Nethsecurity beta1 openvpn AUTH_FAILED

I’m just starting to try NethSecurity beta1 (new install of beta1, updated to 8-23.05.2-ns.0.0.1-beta1-10-g355c764) but I’m having problems with OpenVPN roadwarrior with local users:
AUTH: Received control message: AUTH_FAILED
but I’m quite sure of user/pass :slight_smile: and I’ve had no problems with the alpha2.
I hope to have some time tomorrow to do more tests, but in the meantime, has anyone had the same problem?
tnx

Forgot to say: I think the port choice didn’t work (stuck on 1194; if I remember well, also in alpha).

Thanks for the testing!

Did you update the machine from Alpha 1 or is it a clean installation?
From Alpha1 the Roadwarrior server has been almost completely rewritten, so the old configuration does not fit.

Eventually, try these commands and report here:

  • grep ns_roadwarrior1 /var/log/messages
  • uci show users
  • uci show openvpn.ns_roadwarrior1

Clean install, I’ve made a new install to be sure… same problem with
NethSecurity 8-23.05.2-ns.0.0.1-beta1 and
NethSecurity 8-23.05.2-ns.0.0.1-beta1-17-g8b7f385

root@NethSec:~# grep ns_roadwarrior1 /var/log/messages
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 TLS: Initial packet from [AF_INET]>IP<.4:5216 (via [AF_INET]>IP<%eth1), sid=97a8ac6b 9fc24bd3
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 VERIFY OK: depth=1, CN=NethSec
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 VERIFY OK: depth=0, CN=testov1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_VER=2.6.3
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_PLAT=linux
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_TCPNL=1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_MTU=1600
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_NCP=2
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_PROTO=990
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_LZO_STUB=1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_COMP_STUB=1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 peer info: IV_COMP_STUBv2=1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1553'
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 [testov1] Peer Connection Initiated with [AF_INET]>IP<:5216 (via [AF_INET]>IP<%eth1)
Feb 5 17:09:58 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 PUSH: Received control message: 'PUSH_REQUEST'
Feb 5 17:09:58 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 Delayed exit in 5 seconds
Feb 5 17:09:58 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 SENT CONTROL [testov1]: 'AUTH_FAILED' (status=1)
Feb 5 17:10:03 NethSec openvpn(ns_roadwarrior1)[4465]: >IP<:5216 SIGTERM[soft,delayed-exit] received, client-instance exiting

root@NethSec:~# uci show users
users.main=local
users.main.description='Local users'
users.ns_bc3b2d2d=user
users.ns_bc3b2d2d.database='main'
users.ns_bc3b2d2d.name='testov1'
users.ns_bc3b2d2d.password='$6$ea3d8a426860be5e$y51uJO7rY1AJX3IrsbcUvECPMDjv1pHAcaug57OX5f9prn3Ifps1jpeU8JToP.TDJF0wQrXckEIK3j9p3K4zw.'
users.ns_bc3b2d2d.openvpn_enabled='1'
users.ns_bc3b2d2d.openvpn_2fa='ABAHLX2ONZPMNBZDXLDSQBZSY3CCC5G5'

root@NethSec:~# uci show openvpn.ns_roadwarrior1
openvpn.ns_roadwarrior1=openvpn
openvpn.ns_roadwarrior1.proto='udp'
openvpn.ns_roadwarrior1.port='1194'
openvpn.ns_roadwarrior1.dev='tunrw1'
openvpn.ns_roadwarrior1.dev_type='tun'
openvpn.ns_roadwarrior1.topology='subnet'
openvpn.ns_roadwarrior1.float='1'
openvpn.ns_roadwarrior1.passtos='1'
openvpn.ns_roadwarrior1.multihome='1'
openvpn.ns_roadwarrior1.verb='3'
openvpn.ns_roadwarrior1.enabled='1'
openvpn.ns_roadwarrior1.keepalive='20 120'
openvpn.ns_roadwarrior1.server='10.205.109.0 255.255.255.0'
openvpn.ns_roadwarrior1.client_connect='"/usr/libexec/ns-openvpn/openvpn-connect ns_roadwarrior1"'
openvpn.ns_roadwarrior1.client_disconnect='"/usr/libexec/ns-openvpn/openvpn-disconnect ns_roadwarrior1"'
openvpn.ns_roadwarrior1.dh='/etc/openvpn/ns_roadwarrior1/pki/dh.pem'
openvpn.ns_roadwarrior1.ca='/etc/openvpn/ns_roadwarrior1/pki/ca.crt'
openvpn.ns_roadwarrior1.cert='/etc/openvpn/ns_roadwarrior1/pki/issued/server.crt'
openvpn.ns_roadwarrior1.crl_verify='/etc/openvpn/ns_roadwarrior1/pki/crl.pem'
openvpn.ns_roadwarrior1.key='/etc/openvpn/ns_roadwarrior1/pki/private/server.key'
openvpn.ns_roadwarrior1.management='/var/run/openvpn_ns_roadwarrior1.socket unix'
openvpn.ns_roadwarrior1.client_to_client='0'
openvpn.ns_roadwarrior1.auth='SHA256'
openvpn.ns_roadwarrior1.cipher='AES-256-GCM'
openvpn.ns_roadwarrior1.tls_version_min='1.2'
openvpn.ns_roadwarrior1.ns_auth_mode='username_password_certificate'
openvpn.ns_roadwarrior1.ns_tag='automated'
openvpn.ns_roadwarrior1.ns_user_db='main'
openvpn.ns_roadwarrior1.ns_public_ip='>IP<'
openvpn.ns_roadwarrior1.ns_description='ovtest'
openvpn.ns_roadwarrior1.auth_user_pass_verify='/usr/libexec/ns-openvpn/openvpn-local-auth via-env'
openvpn.ns_roadwarrior1.script_security='3'
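
As an added example (not from this thread or the NethSecurity project), a small Python triage script for log lines of exactly this shape: it groups /var/log/messages entries by client endpoint and tells a failing --auth-user-pass-verify program (non-zero exit status, as in the output above) apart from plainly rejected credentials, collecting the option-mismatch warnings separately so they are not confused with the real cause. The sample lines are constructed from the output above, with 203.0.113.4 as a placeholder address.

```python
import re
from collections import defaultdict

# Shape of a /var/log/messages entry written by one OpenVPN instance (syslog prefix,
# "openvpn(<instance>)[pid]: <client ip:port> <message>")
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ openvpn\((?P<inst>[^)]+)\)\[\d+\]: "
                     r"(?P<peer>\S+:\d+) (?P<msg>.*)$")
CN_RE = re.compile(r"VERIFY OK: depth=0, CN=(?P<cn>\S+)")
EXT_RE = re.compile(r"\(--auth-user-pass-verify\).*exited with error status: (?P<rc>\d+)")
INCONS_RE = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently")

def triage(lines, instance="ns_roadwarrior1"):
    """Return {client endpoint: session summary} for the given OpenVPN instance."""
    sessions = defaultdict(lambda: {"cn": None, "script_rc": None,
                                    "auth_failed": False, "inconsistent": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["inst"] != instance:
            continue  # other daemons or another VPN instance
        s, msg = sessions[m["peer"]], m["msg"]
        if (c := CN_RE.search(msg)):
            s["cn"] = c["cn"]              # client certificate already verified
        elif (e := EXT_RE.search(msg)):
            s["script_rc"] = int(e["rc"])  # external verify program failed
        elif "AUTH_FAILED" in msg:
            s["auth_failed"] = True
        elif (w := INCONS_RE.search(msg)):
            s["inconsistent"].append(w["opt"])
    return dict(sessions)

def verdict(s):
    """Classify one session: a broken verify script is not a wrong password."""
    if not s["auth_failed"]:
        return "ok"
    if s["script_rc"] is not None:
        return f"verify-script-error rc={s['script_rc']} cn={s['cn']}"
    return f"credentials-rejected cn={s['cn']}"

# Constructed sample modelled on the thread's log; 203.0.113.4 is a placeholder
SAMPLE = """\
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: 203.0.113.4:5216 VERIFY OK: depth=0, CN=testov1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: 203.0.113.4:5216 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: 203.0.113.4:5216 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 5 17:09:57 NethSec openvpn(ns_roadwarrior1)[4465]: 203.0.113.4:5216 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Feb 5 17:09:58 NethSec openvpn(ns_roadwarrior1)[4465]: 203.0.113.4:5216 SENT CONTROL [testov1]: 'AUTH_FAILED' (status=1)
""".splitlines()

if __name__ == "__main__":
    for peer, s in triage(SAMPLE).items():
        print(peer, verdict(s), "option warnings:", s["inconsistent"])
```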

This doesn’t sound nice

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status:

:+1: I imagined. I’ve noted that some configs on the reverse proxy have also changed, which gave me some problems, but only in one rather particular case.

tnx

Bug confirmed: Trello

I’m looking into it, but for now I have no idea what is the cause of the bug :thinking:

It should have been fixed, there was another related issue: Trello

Can you check it when you have time?

This is the image: 8-23.05.2-ns.0.0.1-beta1-22-gb55d6de

Edit: you can also apply the fixes from the Updates page without flashing the whole system, but in this case you need to set up the user password again.

Tested with:
fixes from update
8-23.05.2-ns.0.0.1-beta1-22-gb55d6de
8-23.05.2-ns.0.0.1-beta1-23-g14ecd89

All working after a new setup of the user password; of course no probs with a new user.
Also solved the loss of config when changing the password :raised_hands:

There is still the problem when changing the server port (less urgent right now, at least for my testbed).

thank you

I will look into it soon, thanks for the tests and for reporting this issue again (I missed it the first time I read it :face_exhaling:)

Bug card: Trello

Just update the packages, ns-api-0.0.31 should fix the issue.

Otherwise use the image 8-23.05.2-ns.0.0.1-beta1-26-g84708c5.

Yes, it’s all working (changed port, firewall rule updated, new config ok) :clap:

Probably not so important, but it is possible to set TCP/443, so unless you are going to implement something like sslh :innocent: I guess it should be denied or written in the docs, or maybe nobody will ever put OpenVPN on 443 :sweat_smile:

thank you

I’d rather not block such configurations: maybe sometime you may really need to set up OpenVPN on port 443 to bypass some strange rule on restricted networks :man_shrugging:

Yep, you are right… actually I remember using it a few times in the past :innocent:
thx