Bug #10409

OpenVPN client without userpass hangs system startup

Added by Viktor Gurov 7 months ago. Updated 28 days ago.

Status: Resolved
Priority: Normal
Category: OpenVPN
Target version:
Start date: 04/02/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:
Description

If you create an OpenVPN client connection with user authentication
but don't enter the password, the system hangs on startup with the prompt:

Syncing OpenVPN settings...Enter Auth Password:

Associated revisions

Revision 298ecdb5 (diff)
Added by Viktor Gurov about 1 month ago

OpenVPN client userpass is mandatory. Issue #10409

History

#1 Updated by Viktor Gurov 7 months ago

OpenVPN client userpass is mandatory

Fix:
https://github.com/pfsense/pfsense/pull/4257

#2 Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review
  • Affected Version changed from 2.4.5 to All

Copying note here from GitHub:

I seem to recall there was a specific reason we allowed the password to be empty. There was an auth use case which required it at some point, but I can't find notes about it anywhere now. I do see 7304c0234042868d91ab484d839a8c69087871be (#3633) but that case is blank user but filled in password.

That same issue with being blocked waiting for auth can happen if the username is blank as well as the password, if the server requires user auth, so it's not something we can always prevent. We do add auth-retry nointeract which is supposed to prevent this. But the user can override that by checking "Do not retry connection when authentication fails".
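The condition discussed in this ticket can be checked before boot by linting the generated client config. The following is an added example, not pfSense code or part of any comment above: it flags an `auth-user-pass` directive with no credentials file or with an empty password line, and a missing `auth-retry nointeract`. The function names, the file path and the sample credentials are constructed for illustration.

```python
# Added example, not pfSense code. Paths and credential contents are constructed.

def parse_directives(config_text):
    """Map each directive to its argument list; a later line overrides an earlier one."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or OpenVPN comment
            continue
        name, *args = line.split()           # assumption: no quoted paths with spaces
        directives[name.lstrip("-")] = args
    return directives


def prompt_risks(config_text, read_file):
    """Return reasons this client config could stop at a console credential prompt.

    read_file(path) -> str is passed in so the check can run on sample data.
    """
    d = parse_directives(config_text)
    if "auth-user-pass" not in d:
        return []                            # no user/password auth configured
    risks = []
    args = d["auth-user-pass"]
    if not args:
        risks.append("auth-user-pass has no credentials file")
    else:
        lines = read_file(args[0]).splitlines()
        password = lines[1].strip() if len(lines) > 1 else ""
        if not password:
            risks.append("password line in %s is empty or missing" % args[0])
    if d.get("auth-retry") != ["nointeract"]:
        risks.append("auth-retry nointeract is not set")
    return risks


# Constructed sample: the case from the ticket (username saved, password left blank).
SAMPLE_FILES = {"/tmp/example-client.up": "vpnuser\n\n"}
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
auth-user-pass /tmp/example-client.up
auth-retry nointeract
"""

if __name__ == "__main__":
    for risk in prompt_risks(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__):
        print("WARN:", risk)
```
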

#3 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4 Updated by Max Leighton 28 days ago

  • Status changed from Feedback to Resolved

Tested in
2.5.0-DEVELOPMENT (amd64)
built on Sun Sep 20 06:59:15 EDT 2020
FreeBSD 12.2-PRERELEASE

As expected, the password requirement still exists at boot, but there is now an informational warning urging users who will not enter a username or password here to use the "Do not retry connection when authentication fails" option.

Marking the ticket resolved.
