<p>pfSense bugtracker</p>
<p>pfSense - Bug #13327: Valid OpenVPN client connections rejected due to extraneous output to ovpn_auth_verify</p>
<p><strong>Jim Pingle</strong> (2022-07-05T07:35:52Z, https://redmine.pfsense.org/issues/13327?journal_id=62082)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>There isn't enough information to go on here. This is working for us in the lab and for most if not all users of the current release.</p>
<p>The linked forum thread references 2.4.5 which is very outdated. We can only accept reports against the most recent release.</p>
<p>If you can find a way to replicate it on a clean installation of a current release, or ideally on the latest development snapshot, please provide the entire procedure to reproduce the problem.</p>
<p><strong>Brian Martin</strong> (2022-07-05T09:36:54Z, https://redmine.pfsense.org/issues/13327?journal_id=62095)</p>
<ul><li><strong>File</strong> <a href="/attachments/4335">ovpn.cfg.sanitized</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/4335/ovpn.cfg.sanitized">ovpn.cfg.sanitized</a> added</li></ul><p>I neglected to mention in the bug report and the forum thread that I'm on release 2.6.0, the current stable release. Further, the affected file, ovpn_auth_verify, has not been subsequently changed from the master according to GitHub, so I'm at the very latest version of that file at least.</p>
<p>Regarding replicating the problem, I think the key is the hardware I'm running it on, and the fact I'm using TLS.</p>
<p>Here are excerpts from the pfSense dashboard that may help on the hardware side:<br /><pre>
CPU Type
Intel(R) Atom(TM) CPU C2758 @ 2.40GHz
8 CPUs: 1 package(s) x 8 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: Yes (inactive)
Memory: 4G
Current load average: 0.14, 0.19, 0.16
</pre></p>
<p>So, an old system but perfectly adequate for my needs except for this one issue.</p>
<p>I'm using TLS-verify, which causes ovpn_verify_auth to take a different path and call /etc/inc/openvpn.tls-verify.php. I don't know enough PHP to understand the script well, but I see it calls openssl in several places, and openssl often prints dots as a progress indicator. This may be the source of the stray dots that you saw in the log attached previously.</p>
<p>I don't have a lab system to test on, and I'm somewhat hesitant to move off of STABLE on my production system, but I have good backups and can do that if you think that is necessary.</p>
<p>I'll attach a copy of my OpenVPN configuration (hopefully adequately sanitized -- please alert me if I've published anything sensitive) so you can see all my settings.</p>
<p>The problem occurs every time without my patch, and never occurs with the patch. Some others are seeing it too, although not very many.</p>
<p>I've previously offered to test patch candidates. How else can I help you reproduce the problem? I'm ready to assist in any way I can.</p>
<p><strong>Massimo Vannucci</strong> (2022-07-06T13:01:13Z, https://redmine.pfsense.org/issues/13327?journal_id=62107)</p>
<p>I'm experiencing the exact same problem reported by Brian Martin.<br />Unfortunately I don't have enough knowledge of PHP to understand why it returns a "....OK" for us, so it is difficult for me to tell you how to reproduce the steps.</p>
<p>pfSense version<br /><pre><code class="shell syntaxhl">2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
</code></pre></p>
<p>Hardware<br /><pre><code class="shell syntaxhl">Intel(R) Celeron(R) CPU J3160 @ 1.60GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No
4GB of RAM
</code></pre></p>
<p>Let me know if there are other tests I can run to help everybody to fix this issue.</p>
<p><strong>Marcos M</strong> (2023-06-04T18:20:03Z, https://redmine.pfsense.org/issues/13327?journal_id=67761)</p>
<p><a class="user active" href="https://redmine.pfsense.org/users/46971">Brian Martin</a> Do you still experience the issue on pfSense+ 23.05?</p>
<p><strong>Brian Martin</strong> (2023-06-04T22:50:44Z, https://redmine.pfsense.org/issues/13327?journal_id=67762)</p>
<p>I'm glad to hear this issue hasn't been forgotten.</p>
<p>I'll need some help to answer that. I'm using the community edition, and the dashboard reports I'm on the latest edition, identified as "2.6.0-RELEASE". I don't know how to correlate that to "pfSense+ 23.05".</p>
<p>To work around the issue I patched <strong>/usr/local/sbin/ovpn_auth_verify</strong> to insert the following after gathering RESULT but before comparing it to "OK":</p>
<blockquote>
<p><code>RESULT=$(echo $RESULT | tr -d ".")</code></p>
</blockquote>
<p>That patch is still there, but if I comment it out the failure still occurs.</p>
<p>If 2.6.0-RELEASE correlates to pfSense+ 23.05, please provide a checksum of the unaltered /usr/local/sbin/open_auth_verify, so I can verify that I am testing the correct version of the code. Otherwise, please advise me as to how to come up to the equivalent version, and I'll be happy to retest.</p>
<p><strong>Marcos M</strong> (2023-06-04T22:59:19Z, https://redmine.pfsense.org/issues/13327?journal_id=67763)</p>
<p>Migrate to pfSense+ by following the guide here:<br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/install/migrate-to-plus.html">https://docs.netgate.com/pfsense/en/latest/install/migrate-to-plus.html</a></p>
<p>Alternatively, update to pfSense CE 2.7 (System &gt; Update).</p>
<p><strong>Brian Martin</strong> (2023-06-05T02:09:12Z, https://redmine.pfsense.org/issues/13327?journal_id=67764)</p>
<p>Thank you. CE 2.7 is still in development, and I'm not currently interested in moving to pfSense+, so I won't be prepared to test for a bit. Once CE 2.7 reaches stable status, I expect to move to it fairly quickly. I'm sorry I can't be of any help sooner. I'd really like to test this fix.</p>
<p><strong>Brian Martin</strong> (2023-07-14T14:03:09Z, https://redmine.pfsense.org/issues/13327?journal_id=68535)</p>
<p>I just tested with CE 2.7. I confirmed that my <a class="external" href="https://redmine.pfsense.org/issues/13327#note-5">patch</a> is no longer present after the upgrade, and that I now no longer need the patch in order to log in. The problem appears to be fixed to me. That's great! Thank you so much.</p>
<p>May I ask ... what changed that fixed this issue?</p>
<p><strong>Jim Pingle</strong> (2023-07-14T14:53:50Z, https://redmine.pfsense.org/issues/13327?journal_id=68536)</p>
<ul><li><strong>Status</strong> changed from <i>Rejected</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>
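<p>The failure mode discussed in this issue, as an added example that is not part of the original thread and is not the contents of /usr/local/sbin/ovpn_auth_verify: an auth hook that compares a helper's captured stdout to "OK" rejects a valid verdict when stray dots precede it, while deleting the dots before the exact comparison still rejects everything that is not "OK". The functions <code>fake_helper</code>, <code>decide_exact</code> and <code>decide_stripped</code> and the sample verdicts are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example. fake_helper is a constructed stand-in for the PHP
# verification helper; it is NOT pfSense code.
fake_helper() {
    # $1 = verdict to print, $2 = number of stray dots written first
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '.'
        i=$((i + 1))
    done
    printf '%s\n' "$1"
}

# Exact comparison: any extra byte on stdout turns a valid "OK" into a reject.
decide_exact() {
    RESULT=$(fake_helper "$1" "$2")
    [ "$RESULT" = "OK" ] && echo accept || echo reject
}

# Same normalisation as the workaround in the thread (variable quoted here):
# delete dots, then compare exactly. Only the literal "OK" is accepted, so
# the check stays fail-closed for every other verdict.
decide_stripped() {
    RESULT=$(fake_helper "$1" "$2")
    RESULT=$(echo "$RESULT" | tr -d ".")
    [ "$RESULT" = "OK" ] && echo accept || echo reject
}

# Constructed cases: "<verdict> <dot count>"
for tc in "OK 0" "OK 4" "FAILED 0" "FAILED 4"; do
    set -- $tc
    printf '%-8s dots=%s exact=%s stripped=%s\n' "$1" "$2" \
        "$(decide_exact "$1" "$2")" "$(decide_stripped "$1" "$2")"
done
```
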