Project

General

Profile

Actions

Bug #9460

closed

OpenVPN local auth failing due to fcgicli output

Added by Jim Pingle over 5 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
04/05/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:
All

Description

OpenVPN local auth is failing on 2.5.0, due to what appears to be a change in fcgicli output.

Testing with set -x and some fake parameters shows it getting some extra output that it doesn't expect.

+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result='OK
(null)'
+ auth_result=0
+ [ 'OK
(null)' '=' OK ]

Looks like a simple fix to change it over to php-cgi.

Actions #1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to In Progress
  • Assignee changed from Jim Pingle to Renato Botelho
  • % Done changed from 100 to 0

Looks like the issue in fcgicli should be addressed as a better fix. Assigning to Renato per his request.

Actions #3

Updated by Jim Pingle over 5 years ago

Tested a potential change from Renato and it appears to work as expected

+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result=OK
+ auth_result=0
+ [ OK '=' OK ]
+ auth_result=1
+ printf %s 1
+ exit 0
Actions #4

Updated by Renato Botelho over 5 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

check_reload_status 0.0.10 should fix it

Actions #5

Updated by Jake K over 5 years ago

OpenVPN auth both local and radius are now functioning for me

Actions #6

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
Actions #7

Updated by Joakim Gilje almost 4 years ago

Hi all, after a recent upgrade to pfsense 2.5 as released, I had to manually apply the reverted patch ce76f299853dccb036de229f08a30013593c98fd. On my setup, I have OpenVPN with FreeRADIUS authentication (with OTP if relevant) for OpenVPN authentication to succeed.

Before applying the patch, I only got AUTH_FAILED on the client side.

Actions #8

Updated by Aurelian Rau almost 4 years ago

Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!

Actions #9

Updated by Viktor Gurov almost 4 years ago

Aurelian Rau wrote:

Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!

Unable to reproduce - it works fine with 'Local Database' + RADIUS/LDAP sources

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .

See Reporting Issues with pfSense Software for more information.

Actions #10

Updated by Elon l almost 4 years ago

I am also having the same issue using "Local Database".

The error in the OpenVPN server log is "Connection reset, restarting [0]"

If I make the user password shorter like 10 characters it will auth fine.

On another note not sure if this is the right place or a new issue. I have issues earlier on in the authentication process that deals with the certs I have to make "/usr/local/sbin/ovpn_auth_verify" to always exit 0 or TLS verify fails.

Actions #11

Updated by Viktor Gurov almost 4 years ago

similar issue: #4521

Actions #12

Updated by Marcos M almost 4 years ago

Another report of this issue. Setup is pfSense 21.02p1 OpenVPN + RADIUS + Yubikey. Logs show:

Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 TLS: Username/Password authentication deferred for username 'miverson' [CN SET]
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 [miverson] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Delayed exit in 5 seconds
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
Mar  2 11:21:50 innen openvpn[27750]: 96.27.85.24:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting 

Applying the patch from #4521 did not fix it. Re-applying ce76f299853dccb036de229f08a30013593c98fd form here did. It's possible that both are needed in some circumstances.

Actions #13

Updated by Elon l almost 4 years ago

Applying the patch from #4521 fixed the certificate verify before the AUTH_FAILED for me and applying ce76f299853dccb036de229f08a30013593c98fd from here fixed the AUTH_FAILED.

After applying the 2 patches I can now connect to OpenVPN.

Actions

Also available in: Atom PDF