OpenVPN update from Stretch Backports broke PAM authentication

[jimdoe]

I wanted to bump my version of OpenVPN 2.4 installed on Debian Stretch (2.4.0-6+deb9u2) to a more recent version, so updated the openvpn package using the stretch backports repository, which has the 2.4.4 openvpn package.

The update seemed to go fine, with no reported errors.

However, upon testing the actual server connection after the update, I found that the update had broken the Multi Factor Authentication I had had setup using PAM to authenticate using the user password as well as a OTP code generated by google authenticator.

What was strange was that when I went into the log to investigate, I found that it was reporting that /usr/lib/openvpn/openvpn-plugin-auth-pam.so was missing, and so I then discovered that the entire /usr/lib/openvpn directory had disappeared since the update.

Is this expected behaviour that I'm not aware of?

I thought it would be as simple a fix as copying over the /usr/lib/openvpn directory and its contents from a .img backup I had of my debian installation. Whilst this fixed the missing directory problem, the google-authenticator part of the module was no longer working, and authentication was failing every time.

It was not until I commented out

auth required pam_google_authenticator.so forward_pass

from /etc/pam.d/openvpn that I was able to connect using PAM, but it was now only asking for my password. Something about the update to 2.4.4 messed with both the directory that openvpn-plugin-auth-pam.so is in, but also the interaction between PAM and google authenticator.

[Selva Nair]

The openvpn pam plugin in stretch must be in /usr/lib/x86_64-linux-gnu/openvpn/plugins/

[Gert Döring]

Sounds like a packaging bug on the Debian side, but not much we can do on the OpenVPN side about it (except notify the Debian maintainer, in case this is not known and long fixed).