OpenVPN not starting. Reporting "Failed retrieving username and password"

Hi all,

First timer here. I've managed to install and get my OpenWRT setup on an x86 machine. I've set up OpenVPN using ExpressVPN but I can't get the instance to start. When I do, the system log says the following:

Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Fri Dec 16 12:40:01 2022 daemon.err openvpn(NewYork)[11922]: ERROR: Failed retrieving username or password
Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: Exiting due to fatal error

I followed this tutorial that was made on this forum to set me up, with a few modifications, but what I believe is the same end result.

Here's my ovpn file:

dev tun
fast-io
persist-key
persist-tun
nobind
remote server-name.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
askpass
auth-user-pass

<cert>
-----BEGIN CERTIFICATE-----
<cert here>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
<pkey here>
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<key here>
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
<cert here>
-----END CERTIFICATE-----
</ca>

And my openvpn config file (one of the servers):

config openvpn 'NewYork'
	option auth_user_pass '/etc/config/vpnfiles/user.auth'
	option proto 'udp'
	option config '/etc/config/vpnfiles/NewYork.ovpn'
	option enabled '1'

Any help would be greatly appreciated. I'm not sure what I may have done wrong. Thanks!

Is /etc/config/vpnfiles/user.auth there? And has it got the right permissions + content?

When an ovpn file is used, it replaces any other settings (except enabled) that may be in /etc/config/openvpn. So attempting to set the userpass file there has no effect. It needs to be in the .ovpn file.

Yup, it's there and has the two lines for username and password

@mk24 yes, it is.

The file path is not there. Having only auth-user-pass without a file will need to prompt the user for credentials at every startup. That does not work when running as a service.

You have both strings in main config, and in OpenWRT-config. Remove one.

Okay, I removed 'auth-user-pass' from the main openvpn config

Still getting the same error

So I have to declare the file path in each .ovpn file that I have? I thought adding the option auth_user_pass '/etc/config/vpnfiles/user.auth' line in the main config was meant to cover for that?

Yes.
option config will direct that OpenVPN instance to read the file instead of using UCI options. Without an option config, the options in /etc/config/openvpn are used to build a temporary .ovpn file that is then passed to OpenVPN. It's an either/or process. Configuration can't be combined from the two methods.

Thank you!! I've been looking at this for 2 days now and it's been solved in such a short time.

Though I would want to understand. If option config is only reading the file and not the contents of it, why is adding it to the .ovpn as a path then able to?

I also set it up according to the tutorial linked in the OP, and in there, the author set up not just the auth file, but also the certificate and key files as paths. And they were also not working. It's really confusing.

When option config is used, the OpenWrt script that starts OpenVPN doesn't look inside the .ovpn file at all. It only passes the name to OpenVPN, which will then use the file the same as on any other system. You can see that by using ps to see the command line used to launch the OpenVPN process.

The "community" area of the OpenVPN official website describes the options that can be in an .ovpn file. These are not OpenWrt specific. It is possible to embed certificates and keys or to refer to them as separate files. Most commercial providers supply a file with embedded certificates to simplify it to only distributing one file.

Perhaps you can help me out with another problem also, surrounding the ovpn config. Below is a test.ovpn file config that I created using the LuCI interface:

config openvpn 'test'
	option dh 'dh1024.pem'
	option client '1'
	option reneg_sec '0'
	option verb '3'
	option nobind '1'
	option remote_cert_tls 'server'
	option comp_lzo 'no'
	list remote 'usa-newyork-ca-version-2.expressnetw.com'
	option port '1195'
	option dev_type 'tun'
	option proto 'udp'
	option key_direction '1'
	option dev 'tun'
	option persist_key '0'
	option tun_mtu '1500'
	option route_delay '2'
	option float '0'
	option persist_tun '0'
	option fast_io '0'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option ca '/etc/openvpn/ca2.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option sndbuf '524288'
	option rcvbuf '524288'

As you can see, the ca, cert and key files are defined as paths to existing files. This test.ovpn starts and stays on. But when I define those paths myself in the main openvpn config file as below:

config openvpn 'NewYork'
	option ca '/etc/config/vpnfiles/ca2.crt'
	option cert '/etc/config/vpnfiles/client.crt'
	option key '/etc/config/vpnfiles/client.key'
	option proto 'udp'
	option config '/etc/config/vpnfiles/ovpn/NewYork.ovpn'
	option enabled '1'

I get the following error in the system log:

Fri Dec 16 17:29:50 2022 daemon.err openvpn(NewYork)[20628]: Options error: You must define CA file (--ca) or CA path (--capath)

I ended up leaving the certificate in *.ovpn files because it was starting to grind my gears. Is it still the same issue as you described above? Am I supposed to find a path within the *.ovpn? I was attempting to avoid creating large files because of repeated information that can just be fed from one source.

Yes it's the same issue.

If there is an option config present in an openvpn instance block in /etc/config/openvpn, nothing else in that block (other than option enabled ) will have any effect.

Thanks @mk24, I modified the .ovpn file to add the paths to the certs and keys and it's proper now!

Thanks for all your help. When in doubt, ask ones that know more than you!
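
The rule from the answers above, as an added example (not part of the original thread and not OpenWrt's own init script): a shell lint that lists the UCI options ignored because the block also sets `option config`, and checks that `auth-user-pass` in the .ovpn names a credentials file that exists and is not readable by group or others. The function names and the temp-dir sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample files are constructed, not OpenWrt's.

# List "instance: option" for each UCI option that is ignored because the same
# block also sets "option config" (only "enabled" is still honoured).
ignored_uci_options() {
    awk -v q="'" '
        function flush(   i) {
            if (has_config) for (i = 1; i <= n; i++) print name ": " opts[i]
            n = 0; has_config = 0
        }
        $1 == "config" { flush(); name = $3; gsub(q, "", name); next }
        $1 == "option" && $2 == "config" { has_config = 1; next }
        ($1 == "option" || $1 == "list") && $2 != "enabled" { opts[++n] = $2 }
        END { flush() }
    ' "$1"
}

# Say why auth-user-pass in an .ovpn cannot work unattended: no file argument
# (OpenVPN would prompt), file missing, or file readable by group/others.
# Assumes the credentials path contains no spaces or quotes.
auth_user_pass_problem() {
    line=$(grep -E '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$1" | head -n 1)
    [ -n "$line" ] || return 0              # directive not present
    set -- $line                            # $1=directive, $2=path if given
    if [ -z "${2:-}" ]; then echo "no-file"
    elif [ ! -f "$2" ]; then echo "missing:$2"
    elif [ -n "$(find "$2" -perm -004 -o -perm -040)" ]; then echo "loose-perms:$2"
    fi
}

# Constructed sample mirroring the thread, written to a temp dir.
d=$(mktemp -d)
printf 'user\npass\n' > "$d/user.auth"; chmod 600 "$d/user.auth"
printf 'dev tun\nauth-user-pass\n' > "$d/broken.ovpn"
printf 'dev tun\nauth-user-pass %s\n' "$d/user.auth" > "$d/fixed.ovpn"
cat > "$d/openvpn" <<EOF
config openvpn 'NewYork'
    option auth_user_pass '/etc/config/vpnfiles/user.auth'
    option proto 'udp'
    option config '$d/broken.ovpn'
    option enabled '1'
EOF

ignored_uci_options "$d/openvpn"
auth_user_pass_problem "$d/broken.ovpn"
auth_user_pass_problem "$d/fixed.ovpn"
```

On a router, point `ignored_uci_options` at /etc/config/openvpn and `auth_user_pass_problem` at each .ovpn file named by an `option config` line.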
