
OpenVPN auth-user-pass-verify

Hi experts, I've been trying to solve my problem the whole night and I couldn't fix it. I am configuring an OpenVPN server on my WinXP. It works when I don't use user/pass verification, but when I use verification the client gets:
Sat Dec 26 13:46:14 2009 94.XXX.XXX.XXX:49312 SENT CONTROL [Client1]: 'AUTH_FAILED' (status=1)
Sat Dec 26 13:46:14 2009 94.XXX.XXX.XXX:49312 Connection reset, restarting [0]
Sat Dec 26 13:46:14 2009 94.XXX.XXX.XXX:49312 SIGUSR1[soft,connection-reset] received, client-instance restarting

My server config looks like:


local 192.168.1.100
port 1345
proto tcp
mssfix 1400
push "dhcp-option DNS 89.216.1.30"
push "dhcp-option DNS 89.216.1.2"
dev tap
ca ca.crt
auth-user-pass-verify "php check.php" via-env
cert server.crt
key server.key
dh dh2048.pem
crl-verify crl.pem
client-cert-not-required
server 192.168.10.0 255.255.255.128
push "redirect-gateway def1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 10
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3

The PHP script is not even executed, because the PHP should write to a log file and return 0.
I also tried running a bat file which returns 0, a Python script, and a Perl script, but couldn't make it work.

The php looks like:

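<?php
      // Debug stub: records whether OpenVPN passed credentials in the environment.
      // Both branches end with a plain exit (status 0), so every login is accepted.
      // Note: $_ENV is only populated when variables_order in php.ini includes "E".
      $fh = fopen("valid.txt", "w");
      if (isset ($_ENV['username']) || isset($_ENV['password'])) {
            fwrite($fh, "Done!\r\n");
//            fwrite($fh, $_ENV['password']."\r\n");
            fclose($fh);
            exit;
      }
      else {
            fwrite($fh, "No username/password!\r\n");
            fclose($fh);
            exit;
      }
?>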

Any help would be highly appreciated.
Thank you!
0
avivshabo
1 Solution
 
Qlemo (C++ Developer) commented:
If you are using OpenVPN 2.1 rc9 or above, you need
 --script-security 3
in addition, so that all credentials can be supplied in clear text (see http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html). However, the inability to call external programs, or restriction of password passing, should be reported when OpenVPN server starts.

Another reason could be that php is not found. Try to supply the full path when calling.

0
 
avivshabo (Author) commented:
I changed server.ovpn:
script-security 3
auth-user-pass-verify "check.bat" via-env

And check.bat is now:
php "C:\Program Files\OpenVPN\config\check.php"

But it still doesn't work...

Any other idea?
Thanks!
0
 
avivshabo (Author) commented:
Here is the log:
Sat Dec 26 16:52:21 2009 94.94.XXX.XXX.XXX:49358 TLS Auth Error: Auth Username/Password verification failed for peer
Sat Dec 26 16:52:21 2009 94.94.XXX.XXX.XXX:49358 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sat Dec 26 16:52:21 2009 94.94.XXX.XXX.XXX:49358 [] Peer Connection Initiated with 94.94.XXX.XXX.XXX:49358
Sat Dec 26 16:52:22 2009 94.94.XXX.XXX.XXX:49358 PUSH: Received control message: 'PUSH_REQUEST'
Sat Dec 26 16:52:22 2009 94.94.XXX.XXX.XXX:49358 Delayed exit in 5 seconds
Sat Dec 26 16:52:22 2009 94.94.XXX.XXX.XXX:49358 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Sat Dec 26 16:52:22 2009 94.94.XXX.XXX.XXX:49358 Connection reset, restarting [0]
Sat Dec 26 16:52:22 2009 94.94.XXX.XXX.XXX:49358 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Dec 26 16:52:22 2009 TCP/UDP: Closing socket

Also, I updated OpenVPN.
0
 
Qlemo (C++ Developer) commented:
Can you include test code to make sure that the batch file is called, the PHP is called, and which exit code it returns? Something like

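@echo off
REM Log file sits next to this script; the path is quoted because it contains spaces
> "%~dpn0.log"   echo %time% in %0
php "C:\Program Files\OpenVPN\config\check.php"
set RC=%errorlevel%
>> "%~dpn0.log"   echo Exit PHP %RC%
REM uncomment for forced failure/success, and change 1 to 0
:: exit /b 1
REM Hand the PHP exit code back to OpenVPN (0 = accept, non-zero = reject)
exit /b %RC%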
0
 
avivshabo (Author) commented:
Just changed the method and it works! Thanks!
0
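A verification script for the auth-user-pass-verify ... via-env setup discussed in this thread, as an added example that is not code from any of the posters: OpenVPN hands the credentials over in the `username` and `password` environment variables and treats exit code 0 as accept and any other code as reject. The user store, salt, iteration count and function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify helper for via-env mode (added example)."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash so no clear-text password is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash). A real deployment
# would load this from a file readable only by the OpenVPN service account.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"client1": (_SALT, hash_password("correct horse battery", _SALT))}


def verify(env) -> int:
    """Return the exit code OpenVPN expects: 0 = accept, 1 = reject."""
    username = env.get("username")
    password = env.get("password")
    # With via-env the password only arrives when script-security is 3;
    # a missing value must be a rejection, never a silent accept.
    if not username or not password:
        return 1
    # Unknown users get a dummy record so they still cost one hash.
    salt, expected = USERS.get(username, (_SALT, b"\x00" * 32))
    candidate = hash_password(password, salt)
    # Constant-time comparison of the derived hashes.
    ok = hmac.compare_digest(candidate, expected)
    return 0 if ok and username in USERS else 1


if __name__ == "__main__":
    # Never write the password itself to a log file.
    sys.exit(verify(os.environ))
```

Call the interpreter and the script with full paths in the auth-user-pass-verify line, as suggested above for php.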
