OpenVPN AUTH_FAILED Help!

Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Wed Oct 03, 2018 22:55    Post subject: OpenVPN AUTH_FAILED Help!
I've been trying to get OpenVPN set up on my router and have got totally stuck (I am a noob but have tried my best to resolve before shouting out). I'm sure it must be something trivial but I've checked and rechecked server and client config as per guidance line by line, recreated/re-copied all certs/keys necessary and even reset router but keep getting AUTH_FAILED error at point of peer connection every time.

I'd be grateful for some pointers as I don't really know where to go next or what else I can troubleshoot.

Running OpenVPN 2.4.6 client on Windows 10
DD-WRT on Netgear WNDR4000 - Build 36527 big

Log file:

Wed Oct 03 22:59:14 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Oct 03 22:59:14 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Oct 03 22:59:14 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Oct 03 22:59:14 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Oct 03 22:59:14 2018 Need hold release from management interface, waiting...
Wed Oct 03 22:59:14 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'state on'
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'log all on'
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'echo all on'
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'bytecount 5'
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'hold off'
Wed Oct 03 22:59:14 2018 MANAGEMENT: CMD 'hold release'
Wed Oct 03 22:59:14 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 03 22:59:14 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 03 22:59:14 2018 MANAGEMENT: >STATE:1538603954,RESOLVE,,,,,,
Wed Oct 03 22:59:14 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]5.67.20.85:1194
Wed Oct 03 22:59:14 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Oct 03 22:59:14 2018 UDP link local: (not bound)
Wed Oct 03 22:59:14 2018 UDP link remote: [AF_INET]5.67.20.85:1194
Wed Oct 03 22:59:14 2018 MANAGEMENT: >STATE:1538603954,WAIT,,,,,,
Wed Oct 03 22:59:14 2018 MANAGEMENT: >STATE:1538603954,AUTH,,,,,,
Wed Oct 03 22:59:14 2018 TLS: Initial packet from [AF_INET]5.67.20.85:1194, sid=74639ce6 4c6fc782
Wed Oct 03 22:59:16 2018 VERIFY OK: depth=1, C=UK, ST=England, L=London, O=OpenVPN, CN=OpenVPN-CA, name=xxx, emailAddress=xxx@gmail.com
Wed Oct 03 22:59:16 2018 VERIFY KU OK
Wed Oct 03 22:59:16 2018 Validating certificate extended key usage
Wed Oct 03 22:59:16 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 03 22:59:16 2018 VERIFY EKU OK
Wed Oct 03 22:59:16 2018 VERIFY OK: depth=0, C=UK, ST=England, L=London, O=OpenVPN, CN=server, name=xxx, emailAddress=xxx@gmail.com
Wed Oct 03 22:59:17 2018 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Oct 03 22:59:17 2018 [server] Peer Connection Initiated with [AF_INET]5.67.20.85:1194
Wed Oct 03 22:59:18 2018 MANAGEMENT: >STATE:1538603958,GET_CONFIG,,,,,,
Wed Oct 03 22:59:18 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 03 22:59:18 2018 AUTH: Received control message: AUTH_FAILED
Wed Oct 03 22:59:18 2018 SIGUSR1[soft,auth-failure] received, process restarting
Wed Oct 03 22:59:18 2018 MANAGEMENT: >STATE:1538603958,RECONNECTING,auth-failure,,,,,
Wed Oct 03 22:59:18 2018 Restart pause, 5 second(s)
Wed Oct 03 22:59:21 2018 SIGTERM[hard,init_instance] received, process exiting
Wed Oct 03 22:59:21 2018 MANAGEMENT: >STATE:1538603961,EXITING,init_instance,,,,,

Client config:

client
dev tun
proto udp
remote [xxxDDNSURL] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth sha256
comp-lzo
verb 3
float
tls-version-min 1.2
redirect-gateway def1

Server config:

Using the GUI but can provide any info. Ports, ciphers, hash, LZO compression all match as far as I can tell.

Firewall command:
iptables -t nat -A POSTROUTING -s [xxxVPNIP]/24 -o eth0 -j MASQUERADE

The only other things I can think of that I've not yet done are upgrade DD-WRT to latest release, and reinstall OpenVPN / easy-rsa.

I've drawn blanks on forums thus far, hence opening up to see if anyone can help? Happy to share further info as needed - pls just let me know.......

Thanks in advance.
notorious.dds
DD-WRT User


Joined: 24 May 2012
Posts: 376
Location: Michigan

Posted: Thu Oct 04, 2018 1:49
Clearly your issue is during authentication given the error you're getting.

If you just created your keys and your router is using a time other than GMT, this can happen because the keys have a very specific period of validation (right down to the second). That validation is often specified in GMT. If your router is set to say GMT -8, your keys won't become valid for 8 hours after they're created.

However, if that's not your issue, the first thing I'd recommend is removing unneeded parameters until you get a successful connection. Once it starts working, you can add them back and troubleshoot along the way.

For example, I'd start my troubleshooting by removing the following parameters from your config files:
tls-auth
tls-cipher
tls-version-min
... and see what happens.
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Thu Oct 04, 2018 6:16
Thanks Notorious, that's good advice.

Funnily I did change time server when first setting up (moved to google.time set to London/europe) and now the laptop creating the certs is on a different timeserver (us.mil set to gmt). Also, if anything, I've been adding complexity to try and search for the right config combo not stripping back.....

I'll have a crack standardising timeserver and regenerating keys first, and then pare back config later tonight and post how I get on.
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Sun Oct 07, 2018 10:36
Hi,

Been playing around for a few evenings to see what I can come up with and I'm stuck again. I've checked timeservers, pared back configuration to bare minimum but still cannot get a connection with any combination of settings - always get to AUTH_FAILED when the certs have been verified as per previous log file. I've checked both in and outbound firewall logs and can see the inbound UDP traffic which is accepted, but no UDP 1194 outbound traffic so my assumption is that the client connects to the server, does the initial cert verification then the server tries to respond but can't reach the client, hence the AUTH_FAILED error?

I have the VPN server on the DD-WRT router, and this is sitting behind a Sky Q router which is configured as DMZ and points all internet traffic direct to / from the DD-WRT router. At this stage I believe that I might be missing another DD-WRT firewall rule to NAT the outbound VPN traffic out of the gateway and back to the client. Just a hypothesis but I've done some research and can't find the commands I need to be able to test (this is beyond my limited knowledge).

Whilst I appreciate that there's a lot of opinion that running a VPN behind another router is a bad idea, I've no choice as I'm locked in by my Sky ISP. Lots of folk have managed to get this to work so I know it can be done.... On the other hand though this could just be a red herring.

Any ideas would be most appreciated!! If any further info is required / my ramblings aren't clear please do let me know.

Thanks again.
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 110
Location: DE

Posted: Sun Oct 07, 2018 12:11
I don't really get your config:
Not sure why you also have an OpenVPN client on your Windows box and why you post THAT log. Is OpenVPN (as client) running on your router at all?
Just in case: You don't need OpenVPN on your Windows box, when OpenVPN is working properly on your router.

What I know for sure is: The right time is mandatory for OpenVPN to work on DD-WRT. r36527 should do it if you set an IP in Basic setup (e.g. 193.136.164.4).

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
@m0eb@
DD-WRT User


Joined: 26 Dec 2015
Posts: 289

Posted: Sun Oct 07, 2018 12:35
Do all your VPN provider's servers use the same ca.crt and tls-auth.key files?

A few providers have these files different for different servers. You get an authentication error when you use incompatible files.

_________________
PROFESSIONAL STUDENT
my.Mistakes my.Learning ... provided I have the patience & persistence to learn
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Sun Oct 07, 2018 14:33
Hi,

Thanks for the responses. The reason I want to set up the VPN in the first place is to be able to connect to my home network remotely and then route all traffic over that network. So I have created all keys myself using easy-rsa and have configured the OpenVPN server on the DD-WRT router. I'm pretty sure the certs match but beyond that am unsure what the AUTH_FAILED error means as the guidance on the OpenVPN site / my router logs don't offer much more of an explanation.

Thanks
ahv
DD-WRT Novice


Joined: 07 Oct 2018
Posts: 14

Posted: Mon Oct 08, 2018 0:16    Post subject: AUTH_FAILED on Netgear R6700
Ellah! wrote:
Hi,

Been playing around for a few evenings to see what I can come up with and I'm stuck again. I've checked timeservers, pared back configuration to bare minimum but still cannot get a connection with any combination of settings - always get to AUTH_FAILED when the certs have been verified as per previous log file. I've checked both in and outbound firewall logs and can see the inbound UDP traffic which is accepted, but no UDP 1194 outbound traffic so my assumption is that the client connects to the server, does the initial cert verification then the server tries to respond but can't reach the client, hence the AUTH_FAILED error?

I have the VPN server on the DD-WRT router, and this is sitting behind a Sky Q router which is configured as DMZ and points all internet traffic direct to / from the DD-WRT router. At this stage I believe that I might be missing another DD-WRT firewall rule to NAT the outbound VPN traffic out of the gateway and back to the client. Just a hypothesis but I've done some research and can't find the commands I need to be able to test (this is beyond my limited knowledge).

Whilst I appreciate that there's a lot of opinion that running a VPN behind another router is a bad idea, I've no choice as I'm locked in by my Sky ISP. Lots of folk have managed to get this to work so I know it can be done.... On the other hand though this could just be a red herring.

Any ideas would be most appreciated!! If any further info is required / my ramblings aren't clear please do let me know.

Thanks again.


Trying to run OpenVPN client on dd-wrt installed on Netgear R6700 and getting AUTH_FAILED error. Worked with VPN provider on this without a solution and am wondering if there is any info here on what may cause that. Here are details:

Router/Version: Netgear Nighthawk R6700
Firmware: DD-WRT v3.0-r37139 std (10/04/18)
Kernel:
Previous:
Mode/Status: Access Point/ok
Reset: yes
Issues/Errors: OpenVPN Client AUTH_FAILED

Here are log entries:

Oct 7 23:29:36 DD-WRT user.info : vpn modules : vpn modules successfully unloaded
Oct 7 23:29:36 DD-WRT user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Oct 7 23:29:36 DD-WRT user.info : vpn modules : nf_nat_proto_gre successfully loaded
Oct 7 23:29:36 DD-WRT user.info : vpn modules : nf_conntrack_pptp successfully loaded
Oct 7 23:29:36 DD-WRT user.info : vpn modules : nf_nat_pptp successfully loaded
Oct 7 23:29:36 DD-WRT user.info : telnetd : daemon successfully stopped
Oct 7 23:29:36 DD-WRT user.info : dnsmasq : daemon successfully stopped
Oct 7 23:29:36 DD-WRT user.info : pptpd : daemon successfully stopped
Oct 7 23:29:36 DD-WRT user.info : telnetd : daemon successfully started
Oct 7 23:29:36 DD-WRT user.info : dnsmasq : daemon successfully started
Oct 7 23:29:37 DD-WRT user.info : vpn modules : vpn modules successfully unloaded
Oct 7 23:29:37 DD-WRT user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Oct 7 23:29:37 DD-WRT user.info : vpn modules : nf_nat_proto_gre successfully loaded
Oct 7 23:29:37 DD-WRT user.info : vpn modules : nf_conntrack_pptp successfully loaded
Oct 7 23:29:37 DD-WRT user.info : vpn modules : nf_nat_pptp successfully loaded
Oct 7 23:29:37 DD-WRT user.info : syslogd : syslog daemon successfully stopped
Oct 7 17:29:37 DD-WRT syslog.info syslogd exiting
Oct 7 17:29:37 DD-WRT syslog.info syslogd started: BusyBox v1.29.3
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3383]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3383]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3383]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3383]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3383]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3383]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2018
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3383]: library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.09
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3385]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3385]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.41.133.148:1195
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: UDPv4 link local: (not bound)
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: UDPv4 link remote: [AF_INET]45.41.133.148:1195
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: TLS: Initial packet from [AF_INET]45.41.133.148:1195, sid=74c36265 b74770b8
Oct 7 23:29:37 DD-WRT daemon.warn openvpn[3385]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: VERIFY OK: nsCertType=SERVER
Oct 7 23:29:37 DD-WRT daemon.notice openvpn[3385]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-384-2a, emailAddress=support@expressvpn.com
Oct 7 23:29:38 DD-WRT daemon.notice openvpn[3385]: NOTE: --mute triggered...
Oct 7 23:29:38 DD-WRT daemon.notice openvpn[3385]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Oct 7 23:29:38 DD-WRT daemon.notice openvpn[3385]: [Server-384-2a] Peer Connection Initiated with [AF_INET]45.41.133.148:1195
Oct 7 23:29:39 DD-WRT daemon.notice openvpn[3385]: SENT CONTROL [Server-384-2a]: 'PUSH_REQUEST' (status=1)
Oct 7 23:29:39 DD-WRT daemon.notice openvpn[3385]: AUTH: Received control message: AUTH_FAILED


What should I be looking at?

TIA
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Mon Oct 08, 2018 8:53
Hi ahv,

Although you're using the router as a client, not a server as in my case, looks like possibly a similar problem. First off have you checked your firewall in/outbound logs and can you see UDP port 1195 traffic being accepted and not blocked?

Also is your DD-WRT router also the internet gateway or is this, like mine, behind another gateway router?

The only other lines of investigation I am currently working through are the DD-WRT admin\syslogs. There are two things I'm reviewing:

1. When the OpenVPN server starts following router reboot I get the following warning:

daemon.warn openvpn[2459]: WARNING: Failed running command (--route-up): external program exited with error status: 2

2. When I try to connect an OpenVPN client (Windows 10 laptop on external 4G mobile tethered connection) to the DD-WRT OpenVPN server I get the following warning:

daemon.warn openvpn[2459]: client1/xxx.xxx.xxx.xxx WARNING: Failed running command (--client-connect): external program exited with error status: 2

Maybe you could check your firewall and syslog log files to see what is happening and if you see similar errors / warnings?

The troubling thing for my set up is that I thought my outbound firewall might be blocking the server communicating with the client as I needed an extra firewall command, but I'm not so sure that's the case now as the client does show that some inbound traffic is received at the initial TLS handshake (otherwise that would fail as well), so I now believe that the OpenVPN server itself might be the problem not running all the services I need on my router / DD-WRT firmware - hence the syslog checks.

Ultimately though I am new to this so am learning as I go and may not be interpreting the logs correctly......

Anyone else have any thoughts or pointers, we would much appreciate it!!

Thanks
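
An added example, not part of any post in this thread: a POSIX shell triage that finds the stage a client log reached before AUTH_FAILED and scans the server syslog for failed script hooks such as the --client-connect warning quoted above. The log lines are constructed from the excerpts in the thread (192.0.2.10 is a documentation address) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Log lines are constructed from the excerpts posted above; 192.0.2.10 is a
# documentation address standing in for the real peer.

sample_client_log() {
cat <<'EOF'
Wed Oct 03 22:59:14 2018 TLS: Initial packet from [AF_INET]192.0.2.10:1194, sid=00000000 00000000
Wed Oct 03 22:59:16 2018 VERIFY OK: depth=1, CN=OpenVPN-CA
Wed Oct 03 22:59:16 2018 VERIFY OK: depth=0, CN=server
Wed Oct 03 22:59:17 2018 [server] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
Wed Oct 03 22:59:18 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 03 22:59:18 2018 AUTH: Received control message: AUTH_FAILED
Wed Oct 03 22:59:18 2018 SIGUSR1[soft,auth-failure] received, process restarting
EOF
}

sample_server_log() {
cat <<'EOF'
Oct  8 08:40:01 DD-WRT daemon.warn openvpn[2459]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Oct  8 08:45:12 DD-WRT daemon.warn openvpn[2459]: client1/192.0.2.10 WARNING: Failed running command (--client-connect): external program exited with error status: 2
EOF
}

# Read a client log on stdin; print the furthest stage reached, followed by
# " auth_failed" if the server sent AUTH_FAILED at that point.
client_stage() {
    awk '
        failed { next }    # ignore the reconnect attempt that follows
        /TLS: Initial packet from/              { if (s < 1) s = 1 }
        /VERIFY OK: depth=0/                    { if (s < 2) s = 2 }
        /Peer Connection Initiated/             { if (s < 3) s = 3 }
        /SENT CONTROL .*PUSH_REQUEST/           { if (s < 4) s = 4 }
        /PUSH: Received control message/        { if (s < 5) s = 5 }
        /Received control message: AUTH_FAILED/ { failed = 1 }
        END {
            split("no_reply tls_started cert_verified tls_up push_requested config_received", name, " ")
            printf "%s%s\n", name[s + 1], (failed ? " auth_failed" : "")
        }'
}

# Read a server syslog on stdin; print "<hook> <exit status>" for every
# script hook (--route-up, --client-connect, ...) that exited non-zero.
server_hook_failures() {
    sed -n 's/.*WARNING: Failed running command (--\([a-z-]*\)): external program exited with error status: \([0-9]*\).*/\1 \2/p'
}

# $1 = output of client_stage, $2 = output of server_hook_failures.
triage() {
    case "$1" in
        *" auth_failed") ;;
        *) echo "no AUTH_FAILED seen; furthest stage: $1"; return 0 ;;
    esac
    case "$2" in
        # The OpenVPN manual says a non-zero exit from a --client-connect
        # script causes the client to be disconnected, so rule this out first.
        *client-connect*)
            echo "certs and TLS OK; server --client-connect hook failed, fix that script first" ;;
        *)
            echo "certs and TLS OK; server refused the session, check its auth settings and log" ;;
    esac
}

stage=$(sample_client_log | client_stage)
hooks=$(sample_server_log | server_hook_failures)
echo "client stage: $stage"
echo "failed hooks: $hooks"
triage "$stage" "$hooks"
```
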
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Oct 08, 2018 12:12
Before things get too complicated let's just deal with Ellah!'s problem: setting up an OpenVPN server on a WNDR4000 (correct me if I am wrong)

First your POSTROUTING rule is not the recommended one, it should be:
Code:
iptables -t nat -A POSTROUTING -s [xxxVPNIP]/24 -o $(nvram get wan_iface)  -j MASQUERADE


That is not the source of your AUTH failure however.

Your client config shows you are using a TLS-AUTH key that is not necessary, and could be the source of your problem.

You could try to use my notes to setup an OpenVPN server.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ahv
DD-WRT Novice


Joined: 07 Oct 2018
Posts: 14

Posted: Mon Oct 08, 2018 17:32
Ellah! wrote:
Hi ahv,

Although you're using the router as a client, not a server as in my case, looks like possibly a similar problem. First off have you checked your firewall in/outbound logs and can you see UDP port 1195 traffic being accepted and not blocked?

Also is your DD-WRT router also the internet gateway or is this, like mine, behind another gateway router?



My dd-wrt router is behind another and I'm just using the client - no server. If anyone reading this has dd-wrt running a vpn on the netgear R6700 please let me know which version. I'm going to revert to the netgear firmware for now . .
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Oct 08, 2018 19:04
@ahv please start a new thread with your own problem so that we can deal with it there
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Mon Oct 08, 2018 19:08
egc wrote:
Before things get too complicated let's just deal with Ellah!'s problem: setting up an OpenVPN server on a WNDR4000 (correct me if I am wrong)

First your POSTROUTING rule is not the recommended one, it should be:
Code:
iptables -t nat -A POSTROUTING -s [xxxVPNIP]/24 -o $(nvram get wan_iface)  -j MASQUERADE


That is not the source of your AUTH failure however.

Your client config shows you are using a TLS-AUTH key that is not necessary, and could be the source of your problem.

You could try to use my notes to setup an OpenVPN server.
Ellah!
DD-WRT Novice


Joined: 03 Oct 2018
Posts: 12

Posted: Mon Oct 08, 2018 19:10
Hi egc,

Thanks for the feedback and getting involved. Originally your and theorie's set up posts were my starting point when researching / configuring the OpenVPN server. However I have been getting the AUTH_FAILED error since the beginning so started thinking that I was missing something and decided to harden the VPN further.... using this site: https://www.outoftolerance.com/2016/09/25/hardened-openvpn-with-dd-wrt/ as a point of reference.

Notorious gave some good advice when I first posted for help and I did pare back my config (including removing the TLS_auth ta.key) after confirming timeserver settings - to no avail.

The good news is that your firewall command has worked in that the syslog now shows the [user.info syslog: ttraff : traffic counter daemon successfully started] instead of [WARNING: Failed running command (--route-up): external program exited with error status: 2] so that's definite progress!

Unfortunately removing the TLS_auth config hasn't worked and I'm still getting AUTH_FAILED error as before.

I've also removed the TLS_Cipher to take things one step further, but still the same AUTH_FAILED error.

I really appreciate the help - any ideas what next to check please? Happy to share any info as required.

Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Tue Oct 09, 2018 7:27
The AUTH_FAILED usually means wrong credentials.
Do you have
Code:
client-cert-not-required
in your server setup?

Just to make sure, is the router, which has the OpenVPN server, connected to the internet (has a public IP)?

Post your OpenVPN server settings. Post your OpenVPN server log.

Page 1 of 2. All times are GMT.