[arch-general] User authentication problems at OpenVPN on ArchLinux

Jordan Borgner jordan at manmtr.net
Thu Dec 31 13:08:10 UTC 2020


Good day everyone.

I'm facing a weird problem with my VPN. It fails to authenticate users 
even though the entered password is correct (copied and pasted).

OpenVPN (version 2.5.0 on ArchLinux) itself is serviced with systemd and 
runs fine. I'm using OpenVPN's auth-pam plugin to authenticate users. 
You will find the configuration and log files below.

When trying to log in, I get "User authentication failed" at my client 
and the following logging. The user was created with useradd and is able 
to log in with ssh as well.

There is no pam config for openvpn in /etc/pam.d. But it worked before 
without it.

Does anyone have an idea on how to fix this or how to debug pam properly?

journalctl -r|grep username
===========================
Dec 26 13:42:41 hostname kernel: audit: type=1100 
audit(1608986561.263:1183): pid=678 uid=973 auid=4294967295 
ses=4294967295 msg='op=PAM:authentication grantors=? acct="username" 
exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'

Dec 26 13:42:41 hostname audit[678]: USER_AUTH pid=678 uid=973 
auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? 
acct="username" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? 
res=failed'

Dec 26 13:42:41 hostname openvpn[678]: pam_unix(login:auth): 
authentication failure; logname= uid=973 euid=973 tty= ruser= rhost= 
user=username

Dec 26 13:42:41 hostname unix_chkpwd[4160]: password check failed for 
user (username)

/var/log/openvpn.log
====================
ip-addr [username] Peer Connection Initiated with [AF_INET6]ip-addr:52991
ip-addr PUSH: Received control message: 'PUSH_REQUEST'
ip-addr Delayed exit in 5 seconds
ip-addr SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
ip-addr SIGTERM[soft,delayed-exit] received, client-instance exiting

server.conf
===========
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
port 1194

persist-key
persist-tun

proto udp
proto udp6

dev tun

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/manmtr.crt
key /etc/openvpn/easy-rsa/pki/private/manmtr.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

data-ciphers AES-256-GCM
;cipher AES-256-CBC
auth SHA512
reneg-sec 36000
inactive 0

server 192.168.200.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"

keepalive 10 36000

status openvpn-status.log

log /var/log/openvpn.log

verb 4

-- 
Jordan Borgner
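
An added triage example, not part of the original post: it correlates the pam_unix failure line with the plugin line from server.conf to show which PAM service was consulted and which uid made the call. The sample input is constructed from the excerpts above; the function names are hypothetical. It relies on one assumption about pam_unix: a caller that is not root goes through the unix_chkpwd helper, which does not verify another account's password.

```python
import re

# Constructed sample input, shaped like the journal and server.conf excerpts in the post.
JOURNAL = (
    "Dec 26 13:42:41 hostname openvpn[678]: pam_unix(login:auth): "
    "authentication failure; logname= uid=973 euid=973 tty= ruser= rhost= user=username\n"
    "Dec 26 13:42:41 hostname unix_chkpwd[4160]: password check failed for user (username)\n"
)
SERVER_CONF = (
    "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login\n"
    "port 1194\n"
)

# pam_unix failure line: process name, PAM service, caller uid/euid, target account.
PAM_FAIL = re.compile(
    r"(?P<proc>[\w.-]+)\[\d+\]: pam_unix\((?P<service>[^:]+):auth\): "
    r"authentication failure;.*?\buid=(?P<uid>\d+) euid=(?P<euid>\d+)"
    r".*?\buser=(?P<user>\S+)"
)

def plugin_service(conf):
    """Return the PAM service name given to the auth-pam plugin, or None if absent."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "plugin" and "auth-pam" in parts[1]:
            return parts[2] if len(parts) > 2 else None
    return None

def triage(journal, conf):
    """List pam_unix auth failures with the facts needed to debug them."""
    configured = plugin_service(conf)
    findings = []
    for m in PAM_FAIL.finditer(journal):
        f = m.groupdict()
        f["uid"], f["euid"] = int(f["uid"]), int(f["euid"])
        # The service in the log is the /etc/pam.d/<service> stack that was used.
        f["service_matches_config"] = f["service"] == configured
        # Assumption: a non-root caller cannot check another account's shadow
        # entry, so the password fails even when it was typed correctly.
        f["caller_is_root"] = f["euid"] == 0
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(JOURNAL, SERVER_CONF):
        print(f)
```

For the lines above it reports service `login`, caller uid 973 (not root) and target account `username`, so the stack in use is /etc/pam.d/login and the check was made by an unprivileged process.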

