<p>pfSense bugtracker (https://redmine.pfsense.org/)</p>
<p>pfSense - Bug #9460: OpenVPN local auth failing due to fcgicli output</p>
<p><strong>Jim Pingle</strong>, 2019-04-05T23:10:16Z, https://redmine.pfsense.org/issues/9460?journal_id=40353</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Change ovpn_auth_verify_async to php-cgi. Fixes #9460" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/ce76f299853dccb036de229f08a30013593c98fd">ce76f299853dccb036de229f08a30013593c98fd</a>.</p>
<p><strong>Jim Pingle</strong>, 2019-04-08T08:20:52Z, https://redmine.pfsense.org/issues/9460?journal_id=40365</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li><li><strong>Assignee</strong> changed from <i>Jim Pingle</i> to <i>Renato Botelho</i></li><li><strong>% Done</strong> changed from <i>100</i> to <i>0</i></li></ul><p>Looks like the issue in fcgicli should be addressed as a better fix. Assigning to Renato per his request.</p>
<p><strong>Jim Pingle</strong>, 2019-04-08T17:49:30Z, https://redmine.pfsense.org/issues/9460?journal_id=40366</p>
<ul></ul><p>Tested a potential change from Renato and it appears to work as expected</p>
<pre>
+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result=OK
+ auth_result=0
+ [ OK '=' OK ]
+ auth_result=1
+ printf %s 1
+ exit 0
</pre>
<p><strong>Renato Botelho</strong> (renato@netgate.com), 2019-04-08T19:18:43Z, https://redmine.pfsense.org/issues/9460?journal_id=40367</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>check_reload_status 0.0.10 should fix it</p>
<p><strong>Jake K</strong>, 2019-04-29T22:19:15Z, https://redmine.pfsense.org/issues/9460?journal_id=40436</p>
<ul></ul><p>OpenVPN auth both local and radius are now functioning for me</p>
<p><strong>Jim Pingle</strong>, 2019-04-30T07:05:48Z, https://redmine.pfsense.org/issues/9460?journal_id=40437</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
<p><strong>Joakim Gilje</strong>, 2021-02-19T07:56:15Z, https://redmine.pfsense.org/issues/9460?journal_id=51295</p>
<ul></ul><p>Hi all, after a recent upgrade to pfSense 2.5 as released, I had to manually apply the reverted patch ce76f299853dccb036de229f08a30013593c98fd. On my setup, I have OpenVPN with FreeRADIUS authentication (with OTP if relevant) for OpenVPN authentication to succeed.</p>
<p>Before applying the patch, I only got AUTH_FAILED on the client side.</p>
<p><strong>Aurelian Rau</strong>, 2021-02-20T06:23:47Z, https://redmine.pfsense.org/issues/9460?journal_id=51343</p>
<ul></ul><p>Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.<br />We do not want to manually modify anything, will a fix for this be released publicly eventually?<br />Thank you!</p>
<p><strong>Viktor Gurov</strong>, 2021-02-20T07:48:35Z, https://redmine.pfsense.org/issues/9460?journal_id=51344</p>
<ul></ul><p>Aurelian Rau wrote:</p>
<blockquote>
<p>Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.<br />We do not want to manually modify anything, will a fix for this be released publicly eventually?<br />Thank you!</p>
</blockquote>
<p>Unable to reproduce - it works fine with 'Local Database' + RADIUS/LDAP sources</p>
<p>For assistance in solving problems, please post on the <a href="https://forum.netgate.com" class="external">Netgate Forum</a> or the <a href="https://www.reddit.com/r/pfSense/" class="external">pfSense Subreddit</a>.</p>
<p>See <a href="https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html" class="external">Reporting Issues with pfSense Software</a> for more information.</p>
<p><strong>Elon l</strong>, 2021-02-21T00:02:24Z, https://redmine.pfsense.org/issues/9460?journal_id=51366</p>
<ul></ul><p>I am also having the same issue using "Local Database".</p>
<p>The error in the OpenVPN server log is "Connection reset, restarting [0]"</p>
<p>If I make the user password shorter, like 10 characters, it will auth fine.</p>
<p>On another note, not sure if this is the right place or a new issue. I have issues earlier on in the authentication process that deals with the certs; I have to make "/usr/local/sbin/ovpn_auth_verify" always exit 0 or TLS verify fails.</p>
<p><strong>Viktor Gurov</strong>, 2021-02-21T01:19:17Z, https://redmine.pfsense.org/issues/9460?journal_id=51371</p>
<ul></ul><p>similar issue: <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgic... (Closed)" href="https://redmine.pfsense.org/issues/4521">#4521</a></p>
<p><strong>Marcos M</strong>, 2021-03-03T15:38:21Z, https://redmine.pfsense.org/issues/9460?journal_id=51912</p>
<ul></ul><p>Another report of this issue. Setup is pfSense 21.02p1 OpenVPN + RADIUS + Yubikey. Logs show:</p>
<pre>
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 TLS: Username/Password authentication deferred for username 'miverson' [CN SET]
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 [miverson] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Delayed exit in 5 seconds
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
Mar 2 11:21:50 innen openvpn[27750]: 96.27.85.24:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
</pre>
<p>Applying the patch from <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgic... (Closed)" href="https://redmine.pfsense.org/issues/4521">#4521</a> did not fix it. Re-applying ce76f299853dccb036de229f08a30013593c98fd from here did. It's possible that both are needed in some circumstances.</p>
<p><strong>Elon l</strong>, 2021-03-03T16:23:37Z, https://redmine.pfsense.org/issues/9460?journal_id=51916</p>
<ul></ul><p>Applying the patch from <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: OpenVPN authentication and certificate validation fail due to size of data passed through ``fcgic... (Closed)" href="https://redmine.pfsense.org/issues/4521">#4521</a> fixed the certificate verify before the AUTH_FAILED for me and applying ce76f299853dccb036de229f08a30013593c98fd from here fixed the AUTH_FAILED.</p>
<p>After applying the 2 patches I can now connect to OpenVPN.</p>