Updated 2026: Ubuntu 15.10 (Wily Werewolf) reached end-of-life in July 2016. This specific bug was fixed in subsequent Ubuntu releases. If you’re running a modern Ubuntu and hitting PAM authentication failures with OpenVPN, check whether your systemd unit file has
CapabilityBoundingSetconfigured; the same principle applies: PAM’s audit module requiresCAP_AUDIT_WRITE.
After upgrading a server to Ubuntu 15.10, my OpenVPN tunnel stopped working. The server uses the PAM plugin for authentication, combined with two-step verification, so PAM working correctly is non-negotiable.
Since I keep all configuration files under etckeeper, the first step was a git log under /etc on both server and client. Nothing had changed on either side.
The logs pointed straight at the PAM plugin:
12:47:46 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 TLS: Initial packet from [AF_INET]x.x.8.234:64484
12:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
00:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
12:47:48 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 TLS Auth Error: Auth Username/Password verification failed for peer
12:47:50 ovpn-3-rtr.bgo ovpn-server[982]: x.x.8.234:64484 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
(I was providing the correct credentials (that’s not the issue.)
Root cause Link to heading
This is Bug #1511524 in Ubuntu’s OpenVPN package: the systemd unit file for OpenVPN ships with a CapabilityBoundingSet that doesn’t include CAP_AUDIT_WRITE. PAM’s audit module needs that capability to write to the kernel audit log, and without it, PAM authentication silently fails.
Fix Link to heading
You have three options:
Stop the systemd service and launch OpenVPN directly (quick but not persistent).
Add
CAP_AUDIT_WRITEto the capability bounding set. Edit/lib/systemd/system/openvpn@.serviceand update theCapabilityBoundingSetline to include it:CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITEWait for a fixed package: Ubuntu shipped a corrected unit file in a subsequent update.
After applying option 2, reload systemd and restart OpenVPN:
systemctl daemon-reload
systemctl restart openvpn
A successful PAM authentication now looks like this in the logs:
13:03:49 ovpn-3-rtr.bgo ovpn-server[5186]: x.x.10.176:61423 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
13:03:49 ovpn-3-rtr.bgo ovpn-server[5186]: x.x.10.176:61423 TLS: Username/Password authentication succeeded for username 'x'