I've tried different combinations but none worked, so right now I'm stuck with the default settings and just added the changes...

Hope this information is helpful...

[Edit]:
I also uninstalled the openvpn-auth-ldap as I thought it was making trouble, but didn't change anything...
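Two checks worth running before restarting the daemon, as an added example that is not from the thread: an approximation of the startup test behind the "Permission denied (errno=13)" line above (OpenVPN refuses an --auth-user-pass-verify script that is not an executable regular file, and chown changes the owner without ever adding the execute bit), and a via-env invocation that passes username and password in the environment the way OpenVPN does. The ldap_auth_demo.sh script it writes is a constructed stand-in for the real ldap_auth.pl.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two things OpenVPN does
# with an --auth-user-pass-verify script, so it can be tested without
# restarting the daemon.  1) At startup it checks that the path is an
# executable regular file; failing that it logs "Permission denied (errno=13)"
# and refuses to start.  2) In 'via-env' mode it runs the script with the
# credentials in the environment variables 'username' and 'password' and
# treats exit status 0 as "authenticated".

# Print the first reason OpenVPN would refuse the script; return 0 if usable.
check_auth_script() {
    script=$1
    [ -f "$script" ] || { echo "not a regular file: $script"; return 1; }
    [ -r "$script" ] || { echo "not readable: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable, needs chmod 755: $script"; return 1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "no #! interpreter line: $script"; return 1; }
    return 0
}

# Invoke the script the way 'via-env' does and return its exit status.
run_auth_script() {
    env username="$2" password="$3" "$1"
}

# Constructed stand-in for ldap_auth.pl: a shell script that accepts one
# fixed user.  Point run_auth_script at the real script to test it instead.
make_demo_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
[ "$username" = "alice" ] && [ "$password" = "correct horse" ] && exit 0
exit 1
EOF
}

demo_dir=$(mktemp -d)
demo="$demo_dir/ldap_auth_demo.sh"
make_demo_script "$demo"
chmod 644 "$demo"                           # mode left by cp/chown: no x bit
check_auth_script "$demo" || echo "refused, as OpenVPN would"
chmod 755 "$demo"
check_auth_script "$demo" && echo "accepted"
run_auth_script "$demo" alice "correct horse" && echo "alice: authenticated"
run_auth_script "$demo" bob wrong || echo "bob: rejected (exit status $?)"
rm -rf "$demo_dir"
```

Because the config above drops privileges with user openvpn / group openvpn, per-connection runs of the script happen as that user, so repeat the check as it (for instance with su -s /bin/sh openvpn) so that directory permissions along the path are tested too.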
