Netgate Discussion Forum

Solved: OpenVPN reconnect AUTH_FAILED

15 Posts 8 Posters 51.9k Views
  • D
    downundermate
    last edited by Mar 19, 2018, 10:51 PM Mar 17, 2018, 1:19 PM

    I have a problem getting the OpenVPN client to reconnect after the link goes down.
    The log shows:

    
    Mar 18 00:09:29 pfsense openvpn[61368]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 18 00:09:29 pfsense openvpn[61368]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1198
    Mar 18 00:09:29 pfsense openvpn[61368]: UDPv4 link local (bound): [AF_INET]192.168.55.116:0
    Mar 18 00:09:29 pfsense openvpn[61368]: UDPv4 link remote: [AF_INET]X.X.X.X:1198
    Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    Mar 18 00:09:29 pfsense openvpn[61368]: [b68c683a513c67dd1f209ce6ea079710] Peer Connection Initiated with [AF_INET]X.X.X.X:1198
    Mar 18 00:09:35 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
    Mar 18 00:09:35 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
    
    

    And continues indefinitely.

    But the moment I click the "reconnect" button in the GUI, the connection is restored:

    
    Mar 18 00:09:40 pfsense openvpn[61368]: /usr/local/sbin/ovpn-linkdown ovpnc1 0 0 10.9.10.6 10.9.10.5 init
    Mar 18 00:09:40 pfsense openvpn[61368]: SIGTERM[hard,init_instance] received, process exiting
    Mar 18 00:09:41 pfsense openvpn[89959]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    Mar 18 00:09:41 pfsense openvpn[89959]: OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    Mar 18 00:09:41 pfsense openvpn[89959]: library versions: OpenSSL 1.0.2m-freebsd  2 Nov 2017, LZO 2.10
    Mar 18 00:09:41 pfsense openvpn[90120]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 18 00:09:46 pfsense openvpn[90120]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1198
    Mar 18 00:09:46 pfsense openvpn[90120]: UDPv4 link local (bound): [AF_INET]192.168.55.116:0
    Mar 18 00:09:46 pfsense openvpn[90120]: UDPv4 link remote: [AF_INET]X.X.X.X:1198
    Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    Mar 18 00:09:46 pfsense openvpn[90120]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    Mar 18 00:09:46 pfsense openvpn[90120]: [e7af2ff71a364e941848f77d499f13c0] Peer Connection Initiated with [AF_INET]X.X.X.X:1198
    Mar 18 00:09:47 pfsense openvpn[90120]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Mar 18 00:09:47 pfsense openvpn[90120]: TUN/TAP device /dev/tun1 opened
    Mar 18 00:09:47 pfsense openvpn[90120]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 18 00:09:47 pfsense openvpn[90120]: /sbin/ifconfig ovpnc1 10.45.10.6 10.45.10.5 mtu 1500 netmask 255.255.255.255 up
    Mar 18 00:09:47 pfsense openvpn[90120]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.45.10.6 10.45.10.5 init
    Mar 18 00:09:47 pfsense openvpn[90120]: Initialization Sequence Completed
    
    

    What can I do to make it reconnect automatically?
    Thank you.

    1 Reply Last reply Reply Quote 0
    • D
      downundermate
      last edited by Mar 18, 2018, 11:27 PM

      Nobody has the same problem?

      1 Reply Last reply Reply Quote 0
      • B
        bcruze
        last edited by Mar 19, 2018, 11:15 AM

        What service are you connecting to?

        Have you opened the ovpn configuration file and matched it with your configuration?

        1 Reply Last reply Reply Quote 0
        • D
          downundermate
          last edited by Mar 19, 2018, 11:31 AM

          I found a solution. It looks like a bug in OpenVPN.
          You need to add:

          pull-filter ignore "auth-token"
          

          After that, the client reconnects smoothly.
          More reading:
          https://www.privateinternetaccess.com/forum/discussion/24089/inactivity-timeout-ping-restart#latest
          https://www.snbforums.com/threads/how-to-setup-a-vpn-client-including-policy-rules-for-pia-and-other-vpn-providers-380-68-09-12.30851/page-24

          1 Reply Last reply Reply Quote 0
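The symptom in this thread is a run of `SIGUSR1[soft,auth-failure]` restarts inside one OpenVPN process that only ends with a hard restart under a new PID. A log triage sketch for that pattern, added here as an example (not code from any poster or from pfSense); the function names, the threshold of 3 and the sample lines, modelled on the first post's log, are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines in the first post (not a real capture).
SAMPLE_LOG = """\
Mar 18 00:09:35 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:35 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
Mar 18 00:09:46 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:46 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
Mar 18 00:09:57 pfsense openvpn[61368]: AUTH: Received control message: AUTH_FAILED
Mar 18 00:09:57 pfsense openvpn[61368]: SIGUSR1[soft,auth-failure] received, process restarting
Mar 18 00:10:02 pfsense openvpn[89959]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Mar 18 00:10:07 pfsense openvpn[90120]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 18 00:10:08 pfsense openvpn[90120]: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sopenvpn\[(\d+)\]:\s(.*)$")
# Hardening warnings that OpenVPN itself prints, as seen in the thread's log.
WARNINGS = {
    "is group or others accessible": "secret-file-permissions",
    "may cache passwords in memory": "password-cached-in-memory",
}

def parse(log_text):
    """Yield (pid, message) for every OpenVPN syslog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def find_auth_loops(log_text, threshold=3):
    """Return {pid: longest run of auth-failure soft restarts} at or above threshold."""
    run, longest = defaultdict(int), {}
    for pid, msg in parse(log_text):
        if msg.startswith("SIGUSR1[soft,auth-failure]"):
            run[pid] += 1
            longest[pid] = max(longest.get(pid, 0), run[pid])
        elif "Initialization Sequence Completed" in msg:
            run[pid] = 0  # tunnel came up, so the run is broken
    return {pid: n for pid, n in longest.items() if n >= threshold}

def hardening_warnings(log_text):
    """Return the sorted set of hardening warnings present in the log."""
    return sorted({tag for _, msg in parse(log_text)
                   for text, tag in WARNINGS.items() if text in msg})

if __name__ == "__main__":
    print(find_auth_loops(SAMPLE_LOG))
    print(hardening_warnings(SAMPLE_LOG))
```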
          • B
            bcruze
            last edited by Mar 19, 2018, 11:34 AM

            Correct, I use the same command. Also, if you follow the ovpn file you can get rid of these messages as well:
            Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
            Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

            1 Reply Last reply Reply Quote 0
            • D
              downundermate
              last edited by Mar 19, 2018, 12:03 PM

              @bcruze:

              Correct, I use the same command. Also, if you follow the ovpn file you can get rid of these messages as well:
              Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
              Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

              "Get rid of" log entries or actually solving it?
              To remove warnings from the log file I can use:

              disable-occ
              
              1 Reply Last reply Reply Quote 0
              • B
                bcruze
                last edited by Mar 19, 2018, 6:28 PM Mar 19, 2018, 4:27 PM

                Try adding:

                resolv-retry infinite
                persist-key
                persist-tun
                cipher aes-128-cbc
                auth sha1
                tls-client
                remote-cert-tls server
                reneg-sec 0

                I had to take several out as it would not allow the connection to start. So play with it and see what works best for yours. This is the strong encryption for PIA:

                client
                dev tun
                proto udp
                remote us-newyorkcity.privateinternetaccess.com 1197
                resolv-retry infinite
                nobind
                persist-key
                persist-tun
                cipher aes-256-cbc
                auth sha256
                tls-client
                remote-cert-tls server
                auth-user-pass
                comp-lzo
                verb 1
                reneg-sec 0
                crl-verify crl.rsa.4096.pem
                ca ca.rsa.4096.crt
                disable-occ

                1 Reply Last reply Reply Quote 0
                • D
                  downundermate
                  last edited by Mar 19, 2018, 10:51 PM

                  Yes, it's all standard except for the "disable-occ".
                  But my problem was with missing

                  pull-filter ignore "auth-token"
                  
                  1 Reply Last reply Reply Quote 0
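The two configuration points raised above (the missing `pull-filter ignore "auth-token"` line, and `disable-occ` hiding the consistency warnings rather than resolving them) can be checked mechanically. An added example, not code from any poster or from pfSense; `audit`, `parse_directives`, the finding labels and both sample inputs are constructed for illustration, and the log line is assumed to come from a run before `disable-occ` was set.

```python
import re
import shlex

# Constructed client config modelled on the one posted above, without the fix.
SAMPLE_CONF = """\
client
auth-user-pass
cipher aes-128-cbc
disable-occ
"""

# Constructed OCC warning in the format shown in the first post's log.
SAMPLE_LOG = ("Mar 18 00:09:29 pfsense openvpn[61368]: WARNING: 'cipher' is used "
              "inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'\n")

OCC_RE = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, "
                    r"local='([^']*)', remote='([^']*)'")

def parse_directives(conf_text):
    """Return [(directive, [args])], skipping blank lines and # or ; comments."""
    out = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def audit(conf_text, log_text=""):
    """Return findings for the two issues discussed in this thread."""
    directives = parse_directives(conf_text)
    names = {name for name, _ in directives}
    findings = []
    # The thread's fix: a pull-filter that ignores a pushed auth-token.
    filtered = any(name == "pull-filter" and len(args) == 2 and args[0] == "ignore"
                   and args[1] and "auth-token".startswith(args[1])
                   for name, args in directives)
    if "auth-user-pass" in names and not filtered:
        findings.append("no-auth-token-filter")
    # disable-occ only silences the consistency check; it changes no setting on either side.
    if "disable-occ" in names:
        findings.append("occ-warnings-suppressed")
    for opt, local, remote in sorted(set(OCC_RE.findall(log_text))):
        findings.append(f"occ-mismatch:{opt}:{local}!={remote}")
    return findings
```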
                  • M
                    Motleycru
                    last edited by Jun 29, 2023, 9:14 AM

                    NordVPN issue solved
                    Yesterday (6-28-2023), my Glinet AXT1800 stopped connecting with the same "Auth Failed" issue in the log file. I found the solution to be:

                    1. Disable the OpenVPN at the dashboard (to gain internet access)
                    2. Go to NordVPN website and log in
                    3. Under accounts - Services - click NordVPN
                    4. Click - Set up NordVPN manually - at the bottom right of the page.
                    5. You will receive a verification code in your email that you use for NordVPN services. Type the code in the popup window that preceded the email check.
                    6. Copy the credentials using the “Copy” buttons on the right for your new encrypted user name and password in the OpenVPN Client settings.

                    You will now be able to connect again.

                    GertjanG E H N V 5 Replies Last reply Jun 29, 2023, 2:20 PM Reply Quote 5
                    • GertjanG
                      Gertjan @Motleycru
                      last edited by Jun 29, 2023, 2:20 PM

                      @Motleycru said in Solved: OpenVPN reconnect AUTH_FAILED:

                      for your new encrypted user name and password

                      Wait ....
                      'They' changed the user login and password on their side, not notifying you ?
                      Serious ?

                      😰

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      M 1 Reply Last reply Jun 29, 2023, 5:03 PM Reply Quote 0
                      • M
                        Motleycru @Gertjan
                        last edited by Jun 29, 2023, 5:03 PM

                        @Gertjan for the router login, they changed it and did not notify me.

                        1 Reply Last reply Reply Quote 1
                        • E
                          eICHiZ @Motleycru
                          last edited by Jul 4, 2023, 11:56 AM

                          @Motleycru GREAT!! Many thanks for the hint, and this solved it for me as well. Not knowing that they changed the way to authenticate for OpenVPN

                          1 Reply Last reply Reply Quote 0
                          • H
                            hadlem @Motleycru
                            last edited by Jul 4, 2023, 8:45 PM

                            @Motleycru
                            Thanks. This approach worked instantly for me.

                            1 Reply Last reply Reply Quote 0
                            • N
                              Norm @Motleycru
                              last edited by Jul 21, 2023, 11:24 PM

                              @Motleycru Bravo, well done, I had no idea Nord had done this. Your steps worked perfectly for me straight away. (I had already upgraded my router firmware and vpn-openssl packages!)

                              1 Reply Last reply Reply Quote 0
                              • V
                                venkidas @Motleycru
                                last edited by Oct 14, 2023, 2:39 PM

                                @Motleycru oh my oh my ...man ....thank you so so so much....so unbelievable....I wasted about 6 hours trying to debug this shit. I was so frustrated and wanted to whack someone from Nord, GL-Inet or dd-wrt ...what a mess .... a simple code comment on some screen would have saved 1000's of hours of people's time. Someone deserves to be whacked, seriously. But thank you so so much. I can get some sleep now

                                1 Reply Last reply Reply Quote 0
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.