pfSense

Tested a potential change from Renato and it appears to work as expected

+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result=OK
+ auth_result=0
+ [ OK '=' OK ]
+ auth_result=1
+ printf %s 1
+ exit 0

OpenVPN auth both local and radius are now functioning for me

Hi all, after a recent upgrade to pfsense 2.5 as released, I had to manually apply the reverted patch ce76f299853dccb036de229f08a30013593c98fd. On my setup, I have OpenVPN with FreeRADIUS authentication (with OTP if relevant) for OpenVPN authentication to succeed.

Before applying the patch, I only got AUTH_FAILED on the client side.

Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!

Aurelian Rau wrote:

Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!

Unable to reproduce - it works fine with 'Local Database' + RADIUS/LDAP sources

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .

See Reporting Issues with pfSense Software for more information.

I am also having the same issue using "Local Database".

The error in the OpenVPN server log is "Connection reset, restarting [0]"

If I make the user password shorter like 10 characters it will auth fine.

On another note not sure if this is the right place or a new issue. I have issues earlier on in the authentication process that deals with the certs I have to make "/usr/local/sbin/ovpn_auth_verify" to always exit 0 or TLS verify fails.

similar issue: #4521

Another report of this issue. Setup is pfSense 21.02p1 OpenVPN + RADIUS + Yubikey. Logs show:

Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 TLS: Username/Password authentication deferred for username 'miverson' [CN SET]
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 [miverson] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Delayed exit in 5 seconds
Mar  2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
Mar  2 11:21:50 innen openvpn[27750]: 96.27.85.24:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting 

Applying the patch from #4521 did not fix it. Re-applying ce76f299853dccb036de229f08a30013593c98fd form here did. It's possible that both are needed in some circumstances.

Applying the patch from #4521 fixed the certificate verify before the AUTH_FAILED for me and applying ce76f299853dccb036de229f08a30013593c98fd from here fixed the AUTH_FAILED.

After applying the 2 patches I can now connect to OpenVPN.