Bug #9460
closedOpenVPN local auth failing due to fcgicli output
100%
Description
OpenVPN local auth is failing on 2.5.0, due to what appears to be a change in fcgicli output.
Testing with set -x
and some fake parameters shows it getting some extra output that it doesn't expect.
+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194' + result='OK (null)' + auth_result=0 + [ 'OK (null)' '=' OK ]
Looks like a simple fix to change it over to php-cgi.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset ce76f299853dccb036de229f08a30013593c98fd.
Updated by Jim Pingle over 5 years ago
- Status changed from Feedback to In Progress
- Assignee changed from Jim Pingle to Renato Botelho
- % Done changed from 100 to 0
Looks like the issue in fcgicli should be addressed as a better fix. Assigning to Renato per his request.
Updated by Jim Pingle over 5 years ago
Tested a potential change from Renato and it appears to work as expected
+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194' + result=OK + auth_result=0 + [ OK '=' OK ] + auth_result=1 + printf %s 1 + exit 0
Updated by Renato Botelho over 5 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
check_reload_status 0.0.10 should fix it
Updated by Jake K over 5 years ago
OpenVPN auth both local and radius are now functioning for me
Updated by Joakim Gilje over 3 years ago
Hi all, after a recent upgrade to pfsense 2.5 as released, I had to manually apply the reverted patch ce76f299853dccb036de229f08a30013593c98fd. On my setup, I have OpenVPN with FreeRADIUS authentication (with OTP if relevant) for OpenVPN authentication to succeed.
Before applying the patch, I only got AUTH_FAILED on the client side.
Updated by Aurelian Rau over 3 years ago
Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!
Updated by Viktor Gurov over 3 years ago
Aurelian Rau wrote:
Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!
Unable to reproduce - it works fine with 'Local Database' + RADIUS/LDAP sources
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .
See Reporting Issues with pfSense Software for more information.
Updated by Elon l over 3 years ago
I am also having the same issue using "Local Database".
The error in the OpenVPN server log is "Connection reset, restarting [0]"
If I make the user password shorter like 10 characters it will auth fine.
On another note not sure if this is the right place or a new issue. I have issues earlier on in the authentication process that deals with the certs I have to make "/usr/local/sbin/ovpn_auth_verify" to always exit 0 or TLS verify fails.
Updated by Marcos M over 3 years ago
Another report of this issue. Setup is pfSense 21.02p1 OpenVPN + RADIUS + Yubikey. Logs show:
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2 Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 TLS: Username/Password authentication deferred for username 'miverson' [CN SET] Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 [miverson] Peer Connection Initiated with [AF_INET]x.x.x.x:1194 Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PUSH: Received control message: 'PUSH_REQUEST' Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Delayed exit in 5 seconds Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1) Mar 2 11:21:50 innen openvpn[27750]: 96.27.85.24:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
Applying the patch from #4521 did not fix it. Re-applying ce76f299853dccb036de229f08a30013593c98fd form here did. It's possible that both are needed in some circumstances.
Updated by Elon l over 3 years ago
Applying the patch from #4521 fixed the certificate verify before the AUTH_FAILED for me and applying ce76f299853dccb036de229f08a30013593c98fd from here fixed the AUTH_FAILED.
After applying the 2 patches I can now connect to OpenVPN.