Bug #13327
closed
Valid OpenVPN client connections rejected due to extraneous output to ovpn_auth_verify
100%
Description
OpenVPN was observed rejecting client connections that were previously accepted and had not expired. Research led to /usr/local/sbin/ovpn_auth_verify. When using TLS, this code calls
/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php and compares the response to "OK". In my case the response received was "....OK", which did not match and caused the connection to be dropped. A log file is attached to this report.
Others have experienced the same problem, as shown in the last half of the forum discussion at: https://forum.netgate.com/topic/171706/user-auth-failed/5
Issuing the same php-cgi command manually showed that the leading dots are apparently a progress indicator for a (not very) long running process. This suggests that the problem will only impact slower or heavily loaded systems.
As a workaround I altered ovpn_auth_verify as follows as compared to git commit 8f2f85c:
@41a42
> RESULT=$(echo $RESULT | tr -d ".")
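Review bot: the added line's tr -d "." deletes every dot in the response, not only the leading progress dots, so a response such as "O.K" or "OK." would also compare equal to "OK". The unquoted $RESULT in echo $RESULT is also subject to word splitting and glob expansion before the comparison. Because this comparison decides whether a client connection is accepted, strip only a leading run of dots from a quoted "$RESULT" (for example by repeatedly applying "${RESULT#.}"), or preferably stop the progress output at its source so the exact match against "OK" can stay strict.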
A copy of the modified ovpn_auth_verify file will be attached to this report.
I first observed and patched this problem 15/Jul/2021. I am available to test proposed changes.
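The comparison failure described in this report, reproduced as an added example; this is not the pfSense ovpn_auth_verify script or the reporter's patch file. The function names are hypothetical and the sample responses are constructed. It compares an exact match against "OK", a match after removing only leading dots, and a match after deleting every dot.

```shell
#!/bin/sh
# Added illustration of the "....OK" mismatch; not code from pfSense.

# Exact comparison, as the report describes the verify script doing.
check_strict() {
    [ "$1" = "OK" ]
}

# Remove only a leading run of '.' characters, then require exactly "OK".
# Anything else (trailing dots, embedded dots, other text) is rejected.
check_leading_dots() {
    cld_result=$1
    while [ "${cld_result#.}" != "$cld_result" ]; do
        cld_result=${cld_result#.}
    done
    [ "$cld_result" = "OK" ]
}

# Delete every dot anywhere in the response before comparing.
check_all_dots() {
    cad_result=$(printf '%s' "$1" | tr -d '.')
    [ "$cad_result" = "OK" ]
}

# Turn a check's exit status into a word for the table below.
verdict() {
    if "$@"; then echo accept; else echo reject; fi
}

# Constructed sample responses, including the one from the report.
run_samples() {
    for rs_sample in "OK" "....OK" "O.K" "OK." "....FAILED" ""; do
        printf '%-12s strict=%s leading=%s all=%s\n' \
            "[$rs_sample]" \
            "$(verdict check_strict "$rs_sample")" \
            "$(verdict check_leading_dots "$rs_sample")" \
            "$(verdict check_all_dots "$rs_sample")"
    done
}

run_samples
```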