OpenVPN auth-user-pass-verify not sending auth_failed to clients

Hi
I am using OpenWRT 22.03.5 with the openvpn-openssl package 2.5.7-3 on x86 hardware (PC Engines APU2 boards). I have configured the OpenVPN server with an auth-user-pass-verify env script. When the script returns success for the user/pass authentication, everything works as expected. If the script returns an exit code of 1, the server logs it correctly, but the clients do not get any feedback and wait forever for a response.
As I never had problems with other systems and older versions of OpenVPN, I am not sure if this may be a configuration-related issue (no idea which configuration options would have any impact on the feedback being sent to the user), a problem with that specific OpenVPN version, or a problem related to OpenWRT.

Is somebody running an OpenWRT OpenVPN 2.5.7 server, using the auth-user-pass-verify option with an external script, and getting the right behaviour on failed authentication?

I have opened an issue with OpenVPN, see here https://github.com/OpenVPN/openvpn/issues/362.

greets
KoS

Dunno what the answer to your query is, but it prompted me to double-check my own OpenVPN instance.

Despite prompting for user authentication upon connection, I was able to connect with a deliberately wrong password. Oops!

Guess I need to dig into the config and check my work...

Dug into my config, and realised I had user/password authentication set in the client config, but not in the server config.

So I followed the instructions at https://openvpn.net/community-resources/using-alternative-authentication-methods/ and added plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login to the server config.

Now, if I enter a bad password the login attempt is rejected immediately. And it sounds like your problem is that in certain scenarios you don't get an immediate response.

OpenVPN's documentation suggests that using openvpn-auth-pam.so offers additional benefits over auth-user-pass-verify. Do you have a compelling need to use auth-user-pass-verify?

Thanks @iplaywithtoys. Yes, I have my own authentication script that needs to be run, as I am not authenticating against local users but against a custom API. (Yes, I am aware of the disadvantages of this way of authentication.)

Possibly a daft question (apologies if so), but do you have script-security set to "3"?

Another potentially daft question: do you have any prohibited characters in the username or password?

Yes, script-security is set to 3. And as mentioned, if the username/password provided are correct, everything works as expected (the script returns exit code 0 and the OpenVPN client moves on). I have put the log details in the OpenVPN issue https://github.com/OpenVPN/openvpn/issues/362
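An added example, not code from the thread or from the OpenVPN project: a minimal auth-user-pass-verify script for the via-env mode the original poster uses, showing the exit-code contract the server acts on (0 = accept, non-zero = AUTH_FAILED) together with the prohibited-character check iplaywithtoys asks about. The inline credential store stands in for the poster's custom API and is constructed for illustration; the character policy is this example's own, not a statement of OpenVPN's rules.

```shell
#!/bin/sh
# Added example: auth-user-pass-verify script in via-env mode.
# OpenVPN exports $username and $password and acts on the exit status only:
# 0 accepts the client, anything else should yield AUTH_FAILED on the client.
# Requires "script-security 3" in the server config, as discussed in the thread.

# Constructed credential store standing in for the poster's custom API.
# Format: one "user:password" pair per line.
CREDS='alice:correct-horse
bob:battery-staple'

# Policy of this example: treat non-printable characters and quote
# characters as prohibited before the value ever reaches a backend.
has_forbidden_chars() {
    case "$1" in
        *[![:print:]]*|*[\"\'\`]*) return 0 ;;   # forbidden character present
        *) return 1 ;;                            # clean
    esac
}

# verify_user USER PASS -> 0 if the pair is in the store, 1 otherwise.
verify_user() {
    user="$1"; pass="$2"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    has_forbidden_chars "$user" && return 1
    has_forbidden_chars "$pass" && return 1
    # -x forces a whole-line match so "alice:cor" cannot pass as a prefix.
    printf '%s\n' "$CREDS" | grep -qxF "${user}:${pass}"
}

# Entry point used by the daemon; skipped when the env var is absent so the
# functions above can also be sourced and exercised on their own.
if [ -n "${username:-}" ]; then
    if verify_user "$username" "$password"; then
        logger -t openvpn-auth "accepted user '$username'"
        exit 0
    fi
    logger -t openvpn-auth "rejected user '$username'"   # never log the password
    exit 1
fi
```

When the server is healthy, the exit 1 path is what the client should see as AUTH_FAILED; the thread's symptom is that this status never reaches the client.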

You need to enable "Management Server" support in OpenVPN, which is a compile time option available in the config menu after running make menuconfig.


Thanks @codemarauder
Why do you think that the "Management Interface Options" of OpenVPN are needed for the feedback to the client? Despite that, I have tried on another system where the failed auth gets propagated to the client just fine to not use the management option and it works even without that option.

@codemarauder
You are right! You're my hero!
I recompiled the package with the management interface and indeed, the client receives the auth failed feedback. Really weird that this is related to the management interface (even if it is NOT activated in the actual openvpn config) being compiled in.
Thanks a lot!
I'll open an issue for the OpenWRT package so that the management interface always gets compiled.


See the issue in the OpenWRT packages repo: https://github.com/openwrt/packages/issues/21534 and a pull request to enable it by default on openvpn-openssl

