Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 5:58 am
by joshcole
Here is the script that I am using. I am receiving an error: failed login attempt. Any feedback is appreciated. The Perl module that the script is using is installed. I found this script on a website and am a little skeptical of the username and password portion of the script. If the information below is correct, should it work? FYI, I replaced the actual username and password with placeholders.
path and name of script: /etc/openvpn/openvpn-ad-auth2.pl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Simple::ActiveDirectory;
my $adserver  = '172.16.1.70';
my $principal = 'mydomain.local';
# via-env mode: OpenVPN exports the credentials as environment variables
# (this needs "script-security 3" in server.conf).
my ( $u, $p ) = @ENV{qw/username password/};
# Reject missing or empty values before talking to AD; an empty password
# would otherwise be attempted as an unauthenticated bind.
exit 1 unless defined $u && length $u && defined $p && length $p;
my $ad = Authen::Simple::ActiveDirectory->new(
    host      => $adserver,
    principal => $principal,
);
# OpenVPN accepts the login only on exit status 0. Keep the whole ternary
# inside exit(): written as "exit ( ... ) ? 0 : 128", Perl calls exit() with
# the bare authenticate() result and never evaluates the "? 0 : 128" part.
exit( $ad->authenticate( $u, $p ) ? 0 : 1 );
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 6:04 am
by joshcole
Here is my server.conf as well
dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 172.16.1.70"
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
log openvpn.log
log-append openvpn.log
verb 2
duplicate-cn
client-cert-not-required
auth-user-pass-verify /etc/openvpn/openvpn-ad-auth2.pl via-env
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 6:06 am
by Mimiko
I suggest asking the script's developer. Maybe you are not configuring the script correctly.
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 6:21 am
by janjust
the script might work if you use
In that mode, env vars like username and password are passed on to scripts, such as your Perl script.
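As an added worked example (not code from the thread, the Perl module, or the OpenVPN project), here is the same auth-user-pass-verify contract in Python. It reads the credentials the way OpenVPN hands them over in either via-env or via-file mode, rejects malformed or empty values before anything reaches the directory, escapes the username for the %u placeholder that the plugin's SearchFilter later in the thread substitutes into an LDAP filter, and exits 0 to accept or 1 to reject. The AD check is a simple bind as user@principal through the ldap3 package, which is an assumption (install it separately); the host, principal and filter are the thread's placeholders, and the username pattern is an assumption to adjust to local naming rules.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script (added example, not the thread's code)."""
import os
import re
import sys
from typing import Callable, Optional, Tuple

# Hypothetical values matching the thread's placeholders.
AD_HOST = "172.16.1.70"
AD_PRINCIPAL = "mydomain.local"
SEARCH_FILTER = "(&(sAMAccountName=%u)(memberOf=cn=_VPN,OU=_Groups,DC=mydomain,DC=local))"

# Conservative sAMAccountName shape (assumption: adapt to local naming rules).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# RFC 4515 escapes for the characters that change the structure of a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the meaning of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped username; a raw substitution is injectable."""
    return template.replace("%u", escape_filter_value(username))


def parse_credential_file(text: str) -> Optional[Tuple[str, str]]:
    """via-file mode: OpenVPN writes the username on line 1 and the password on line 2."""
    lines = text.splitlines()
    if len(lines) < 2:
        return None
    return lines[0], lines[1]


def read_credentials(argv, environ) -> Optional[Tuple[str, str]]:
    """via-file passes a temp file path as argv[1]; via-env sets username/password."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            return parse_credential_file(fh.read())
    user = environ.get("username")
    password = environ.get("password")
    if user is None or password is None:
        return None
    return user, password


def decide(creds, authenticate: Callable[[str, str], bool]) -> int:
    """Exit status for OpenVPN: 0 accepts the login, anything else rejects it."""
    if creds is None:
        return 1
    user, password = creds
    # An empty password would be sent as an unauthenticated bind, which a
    # directory server may report as success; refuse it here.
    if not USERNAME_RE.match(user) or not password:
        return 1
    return 0 if authenticate(user, password) else 1


def ad_simple_bind(user: str, password: str) -> bool:
    """Simple bind as user@principal over LDAPS; True only if the bind succeeds."""
    import ldap3  # assumption: the ldap3 package is installed

    server = ldap3.Server(AD_HOST, use_ssl=True)
    conn = ldap3.Connection(server, user=f"{user}@{AD_PRINCIPAL}",
                            password=password, authentication=ldap3.SIMPLE)
    try:
        return bool(conn.bind())
    finally:
        conn.unbind()


if __name__ == "__main__":
    sys.exit(decide(read_credentials(sys.argv, os.environ), ad_simple_bind))
```

Point OpenVPN at it with `auth-user-pass-verify /etc/openvpn/ad-auth.py via-env` (or `via-file`) together with `script-security 3` for via-env; the decision logic is kept apart from the bind so the reject paths can be checked without a domain controller.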
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 6:48 pm
by joshcole
I switched gears and am trying to use the openvpn-ldap plugin. I created the config and added the plugin to my server.conf and received this error when I restarted openvpn (openvpn failed to start):
Auth-LDAP Configuration Error: membership key is unknown (auth-ldap.cfg:25).
Thanks for any help you can provide!
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 7:49 pm
by joshcole
I had made a mistake in my config. Here is the new error:
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 10:26 pm
by joshcole
This is what I am seeing in the logs now after trying to connect:
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Re-using SSL/TLS context
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 LZO compression initialized
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Local Options hash (VER=V4): '530fdded'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Expected Remote Options hash (VER=V4): '41690919'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 TLS: Username/Password authentication succeeded for username 'john_smith'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 [] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:64077
LDAP user "john_smith" was not found.
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 WARNING: client-connect plugin call failed
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 20, 2011 10:34 pm
by joshcole
The openvpn-ldap plugin is installed
Here are the new configs:
openvpn server.conf:
dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 172.16.1.70"
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
log openvpn.log
log-append openvpn.log
verb 2
duplicate-cn
script-security 3
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-ldap.so auth-ldap.cfg
openvpn-ldap auth-ldap.cfg:
<LDAP>
# LDAP server URL
URL ldap://172.16.1.70
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "CN=vpnauth,OU=LDAP,DC=mydomain,DC=local"
# Bind Password
# Password SecretPassword
Password xxxxxx
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
#TLSEnable yes
TLSEnable no
</LDAP>
<Authorization>
# For active directory, I used sAMAccountName to search by username
# I also configured the original search filter to contain the group membership, instead of using the
# RequireGroup directive below
# Base DN
BaseDN "DC=mydomain,DC=local"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u)(memberOf=cn=_VPN,OU=_Groups,DC=mydomain,DC=local))"
# Require Group Membership
RequireGroup false
</Authorization>
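A hardened variant of the plugin configuration above, as an added example rather than the thread's own config: the posted file binds and sends every user's password over plain ldap:// with TLSEnable no, so the bind account's password and each VPN user's password cross the network in clear text. This version uses ldaps:// instead (StartTLS via TLSEnable yes is the alternative for a plain ldap:// URL; do not combine the two) and moves the group check into the plugin's own Group block. The TLSCACertFile path and the group's OU are assumptions.

```conf
<LDAP>
  # LDAPS instead of clear-text LDAP; the DC's certificate must chain to this CA.
  URL ldaps://172.16.1.70
  BindDN "CN=vpnauth,OU=LDAP,DC=mydomain,DC=local"
  Password xxxxxx
  Timeout 15
  # StartTLS is for ldap:// URLs; on ldaps:// the session is already encrypted.
  TLSEnable no
  # Assumed path to the CA that issued the domain controller's certificate.
  TLSCACertFile /etc/openvpn/ad-ca.pem
</LDAP>
<Authorization>
  BaseDN "DC=mydomain,DC=local"
  # Plain user lookup; membership is enforced by the Group block below.
  SearchFilter "(sAMAccountName=%u)"
  RequireGroup true
  <Group>
    BaseDN "OU=_Groups,DC=mydomain,DC=local"
    SearchFilter "(cn=_VPN)"
    # AD group membership lives in the group's "member" attribute.
    MemberAttribute member
  </Group>
</Authorization>
```

Both the memberOf filter in the thread and the Group block only see direct membership, so users who reach _VPN through a nested group are rejected; keep the VPN group flat or add those users directly.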
Re: Attempting to force AD authentication for openvpn users
Posted: Fri Oct 21, 2011 7:50 am
by Mimiko
LDAP user "john_smith" was not found.
Doesn't this seem odd? The LDAP plugin worked and tried to authenticate, but that user does not exist in the Active Directory.
Re: Attempting to force AD authentication for openvpn users
Posted: Fri Oct 21, 2011 7:22 pm
by joshcole
I placed that there as a placeholder to hide the actual user name. The user definitely exists. Could you suggest where I may be able to get more feedback on this issue?
At this point I am trying to use PAM and radius to authenticate against our Windows radius server for our vpn users. I have googled the heck out of this and can't seem to make it work. Please let me know!
Thanks!
Re: Attempting to force AD authentication for openvpn users
Posted: Fri Oct 21, 2011 10:13 pm
by joshcole
I downloaded the virtual appliance and configured LDAP on it, got it to a point where it's working. Is there a way to see how it was configured and match the ldap authentication piece? Do they allow access to the configs? If so, does anyone know where I might find them?
Re: Attempting to force AD authentication for openvpn users
Posted: Sat Oct 22, 2011 7:23 am
by Mimiko
Could you suggest where I may be able to get more feedback on this issue?
I suggest getting answers on LDAP forums, as to how to configure LDAP access. Also, search this forum for LDAP authentication configuration. For example:
http://forums.openvpn.net/topic8647.html
http://www.howtoforge.com/set-up-openvp ... .0-squeeze
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 27, 2011 9:50 pm
by joshcole
I've finally been able to authenticate the user, which is amazing! I am using a RADIUS plugin to accomplish this. I am still having problems, but maybe at this point it's something that you guys can help me address.
The client error log reported this:
Thu Oct 27 14:38:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:11: topology (2.0.9)
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: route options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Oct 27 14:38:42 2011 CreateFile failed on TAP device: \\.\Global\{DC090850-52C8-4496-8227-90D67D1E6966}.tap
Thu Oct 27 14:38:42 2011 All TAP-Win32 adapters on this system are currently in use.
I am running Windows 7 64-bit, so I am not sure if that has something to do with it. I feel like I'm almost there. Any help you can provide is much appreciated!
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 27, 2011 10:09 pm
by joshcole
OK, so I was able to get connected, but no traffic is being allowed to pass. Here is what I am seeing in the log. It does show me as being successfully connected; I pulled an IP address and whatnot, but I can't ping or access any devices on the remote end.
Thu Oct 27 15:08:18 2011 xxx.xxx.xxx.xxx:50161 Need IPv6 code in mroute_extract_addr_from_packet
Re: Attempting to force AD authentication for openvpn users
Posted: Thu Oct 27, 2011 10:54 pm
by joshcole
I can ping the IP address of the OpenVPN server on the 172.16.0 subnet but can't get past that.
Re: Attempting to force AD authentication for openvpn users
Posted: Fri Oct 28, 2011 5:52 am
by Mimiko
Disable IPv6 on the tun adapter.
Also check the firewall rules on the server. Is forwarding enabled?