OpenVPN

RichardPWolf (United States of America) asked:
Trying to set up an OpenVPN server that will authenticate users against Active Directory.
I currently have it running using client/server certificates and all is good. When I add the appropriate settings for user authentication I can't connect.
I'm using IPFIRE 3.2.48-ipfire-pae. Not sure what flavor of Linux it's built around. The website is ipfire.org.


Server.conf ->
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 24.242.180.212
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.46.108.0 255.255.255.0
tun-mtu 1500
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.7.0 255.255.255.0"
push "route 192.168.8.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
mtu-disc maybe
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher AES-256-CBC
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DOMAIN hoodview.fcu"
push "dhcp-option DNS 192.168.6.1"
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
#client-cert-not-required
username-as-common-name
user nobody
group nobody
persist-key
persist-tun
verb 5

Client.conf ->
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1500
remote 24.242.180.212 1194
pkcs12 TPClient1.p12
cipher AES-256-CBC
comp-lzo
verb 3
ns-cert-type server
tls-remote rrcs-24-242-180-212.sw.biz.rr.com
route-method exe
route-delay 2
#mtu-disc maybe

Other information from the Web GUI setup ->
Base DN: CN=Users,DC=hoodview,DC=fcu
LDAP type: Active Directory
Port: 389
LDAP Server: (IP of Active Directory server)
Bind DN username: CN=ipldap,DC=hoodview,DC=fcu
Bind DN password: (correct password)

Log from server ->
13:21:08 openvpnserver[24720]: MULTI: multi_create_instance called
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Re-using SSL/TLS context
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 LZO compression initialized
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL: 0 ]
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL: 0 AF:3/1 ]
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Local Options hash (VER=V4): 'a8f55717'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Expected Remote Options hash (VER=V4): '22188c5b'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 TLS: Initial packet from 166.161.51.82:57552, sid=9663f7bf e051062c
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 VERIFY SCRIPT OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 CRL CHECK OK: /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 VERIFY OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 VERIFY SCRIPT OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 CRL CHECK OK: /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 VERIFY OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 TLS Auth Error: Auth Username/Password verification failed for peer
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 [TPClient1] Peer Connection Initiated with 166.161.51.82:57552
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 PUSH: Received control message: 'PUSH_REQUEST'
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 Delayed exit in 5 seconds
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 SENT CONTROL [TPClient1]: 'AUTH_FAILED' (status=1)
13:21:23 openvpnserver[24720]: 166.161.51.82:57552 SIGTERM[soft,delayed-exit] received, client-instance exiting

I'm really at my wits' end on this.

Thanks in advance.
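The log above shows the certificate stages (tls-verify script, CRL check, chain verification) all succeeding and only the openvpn-auth-pam plugin hook returning status 1, so the rejection comes from the username/password step, not the PKI. The following parser is an added example, not part of the original post or of IPFire; it assumes the openvpnserver line format shown above (display-wrap spaces removed) and classifies each peer by the stage that accepted or rejected it, so the two failure classes can be told apart at a glance.

```python
import re

# One openvpnserver log line: time, daemon[pid], peer ip:port, message.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\s+openvpnserver\[\d+\]:\s+"
                     r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+(?P<msg>.*)$")
CN_RE = re.compile(r"/CN=([^/\s]+)")
PLUGIN_FAIL_RE = re.compile(r"plugin function (\w+) failed with status (\d+): (\S+)")

def classify(lines):
    # Group lines by peer and record which stage accepted or rejected it.
    peers = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # MULTI:/daemon-level lines carry no peer address
        p = peers.setdefault(m["peer"], dict(cn=None, cert_ok=False, cert_error=None,
                                             plugin_failure=None, auth_failed=False, initiated=False))
        msg = m["msg"]
        f = PLUGIN_FAIL_RE.search(msg)
        if msg.startswith("VERIFY OK: depth=0"):   # leaf cert passed chain, tls-verify and CRL
            p["cert_ok"] = True
            cn = CN_RE.search(msg)
            p["cn"] = cn.group(1) if cn else None
        elif msg.startswith(("VERIFY ERROR", "CRL CHECK FAILED", "VERIFY SCRIPT ERROR")):
            p["cert_error"] = msg
        elif f:                                      # a plugin hook returned non-zero
            p["plugin_failure"] = {"hook": f[1], "status": int(f[2]), "plugin": f[3]}
        elif "Peer Connection Initiated" in msg:
            p["initiated"] = True
        elif "'AUTH_FAILED'" in msg:
            p["auth_failed"] = True
    for p in peers.values():
        p["verdict"] = verdict(p)
    return peers

def verdict(p):
    # Separate a PKI rejection from a username/password rejection from a clean login.
    if p["cert_error"]:
        return "certificate rejected: " + p["cert_error"]
    if p["cert_ok"] and p["plugin_failure"] and p["auth_failed"]:
        return "certificate accepted; username/password rejected by " + p["plugin_failure"]["plugin"]
    if p["initiated"] and not p["auth_failed"]:
        return "connected"
    return "incomplete"

# Lines copied from the server log above, with the display-wrap spaces removed.
SAMPLE_LOG = """\
13:21:08 openvpnserver[24720]: MULTI: multi_create_instance called
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 VERIFY OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 [TPClient1] Peer Connection Initiated with 166.161.51.82:57552
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 SENT CONTROL [TPClient1]: 'AUTH_FAILED' (status=1)
""".splitlines()
```

Running `classify(SAMPLE_LOG)` reports the page's peer as "certificate accepted; username/password rejected by /usr/lib/openvpn/openvpn-auth-pam.so", which points the investigation at the PAM service named on the plugin line rather than at the certificates.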
ASKER CERTIFIED SOLUTION
Irwin W.