Failed running command --auth-user-pass-verify openvpn

Hello,

I am running the latest openwrt 19.7.3 on TP-Link Archer C7 AC1750 v5. I have a problem setting up openvpn. With NM on Debian Buster I don't even get to the server, so since NM on Debian is a bit buggy I tried it with the CLI:

# openvpn --config /etc/openvpn/home.ovpn

on Debian client I get the following in syslog:

Thu Jun 18 20:37:27 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 18 20:37:27 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jun 18 20:37:27 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jun 18 20:37:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.30.1:1194
Thu Jun 18 20:37:27 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jun 18 20:37:27 2020 UDP link local: (not bound)
Thu Jun 18 20:37:27 2020 UDP link remote: [AF_INET]10.0.30.1:1194
Thu Jun 18 20:37:27 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jun 18 20:37:27 2020 TLS: Initial packet from [AF_INET]10.0.30.1:1194, sid=2d8f09bd f60a6f48
Thu Jun 18 20:37:27 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun 18 20:37:27 2020 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Jun 18 20:37:27 2020 VERIFY KU OK
Thu Jun 18 20:37:27 2020 Validating certificate extended key usage
Thu Jun 18 20:37:27 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jun 18 20:37:27 2020 VERIFY EKU OK
Thu Jun 18 20:37:27 2020 VERIFY OK: depth=0, CN=server
Thu Jun 18 20:38:27 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jun 18 20:38:27 2020 TLS Error: TLS handshake failed
Thu Jun 18 20:38:27 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Jun 18 20:38:27 2020 Restart pause, 5 second(s)

on openwrt openvpn.log:

Thu Jun 18 18:37:26 2020 10.0.30.200:47828 TLS: Initial packet from [AF_INET]10.0.30.200:47828, sid=8f289a13 9eead910
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_VER=2.4.7
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_PLAT=linux
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_PROTO=2
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_NCP=2
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZ4=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZ4v2=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZO=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_COMP_STUB=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_COMP_STUBv2=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_TCPNL=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_HWADDR=3c:97:0e:41:32:fc
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_SSL=OpenSSL_1.1.1d__10_Sep_2019
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 SIGTERM[soft,auth-control-exit] received, client-instance exiting

here is my server config:

config openvpn 'homevpn'
	option local '10.0.30.1'
	option enabled '1'
	option dev 'tun'
	option port '1194'
	option comp_lzo 'yes'
	option status '/var/log/openvpn_status.log'
	option log '/var/log/openvpn.log'
	option mute '5'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option ca '/etc/openvpn/easyrsa/pki/ca.crt'
	option cert '/etc/openvpn/easyrsa/pki/issued/server.crt'
	option key '/etc/openvpn/easyrsa/pki/private/server.key'
	option dh '/etc/openvpn/easyrsa/pki/dh.pem'
	option mode 'server'
	option tls_server '1'
	option server '10.8.0.0 255.255.255.0'
	option route_gateway 'dhcp'
	option client_to_client '1'
	option tls_auth '/etc/openvpn/easyrsa/pki/private/ta.key 0'
	option key_direction '0'
	option duplicate_cn '1'
	option sndbuf '393216'
	option rcvbuf '393216'
	option auth 'SHA256'
	option cipher 'AES-256-CBC'
	option verify_client_cert 'none'
	option username_as_common_name '1'
	list push 'comp-lzo yes'
	list push 'persist-key'
	list push 'persist-tun'
	list push 'user nobody'
	list push 'group nogroup'
	list push 'topology subnet'
	list push 'route-gateway dhcp'
	list push 'redirect-gateway def1 bypass-dhcp'
	list push 'route 10.0.30.0 255.255.255.0'
	list push 'dhcp-option DNS 10.0.30.1'
	list push 'dhcp-option DNS 1.1.1.1'
	list push 'sndbuf 393216'
	list push 'rcvbuf 393216'
	option verb '3'
	option auth_user_pass_verify '/etc/openvpn/config/ovpnauth.sh via-file'
	option script_security '2'

and the client config:

###############################################################################
# OpenVPN Client Configuration for Remote Access VPN at Home
###############################################################################

# Specify that we are a client
client
remote 10.0.30.1 1194

# TUN server
dev tun

# VPN protocol
proto udp

# allow a remote peer to change its IP address and/or port number
# Essentially, --float tells OpenVPN to accept authenticated packets 
# from any address, not only the address which was specified in the --remote option.
float

# Set output verbosity to n (default=1).
verb 3

# Push additional information about the client to server.
push-peer-info

# Keep trying indefinitely to resolve the host name of the OpenVPN server.  Very useful
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (uncomment for non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
comp-lzo

# Authentication with user/password on server depending on the module in use.
auth-user-pass

###########################################################################
# This script uses the resolvconf utility to update DNS information for Linux clients.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

###########################################################################
# TLS-Settings for authentication of the connection from client to server
tls-client
remote-cert-tls server

# Encrypt data channel packets with cipher algorithm AES-256-CBC
cipher AES-256-CBC

# Authenticate packets with HMAC using message digest algorithm SHA256.
auth SHA256

key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
ca.crt
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

the ovpnauth.sh is from github here

I tried almost everything the internet suggested: changing the script security, using via-env instead of via-file, putting the script body in a function and calling it at the end of the file, and a lot of strange suggestions, but none has worked for me.
For now I cannot have any downtime in our internet connection (which is another TP-Link that runs openwrt as well), which is why I am testing now with the LAN IP of my new TP-Link, which I cannot access via the internet.

Thanks for any help.

When running OpenVpn non-interactively, auth-user-pass needs a filename. The file contains the username and password.

Hi Mike,

the file that contains username and password is hard coded in the script:

conf=/etc/openvpn/config/ovpnauth.conf

with the following content:

user3=md5-password1
user3=md5-password2
user3=md5-password3

and here is the script:

#!/bin/sh

# Config parameters

# Path of the user database: one "username=md5hash" line per user,
# looked up by the verification code below.
conf=/etc/openvpn/config/ovpnauth.conf
# File that log() and logenv() append their records to.
logfile=/var/log/ovpnauth.log

# End of config parameters

# Usage text: shown when called with no argument or with "help";
# the script then stops with status 1.
case "$1" in
	""|help)
		echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
		echo "                   for use withauth-user-pass-verify via-file option"
		echo ""
		echo "help - prints help"
		echo "md5 password - to compute password md5 checksum"
		exit 1
		;;
esac

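#######################################
# Compute the password hash stored in $conf.
# The hash is md5 over "<password>.<hostname>\n"; the trailing newline is
# part of the hashed input, which is why `echo -n password | md5sum` does
# not reproduce it. Unsalted MD5 keyed only by the hostname is not a
# strong password hash; the scheme is kept so existing $conf entries keep
# verifying.
# Arguments: $1 - cleartext password
# Outputs:   32 hex digits on stdout
#######################################
md5() {
	# printf instead of echo: echo can mangle a password that starts with
	# "-n"/"-e" or contains backslashes on some /bin/sh implementations.
	# Piping straight into md5sum also removes the predictable
	# /tmp/$$.md5calc scratch file (and its symlink race) the old version
	# wrote and removed on every call.
	printf '%s.%s\n' "$1" "$(uname -n)" | md5sum | awk '{print $1}'
}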

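# "md5 <password>": print the hash that belongs in $conf for <password>.
if [ "$1" = "md5" ]
then
	# Quote $2 so a password containing spaces or glob characters is hashed
	# whole instead of being split into several arguments by the shell.
	printf '%s\n' "$(md5 "$2")"
	# Exit status 1 is kept from the original; wrappers may already test it.
	exit 1
fi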

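#######################################
# Append one timestamped line to $logfile.
# Globals:   logfile (read)
# Arguments: $1 - message text
#######################################
log() {
	# printf rather than echo so a message that begins with "-n" or holds
	# backslashes is written literally; $logfile quoted in case of spaces.
	printf '%s - %s\n' "$(date +'%m/%d/%y %H:%M')" "$1" >> "$logfile"
}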

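#######################################
# Append the whole process environment, joined on one line, to $logfile.
# With "--auth-user-pass-verify ... via-env" OpenVPN hands the credentials
# to the script as the "username" and "password" environment variables, so
# the value of "password" is redacted before it reaches the log; every
# other variable is written as-is.
# Globals:   logfile (read)
#######################################
logenv() {
	# awk does the join and the redaction in one pass; quoted $logfile.
	env_line=$(env | awk '/^password=/ { $0 = "password=<redacted>" } { printf "%s ", $0 }')
	printf '%s - %s\n' "$(date +'%m/%d/%y %H:%M')" "$env_line" >> "$logfile"
}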

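# --- Verification path: OpenVPN runs "ovpnauth.sh <credentials-file>" ---
# With "via-file" OpenVPN writes the username on line 1 and the password
# on line 2 of a temporary file and passes its path as $1.
if [ ! -r "$1" ]; then
	log "OpenVPN authentication failed: cannot read credentials file"
	logenv
	exit 1
fi

# IFS= read -r keeps blanks and backslashes, so a password containing a
# space is taken whole instead of being cut at the first blank the way
# "echo $userpass | awk" did.
{
	IFS= read -r username
	IFS= read -r password
} < "$1"

# Hash the offered password into the form stored in $conf.
password=$(md5 "$password")

# Stored hash for exactly this username. Comparing the whole field before
# "=" replaces the unanchored grep, so "user3" no longer matches an
# "xuser3=..." entry, regex characters in the name are not interpreted,
# and only the first matching entry is used. The name is passed through
# the environment rather than "awk -v", which would expand backslash
# escapes in it.
userpass=$(ovpn_user="$username" awk -F= '$1 == ENVIRON["ovpn_user"] { print $2; exit }' "$conf")

# An unknown user yields an empty stored hash; never accept that.
if [ -n "$userpass" ] && [ "$password" = "$userpass" ]
then
	log "OpenVPN authentication successfull: $username"
	logenv
	exit 0
fi

# Failure path: log the username only. The old version logged the whole
# credentials file, which wrote every mistyped (or valid) password in
# cleartext into $logfile.
log "OpenVPN authentication failed: $username"
logenv
exit 1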

I even tried this with no success:

#!/bin/sh

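# Credentials file written by OpenVPN (via-file): username on line 1,
# password on line 2. $1 is quoted so a path with spaces works.
username=$(head -n 1 "$1")
password=$(tail -n 1 "$1")

# This variant compares the password as typed, so it can only succeed when
# the conf holds cleartext passwords; it cannot match the md5 values that
# "ovpnauth.sh md5" produces.
# -F: the credentials are literal text, not a regex.
# -x: the whole line must match; without it a stored "user3=abcdef" would
#     also accept the offered "user3=abc" (any prefix of the stored value).
# -q replaces the stdout redirect; stderr stays silenced as before.
if grep -qxF -- "$username=$password" /etc/openvpn/config/ovpnauth.conf 2>/dev/null
then
    exit 0
else
    exit 1
fi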

Furthermore, openvpn-auth-pam.so is not present on openwrt; otherwise I'd have used it instead. BTW, the script is executable.

Pretty sure script security needs to be set to 3 for it to send the password to an external script. Script security 2 only allows external scripts to run.

Hi Michael, unfortunately it is not working either. I already tried it. Is there any way to authenticate users with a password? Maybe another VPN solution for openwrt?

I don't know if it is worth mentioning, but I am running openwrt from a JetFlash USB 8GB.

I assume the script is executable? Might as well set it 777 for testing.
I would just fill the script with logger calls and find out exactly what is going wrong.

I've never used password auth, I've used a tls-verify script to reject users not in a whitelist.

I finally found it. The md5 password must be created by the script itself:

# sh ovpnauth.sh md5 password

trying this:

echo -n password | md5sum

will create a different md5 hash than the script expects, so the authentication fails. It is a bit funny, since the authentication error appears later in the openvpn log; the first logged error is the "failed running command" stuff, which is totally misleading.

Anyway, thanks to everyone who tried to help me out on this.

Cheers
