OpenVPN – possible to log failed authentications

authenticationopenvpn

I do not know how the OpenVPN authentication protocol works in detail, which is why I am wondering if there is a possibility to log failed authentications.

E.g. if I try to use a invalid key file.
I tried it on my own with a changed key file and I got an error on the client side, but my OpenVPN server seems to log only the successful authentication attempts.

Is there a way to log these failed authentications or is this now needed for a secure server (if so, why?)

Thanks in advance

Best Answer

Set the appropriate level of log file verbosity for both server and client side

in server.conf and client.conf

verb 6

5 and 6 can help to debug connection problems 9 is extremely verbose

verb 6 and above in your situation should help. Regards

Related Solutions

Openvpn plugin openvpn-auth-ldap does not bind to Active Directory

I'v found it! I forgot f***g option client-cert-not-required in server config.

If somebody is interested, during my research what's happening I wrote external script to check user though LDAP. No openvpn-auth-ldap is needed, but you need to install ldap-utils.

In server config:

script-security 2
auth-user-pass-verify ldap-check-user.sh via-env

ldap-check-user.sh:

#!/bin/bash

bind_dn="cn=<user>,cn=Users,dc=domain,dc=com"
bind_pass="<password>"
host=rserver
port=389

dn=`ldapsearch -x -D "$bind_dn" -w $bind_pass -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=radix-tools" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" "dn" | cut -d':' -f 2`

if [ $? != 0 ]; then
        echo "Error: user $username not found."
        exit 1
fi

ldapsearch -x -D "$dn" -w $password -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=domain,dc=com" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" > /dev/null 2>&1

if [ $? != 0 ]; then
        echo "Error: password for $username is incorrect."
        exit 1
fi

exit 0

Openvpn – pfsense peer-to-peer OpenVPN not connecting

Most likely because the client can't communicate with the server on UDP 1194. Why, there are a number of possibilities to check, two most common:

no firewall rule permitting the traffic
1:1 NAT or port forward forwarding that traffic somewhere else

Best Answer

Related Solutions

Openvpn plugin openvpn-auth-ldap does not bind to Active Directory

Openvpn – pfsense peer-to-peer OpenVPN not connecting

Related Topic