Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    User Auth Failed

    Scheduled Pinned Locked Moved OpenVPN
    15 Posts 3 Posters 3.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • blasterspikeB
      blasterspike @ryoung81
      last edited by

      I'm testing a fix, let me know if this works for you as well.
      Get a shell access to your pfSense box, edit this file

      /usr/local/sbin/ovpn_auth_verify_async
      

      and change line #78 from

      if [ "${result}" = "OK" ]; then
      

      to

      if [ "${result}" = "....OK" ]; then
      
      B 1 Reply Last reply Reply Quote 0
      • B
        bpmartin @blasterspike
        last edited by

        @blasterspike I'm having the same problem with ovpn_auth_verify (no _async). The equivalent fix seems to resolve the problem, but I can't see where the "...." prefix is coming from. I'm no PHP guy, but the routine it calls to generate ${RESULT} appears to just be returning "OK" (no dots). Yet when I run it from the command line, dots appear.

        My fix was to leave the conditional as-is, and insert immediately above it:

        [ "${RESULT}" = "...OK" ]] && RESULT="OK" # Remove dots if present
        

        If yours is the fix, is it going into some future update? I don't want to have to keep patching this myself.

        blasterspikeB 1 Reply Last reply Reply Quote 0
        • blasterspikeB
          blasterspike @bpmartin
          last edited by

          Unfortunately I know very little too about PHP to be able to debug this issue.
          I don't think that Netgate is aware of this, therefore I don't see a patch coming. I have seen a tendency in their issue tracker that you have to provide the complete debug and point at where the error is for the bug to be taken into consideration.
          I have already spent enough time debugging it, hopefully someone more capable on PHP will be able to help us.

          I hate too thinking about patching this at every upgrade.

          R B 2 Replies Last reply Reply Quote 0
          • R
            ryoung81 @blasterspike
            last edited by

            @blasterspike we actually just went ahead and moved our production over to fortigate. No issues :/

            1 Reply Last reply Reply Quote 0
            • B
              bpmartin
              last edited by

              Looking into the further, I believe I've found out why it's happening. When ovpn_auth_verify runs the php-cgi command to run /etc/inc/openvpn.auth-user.php, ovpn.auth-user.php or some lower level command may conditionally print dots as a progress indicator. On fast systems, no dots appear. On slower systems, 1 or more dots may appear. Probably they would appear on a fast system too, if the system were under a heavy load.

              This also means that the number of dots preceding "OK" is variable. Matching a specific number of leading dots is not reliable. My new patch is:

              41a42
              > RESULT=$(echo $RESULT | tr -d ".")
              

              The variable number of dots also explains why reports aren't more widespread. It only happens on variably, depending on system performance and load.

              1 Reply Last reply Reply Quote 0
              • B
                bpmartin
                last edited by

                I neglected to mention that I'm experiencing this on the current stable release, 2.6.0, built 31/Jan/2022.

                1 Reply Last reply Reply Quote 0
                • B
                  bpmartin @blasterspike
                  last edited by bpmartin

                  @blasterspike I know you've subsequently migrated off of pfSense, but is there any chance you can tell me what release of pfSense you were running when you last experienced this problem?

                  I have but 13327 open with the developers, but they're rejecting it because they think the report is on an outdated release. I'd like to document which release you were experiencing this problem with, and what hardware you were running pfSense on.

                  Also, was this the reason you migrated off, or or there other issues?

                  blasterspikeB 1 Reply Last reply Reply Quote 0
                  • blasterspikeB
                    blasterspike @bpmartin
                    last edited by blasterspike

                    @bpmartin I'm still using pfSense, I think you are confusing me with ryoung81.

                    I'm using

                    2.6.0-RELEASE (amd64)
                    built on Mon Jan 31 19:57:53 UTC 2022
                    FreeBSD 12.3-STABLE
                    

                    In total, I had to edit 2 files with this "....OK" trick to have OpenVPN working again
                    /usr/local/sbin/ovpn_auth_verify
                    /usr/local/sbin/ovpn_auth_verify_async

                    I discovered this problem about User Auth Failed while debugging this other issue
                    https://forum.netgate.com/topic/171707/openvpn-server-certificate-verify-failed-on-pfsense-2-6-0/3

                    I don't even think that my hardware is suffering to justify this behaviour, I'm using pfSense at home and the traffic is low.
                    However this is the box where it is running

                    Intel(R) Celeron(R) CPU J3160 @ 1.60GHz
                    4 CPUs: 1 package(s) x 4 core(s)
                    AES-NI CPU Crypto: Yes (active)
                    QAT Crypto: No 
                    
                    4GB of RAM
                    
                    1 Reply Last reply Reply Quote 0
                    • B
                      bpmartin
                      last edited by bpmartin

                      Apologies for the confustion @blasterspike ... I was obviously reading and writing too early in the morning.

                      The bug report can be found at:

                      https://redmine.pfsense.org/issues/13327

                      It's currently in "Rejected" status because the developer thought it was in regards to an obsolete release. I'd appreciate it if you and others that are on current releases would update the ticket to include that it's affecting you, too. I think it may be performance related, so basic hardware information may be useful too. I just copied my CPU info off the pfSense Dashboard, and added the amount of memory I have.

                      Right now I'm afraid I have a credibility problem, understandably, since this is a widely used package and I'm the only one reporting it. Showing that more sites are experiencing it might be enough to get it fixed. Especially so since one possible fix is just one line of code that I've already provided.

                      blasterspikeB 1 Reply Last reply Reply Quote 1
                      • blasterspikeB
                        blasterspike @bpmartin
                        last edited by

                        @bpmartin I have replied to that issue as well. Unfortunately as it is closed, I believe it will go into oblivion...

                        B 1 Reply Last reply Reply Quote 0
                        • B
                          bpmartin @blasterspike
                          last edited by

                          @blasterspike Thank you for updating the bug. Since Jim Pingle took ownership and rejected it, I'm hoping he'll get update notifications, review it, and consider reopening it. If not, I'll look for other ways to reach out. I suppose you could open a bug of your own, too, if you thought that was a good idea. You could just refer to 13327 and report you're having the same experience on the current release. I'm not sure which approach will be the most effective. We know it's a real bug - it's just that the developers don't.

                          1 Reply Last reply Reply Quote 0
                          • M mlaustin referenced this topic on
                          • johnpozJ johnpoz referenced this topic on
                          • johnpozJ johnpoz referenced this topic on
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.