OpenVPN not starting. Reporting "Failed retrieving username and password"

Hi all,

First timer here. I've managed to install and get my OpenWRT setup on an x86 machine. I've set up OpenVPN using ExpressVPN but I can't get the instance to start. When I do, the system log says the following:

Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Fri Dec 16 12:40:01 2022 daemon.err openvpn(NewYork)[11922]: ERROR: Failed retrieving username or password
Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: Exiting due to fatal error

I followed this tutorial that was made on this forum to set me up, with a few modifications, but what I believe is the same end result.

Here's my ovpn file:

dev tun
remote 1195

comp-lzo no
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288

<cert here>
<pkey here>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
<key here>
-----END OpenVPN Static key V1-----
<cert here>

And my openvpn config file (one of the servers):

config openvpn 'NewYork'
	option auth_user_pass '/etc/config/vpnfiles/user.auth'
	option proto 'udp'
	option config '/etc/config/vpnfiles/NewYork.ovpn'
	option enabled '1'

Any help would be greatly appreciated. I'm not sure what I may have done wrong. Thanks!

is /etc/config/vpnfiles/user.auth there? and got the right permissions + content ?

1 Like

When an ovpn file is used, it replaces any other settings (except enabled) that may be in /etc/config/openvpn. So attempting to set the userpass file there has no effect. It needs to be in the .ovpn file.

Yup, it's there and has the two lines for username and password

@mk24 yes, it is.

The file path is not there. Having only auth-user-pass without a file will need to prompt the user for credentials at every startup. That does not work when running as a service.

You have both strings in main config, and in OpenWRT-config. Remove one.

Okay, I removed 'auth-user-pass' from the main openvpn config

Still getting the same error

So I have to declare the file path in each .ovpn file that I have? I thought adding the
option auth_user_pass '/etc/config/vpnfiles/user.auth' line in the main config was meant to cover for that?

option config will direct that OpenVPN instance to read the file instead of using UCI options. Without an option config, the options in /etc/config/openvpn are used to build a temporary .ovpn file that is then passed to OpenVPN. It's an either/or process. Configuration can't be combined from the two methods.

Thank you!! I've been looking at this for 2 days now and it's been solved in such a short time :smile:

Though I would want to understand. If option config is only reading the file and not the contents of it, why is adding it to the .ovpn as a path then able to?

I also set it up according to the tutorial linked in the OP, and in there, the author set up not just the auth file, but also the certificate and key files as paths. And they were also not working. It's really confusing

When option config is used, the OpenWrt script that starts OpenVPN doesn't look inside the .ovpn file at all. It only passes the name to OpenVPN, which will then use the file the same as on any other system. You can see that by using ps to see the command line used to launch the OpenVPN process.

The "community" area of the OpenVPN official website describes the options that can be in an .ovpn file. These are not OpenWrt specific. It is possible to embed certificates and keys or to refer to them as separate files. Most commercial providers supply a file with embedded certificates to simplify it to only distributing one file.

1 Like

Perhaps you can help me out with another problem also, surround the ovpn config. Below is a test.ovpn file config that I created using LuCi interface:

config openvpn 'test'
	option dh 'dh1024.pem'
	option client '1'
	option reneg_sec '0'
	option verb '3'
	option nobind '1'
	option remote_cert_tls 'server'
	option comp_lzo 'no'
	list remote ''
	option port '1195'
	option dev_type 'tun'
	option proto 'udp'
	option key_direction '1'
	option dev 'tun'
	option persist_key '0'
	option tun_mtu '1500'
	option route_delay '2'
	option float '0'
	option persist_tun '0'
	option fast_io '0'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option ca '/etc/openvpn/ca2.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option sndbuf '524288'
	option rcvbuf '524288'

As you can see, the ca, cert and key files are defined as paths to existing files. This test.ovpn starts and stays on. But when I define those paths myself in the main openvpn config file as below:

config openvpn 'NewYork'
	option ca '/etc/config/vpnfiles/ca2.crt'
	option cert '/etc/config/vpnfiles/client.crt'
	option key '/etc/config/vpnfiles/client.key'
	option proto 'udp'
	option config '/etc/config/vpnfiles/ovpn/NewYork.ovpn'
	option enabled '1'

I get the following error in the system log:

Fri Dec 16 17:29:50 2022 daemon.err openvpn(NewYork)[20628]: Options error: You must define CA file (--ca) or CA path (--capath)

I ended up leaving the certificate in *.ovpn files because it was starting to grind my gears. Is it still the same issue as you described above? Am I supposed to find a path within the *.ovpn? I was attempting to avoid creating large files because of repeated information that can just be fed from one source

Yes it's the same issue.

If there is an option config present in an openvpn instance block in /etc/config/openvpn, nothing else in that block (other than option enabled ) will have any effect.

1 Like

Thanks @mk24, I modified the .ovpn file to add the paths to the certs and keys and it's proper now!

Thanks for all your help. When in doubt, ask ones that know more than you!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.