Solved: OpenVPN reconnect AUTH_FAILED
-
I have a problem with OpenVPN client to reconnect after link is down.
The log shows:
Mar 18 00:09:29 pfsense openvpn[61368]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 18 00:09:29 pfsense openvpn[61368]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1198
Mar 18 00:09:29 pfsense openvpn[61368]: UDPv4 link local (bound): [AF_INET]192.168.55.116:0
Mar 18 00:09:29 pfsense openvpn[61368]: UDPv4 link remote: [AF_INET]X.X.X.X:1198
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Mar 18 00:09:29 pfsense openvpn[61368]: [b68c683a513c67dd1f209ce6ea079710] Peer Connection Initiated with [AF_INET]X.X.X.X:1198
Mar 18 00:09:35 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:35 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
And continues indefinitely.
But the moment I click "reconnect" button in GUI connection restores:
Mar 18 00:09:40 pfsense openvpn[61368]: /usr/local/sbin/ovpn-linkdown ovpnc1 0 0 10.9.10.6 10.9.10.5 init
Mar 18 00:09:40 pfsense openvpn[61368]: SIGTERM[hard,init_instance] received, process exiting
Mar 18 00:09:41 pfsense openvpn[89959]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Mar 18 00:09:41 pfsense openvpn[89959]: OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
Mar 18 00:09:41 pfsense openvpn[89959]: library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Mar 18 00:09:41 pfsense openvpn[90120]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 18 00:09:46 pfsense openvpn[90120]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1198
Mar 18 00:09:46 pfsense openvpn[90120]: UDPv4 link local (bound): [AF_INET]192.168.55.116:0
Mar 18 00:09:46 pfsense openvpn[90120]: UDPv4 link remote: [AF_INET]X.X.X.X:1198
Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Mar 18 00:09:46 pfsense openvpn[90120]: [e7af2ff71a364e941848f77d499f13c0] Peer Connection Initiated with [AF_INET]X.X.X.X:1198
Mar 18 00:09:47 pfsense openvpn[90120]: TUN/TAP device ovpnc1 exists previously, keep at program end
Mar 18 00:09:47 pfsense openvpn[90120]: TUN/TAP device /dev/tun1 opened
Mar 18 00:09:47 pfsense openvpn[90120]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 18 00:09:47 pfsense openvpn[90120]: /sbin/ifconfig ovpnc1 10.45.10.6 10.45.10.5 mtu 1500 netmask 255.255.255.255 up
Mar 18 00:09:47 pfsense openvpn[90120]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.45.10.6 10.45.10.5 init
Mar 18 00:09:47 pfsense openvpn[90120]: Initialization Sequence Completed
What can I do to make it reconnect automatically?
Thank you.
-
Nobody has the same problem?
-
What service are you connecting to?
Have you opened the ovpn configuration file and matched it with your configuration?
-
I found a solution. It looks like a bug in OpenVPN.
You need to add:
pull-filter ignore "auth-token"
After that client reconnects smoothly.
More reading:
https://www.privateinternetaccess.com/forum/discussion/24089/inactivity-timeout-ping-restart#latest
https://www.snbforums.com/threads/how-to-setup-a-vpn-client-including-policy-rules-for-pia-and-other-vpn-providers-380-68-09-12.30851/page-24
-
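A way to confirm from the logs that a client is stuck in the loop shown in the first post, and to check whether the `pull-filter ignore "auth-token"` line is active in its config. This is an added example, not part of any post in the thread; the sample log and config are constructed, and the function names and the threshold of three restarts are assumptions.

```python
import re
import shlex
from collections import Counter

# Constructed sample modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Mar 18 00:09:35 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:35 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
Mar 18 00:09:46 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:46 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
Mar 18 00:09:57 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:57 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
"""
# Constructed client config: the fix is present only as a comment, so it is inactive.
SAMPLE_CONF = 'client\ndev tun\nauth-user-pass\n# pull-filter ignore "auth-token"\n'

LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")

def auth_failure_loops(log_text, threshold=3):
    """Return {pid: n} for processes that soft-restarted on AUTH_FAILED n >= threshold times."""
    counts, pending = Counter(), set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if "AUTH_FAILED" in msg:
            pending.add(pid)
        elif msg.startswith("SIGUSR1[soft,auth-failure]") and pid in pending:
            counts[pid] += 1
            pending.discard(pid)
        elif "Initialization Sequence Completed" in msg:
            counts.pop(pid, None)   # tunnel came up, so this is not a loop
            pending.discard(pid)
    return {pid: n for pid, n in counts.items() if n >= threshold}

def has_directive(conf_text, tokens):
    """True if an active (uncommented) config line splits into exactly `tokens`."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith(";"):
            continue                # ';' also starts a comment in OpenVPN configs
        if shlex.split(line, comments=True) == tokens:
            return True
    return False

def diagnose(log_text, conf_text):
    loops = auth_failure_loops(log_text)
    filtered = has_directive(conf_text, ["pull-filter", "ignore", "auth-token"])
    return {"looping_pids": loops, "auth_token_filtered": filtered,
            "fix_applies": bool(loops) and not filtered}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF))
```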
Correct, I use the same command. Also, if you follow the ovpn file you can get rid of these messages as well:
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
-
Correct, I use the same command. Also, if you follow the ovpn file you can get rid of these messages as well:
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
"Get rid of" log entries or actually solving it?
To remove warnings from log file I can use:
disable-occ
-
try adding:
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha128
tls-client
remote-cert-tls server
reneg-sec 0
I had to take several out as it would not allow the connection to start, so play with it and see what works best for yours. This is the strong encryption for PIA:
client
dev tun
proto udp
remote us-newyorkcity.privateinternetaccess.com 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.4096.pem
ca ca.rsa.4096.crt
disable-occ
-
Yes, it's all standard except for the "disable-occ".
But my problem was with missing
pull-filter ignore "auth-token"
-
NordVPN issue solved
Yesterday (6-28-2023), my Glinet AXT1800 stopped connecting with the same "Auth Failed" issue in the log file. I found the solution to be:
- Disable the OpenVPN at the dashboard (to gain internet access)
- Go to NordVPN website and log in
- Under accounts - Services - click NordVPN
- Click - Set up NordVPN manually - at the bottom right of the page.
- You will receive a verification code in your email that you use for NordVPN services. Type the code in the popup window that preceded the email check.
- Copy the credentials using the “Copy” buttons on the right for your new encrypted user name and password in the OpenVPN Client settings.
You will now be able to connect again
-
@Motleycru said in Solved: OpenVPN reconnect AUTH_FAILED:
for your new encrypted user name and password
Wait ....
'They' changed the user login and password on their side, not notifying you?
Serious?
-
@Gertjan for the router login, they changed it and did not notify me.
-
@Motleycru GREAT!! Many thanks for the hint, and this solved it for me as well. Not knowing that they changed the way to authenticate for OpenVPN
-
@Motleycru
Thanks. This approach worked instantly for me.
-
@Motleycru Bravo, well done, I had no idea Nord had done this. Your steps worked perfectly for me straight away. (I had already upgraded my router firmware and vpn-openssl packages!)
-
@Motleycru oh my oh my ... man ... thank you so so so much ... so unbelievable ... I wasted about 6 hours trying to debug this shit. I was so frustrated and wanted to whack someone from Nord, GL-Inet or dd-wrt ... what a mess ... a simple code comment on some screen would have saved 1000's of hours of people's time. Someone deserves to be whacked seriously. But thank you so so much. I can get some sleep now