OpenVPN Cannot Authenticate - Google Authenticator Code Incorrect – Android Windows 10

When trying to set up and authenticate to an AWS instance running OpenVPN, a user could not complete a new connection to OpenVPN after entering the initial username and password. They received the error: Permission denied. This was after successfully setting up the OpenVPN client on Windows 10 and scanning an authenticator code using the Google Authenticator app on a Samsung S8 Active Android mobile phone running Android 8.0.0 ‘lollipop’. Ultimately, the reason the user could not authenticate was that their mobile phone’s time was off by about 3 minutes. Continue below for additional information on how to troubleshoot this and other authentication issues with OpenVPN.

When troubleshooting OpenVPN login errors it’s a good idea to first try some of the following:

Unlock a Disabled or Locked account on OpenVPN Admin console

To check for the events related to a user lockout, first log into the Admin web console > Status > Log Reports. Here you will find the errors related to bad authentication and eventually an account lockout.

The errors you may find could be the following:

Google Authenticator Code is incorrect.
LOCKOUT: user temporarily locked out due to multiple authentication failures.

To unlock a user account (if using local authentication), log in to the Admin Web Console, go to “General” under Authentication and change Authentication to “PAM”, then Save Settings > Update Running Server. Then change Authentication back to “Local” > Save Settings > Update Running Server.

This procedure should unlock disabled or locked user accounts on OpenVPN.

Reset A User Account on OpenVPN

To reset a user’s OpenVPN account:

Log in to the admin web console, click on User Permissions.

Find the username, place a checkmark in the Delete column, then Apply > Save. Next, re-create the account.
Scroll to the bottom of the list, type the new user name:
Eg. jcoltrin
Save > update server

Go back, find the username again in the list and hit Show:

Enter in the Local Password: (S3cr3tP@ssw0rd!)
Save > Update

Check OpenVPN for Valid Concurrent License

In the admin web console, under the Configuration menu, click License. Check that your concurrent users have not reached or exceeded the limits of your licenses (under At a glance) and that your licenses have not expired.

Use SSH to check the logs of the OpenVPN server and get the specific errors for an individual’s login problems.

After logging into the server using Putty/SSH, you can change directory to the scripts directory:

cd /usr/local/openvpn_as/scripts/

and then issue the command ./authcli --user <username> --pass S3cr3tP@ssw0rd

./authcli --user jcoltrin --pass S3cr3tP@ssw0rd

This will produce something similar to the following information:

Result:
API METHOD: authenticate
AUTH_RETURN
  status : COM_FAULT
  reason : An error occurred while connecting: 13: Permission denied. (twisted.internet.error.ConnectError)
  user : jcoltrin

Additionally, you can find more messages related to authentication failures in /var/log. You’ll find these messages in the latest log files:

openvpnas.log

openvpnas.log.1

Use your favorite editor (vi) to search through the logs

vi openvpnas.log

Use the command / followed by the username to search for that term, and hit “n” to go to the next instance of your term, for example:

/jcoltrin > n > n

and then :q to quit.

Here are some typical error messages for my authentication errors:

2019-02-26 14:03:26-0800 [-] WEB OUT: "2019-02-26 14:03:26-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'local auth failed: password verification failed: auth/authlocal:42,web/http:1609,web/http:750,web/server:126,web/server:133,xml/authrpc:110,xml/authrpc:164,internet/defer:102,xml/authsess:50,sagent/saccess:86,xml/authrpc:244,xml/authsess:50,xml/authsess:103,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authlocal:42,util/error:61,util/error:44', 'user': 'jcoltrin'}"
2019-02-26 14:19:40-0800 [-] WEB OUT: "2019-02-26 14:19:40-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'no_lockout': True, 'reason': 'challenge', 'user': 'jcoltrin', 'proplist': {'pvt_google_auth_secret_locked': 'true', 'prop_cli.script.win.user.connect': '[redacted]', 'pvt_google_auth_secret': '[redacted]', 'prop_autogenerate': 'true', 'prop_deny': 'false', 'prop_cli.script.win.user.disconnect': '[redacted]', 'prop_superuser': 'false', 'pvt_password_digest': '[redacted]', 'prop_cli.script.linux.user.connect': '[redacted]', 'prop_autologin': 'false', 'conn_group': 'Default', 'type': 'user_connect'}, 'client_reason': 'CRV1:R,E:[redacted]==:Enter Google Authenticator Code'}"
2019-02-26 14:20:08-0800 [-] WEB OUT: '2019-02-26 14:20:08-0800 [UDSProxyQueryProtocol,client] Web login failed (twisted.cred.error.UnauthorizedLogin)'
2019-02-26 14:21:30-0800 [-] WEB OUT: "2019-02-26 14:21:30-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'client_reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'user': 'jcoltrin'}"
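
Instead of paging through the log in vi, the failure records can be pulled out and counted per user. This is an added example, not part of the original article or of OpenVPN's tooling; the sample lines are constructed and shortened from the format shown above, and the exact log form of the "Google Authenticator Code is incorrect" message is an assumption.

```python
import ast
from collections import Counter, defaultdict

MARKER = "Web login authentication failed: "

# Constructed sample lines, shortened from the openvpnas.log format shown above.
SAMPLE_LOG = r'''
2019-02-26 14:03:26-0800 [-] WEB OUT: "2019-02-26 14:03:26-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'local auth failed: password verification failed: auth/authlocal:42', 'user': 'jcoltrin'}"
2019-02-26 14:19:40-0800 [-] WEB OUT: "2019-02-26 14:19:40-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'no_lockout': True, 'reason': 'challenge', 'user': 'jcoltrin', 'proplist': {'prop_deny': 'false'}, 'client_reason': 'CRV1:R,E:[redacted]==:Enter Google Authenticator Code'}"
2019-02-26 14:20:08-0800 [-] WEB OUT: '2019-02-26 14:20:08-0800 [UDSProxyQueryProtocol,client] Web login failed (twisted.cred.error.UnauthorizedLogin)'
2019-02-26 14:20:41-0800 [-] WEB OUT: "2019-02-26 14:20:41-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'Google Authenticator Code is incorrect.', 'user': 'jcoltrin'}"
2019-02-26 14:21:30-0800 [-] WEB OUT: "2019-02-26 14:21:30-0800 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'client_reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'reason': 'LOCKOUT: user temporarily locked out due to multiple authentication failures', 'user': 'jcoltrin'}"
'''

def parse_failure(line):
    """Return the failure dict logged on this line, or None if there is none."""
    start = line.find(MARKER)
    if start < 0:
        return None
    body = line[start + len(MARKER):]
    end = body.rfind("}")          # the dict may be nested, so cut at the last brace
    if end < 0:
        return None
    try:
        record = ast.literal_eval(body[:end + 1])   # parses literals only, never executes code
    except (ValueError, SyntaxError):
        return None
    return record if isinstance(record, dict) else None

def classify(reason):
    """Map the logged 'reason' text to a short triage category."""
    if reason.startswith("LOCKOUT"):
        return "lockout"
    if reason == "challenge":
        return "mfa_prompt"        # server asked for the code; not a failure by itself
    if "Google Authenticator" in reason:
        return "bad_otp"
    if "password verification failed" in reason:
        return "bad_password"
    return "other"

def summarize(text):
    """Count failure categories per user across all log lines."""
    per_user = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_failure(line)
        if rec:
            per_user[rec.get("user", "?")][classify(str(rec.get("reason", "")))] += 1
    return {user: dict(counts) for user, counts in per_user.items()}

def locked_out(summary):
    """Users with at least one LOCKOUT record, i.e. accounts that need unlocking."""
    return sorted(u for u, c in summary.items() if c.get("lockout"))
```

A user whose summary shows bad_otp entries with no bad_password entries points at the authenticator code rather than the password, which is the pattern the clock problem described below produces.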

Make sure the phone with Google Authenticator has the correct time and set the phone to sync its clock with the network/carrier

As mentioned at the beginning of this article, the original login issue came down to the Android phone on which Google Authenticator was running having its time off by about 3 minutes. To set the correct time on an Android Galaxy S8 Active, go to Settings > General Management > Date and Time > Set/Turn on Automatic Date and Time.

I’m not sure why this phone had its time set to not have automatic sync with the network/carrier. This may have been due to a recent Android update because I found this setting off on a couple of phones in the office. Ensure the time on your server is accurate as well by issuing the bash/ssh command:

date 

Your result should look like the following:

openvpnas@openvpnas2:/var/log$ date
Thu Feb 28 14:46:57 PST 2019

If you find the time on your server is not accurate, check out my article on how to set the time on Ubuntu and Synchronize NTP here.
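
Why a clock that is about 3 minutes off produces "Google Authenticator Code is incorrect": the code is an HMAC over the current 30-second time step (RFC 6238), so phone and server must agree on which step it is. The following is an added example, not code from the original article or from OpenVPN; the secret is the RFC 6238 test key, the timestamps are constructed, and the ±1 step acceptance window is an assumption, since the page does not state the tolerance OpenVPN Access Server applies.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default, as used by Google Authenticator)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Return the matching step offset, or None if no step in the window matches.

    window=1 (assumed) accepts the server's current step and one step either side.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None

def steps_off(phone_time, server_time):
    """How many 30-second steps the phone's clock is ahead of the server's."""
    return int(phone_time) // STEP - int(server_time) // STEP

# Constructed values for the demonstration.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test key "12345678901234567890"
SERVER_TIME = 1551393600                      # constructed server clock reading
PHONE_TIME = SERVER_TIME + 180                # phone running about 3 minutes fast

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    print("phone is", steps_off(PHONE_TIME, SERVER_TIME), "steps ahead")
    print("server accepts phone code:", verify(SECRET, code, SERVER_TIME) is not None)
```

A 3-minute error is 6 time steps, far outside a ±1 step window, so every code the phone shows is rejected until the clock is corrected and repeated attempts end in the lockout seen in the log.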

Android Development cont…

So I’ve gotten a little further in development of Android apps. Although I spend a little time each day digging further into Java, I’ve begun using the free App Inventor by MIT for Android. The App Inventor API is a lot like Scratch. UI objects can be dragged and dropped from the palette onto the viewer. From here, the components used are listed in the component viewer and the properties of each are listed on the right.

My first project is a Daily Kids Report where caregivers can fill out a form and then submit it.


Once your objects have been placed in the Viewer, the workflow, methods and actions are “coded” with the “Blocks Editor”. Each of the blocks that I’ve used is placed into “My Blocks”. Each block has a set of defined functions and properties that will only fit with other “blocks”.


Even a “simple” app can get complicated, but I’ve found this type of programming has accelerated my development goals and is giving me a great introduction into programming structures and logic.

Finally, as the app is developed, it’s compiled and run on the fly in an Android Emulator. Once you’re satisfied with the results, you can easily package the app as an .apk that can be installed on a phone (that allows ‘non-signed’ developer mode installs).


I’ve gotten to the point where I’m happy with the basic structure and data points the app collects. My next goal is to change the way the Submit button works and have it populate a second Preview screen. Then in the Preview screen, if satisfied with the results, the user has the option to send an SMS text message or email with the information that was entered in an easy to read format.

Other ideas I have are to add the ability to include a photo or record a short voice message.

Android App Development with Eclipse, the Android SDK, and more Java

So my foray into Android App development has begun and I’m happy that I have Eclipse up and running with the Android SDK. I have a virtual NexusOne up and running my first Hello World App. The only real snag I encountered was being unable to build an .apk and run my first few test apps because of the error: SDK does not have any Build Tools installed. I went to C:\Users\Jason\android-sdks and found that the Build Tools directory was empty (despite running the SDK manager and re-installing the Build-Tools component). This was resolved by re-downloading the SDK, extracting the zipped files to C:\Downloads\adt-bundle-windows-x86_64-20130522 and then manually copying the contents of the Build Tools folder from the unzipped location to my c:\users directory.


I’ve also progressed in my Java studies to become better at understanding and looking for which code will compile and which code will produce a compiler error. Also I’m becoming more comfortable with string arrays, getting Java to find out how many words are in each list, generating random numbers that are constrained to an index within the array, and building a string phrase using words within the arrays. For example:

String[] cats = {"Tricksie", "Gunner", "Bear", "Apache", "Esmeralda"};
int x = cats.length;                   // number of names in the array
int rand1 = (int) (Math.random() * x); // random index from 0 to x - 1
String phrase = cats[rand1];
System.out.println(phrase + " is a name for a cat.");

– The first output could be: Bear is a name for a cat.

– The second output would probably be a different name and so on.

The logic of while and if statements can get tricky when creating an application that will output results when checking on conditions of your variables. For example,

class Test {
    public static void main(String[] args) {
        int x = 0;
        int y = 0;
        while (x < 5) {
            x = x + 1;
            y = y + x;
            // print x and y side by side, followed by a space
            System.out.print(x + "" + y + " ");
            x = x + 1;
        }
    }
}

In this instance, the output would be:

11 34 59

If x starts out as 0, then it passes the condition of being < 5, so the loop continues. 1 is added to x, so its value = 0 + 1 = 1. It is told to print out its value as 1 and then add another 1 onto itself, and so on until its value is greater than 5, at which time the output ceases due to the while condition no longer being true.

While, do-while, and for loops always have to pass a conditional test, that is, an expression that results in a boolean value: either true or false.