Failed to authenticate w/ Google Authenticator when configuring OpenVPN on OpenWRT - linux

I'm quite new to OpenWRT and I'm facing some problems here.
I set up the OpenVPN server on a Ubuntu using OpenVPN Access Server web GUI, and correspondingly I got the client profile client.ovpn. Also I enabled "Google Authenticator Multi-Factor Authentication". When I configured as a client using client.ovpn, it worked perfectly on my phone, my other PC, but it just failed when I tried to start a client on OpenWRT on my router.
According to https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/, I used openvpn --config client.ovpn --auth-user-pass --auth-retry interact to start a connection, and I was prompted for a username and a password, which makes sense, but then I was never prompted for the authenticator code. Actually when I looked at the response, it did ask me for a code, but I never had a place to enter it. Instead, it asked to enter the username again, thus dropping into a loop. See below: (the forth line from the bottom)
root#OpenWrt:/etc/openvpn# openvpn --config client_gui.ovpn --auth-retry interac
t
Mon Mar 9 19:01:18 2020 Unrecognized option or missing or extra parameter(s) in client_gui.ovpn:124: static-challenge (2.4.7)
Mon Mar 9 19:01:18 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar 9 19:01:18 2020 library versions: mbed TLS 2.16.3, LZO 2.10
Enter Auth Username:london
Enter Auth Password:
Mon Mar 9 19:01:24 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Mar 9 19:01:24 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 9 19:01:24 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar 9 19:01:24 2020 UDP link local: (not bound)
Mon Mar 9 19:01:24 2020 UDP link remote: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 TLS: Initial packet from [AF_INET]192.168.8.222:1194, sid=fb509f08 f4ae8b1f
Mon Mar 9 19:01:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Mar 9 19:01:24 2020 VERIFY OK: nsCertType=SERVER
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Mon Mar 9 19:01:24 2020 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar 9 19:01:24 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:25 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Mon Mar 9 19:01:25 2020 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code
Mon Mar 9 19:01:25 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Mar 9 19:01:25 2020 Restart pause, 5 second(s)
Enter Auth Username:
How can I solve this problem? Is there anything to be modified in client.ovpn? Thank you!


In 18.04, Create a file userpass in same directory as client.ovpn.
Userpass should contains 2 lines
username in first line
password in second line
and save the file, open new terminal, Execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
In 16.04
Execute the following code
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get dist-upgrade
Create a file userpass in same directory as client.ovpn.
Userpass should contains 2 lines
username in first line
password in second line
and save the file, open new terminal, Execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact

Related

Remote port forwarding disconnected when run from cron

I have installed FreeBSD and need to run regularly reverse shell to establish and keep alive SSH connection to the client (no public IP). When running the ssh -R script from the terminal, it works as expected, but when I run it as a cron command, the connection is established and disconnected right after that.
Here is auth.log from the server:
Jan 26 08:50:00 sshd[9696]: Accepted publickey for XXXX from XXX.XXX.XXX.XXX port XXXXX ssh2: RSA SHA256: xxxxxxxxx
Jan 26 08:50:00 sshd[9696]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:00 systemd: pam_unix(systemd-user:session): session opened for user XXXX by (uid=0)
Jan 26 08:50:01 systemd-logind[458]: New session 107 of user XXXX.
Jan 26 08:50:01 sshd[9794]: Received disconnect from XXX.XXX.XXX.XXX port XXXXX:11: disconnected by user
Jan 26 08:50:01 sshd[9794]: Disconnected from user XXXX XXX.XXX.XXX.XXX port XXXXX
Jan 26 08:50:01 sshd[9696]: pam_unix(sshd:session): session closed for user XXXX
Jan 26 08:50:01 systemd-logind[458]: Session 107 logged out. Waiting for processes to exit.
Jan 26 08:50:01 systemd-logind[458]: Removed session 107.
Do you have an idea, what causes this behavior and how to fix it?

Solved - see posts above. Thanks

NodeJS SSH2 module data returned in inconsistent format

I am using the ssh2 node module to connect via ssh to a server. After which I run a command to list print ques and put them into an array, the command is lpstat -o.
When I use putty and ssh into a server and run this command, I get data returned like this:
LABEL008-2287 printeng 1024 Tue 08 Oct 2019 08:30:20 AM CDT
LABEL008-2288 printeng 1024 Tue 08 Oct 2019 08:30:20 AM CDT
LABEL002-2292 printeng 1024 Tue 08 Oct 2019 10:05:11 AM CDT
LABEL002-2293 printeng 1024 Tue 08 Oct 2019 10:05:11 AM CDT
However, when I use nodejs and run the command the data comes at times comes inconsistently (cut off) like this:
LABEL008-2287 printeng 1024 Tue Oct 8 08:30:20 2019
LABEL008-2288 printeng 1024 Tue Oct 8 08:30:20 2019
LABEL002-2294 printeng 1024 Tue Oct 8 10:05:12 2019
LABEL002-2298 printeng 1024 Tue Oct 8 10:05:12
2019
LABEL008-2299 printeng 1024 Tue Oct 8 10:05:15 2019
LABEL008-2300 printeng 1024 Tue Oct 8 10:05:17 2019
This is troublesome as I am needing to split the data by new line '\n\' and put it into an array which I am achieving like so:
}).on('data', function(data) {
const myArray = data.toString().split('\n');
I am not sure if this is an issue or limitation with the node module itself or if I am missing an option or configuration with how the data stream should be handled.

Servers with same timezone but different time

I have 3 servers, 2 on AWS and one on Digital Ocean, and the timezone for all is set to CDT. But when I check the current time on all 3 by using the date command via command line, none of them matches.
Server1: Wed Jun 12 23:36:01 CDT 2019
Server2: Wed Jun 12 23:45:51 CDT 2019
Server3: Wed Jun 12 23:38:39 CDT 2019
Could anyone please suggest what needs to be done here? Thanks.

