Bug #9460
closed
OpenVPN local auth failing due to fcgicli output
Added by Jim Pingle over 5 years ago.
Updated over 3 years ago.
Affected Architecture:
All
Description
OpenVPN local auth is failing on 2.5.0, due to what appears to be a change in fcgicli output.
Testing with set -x and some fake parameters shows it getting some extra output that it doesn't expect.
+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result='OK
(null)'
+ auth_result=0
+ [ 'OK
(null)' '=' OK ]
Looks like a simple fix to change it over to php-cgi.
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to In Progress
- Assignee changed from Jim Pingle to Renato Botelho
- % Done changed from 100 to 0
Looks like the issue in fcgicli should be addressed as a better fix. Assigning to Renato per his request.
Tested a potential change from Renato and it appears to work as expected
+ /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d 'username=amltcA%3D%3D&password=amltcA%3D%3D&cn=&strictcn=false&authcfg=TG9jYWwgRGF0YWJhc2U=&modeid=server2&nas_port=1194'
+ result=OK
+ auth_result=0
+ [ OK '=' OK ]
+ auth_result=1
+ printf %s 1
+ exit 0
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
check_reload_status 0.0.10 should fix it
OpenVPN auth both local and radius are now functioning for me
- Status changed from Feedback to Resolved
Hi all, after a recent upgrade to pfsense 2.5 as released, I had to manually apply the reverted patch ce76f299853dccb036de229f08a30013593c98fd. On my setup, I have OpenVPN with FreeRADIUS authentication (with OTP if relevant) for OpenVPN authentication to succeed.
Before applying the patch, I only got AUTH_FAILED on the client side.
Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!
Aurelian Rau wrote:
Hello, as Joakim Gilje mentioned, this issue is still present in the release version of pfSense 2.5. We had our OpenVPN instance configured to accept both AD authentication and local database - as long as local database is selected, authenticating with either local users or AD users will always fail. If we only select AD authentication, we can log in with AD users without issues.
We do not want to manually modify anything, will a fix for this be released publicly eventually?
Thank you!
Unable to reproduce - it works fine with 'Local Database' + RADIUS/LDAP sources
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .
See Reporting Issues with pfSense Software for more information.
I am also having the same issue using "Local Database".
The error in the OpenVPN server log is "Connection reset, restarting [0]"
If I make the user password shorter like 10 characters it will auth fine.
On another note not sure if this is the right place or a new issue. I have issues earlier on in the authentication process that deals with the certs I have to make "/usr/local/sbin/ovpn_auth_verify" to always exit 0 or TLS verify fails.
Another report of this issue. Setup is pfSense 21.02p1 OpenVPN + RADIUS + Yubikey. Logs show:
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 TLS: Username/Password authentication deferred for username 'miverson' [CN SET]
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 [miverson] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 Delayed exit in 5 seconds
Mar 2 11:21:45 innen openvpn[27750]: 96.27.85.24:1194 SENT CONTROL [someuser]: 'AUTH_FAILED' (status=1)
Mar 2 11:21:50 innen openvpn[27750]: 96.27.85.24:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
Applying the patch from #4521 did not fix it. Re-applying ce76f299853dccb036de229f08a30013593c98fd form here did. It's possible that both are needed in some circumstances.
Applying the patch from #4521 fixed the certificate verify before the AUTH_FAILED for me and applying ce76f299853dccb036de229f08a30013593c98fd from here fixed the AUTH_FAILED.
After applying the 2 patches I can now connect to OpenVPN.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by Viktor Gurov 
Updated by 
Updated by