RichardPWolf asked:


Trying to set up an OpenVPN server that will authenticate users against Active Directory.
I currently have it running using client/server certificates and all is good. When I add the appropriate settings for user authentication I can't connect.
I'm using IPFIRE 3.2.48-ipfire-pae. Not sure what flavor of Linux it's built around. Website is ipfire.org.

Server.conf ->
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
tun-mtu 1500
push "route"
push "route"
push "route"
push "route"
push "route"
push "route"
push "route"
push "route"
mtu-disc maybe
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher AES-256-CBC
push "redirect-gateway def1"
push "dhcp-option DOMAIN hoodview.fcu"
push "dhcp-option DNS"
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
user nobody
group nobody
verb 5

Client conf.->
#OpenVPN Client conf
dev tun
proto udp
tun-mtu 1500
remote 1194
pkcs12 TPClient1.p12
cipher AES-256-CBC
verb 3
ns-cert-type server
tls-remote rrcs-24-242-180-212.sw.biz.rr.com
route-method exe
route-delay 2
#mtu-disc maybe

Other information from the Web Gui setup->
Base DN; CN=Users,DC=hoodview,DC=fcu
LDAP type: Active Directory
Port: 389
LDAP Server: (IP of Active directory server)
Bind DN username: CN=ipldap,DC=hoodview,DC=fcu
Bind DN password: (correct password)

Log from server->
13:21:08 openvpnserver[24720]: MULTI: multi_create_instance called
13:21:08 openvpnserver[24720]: Re-using SSL/TLS context
13:21:08 openvpnserver[24720]: LZO compression initialized
13:21:08 openvpnserver[24720]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
13:21:08 openvpnserver[24720]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
13:21:08 openvpnserver[24720]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
13:21:08 openvpnserver[24720]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
13:21:08 openvpnserver[24720]: Local Options hash (VER=V4): 'a8f55717'
13:21:08 openvpnserver[24720]: Expected Remote Options hash (VER=V4): '22188c5b'
13:21:08 openvpnserver[24720]: TLS: Initial packet from, sid=9663f7bf e051062c
13:21:15 openvpnserver[24720]: VERIFY SCRIPT OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: CRL CHECK OK: /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: VERIFY OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:16 openvpnserver[24720]: VERIFY SCRIPT OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: CRL CHECK OK: /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: VERIFY OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
13:21:16 openvpnserver[24720]: PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
13:21:16 openvpnserver[24720]: TLS Auth Error: Auth Username/Password verification failed for peer
13:21:16 openvpnserver[24720]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
13:21:16 openvpnserver[24720]: [TPClient1] Peer Connection Initiated with 52
13:21:18 openvpnserver[24720]: PUSH: Received control message: 'PUSH_REQUEST'
13:21:18 openvpnserver[24720]: Delayed exit in 5 seconds
13:21:18 openvpnserver[24720]: SENT CONTROL [TPClient1]: 'AUTH_FAILED' (status=1)
13:21:23 openvpnserver[24720]: SIGTERM[soft,delayed-exit] received, client-instance exiting

I'm really at my wits end on this.

Thanks in advance.


8/22/2022 - Mon
Irwin W.

Are you sure the Canonical name is correct that points to the OU where your users reside?

Did you also set as seen in the screenshot?


OK, what I used for the LDAP. My screen is a little different than yours:

Is there a test I can perform that would validate a user logon request via the cli? i.e. "root-Prompt> validate user xxxx password yyy" against the ldap server?

Another thing where can I go behind the scenes to verify the settings that are put in the WUI?
What I'm most interested in is to verify that ldap is trying to pull the correct attribute.

Irwin W.

You can try this app to see if it works http://www.ldapbrowser.com/download.htm

I already use that. What I'm looking for is a way from the cli of the openvpn server to verify connectivity to the AD server.
Irwin W.

Well, I am not familiar with the appliance you are using. At the same time, it looks as though there is a required field that you're missing information for.

missing field
If you're using LDAPBrowser, then you should also be able to test your credentials.  If you want to see if credentials work, create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process.

With my OpenVPN appliance, I have a log file and if my bind account fails for lookups, an error such as the following is generated:

LDAP invalid credentials on ldap:// {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'} (facility='admin_bind to [CN=OpenVPN,OU=VPNUsers,DC=myDomain,DC=net,DC=private]')

When I am successful in connecting to my DC for authentication and the user doesn't exist, I get this error generated in my logs:

 LDAP exception on ldap:// (facility='search ('OU=VPNUsers,DC=myDomain,DC=net,DC=private', 2, '(sAMAccountName=test)')'): user not found: auth/authldap:128,python2.6/threading:504,python2.6/threading:532,python2.6/threading:484,python/threadpool:210,python/context:59,python/context:37,auth/authldap:93,auth/authldap:128,util/error:60,util/error:43

When I am successful in connecting to my DC for authentication and an account fails with an invalid password, I get this error generated in my logs:

LDAP invalid credentials on ldap:// {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on [CN=Finance POC,OU=VPNUsers,DC=myDomain,DC=net,DC=private] via search ('OU=VPNUsers,DC=myDomain,DC=net,DC=private', 2, '(sAMAccountName=finance)')')
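
Added example (not from this thread, and not IPFire's, OpenVPN's or OpenVPN-AS's own code): a small Python triage helper that decodes the Active Directory bind sub-code in LDAP lines like the two quoted above (data 525 versus data 52e) and, for an OpenVPN server log like the one in the question, reports which stage failed first: the certificate chain, the CRL check, or the auth-pam plugin. The sub-code table and function names are my additions; the sample lines are copied from this thread.

```python
import re

# Sub-codes Active Directory puts in the "data NNN" field of an LDAP
# invalidCredentials result (standard AD values; this table is added here).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "533": "account disabled",
    "775": "account locked out",
}
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")
FACILITY_RE = re.compile(r"facility='(\w+)")
PLUGIN_RE = re.compile(r"PLUGIN_AUTH_USER_PASS_VERIFY (?:status=|failed with status )(\d+)")

def classify_ldap_line(line):
    """Return (facility, meaning) for an AD bind error line, or None."""
    m = AD_DATA_RE.search(line)
    if not m:
        return None
    fac = FACILITY_RE.search(line)
    return (fac.group(1) if fac else "unknown",
            AD_BIND_SUBCODES.get(m.group(1), "unknown code " + m.group(1)))

def first_failing_stage(lines):
    """Name the first stage (cert, crl, plugin) that failed in a server log."""
    stage = {"cert": None, "crl": None, "plugin": None}
    for line in lines:
        if "VERIFY ERROR" in line or "VERIFY SCRIPT ERROR" in line:
            stage["cert"] = "failed"
        elif "VERIFY OK" in line and stage["cert"] is None:
            stage["cert"] = "ok"
        if "CRL CHECK FAILED" in line:
            stage["crl"] = "failed"
        elif "CRL CHECK OK" in line and stage["crl"] is None:
            stage["crl"] = "ok"
        m = PLUGIN_RE.search(line)
        if m:
            stage["plugin"] = "ok" if m.group(1) == "0" else "failed"
    # Chain and CRL are checked before the plugin runs, so report the earliest failure.
    for name in ("cert", "crl", "plugin"):
        if stage[name] == "failed":
            return name
    return "none"

# Constructed sample input: the two AD bind errors quoted in this thread.
SAMPLE_LDAP = [
    "LDAP invalid credentials on ldap:// {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'} (facility='admin_bind to [CN=OpenVPN,OU=VPNUsers,DC=myDomain,DC=net,DC=private]')",
    "LDAP invalid credentials on ldap:// {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on [CN=Finance POC,OU=VPNUsers,DC=myDomain,DC=net,DC=private]')",
]
```

Run against the question's log, the chain and CRL lines come back OK and the auth-pam plugin is the first failing stage, which matches the AUTH_FAILED the client received.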

Great let me look into what you've said. On the picture the red * means that the field is optional and I've created a group and tried it. I'm going to go through this with a fresh perspective and redo everything. One piece of information would help. In a standard LDAP configuration, "Where is the configuration file stored within Linux?" I want to verify what is seen on the GUI is what is in the configuration. I'm especially interested in the sAMAccountName attribute.

Irwin W.

The install path is here /usr/local/openvpn_as

Some config files are here /usr/local/openvpn_as/etc

Thanks, I wasn't able to work on it yesterday but will try to check things out today.

OK, finally got a chance to work on it. Here's the latest log from openvpn.
Irwin W.

I do not see any attempts against your Active Directory environment. Also it does not seem to show any type of communication towards Active Directory.

Are you sure that it is configured and functioning properly?

Can you test using LDAP browser and verify the password and username does work?

The credentials I'm using are the ones I use every day to log into my system. Ran the LDAP browser but not sure where to test the credentials; however, as I've said, it's the same username/password I use every day. Your first comment on not authenticating against the AD environment, in my opinion, is where my problem lies.

As I'm using TLS should I be using port 389 or 636 for LDAP?
Irwin W.

I use port 389.

I mean if you are not even seeing any attempt to communicate with your AD server such as the errors I included a few posts ago, my inclination is to think that your appliance is not even making an attempt to connect to your AD box for authentication.

That's kind of what I'm thinking. I'd like to go into the CLI and attempt to do an LDAP query from it but I don't know if I can. There was a post on another board that basically had me do a DNS query and that works fine. The other thing: "could" there be a setting on the web proxy page (further up on the screen) that's keeping me from connecting correctly?

Also using LDP (another ldap query tool) I can bind with the AD servers just fine using the domain account that I created specifically for this box.

I'm back from vacation and I'll be starting to work on this again after the 1st.

If I can't get this resolved what are your thoughts on using the standard OpenVPN on OpenSUSE?
Irwin W.


Great, Thanks.

I'm not quite ready to give up on this installation but if I can't get the authentication working I don't see what else I can do.

Appears my configuration is correct but nobody on any forum I've visited can help me solve this. I believe it's an issue within the Linux core of this release. As to other OpenVPN solutions... generally too expensive to implement. So we'll be looking for another solution. Too bad, as I really like how IPFIRE has done their overall package.

Thanks for your help.
Irwin W.

BTW, you should check out pfSense. They also have an implementation of OpenVPN that works.

Sorry for the delay. Yes, I have been trying to get that working. So far it hasn't worked for me.
Irwin W.

Interesting.  I use it and it works well. What issue are you having?

Mostly hardware. Haven't found a spare box around here that works. At this point it has been moved to the back burner as we're looking at some consolidation of services.
Irwin W.

OK. Try this out when you have some time. It would walk you through it but I think this has all the instructions you will need :)


Thanks, Will do.

Just tried the link. It won't open.