Inconsistent OpenVPN Authentication Issue: Works Locally but Fails via SSH

I am experiencing an intriguing issue when running OpenVPN on a Raspberry Pi 4 (running Raspbian 32-bit Lite). The issue appears to be related to the authentication process when OpenVPN is run via SSH, as a systemd service, or inside a Docker container. Here are the specifics:

  1. When I run OpenVPN directly on the Raspberry Pi (with a monitor and keyboard attached), I can successfully establish a VPN connection using the --auth-user-pass flag with a file containing my credentials.

  2. However, when I run the same OpenVPN command via SSH, the VPN connection fails. Specifically, the VPN client sends the authentication but does not receive a response from the server, eventually leading to a timeout.

  3. If I run OpenVPN via SSH and manually input my credentials when prompted, the VPN connection succeeds.

  4. When OpenVPN is set as a systemd service to run at boot, it always fails. However, if I manually start or restart the service after boot, the success depends on where it's done: it succeeds if done directly on the Raspberry Pi, but fails if done via SSH.

  5. Inside a Docker container, the behavior is similar to the systemd service. The VPN connection succeeds when the Docker container is run directly from the Raspberry Pi but fails when the Docker container is run via SSH.

When I intentionally enter incorrect credentials, I can reproduce the same behavior (the server does not respond, leading to a timeout), which leads me to believe that the issue is related to the authentication process.

I've confirmed that the authentication file is accessible and contains the correct credentials in all scenarios.

The SSH account I'm using is the same one I use when working directly on the Raspberry Pi.

In summary, OpenVPN's authentication process behaves inconsistently: it works when run directly on the Raspberry Pi, but fails when run via SSH, as a systemd service, or in a Docker container. I'm seeking to understand why this discrepancy occurs and how I can resolve it. Any insights would be greatly appreciated.

Thank you!

Here's part of the log when the VPN connection times out:

UDP link remote: [AF_INET]someip:someport
WWWW
[UNDEF] Inactivity timeout (--ping-exit), exiting
TCP/UDP: Closing socket
SIGTERM[soft,ping-exit] received, process exiting
That sounds interesting... just to clarify: it's not a networking thing, right? The port gets opened and the VPN client can reach it and initiate the authentication process, right? Or does it time out trying to reach the server in the first place?
InfinitePain:
@MoWo I don't believe it's a networking issue. The VPN client is able to reach the server and initiate the authentication process. However, it times out after sending the authentication and not receiving a response. This is consistent whether I run OpenVPN via SSH, as a systemd service, or in a Docker container. But if I manually enter my credentials via SSH or run the command directly on the Pi, it connects successfully. I've updated the original post with some log output for when the VPN connection times out. Let me know if you need more information.
Okay, could you also post the log output from the OpenVPN server? It would be the first point to start. Maybe also push the verbosity directive in the server.conf file up to verb 6 for more detailed debug output as well...
InfinitePain:
I don't host the server, so I can't provide the log output or change the verbosity level.
Oh, okay, I just now understand the setup properly. I was under the impression that the Raspi was running the OpenVPN Server... Okay can you replicate the same results on a different machine with OpenVPN using the same server to connect to? Alternatively, which is not a solution but a possible workaround: Did you try using a different VPN client, like Tunnelblick?
InfinitePain:
Yes, I've tried it on a Debian VM on my Windows machine and it behaves the same. I haven't tried other clients as I'm unfamiliar with them, and Tunnelblick seems Mac-centric. However, using GNOME's graphical interface, I can connect without problems. I'm starting to think the problem might be with the VPN provider. Docker works when started directly from the Pi. It's not the solution I'm after but it is what it is.