being told auth failure, maybe dhcp error, can't connect to vpn

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
metc
Posts: 7
Joined: Sat Nov 11, 2023 10:06 pm

being told auth failure, maybe dhcp error, can't connect to vpn

Post by metc » Fri Nov 17, 2023 9:33 pm

Trying to connect my pfSense router to a SE vpn running on an ec2 instance. I know I'm hitting my target user, because the packets increase, but I'm not logging in, and getting a couple different errors:

OpenVpn's enabled on my server, and I took the CA certificate to make the authority:

Wasn't working if I didn't put in a password, so have a password set for the user. Yes, I'm putting it in correctly.

From OpenVpn client on router (note: I'm masking my ip on purpose):

Code: Select all

Nov 17 14:58:12	openvpn	17334	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 17 14:58:12	openvpn	17334	WARNING: experimental option --capath /var/etc/openvpn/client3/ca
Nov 17 14:58:17	openvpn	17334	TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Nov 17 14:58:17	openvpn	17334	UDPv4 link local (bound): [AF_INET]****:0
Nov 17 14:58:17	openvpn	17334	UDPv4 link remote: [AF_INET]****:1194
Nov 17 14:58:17	openvpn	17334	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 17 14:58:17	openvpn	17334	[ip-172-31-23-232.ec2.internal] Peer Connection Initiated with [AF_INET]****:1194
Nov 17 14:58:24	openvpn	17334	AUTH: Received control message: AUTH_FAILED
Nov 17 14:58:24	openvpn	17334	SIGUSR1[soft,auth-failure] received, process restarting
Nov 17 14:58:34	openvpn	17334	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 17 14:58:34	openvpn	17334	TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Nov 17 14:58:34	openvpn	17334	UDPv4 link local (bound): [AF_INET]****:0
Nov 17 14:58:34	openvpn	17334	UDPv4 link remote: [AF_INET]****:1194
Nov 17 14:58:34	openvpn	17334	[ip-172-31-23-232.ec2.internal] Peer Connection Initiated with [AF_INET]****:1194
Nov 17 14:58:40	openvpn	17334	AUTH: Received control message: AUTH_FAILED
Nov 17 14:58:40	openvpn	17334	SIGUSR1[soft,auth-failure] received, process restarting
Nov 17 14:58:50	openvpn	17334	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 17 14:58:50	openvpn	17334	TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Nov 17 14:58:50	openvpn	17334	UDPv4 link local (bound): [AF_INET]****:0
Nov 17 14:58:50	openvpn	17334	UDPv4 link remote: [AF_INET]****:1194
Nov 17 14:58:50	openvpn	17334	[ip-172-31-23-232.ec2.internal] Peer Connection Initiated with [AF_INET]****:1194
Nov 17 14:58:56	openvpn	17334	AUTH: Received control message: AUTH_FAILED
Nov 17 14:58:56	openvpn	17334	SIGUSR1[soft,auth-failure] received, process restarting
Nov 17 14:59:06	openvpn	17334	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 17 14:59:06	openvpn	17334	TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Nov 17 14:59:06	openvpn	17334	UDPv4 link local (bound): [AF_INET]****:0
Nov 17 14:59:06	openvpn	17334	UDPv4 link remote: [AF_INET]****:1194
Nov 17 14:59:06	openvpn	17334	[ip-172-31-23-232.ec2.internal] Peer Connection Initiated with [AF_INET]****:1194
Nov 17 14:59:12	openvpn	17334	AUTH: Received control message: AUTH_FAILED
Nov 17 14:59:12	openvpn	17334	SIGUSR1[soft,auth-failure] received, process restarting
Nov 17 14:59:20	openvpn	17334	SIGTERM[hard,init_instance] received, process exiting
From vpn server log:

