[GH-ISSUE #42] OTP-AUTH: authentication failed for username 'xxxxxxx', remote 10.0.19.23:47776 #27

Closed
opened 2026-02-25 22:30:47 +03:00 by kerem · 18 comments

Originally created by @zhaowei2021 on GitHub (Aug 5, 2021).
Original GitHub issue: https://github.com/evgeny-gridasov/openvpn-otp/issues/42

10.0.19.23:47776 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.19.23:47776
10.0.19.23:47776 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.19.23:47776 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.19.23:47776 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.19.23:47776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.19.23:47776 Peer Connection Initiated with [AF_INET]10.0.19.23:47776
10.0.19.23:47776 PUSH: Received control message: 'PUSH_REQUEST'
10.0.19.23:47776 Delayed exit in 5 seconds
10.0.19.23:47776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.19.23:47776 Connection reset, restarting [0]
10.0.19.23:47776 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP connection established with [AF_INET]10.0.19.23:47810
10.0.19.23:47810 TLS: Initial packet from [AF_INET]10.0.19.23:47810, sid=6b61e65e f000465b

kerem closed this issue 2026-02-25 22:30:47 +03:00

@evgeny-gridasov commented on GitHub (Aug 5, 2021):

Hello and Welcome to openvpn-otp project,

Could you please verify that time is in sync on the server and read the documentation to verify authentication with `oathtool`?


@zhaowei2021 commented on GitHub (Aug 6, 2021):

> Hello and Welcome to openvpn-otp project,
>
> Could you please verify that time is in sync on the server and read the documentation to verify authentication with `oathtool`?

Yes, I confirm that the server time is correct. I also checked the verification code using oathtool, and the result is correct.


@evgeny-gridasov commented on GitHub (Aug 6, 2021):

Could you please post the configuration of the plugin here and also how you configure otp tokens?
Are you using PIN as well?


@zhaowei2021 commented on GitHub (Aug 6, 2021):

> Could you please post the configuration of the plugin here and also how you configure otp tokens?
> Are you using PIN as well?

This is my configuration, including server.conf, client.ovpn, ldap.conf and otp-secrets:
[conf_info.zip](https://github.com/evgeny-gridasov/openvpn-otp/files/6945207/conf_info.zip)
I configure otp tokens by running: google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=17 --issuer=foocorp --label=user@hostname --secret=/root/.user.google_authenticator > /root/user.auth

When I use LDAP authentication alone, it works


@evgeny-gridasov commented on GitHub (Aug 6, 2021):

Please change
zhaowei otp totp:sha1:base32::X27AI567UGJMZ5LC7XNB2W5Y7I:xxx *
to
zhaowei otp totp:sha1:base32:X27AI567UGJMZ5LC7XNB2W5Y7I::xxx *
and try again


@evgeny-gridasov commented on GitHub (Aug 6, 2021):

The otp file format is:

```
# user server type:hash:encoding:key:pin:udid client
# where type is totp, totp-60-6 or motp
#       hash should be sha1 in most cases
#       encoding is base32, hex or text
#       key is your key in encoding format
#       pin may be a number or a string (may be empty)
#       udid is used only in motp mode and ignored in totp mode
```
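
The fields in a secrets line are positional, so in `base32::KEY:xxx` the key field is empty and the key text sits in the pin field. The Python sketch below is an added example, not code from the openvpn-otp project or from anyone in this thread: it parses a line according to the format comment above, flags an empty or undecodable key, and computes a standard RFC 6238 code for cross-checking against a token. The user `alice`, the sample keys and all function names are constructed, and padding of omitted trailing fields is an assumption.

```python
import base64
import hmac
import struct

# Field order taken from the format comment quoted in the thread.
FIELDS = ("type", "hash", "encoding", "key", "pin", "udid")
TYPES = {"totp", "totp-60-6", "motp"}
ENCODINGS = {"base32", "hex", "text"}

# Constructed sample lines (user and keys are made up for this example).
BAD_LINE = "alice otp totp:sha1:base32::JBSWY3DPEHPK3PXP:xxx *"    # key slot empty
FIXED_LINE = "alice otp totp:sha1:base32:JBSWY3DPEHPK3PXP::xxx *"  # pin slot empty
RFC_LINE = "alice otp totp:sha1:text:12345678901234567890:: *"     # RFC 6238 test key


def parse_secret_line(line):
    """Split 'user server type:hash:encoding:key:pin:udid client' into a dict."""
    columns = line.split()
    if len(columns) != 4:
        raise ValueError("expected 4 columns, got %d" % len(columns))
    user, server, secret, client = columns
    values = secret.split(":")
    if len(values) > len(FIELDS):
        raise ValueError("too many ':'-separated fields in %r" % secret)
    values += [""] * (len(FIELDS) - len(values))  # assumption: trailing fields optional
    entry = dict(zip(FIELDS, values))
    entry.update(user=user, server=server, client=client)
    return entry


def decode_key(encoding, key):
    """Turn the key field into raw bytes according to the encoding field."""
    if encoding == "base32":
        key = key.upper()
        return base64.b32decode(key + "=" * (-len(key) % 8))
    if encoding == "hex":
        return bytes.fromhex(key)
    return key.encode()


def lint_entry(entry):
    """Return a list of problems; an empty list means the line looks sane."""
    problems = []
    if entry["type"] not in TYPES:
        problems.append("unknown type %r" % entry["type"])
    if entry["encoding"] not in ENCODINGS:
        problems.append("unknown encoding %r" % entry["encoding"])
    elif not entry["key"]:
        hint = "; check whether the pin field holds the key" if entry["pin"] else ""
        problems.append("key field is empty" + hint)
    else:
        try:
            decode_key(entry["encoding"], entry["key"])
        except ValueError:
            problems.append("key is not valid %s" % entry["encoding"])
    return problems


def totp(key, now, step=30, digits=6, t0=0, digest="sha1"):
    """RFC 6238 code for Unix time `now`; defaults mirror the debug log values."""
    counter = int(now - t0) // step
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_code(line, now, **totp_params):
    """Lint a secrets line, then compute the code a standard TOTP token shows."""
    entry = parse_secret_line(line)
    problems = lint_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    return totp(decode_key(entry["encoding"], entry["key"]), now,
                digest=entry["hash"], **totp_params)


if __name__ == "__main__":
    import time
    for line in (BAD_LINE, FIXED_LINE):
        print(line, "->", lint_entry(parse_secret_line(line)) or "ok")
    print("code now:", expected_code(FIXED_LINE, time.time()))
```

The value returned by `expected_code` can be compared with the token app and with `oathtool`; it follows the RFC only and does not model the plugin's PIN or slop handling.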

@zhaowei2021 commented on GitHub (Aug 9, 2021):

> zhaowei otp totp:sha1:base32:X27AI567UGJMZ5LC7XNB2W5Y7I::xxx *

Thank you for your advice.
I tried to replace the contents of the secret file, but it's still TLS Auth Error:

TCP connection established with [AF_INET]10.0.16.187:38824
10.0.16.187:38824 TLS: Initial packet from [AF_INET]10.0.16.187:38824, sid=cef5055e f1593c23
10.0.16.187:38824 peer info: IV_VER=3.git::662eae9a:Release
10.0.16.187:38824 peer info: IV_PLAT=android
10.0.16.187:38824 peer info: IV_NCP=2
10.0.16.187:38824 peer info: IV_TCPNL=1
10.0.16.187:38824 peer info: IV_PROTO=2
10.0.16.187:38824 peer info: IV_LZO_STUB=1
10.0.16.187:38824 peer info: IV_COMP_STUB=1
10.0.16.187:38824 peer info: IV_COMP_STUBv2=1
10.0.16.187:38824 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
10.0.16.187:38824 peer info: IV_SSO=openurl
10.0.16.187:38824 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.16.187:38824
10.0.16.187:38824 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.16.187:38824 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.16.187:38824 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.16.187:38824 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.16.187:38824 Peer Connection Initiated with [AF_INET]10.0.16.187:38824
10.0.16.187:38824 PUSH: Received control message: 'PUSH_REQUEST'
10.0.16.187:38824 Delayed exit in 5 seconds
10.0.16.187:38824 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.16.187:38824 Connection reset, restarting [0]
10.0.16.187:38824 SIGUSR1[soft,connection-reset] received, client-instance restarting


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

The only thing left to do is to print whatever the client is sending and whatever the server expects and then verify those results with oathtool. Enable DEBUG log level and see what the output is. In the plugin configuration directives add:

```
debug=1
```

like so:

```
plugin "/usr/lib64/openvpn/plugins/openvpn-otp.so" "debug=1 otp_secrets=/etc/my_otp_secret_file otp_slop=300 totp_t0=2 totp_step=30 totp_digits=8 motp_step=10"
```

@zhaowei2021 commented on GitHub (Aug 9, 2021):

> The only thing left to do is to print whatever the client is sending and whatever the server expects and then verify those results with oathtool. Enable DEBUG log level and see what the output is. In the plugin configuration directives add:
>
> ```
> debug=1
> ```
>
> like so:
>
> ```
> plugin "/usr/lib64/openvpn/plugins/openvpn-otp.so" "debug=1 otp_secrets=/etc/my_otp_secret_file otp_slop=300 totp_t0=2 totp_step=30 totp_digits=8 motp_step=10"
> ```

The following is the log information after debugging is enabled. Thanks.

WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
OpenVPN 2.4.11 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-ldap.so '[/usr/local/lib/openvpn-auth-ldap.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
OTP-AUTH: otp_secrets=/etc/openvpn/auth/otp-secrets
OTP-AUTH: hotp_counters=/var/spool/openvpn/hotp-counters/
OTP-AUTH: otp_slop=180
OTP-AUTH: totp_t0=0
OTP-AUTH: totp_step=30
OTP-AUTH: totp_digits=6
OTP-AUTH: motp_step=10
OTP-AUTH: hotp_syncwindow=2
OTP-AUTH: password_is_cr=1
OTP-AUTH: debug=1
OTP_AUTH: debug mode has been enabled
PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-otp.so '[/usr/lib64/openvpn/plugins/openvpn-otp.so] [debug=1] [password_is_cr=1] [otp_secrets=/etc/openvpn/auth/otp-secrets]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Diffie-Hellman initialized with 2048 bit key
ROUTE_GATEWAY 10.0.4.1/255.255.255.0 IFACE=ens33 HWADDR=00:0c:29:24:d3:76
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 172.16.251.1 peer 172.16.251.2
/sbin/ip route add 172.16.251.0/24 via 172.16.251.2
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[87380->87380] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET][undef]:1194
TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
TCPv4_SERVER link remote: [AF_UNSPEC]
GID set to openvpn
UID set to openvpn
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=172.16.251.4 size=62, ipv6=0
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed
TCP connection established with [AF_INET]10.0.16.187:43498
10.0.16.187:43498 TLS: Initial packet from [AF_INET]10.0.16.187:43498, sid=83bf7297 9090f55b
10.0.16.187:43498 peer info: IV_VER=3.git::662eae9a:Release
10.0.16.187:43498 peer info: IV_PLAT=android
10.0.16.187:43498 peer info: IV_NCP=2
10.0.16.187:43498 peer info: IV_TCPNL=1
10.0.16.187:43498 peer info: IV_PROTO=2
10.0.16.187:43498 peer info: IV_LZO_STUB=1
10.0.16.187:43498 peer info: IV_COMP_STUB=1
10.0.16.187:43498 peer info: IV_COMP_STUBv2=1
10.0.16.187:43498 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
10.0.16.187:43498 peer info: IV_SSO=openurl
10.0.16.187:43498 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
OTP-AUTH: trying to authenticate username 'zhaowei'
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.16.187:43498
10.0.16.187:43498 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.16.187:43498 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.16.187:43498 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.16.187:43498 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.16.187:43498 Peer Connection Initiated with [AF_INET]10.0.16.187:43498
10.0.16.187:43498 PUSH: Received control message: 'PUSH_REQUEST'
10.0.16.187:43498 Delayed exit in 5 seconds
10.0.16.187:43498 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.16.187:43498 Connection reset, restarting [0]
10.0.16.187:43498 SIGUSR1[soft,connection-reset] received, client-instance restarting


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

Can you try the same configuration with the LDAP plugin disabled and/or password_is_cr=0?


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

Also, I've just reviewed the config again and could not see PasswordIsCr option there:

```
# Uncomment and set to true to support OpenVPN Challenge/Response
PasswordIsCR	true
```

Have you followed all steps in the Plug-Ins section of README.md?


@zhaowei2021 commented on GitHub (Aug 9, 2021):

> Can you try the same configuration with the LDAP plugin disabled and/or password_is_cr=0?

If I disable the LDAP plug-in, how do I enter the password when the client connects? Is it Google verification code?


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

Yes, just the code from the token.


@zhaowei2021 commented on GitHub (Aug 9, 2021):

> Yes, just the code from the token.

When I disable the LDAP plug-in and set password_is_cr=0, the connection still fails. The error message seems to be a TLS auth error.
My configuration information is as follows:
#plugin /usr/local/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
plugin "/usr/lib64/openvpn/plugins/openvpn-otp.so" "debug=1 otp_slop=300 totp_t0=2 totp_step=30 totp_digits=6 motp_step=10 password_is_cr=0 otp_secrets=/etc/openvpn/auth/otp-secrets"

The error message is as follows:
TCP connection established with [AF_INET]10.0.16.187:46192
10.0.16.187:46192 TLS: Initial packet from [AF_INET]10.0.16.187:46192, sid=8ebd11e0 130ba97f
10.0.16.187:46192 peer info: IV_VER=3.git::662eae9a:Release
10.0.16.187:46192 peer info: IV_PLAT=android
10.0.16.187:46192 peer info: IV_NCP=2
10.0.16.187:46192 peer info: IV_TCPNL=1
10.0.16.187:46192 peer info: IV_PROTO=2
10.0.16.187:46192 peer info: IV_LZO_STUB=1
10.0.16.187:46192 peer info: IV_COMP_STUB=1
10.0.16.187:46192 peer info: IV_COMP_STUBv2=1
10.0.16.187:46192 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
10.0.16.187:46192 peer info: IV_SSO=openurl
OTP-AUTH: trying to authenticate username 'zhaowei'
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.16.187:46192
10.0.16.187:46192 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.16.187:46192 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.16.187:46192 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.16.187:46192 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.16.187:46192 Peer Connection Initiated with [AF_INET]10.0.16.187:46192
10.0.16.187:46192 PUSH: Received control message: 'PUSH_REQUEST'
10.0.16.187:46192 Delayed exit in 5 seconds
10.0.16.187:46192 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.16.187:46192 Connection reset, restarting [0]
10.0.16.187:46192 SIGUSR1[soft,connection-reset] received, client-instance restarting


@zhaowei2021 commented on GitHub (Aug 9, 2021):

Are there any requirements for the version of OpenVPN? My server version is 2.4.11


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

2.4.11 should work fine. Let me try to build it against it and try your configuration files. I'll update later.


@evgeny-gridasov commented on GitHub (Aug 9, 2021):

Looks like it can't find the username in the secrets file. Is the file in that zip file definitely at /etc/openvpn/auth/otp-secrets location? Check that /etc/openvpn/auth/otp-secrets file is accessible by OpenVPN. I'll try to run your config later and will see what happens.


@zhaowei2021 commented on GitHub (Aug 9, 2021):

> Looks like it can't find the username in the secrets file. Is the file in that zip file definitely at /etc/openvpn/auth/otp-secrets location? Check that /etc/openvpn/auth/otp-secrets file is accessible by OpenVPN. I'll try to run your config later and will see what happens.

I tried PAM_LDAP and Google authentication, it's working now.
Thank you very much!
