Updated 2026: Ubuntu 15.10 (Wily Werewolf) reached end-of-life in July 2016. This specific bug was fixed in subsequent Ubuntu releases. If you’re running a modern Ubuntu and hitting PAM authentication failures with OpenVPN, check whether your systemd unit file has CapabilityBoundingSet configured; the same principle applies: PAM’s audit module requires CAP_AUDIT_WRITE.

After upgrading a server to Ubuntu 15.10, my OpenVPN tunnel stopped working. The server uses the PAM plugin for authentication, combined with two-step verification, so PAM working correctly is non-negotiable.

Since I keep all configuration files under etckeeper, the first step was a git log under /etc on both server and client. Nothing had changed on either side.

The logs pointed straight at the PAM plugin:

12:47:46 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 TLS: Initial packet from [AF_INET]x.x.8.234:64484
12:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
00:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
12:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 TLS Auth Error: Auth Username/Password verification failed for peer
12:47:50 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)

(I was providing the correct credentials (that’s not the issue.)

Root cause Link to heading

This is Bug #1511524 in Ubuntu’s OpenVPN package: the systemd unit file for OpenVPN ships with a CapabilityBoundingSet that doesn’t include CAP_AUDIT_WRITE. PAM’s audit module needs that capability to write to the kernel audit log, and without it, PAM authentication silently fails.

Fix Link to heading

You have three options:

  1. Stop the systemd service and launch OpenVPN directly (quick but not persistent).

  2. Add CAP_AUDIT_WRITE to the capability bounding set. Edit /lib/systemd/system/openvpn@.service and update the CapabilityBoundingSet line to include it:

    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
    
  3. Wait for a fixed package: Ubuntu shipped a corrected unit file in a subsequent update.

After applying option 2, reload systemd and restart OpenVPN:

systemctl daemon-reload
systemctl restart openvpn

A successful PAM authentication now looks like this in the logs:

13:03:49 ovpn-3-rtr.bgo ovpn-server[5186]: x.x.10.176:61423 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
13:03:49 ovpn-3-rtr.bgo ovpn-server[5186]: x.x.10.176:61423 TLS: Username/Password authentication succeeded for username 'x'