09-06-2021 07:02 AM
Hello,
I am receiving the following error when trying to use Duo Mobile push or passcode for 2FA with OpenVPN on a Linux server and Linux client.
“AUTH: Received control message: AUTH_FAILED”
I have successfully installed and test-push authenticated the device in the Duo Control Panel but cannot make OpenVPN and Duo talk to one another.
If I use the VPN without the Duo plugin it works fine.
Below are all the logs and details of the system etc. that you need to help me…
client log
Mon Sep 6 14:42:24 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Mon Sep 6 14:42:24 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Auth Username: user
Enter Auth Password: ****
Mon Sep 6 14:42:29 2021 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Sep 6 14:42:29 2021 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Sep 6 14:42:29 2021 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Sep 6 14:42:29 2021 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Sep 6 14:42:29 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxxx:1194
Mon Sep 6 14:42:29 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep 6 14:42:29 2021 UDP link local: (not bound)
Mon Sep 6 14:42:29 2021 UDP link remote: [AF_INET]xxxxxxxxxxx:1194
Mon Sep 6 14:42:29 2021 TLS: Initial packet from [AF_INET]xxxxxxxxxx:1194, sid=3f71a918 1e6f354b
Mon Sep 6 14:42:29 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 6 14:42:29 2021 VERIFY OK: depth=1, CN=cn_xxxxxxxxxxxxxxxx
Mon Sep 6 14:42:29 2021 VERIFY KU OK
Mon Sep 6 14:42:29 2021 Validating certificate extended key usage
Mon Sep 6 14:42:29 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 6 14:42:29 2021 VERIFY EKU OK
Mon Sep 6 14:42:29 2021 VERIFY X509NAME OK: CN=server_xxxxxxxxxxxxxxxxxx
Mon Sep 6 14:42:29 2021 VERIFY OK: depth=0, CN=server_xxxxxxxxxxxxxxxxxx
Mon Sep 6 14:42:29 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Mon Sep 6 14:42:29 2021 [server_xxxxxxxxxxxxxxxxxx] Peer Connection Initiated with [AF_INET]xxxxxxxxxx:1194
Mon Sep 6 14:42:30 2021 SENT CONTROL [server_xxxxxxxxxxxxxxxxxx]: 'PUSH_REQUEST' (status=1)
Mon Sep 6 14:42:30 2021 AUTH: Received control message: AUTH_FAILED
Mon Sep 6 14:42:30 2021 SIGUSR1[soft,auth-failure] received, process restarting
server log
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 TLS: Initial packet from [AF_INET]xxxxxxxxxxxxx:56704, sid=6a36d443 8a1565fe
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 VERIFY OK: depth=1, CN=cn_xxxxxxxxxxxx
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 VERIFY OK: depth=0, CN=client
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_VER=2.4.7
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_PLAT=linux
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_PROTO=2
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_NCP=2
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_LZ4=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_LZ4v2=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_LZO=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_COMP_STUB=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_COMP_STUBv2=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 peer info: IV_TCPNL=1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 TLS: Username/Password authentication deferred for username 'user'
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Mon Sep 6 14:42:29 2021 xxxxxxxxxxxxx:56704 [client] Peer Connection Initiated with [AF_INET]xxxxxxxxxxxxx:56704
Mon Sep 6 14:42:30 2021 xxxxxxxxxxxxx:56704 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 6 14:42:30 2021 xxxxxxxxxxxxx:56704 Delayed exit in 5 seconds
Mon Sep 6 14:42:30 2021 xxxxxxxxxxxxx:56704 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mon Sep 6 14:42:35 2021 xxxxxxxxxxxxx:56704 SIGTERM[soft,delayed-exit] received, client-instance exiting
client system
Linux Mint (Ubuntu) 20.04.2
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
server system
Ubuntu Server 20.04.2 LTS
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
openvpn installed from
client config
client
dev tun
proto udp
remote xxxxxxxxxxxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-GCM
verb 3
auth-user-pass
reneg-sec 0
verify-x509-name server_xxxxxxxxxxxx name
remote-cert-tls server
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
server config
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_xxxxxxxxxxxxxxxxxx.crt
key server_xxxxxxxxxxxxxxxxxx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
plugin /opt/duo/duo_openvpn.so 'xxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ■■■■■■■■■■■■■■■■■■■■■■■■■■■■'
reneg-sec 0
connection test from my server to duo server on port 443
$ telnet ■■■■■■■■■■■■■■■■■■■■■■■■■■■■ 443
Trying 52.19.127.204...
Connected to ■■■■■■■■■■■■■■■■■■■■■■■■■■■■.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
client start command line
sudo openvpn --config client.ovpn --auth-retry interact
server start command line
/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
If I use the VPN without the Duo plugin it works fine.
Hope someone can help.
Regards,
Paully
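The server log above already contains the two names that matter: the client certificate's common name (the `VERIFY OK: depth=0, CN=client` line) and the username typed at the prompt (`deferred for username 'user'`). The following is an added example, not code from the thread or from Duo: a shell function that walks an OpenVPN server log, pairs those two names per client session (OpenVPN prefixes every line of a session with the same `ip:port`), and for every session that was sent `AUTH_FAILED` says whether the certificate CN is one of the Duo usernames you pass in. It assumes, as the syslog finding later in this thread shows, that the Duo plugin looks the certificate CN up in Duo rather than the typed username. The log lines it runs on are constructed (203.0.113.x are placeholder addresses): session 1 mirrors the post, session 2 succeeds, session 3 fails although its CN is enrolled.

```shell
#!/bin/sh
# Added example, not code from the thread or from Duo. Pairs each client session's
# certificate CN with the typed username and reports sessions that got AUTH_FAILED.
# Assumption (what the syslog finding later in this thread shows): the Duo plugin
# asks Duo for the certificate CN, so that is the name that must exist in Duo.

# Usage: duo_cn_report 'duo_user1,duo_user2' < /var/log/openvpn/openvpn.log
duo_cn_report() {
    awk -v enrolled="$1" '
    BEGIN { n = split(enrolled, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    # $6 is the ip:port prefix OpenVPN puts on every line of one client session
    /VERIFY OK: depth=0, CN=/ { cn[$6] = substr($0, index($0, "CN=") + 3) }
    /authentication deferred for username/ {
        u = substr($0, index($0, "username ") + 9)
        gsub(/[^A-Za-z0-9_.@-]/, "", u)   # drop the quotes around the name
        user[$6] = u
    }
    /SENT CONTROL .*AUTH_FAILED/ {
        c = cn[$6]
        if (c in ok) {
            verdict = "Duo user exists; check syslog for the plugin reason"
        } else {
            verdict = "no Duo user with this name; create it or issue the cert with an enrolled CN"
        }
        printf "%s AUTH_FAILED: cert CN=%s typed user=%s: %s\n", $6, c, user[$6], verdict
    }'
}

# Constructed sample modelled on the server log in the post (203.0.113.x are
# placeholder addresses): session 1 mirrors the post (CN "client", typed "user"),
# session 2 succeeds, session 3 fails although its CN is enrolled.
sample_log() {
    cat <<'EOF'
Mon Sep 6 14:42:29 2021 203.0.113.10:56704 VERIFY OK: depth=1, CN=cn_example
Mon Sep 6 14:42:29 2021 203.0.113.10:56704 VERIFY OK: depth=0, CN=client
Mon Sep 6 14:42:29 2021 203.0.113.10:56704 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mon Sep 6 14:42:29 2021 203.0.113.10:56704 TLS: Username/Password authentication deferred for username 'user'
Mon Sep 6 14:42:30 2021 203.0.113.10:56704 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mon Sep 6 14:43:01 2021 203.0.113.11:40210 VERIFY OK: depth=0, CN=client_aksjghcqweku
Mon Sep 6 14:43:01 2021 203.0.113.11:40210 TLS: Username/Password authentication deferred for username 'client_aksjghcqweku'
Mon Sep 6 14:43:09 2021 203.0.113.11:40210 SENT CONTROL [client_aksjghcqweku]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0' (status=1)
Mon Sep 6 14:44:12 2021 203.0.113.12:51000 VERIFY OK: depth=0, CN=client_aksjghcqweku
Mon Sep 6 14:44:12 2021 203.0.113.12:51000 TLS: Username/Password authentication deferred for username 'client_aksjghcqweku'
Mon Sep 6 14:44:13 2021 203.0.113.12:51000 SENT CONTROL [client_aksjghcqweku]: 'AUTH_FAILED' (status=1)
EOF
}

sample_log | duo_cn_report 'client_aksjghcqweku'
```

Run against the real file with `duo_cn_report 'name1,name2' < /var/log/openvpn/openvpn.log`. The first reported line is the situation in this thread: a certificate issued to `client` while the only Duo user is `client_aksjghcqweku`. The third session shows the other case, where the name is right and the reason for the failure has to come from the plugin's own syslog output, which the OpenVPN log does not carry.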
09-07-2021 06:39 AM
Is that server output from openvpn.log? Check your syslog for any entries at that same time that might give more information about the Duo auth status.
09-07-2021 08:06 AM
Ah ha!
Found it!
It’s now working!
The syslog pointed to the fact that the user 'client' had not been set up and authenticated.
In the admin pages, I had set up user called ‘client_aksjghcqweku’.
In the Linux console, I had tried the Common Name (cn) which the github script set up and it had something like ‘client_aksjghcqweku’
Now, in the command line, I type ‘openvpn --config client.ovpn’ to start the client side.
How can one check the common name that has been used for a client so I can add another user to test again?
09-07-2021 09:44 AM
It looks like the script prompts you for the client name and then issues the cert to that client name value. So whatever value you give when prompted to create the client, create an end user in Duo with that client name as the username and a 2FA push/call device.
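To answer the question above about checking which common name a client was issued, here is an added example (shell; not code from the thread, the install script or Duo). It reads the CN straight out of the client's .ovpn, whose certificate sits in an inline `<cert>` block as in the posted client config, and checks that name against the Duo usernames you have created. The assumptions are that `openssl` is installed and, as this thread's syslog finding indicates, that the Duo plugin authenticates the certificate CN. To run offline it builds a throw-away .ovpn with a self-signed certificate whose CN is the "client name" you would type at the script's prompt; the real script signs with its own CA, which does not change the CN check.

```shell
#!/bin/sh
# Added example, not code from the thread, the install script or Duo. Reads the CN
# out of a client's .ovpn (the inline <cert> block) and checks it against the Duo
# usernames you have created, since (assumption, consistent with the syslog finding
# in this thread) the Duo plugin authenticates the certificate CN. Needs openssl.

# Print the CN of the certificate inside the <cert> block of an .ovpn; empty if none.
ovpn_client_cn() {
    sed -n '/^<cert>$/,/^<\/cert>$/p' "$1" | sed '1d;$d' \
      | openssl x509 -noout -subject -nameopt sep_multiline 2>/dev/null \
      | sed -n 's/^ *CN *= *//p'
}

# $1 = .ovpn, $2 = comma-separated Duo usernames. Returns 0 on match, 1 on mismatch,
# 2 when no certificate could be read.
duo_user_matches() {
    cn=$(ovpn_client_cn "$1")
    if [ -z "$cn" ]; then
        echo "no <cert> block (or unreadable cert) in $1" >&2
        return 2
    fi
    case ",$2," in
        *",$cn,"*) echo "OK: cert CN '$cn' has a matching Duo user"; return 0 ;;
        *) echo "MISMATCH: cert CN '$cn' is not a Duo username; create Duo user '$cn' or reissue the cert with an enrolled name" >&2; return 1 ;;
    esac
}

# Build a throw-away .ovpn: the "client name" becomes the CN, as at the install
# script's prompt. Self-signed here; the script signs with its own CA.
make_demo_ovpn() {   # $1 = client name, $2 = output path
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
        -keyout "$tmp/client.key" -out "$tmp/client.crt" 2>/dev/null
    {
        printf 'client\ndev tun\nproto udp\nauth-user-pass\n<cert>\n'
        cat "$tmp/client.crt"
        printf '</cert>\n<key>\n'
        cat "$tmp/client.key"
        printf '</key>\n'
    } > "$2"
    rm -rf "$tmp"
}

demo=$(mktemp)
make_demo_ovpn client_aksjghcqweku "$demo"
ovpn_client_cn "$demo"                                   # client_aksjghcqweku
duo_user_matches "$demo" 'alice,client_aksjghcqweku'     # OK: cert CN 'client_aksjghcqweku' has a matching Duo user
rm -f "$demo"
```

On a real client file, `ovpn_client_cn client.ovpn` prints the name the Duo plugin will send; create exactly that user (with a push or phone device) in Duo, or pass your Duo user list to `duo_user_matches` to confirm before the next connection attempt.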
09-08-2021 12:32 AM
OK, thanks for your help!
I am impressed that you took the time to look through the github script, nicely done.