Sorry I missed the e-mail saying you had responded. I specified that my ssh public key was ben@bene-laptop, but it isn't anymore; I changed my username to bengland (to match kerberos ID for Red Hat). So should I just start from the beginning and regenerate the cert secret etc.? Everything else seems to work OK.
Also, should I be running openvpn as root or from my user account? If it's from my user account, that's the only way it would know to use ~bengland/.ssh/id-rsa*, right?
[root@bene-laptop openvpn]# openvpn --config sepia.conf --verb 5
Fri Aug 31 08:16:36 2018 us=421545 Current Parameter Settings:
Fri Aug 31 08:16:36 2018 us=421577 config = 'sepia.conf'
Fri Aug 31 08:16:36 2018 us=421587 mode = 0
Fri Aug 31 08:16:36 2018 us=421594 persist_config = DISABLED
Fri Aug 31 08:16:36 2018 us=421600 persist_mode = 1
Fri Aug 31 08:16:36 2018 us=421607 show_ciphers = DISABLED
Fri Aug 31 08:16:36 2018 us=421614 show_digests = DISABLED
Fri Aug 31 08:16:36 2018 us=421620 show_engines = DISABLED
Fri Aug 31 08:16:36 2018 us=421627 genkey = DISABLED
Fri Aug 31 08:16:36 2018 us=421632 key_pass_file = '[UNDEF]'
Fri Aug 31 08:16:36 2018 us=421638 NOTE: --mute triggered...
Fri Aug 31 08:16:36 2018 us=421651 272 variation(s) on previous 10 message(s) suppressed by --mute
Fri Aug 31 08:16:36 2018 us=421658 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Fri Aug 31 08:16:36 2018 us=421668 library versions: OpenSSL 1.1.0h-fips 27 Mar 2018, LZO 2.08
Fri Aug 31 08:16:36 2018 us=422175 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 31 08:16:36 2018 us=422190 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 31 08:16:36 2018 us=422196 LZO compression initializing
Fri Aug 31 08:16:36 2018 us=422244 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Aug 31 08:16:36 2018 us=477878 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Aug 31 08:16:36 2018 us=477984 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Aug 31 08:16:36 2018 us=478010 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Aug 31 08:16:36 2018 us=478045 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Fri Aug 31 08:16:36 2018 us=478153 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Aug 31 08:16:36 2018 us=478177 UDP link local: (not bound)
Fri Aug 31 08:16:36 2018 us=478202 UDP link remote: [AF_INET]8.43.84.129:1194
WRFri Aug 31 08:16:36 2018 us=524270 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=0e1e6dee c8c838a6
WFri Aug 31 08:16:36 2018 us=524433 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WRRFri Aug 31 08:16:36 2018 us=567264 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Fri Aug 31 08:16:36 2018 us=568038 VERIFY KU OK
Fri Aug 31 08:16:36 2018 us=568084 Validating certificate extended key usage
Fri Aug 31 08:16:36 2018 us=568124 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 31 08:16:36 2018 us=568151 VERIFY EKU OK
Fri Aug 31 08:16:36 2018 us=568174 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWRWFri Aug 31 08:16:37 2018 us=678602 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Fri Aug 31 08:16:37 2018 us=678644 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Fri Aug 31 08:16:38 2018 us=850051 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRFri Aug 31 08:16:38 2018 us=882911 AUTH: Received control message: AUTH_FAILED
Fri Aug 31 08:16:38 2018 us=883056 TCP/UDP: Closing socket
Fri Aug 31 08:16:38 2018 us=883106 SIGTERM[soft,auth-failure] received, process exiting
[root@bene-laptop openvpn]# cat /etc/openvpn/sepia.conf
script-security 1
client
remote vpn.sepia.ceph.com 1194
dev tun
remote-random
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-tun
persist-key
comp-lzo
verb 2
mute 10
remote-cert-tls server
tls-auth sepia/tlsauth 1
ca sepia/ca.crt
auth-user-pass sepia/secret