Since you have not explicitly said that you have ntp running on them, you'll need to install that. Once that is installed and set up properly, you should show the same exact time on all of them.

Long MAC addres in Cisco DHCP binding

i have problem whith Cisco DHCP. On switch C6506 in "sh ip dhcp binding" table are the long MAC addres. What is the problem? The one MAC (00.16e6.448a.e4) have more IP addres.
158.195.40.46 id ffe6.448a.e400.0100.011d.69e6.3900.16e6.448a.e4 Mar 12 2016 03:35 PM
158.195.46.201 id ffe6.448a.e400.0100.011d.d88f.c400.16e6.448a.e4 Mar 12 2016 12:10 PM
158.195.46.202 id 0100.16e6.448a.e4 Mar 12 2016 02:09 PM
158.195.46.203 id ffe6.448a.e400.0100.011d.d8b0.1b00.16e6.448a.e4 Mar 12 2016 02:28 PM
158.195.46.204 id ffe6.448a.e400.0100.011d.d8b2.0500.16e6.448a.e4 Mar 14 2016 09:53 PM

Answer is here: https://supportforums.cisco.com/discussion/12708241/weird-mac-address-dhcp-binding
"Okay. Please check the file /etc/dhcp/dhclient.conf on the Fedora machine and add the following line to the file:
send dhcp-client-identifier = hardware;
If there are any other instances of this command in that file, please remove them - make sure this is the only one."

Pass private key password to openvpn command directly in Ubuntu 10.10 [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I tried the method with different parameter
I have password.
Here below password is mypassword
1)
root$ echo mypassword || openvpn client.conf.ovpn
the result was display:
mypassword
2)
root$ openvpn client.warriors.conf.ovpn || echo mypassword
the result was display:
Thu Jun 28 00:00:00 2012 us=757575 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
(still need to enter password manualy )
I don't want to have to enter the password manually. How can I achieve this?
3)
DUDE
After running the script it exit out with following:
Fri Jun 29 11:56:59 2012 us=707916 cf_max = 0
Fri Jun 29 11:56:59 2012 us=707925 cf_per = 0
Fri Jun 29 11:56:59 2012 us=707934 max_clients = 1024
Fri Jun 29 11:56:59 2012 us=707944 max_routes_per_client = 256
Fri Jun 29 11:56:59 2012 us=707953 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707963 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 29 11:56:59 2012 us=707973 ssl_flags = 0
Fri Jun 29 11:56:59 2012 us=707982 port_share_host = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707992 port_share_port = 0
Fri Jun 29 11:56:59 2012 us=708001 client = ENABLED
Fri Jun 29 11:56:59 2012 us=708010 pull = ENABLED
Fri Jun 29 11:56:59 2012 us=708020 auth_user_pass_file = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=708032 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Fri Jun 29 11:56:59 2012 us=708131 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Fri Jun 29 11:56:59 2012 us=726649 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 29 11:56:59 2012 us=726805 WARNING: file 'client-team-20110222.key' is group or others accessible
Fri Jun 29 11:56:59 2012 us=727136 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Jun 29 11:56:59 2012 us=875611 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876742 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876777 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jun 29 11:56:59 2012 us=876788 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jun 29 11:56:59 2012 us=876810 Local Options hash (VER=V4): 'd902a8f8'
Fri Jun 29 11:56:59 2012 us=876825 Expected Remote Options hash (VER=V4): '7e078940'
Fri Jun 29 11:56:59 2012 us=877124 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jun 29 11:56:59 2012 us=877145 Attempting to establish TCP connection with [AF_INET]89.105.130.193:444 [nonblock]
Fri Jun 29 11:57:00 2012 us=877280 TCP connection established with [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877337 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jun 29 11:57:00 2012 us=877353 TCPv4_CLIENT link local: [undef]
Fri Jun 29 11:57:00 2012 us=877364 TCPv4_CLIENT link remote: [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877568 TLS: Initial packet from [AF_INET]89.105.130.193:444, sid=c5d843bc e9f3e6ab
Fri Jun 29 11:57:04 2012 us=105788 VERIFY OK: depth=1, /C=IE/ST=NA/L=DUB/O=ABC.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops#abc.com
Fri Jun 29 11:57:04 2012 us=106189 VERIFY OK: nsCertType=SERVER
Fri Jun 29 11:57:04 2012 us=106202 VERIFY OK: depth=0, /C=IE/ST=NA/O=abc.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops#abc.com
root#bond$
exit in this way is it normal.

In my openvpn.conf:
...
askpass /etc/openvpn/jdoe.pass <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...
The file /etc/openvpn/jdoe.pass just contains the password.
You can chmod this file to 600.
This method save my life... ;-)
Ubuntu 12.04.4 LTS
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014

How about storing it into a file and using --askpass /your/file? --askpass option was added in OpenVPN version 2.0-beta20, Maverick has version 2.1.0-3ubuntu1.

Try a shell script such as:
#!/usr/bin/expect -f
spawn openvpn client.warriors.conf.open
match_max 100000
expect "*?assword:*"
send -- "mypassword"
send -- "\r"
expect eof
You'll need to chmod +x this, you can also set it as an environment variable so you don't have to type out the directory.
Looks like they got this script to work: https://unix.stackexchange.com/questions/9055/establish-openvpn-tunnel-in-bash-script

I think you just swipe | and || operator.
| plug standard output o the previous command to standard input of the next command.
|| launch second command only if first command fail (exit code != 0).
this command should work.
root$ echo mypassword | openvpn client.conf.ovpn

Resources