Code: Select all

2023-11-17 20:59:58.834 OpenVPN Session 7 (****:51767 -> 172.31.23.232:1194) Channel 0: Option Strings Received: "V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client"
2023-11-17 20:59:58.834 OpenVPN Session 7 (****:51767 -> 172.31.23.232:1194) Channel 0: Client certificate is not provided, will use password authentication.
2023-11-17 20:59:58.834 OpenVPN Session 7 (****:51767 -> 172.31.23.232:1194) Channel 0: Option Strings to Send: "V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server"
2023-11-17 21:00:00.063 On the TCP Listener (Port 0), a Client (IP address ****, Host name "****", Port number 51767) has connected.
2023-11-17 21:00:00.063 For the client (IP address: ****, host name: "****", port number: 51767), connection "CID-9" has been created.
2023-11-17 21:00:00.063 SSL communication for connection "CID-9" has been started. The encryption algorithm name is "(null)".
2023-11-17 21:00:00.063 [HUB "DEFAULT"] The connection "CID-9" (IP address: ****, Host name: ****, Port number: 51767, Client name: "OpenVPN Client", Version: 4.43, Build: 9799) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "remote".
2023-11-17 21:00:00.063 [HUB "DEFAULT"] Connection "CID-9": Successfully authenticated as user "remote".
2023-11-17 21:00:00.063 [HUB "DEFAULT"] Connection "CID-9": The new session "SID-REMOTE-[OPENVPN_L3]-7" has been created. (IP address: ****, Port number: 51767, Physical underlying protocol: "Legacy VPN - OPENVPN_L3")
2023-11-17 21:00:00.063 [HUB "DEFAULT"] Session "SID-REMOTE-[OPENVPN_L3]-7": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2023-11-17 21:00:00.063 [HUB "DEFAULT"] Session "SID-REMOTE-[OPENVPN_L3]-7": VPN Client details: (Client product name: "OpenVPN Client", Client version: 443, Client build number: 9799, Server product name: "SoftEther VPN Server (64 bit)", Server version: 443, Server build number: 9799, Client OS name: "OpenVPN Client", Client OS version: "-", Client product ID: "-", Client host name: "", Client IP address: "****", Client port number: 51767, Server host name: "172.31.23.232", Server IP address: "172.31.23.232", Server port number: 1194, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "DEFAULT", Client unique ID: "43BA60E4B15A865A62DD2A5991C6C7F1")
2023-11-17 21:00:05.067 OpenVPN Session 7 (****:51767 -> 172.31.23.232:1194) Channel 0: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to. If you do not have a DHCP server, you can use the Virtual DHCP function of the SecureNAT on the Virtual Hub instead.
2023-11-17 21:00:05.067 OpenVPN Session 7 (****:51767 -> 172.31.23.232:1194) Channel 0: Failed to connect a channel.
2023-11-17 21:00:05.321 [HUB "DEFAULT"] Session "SID-REMOTE-[OPENVPN_L3]-7": The session has been terminated. The statistical information is as follows: Total outgoing data size: 0 bytes, Total incoming data size: 1276 bytes.
2023-11-17 21:00:05.341 Connection "CID-9" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2023-11-17 21:00:05.341 Connection "CID-9" has been terminated.
2023-11-17 21:00:05.341 The connection with the client (IP address ****, Port number 51767) has been disconnected.
After seeing that, I went and confirmed that I do have NAT and Virtual DHCP available on that hub:

Code: Select all

vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.43 Build 9799   (English)
Compiled 2023/08/31 10:50:49 by buildsan at crosswin with OpenSSL 3.0.9
Copyright (c) 2012-2023 SoftEther VPN Project. All Rights Reserved.

Connection has been established with VPN Server "127.0.0.1" (port 5555).

You have administrator privileges for the entire VPN Server.

VPN Server>hub default
Hub command - Select Virtual Hub to Manage
The Virtual Hub "DEFAULT" has been selected.
The command completed successfully.

VPN Server/DEFAULT>natget
NatGet command - Get Virtual NAT Function Setting of SecureNAT Function
Item                           |Value
-------------------------------+-----
Use Virtual NAT Function       |Yes
MTU Value                      |1500
TCP Session Timeout (Seconds)  |1800
UDP Session Timeout (Seconds)  |60
Save NAT and DHCP Operation Log|Yes
The command completed successfully.

VPN Server/DEFAULT>dhcpget
DhcpGet command - Get Virtual DHCP Server Function Setting of SecureNAT Function
Item                           |Value
-------------------------------+--------------
Use Virtual DHCP Function      |Yes
Start Distribution Address Band|192.168.30.10
End Distribution Address Band  |192.168.30.200
Subnet Mask                    |255.255.255.0
Lease Limit (Seconds)          |7200
Default Gateway Address        |None
DNS Server Address 1           |8.8.8.8
DNS Server Address 2           |8.8.4.4
Domain Name                    |
Save NAT and DHCP Operation Log|Yes
Static Routing Table to Push   |
The command completed successfully.

VPN Server/DEFAULT>
I'm not sure what else to try, since it looks like I am successfully authenticating to my user on the server, and I do have the dhcp enabled, so I should be getting my ip address. Any thoughts?

solo
Posts: 1520
Joined: Sun Feb 14, 2021 10:31 am

Re: being told auth failure, maybe dhcp error, can't connect to vpn

Post by solo » Fri Nov 17, 2023 11:30 pm

metc wrote:
Fri Nov 17, 2023 9:33 pm
I do have NAT and Virtual DHCP available on that hub
Yes they are available, but active? "StatusGet" will answer it.

metc
Posts: 7
Joined: Sat Nov 11, 2023 10:06 pm

Re: being told auth failure, maybe dhcp error, can't connect to vpn

Post by metc » Sat Nov 18, 2023 12:52 am

Ok, looks like the connection's a success! Yay!

My public ip didn't change as I expected. How do I get my public ip to change? Sorry if this is obvious. I'm pretty new to setting this stuff up.

Edit: looks like there may just be more config I need to do from my router for that...

Mrhron
Posts: 1
Joined: Fri Dec 22, 2023 5:06 am

Re: being told auth failure, maybe dhcp error, can't connect to vpn

Post by Mrhron » Fri Dec 22, 2023 6:44 am

Hello!
I have exactly the same problem, and the problem occurs only when connecting via openvpn, when using L2TP or the softether client there is no such problem.
Server version Ver 4.43, Build 9799, beta for Windows.
I'm guessing the problem is on the server side. I'll try to roll back to one of the previous versions.

Post Reply