I had OpenVPN set up with cert + unix username + unix password authentication and running for some time, but something has changed in the past few months in the Arch configuration that broke OpenVPN authentication. Right now, every authentication attempt is rejected (server log):
PLUGIN AUTH-PAM: BACKGROUND: received command code: 0
PLUGIN AUTH-PAM: BACKGROUND: USER: carbolymer
PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
PLUGIN AUTH-PAM: BACKGROUND: user 'carbolymer' failed to authenticate: Permission denied
10.0.0.1:53188 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.0.1:53188 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
10.0.0.1:53188 TLS Auth Error: Auth Username/Password verification failed for peer
MULTI: REAP range 0 -> 16
In dmesg I can see:
[125781.897337] audit: type=1100 audit(1609803977.633:19896): pid=1093399 uid=979 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="carbolymer" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'
Here's my server.conf:
port 4443
proto udp
cipher AES-256-GCM
auth SHA512
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
tls-version-min 1.2
tls-crypt /etc/openvpn/keys/ta.key
tls-server
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 7
max-clients 100
user openvpn
group network
client-to-client
verify-client-cert require
username-as-common-name
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
push "route 10.0.0.0 255.255.255.0"
dhcp-option DNS 10.0.0.1
dhcp-option DOMAIN home
dev-type tun
crl-verify /etc/openvpn/keys/crl.pem
and an example client.conf (with keys/certificates removed):
client
dev tun0
proto udp
auth SHA512
remote openvpn.host.com 4443
resolv-retry infinite
nobind
persist-key
persist-tun
<ca></ca>
<cert></cert>
<key></key>
key-direction 1
<tls-crypt></tls-crypt>
ns-cert-type server
verb 7
auth-user-pass
I've also added /etc/pam.d/openvpn:
auth include system-remote-login
account include system-remote-login
and it does not matter whether I point the PAM module at that file or at login.
My account isn't locked out in faillock, so I have no clue what's going on. Any ideas how to debug this issue further?
This looks like a similar issue, but it doesn't work in my case: https://serverfault.com/questions/10253 … nd-selinux
UPDATE:
I've found a workaround: when running the openvpn service as root, PAM authentication works without any issues. The problem appears when openvpn is executed as (from the systemd service file):
User=openvpn
Group=network
Related bug report: https://bugs.archlinux.org/task/69216
Last edited by carbolymer (2021-01-05 10:35:41)
I'm noticing exactly the same thing. So far the only workaround I've found is also running it as root, with a systemd service override. I did use the 'user' and 'group' options in the server config file to put things back to openvpn and network, respectively, and that helps to step down the privileges while still allowing PAM to function.
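Added example (not code from either poster): a POSIX shell script that applies the workaround both posts describe, but keeps the privilege drop. The reason the two approaches differ is that openvpn-plugin-auth-pam.so forks a privileged background process when the plugin is initialised, i.e. before openvpn honours its own `user`/`group` directives, and that helper is what talks to PAM. pam_unix needs root (directly, or through its unix_chkpwd helper) to read /etc/shadow for a user other than the caller, so with `User=openvpn` in the systemd unit the helper is forked already unprivileged and every verification returns "Permission denied". The drop-in below clears User=/Group= so the service starts as root, and the script refuses to install it unless server.conf carries its own `user` and `group` lines, so openvpn itself still ends up unprivileged. The unit name openvpn-server@server.service, the config path and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example: move privilege dropping from the systemd unit into openvpn
# itself so the auth-pam plugin can fork its privileged PAM helper at startup.
# Unit name, config path and drop-in name are assumptions, not from the thread.

# Text of the systemd drop-in. Empty User=/Group= reset whatever the packaged
# unit set, so the service starts as root.
override_contents() {
    cat <<'EOF'
[Service]
# Start as root: openvpn-plugin-auth-pam.so forks its PAM helper before
# openvpn drops to the user/group named in server.conf.
User=
Group=
EOF
}

# Return 0 if CONF has uncommented "user <name>" and "group <name>" directives,
# i.e. openvpn will drop privileges on its own after initialisation.
config_drops_privs() {
    conf="$1"
    grep -Eq '^[[:space:]]*user[[:space:]]+[^[:space:]#]' "$conf" &&
    grep -Eq '^[[:space:]]*group[[:space:]]+[^[:space:]#]' "$conf"
}

# Install the drop-in for UNIT, but only if CONF drops privileges itself;
# otherwise the daemon would simply stay root, which is worse than the bug.
install_override() {
    unit="${1:-openvpn-server@server.service}"
    conf="${2:-/etc/openvpn/server/server.conf}"
    if ! config_drops_privs "$conf"; then
        echo "refusing: $conf has no user/group directives; openvpn would stay root" >&2
        return 1
    fi
    dir="/etc/systemd/system/${unit}.d"
    mkdir -p "$dir"
    override_contents > "$dir/run-as-root.conf"
    systemctl daemon-reload
    systemctl restart "$unit"
}

# Usage (as root): install_override openvpn-server@server.service /etc/openvpn/server/server.conf
```

After the restart, `ps -eo user,pid,args | grep '[o]penvpn'` should show two openvpn processes: the main daemon running as the configured `user` (openvpn in the thread's config) and the plugin's background helper still owned by root. If both show up as root, the `user`/`group` lines in server.conf are not being applied; if both show up as openvpn, the systemd override did not take effect (check `systemctl cat` for the unit).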