Netgate Discussion Forum

    WARNING: Failed running command (--auth-user-pass-verify): external program exit

    • B
      bheinsius

      Hi,

      After upgrade from 2.3.2_1 to 2.3.3_1, I cannot connect through openvpn anymore.
      pfsense openvpn log says:

      Apr 27 00:14:22	openvpn		user 'xxxxx' could not authenticate.
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 TLS Auth Error: Auth Username/Password verification failed for peer
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 [xxxxx] Peer Connection Initiated with [AF_INET]95.97.223.48:32594
      

      My openvpn client prompts me for user and password, which is good.
      openvpn client log says:

      Thu Apr 27 00:14:14 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
      Thu Apr 27 00:14:14 2017 Windows version 6.2 (Windows 8 or greater) 64bit
      Thu Apr 27 00:14:14 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
      Thu Apr 27 00:14:19 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
      Thu Apr 27 00:14:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:19 2017 UDP link local (bound): [AF_INET][undef]:1194
      Thu Apr 27 00:14:19 2017 UDP link remote: [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:19 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Thu Apr 27 00:14:20 2017 [VPN Server Cert] Peer Connection Initiated with [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:21 2017 AUTH: Received control message: AUTH_FAILED
      Thu Apr 27 00:14:21 2017 SIGUSR1[soft,auth-failure] received, process restarting
      
      

      Apart from unchecking General Settings: DNS Server Override Allow DNS server list to be overridden by DHCP/PPP on WAN, I did not change anything in the pfsense configuration.

      Any ideas?

      • jimpJ
        jimp Rebel Alliance Developer Netgate

        The username/password don't fail when tested. Either the username/password is wrong, or somehow it's failing to authenticate. Without knowing more about the server settings it's impossible to say what might be happening.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • B
          bheinsius

          I just recreated the pfsense user to be sure I got the correct username/password, but the problem remains.
          What server settings can I post to help diagnose?

          • B
            bheinsius

            In the Endian forum at http://www.efwsupport.com/index.php?topic=5261.0 I found this:

            I had the same problem, just change in /etc/openvpn/openvpn.conf.tmpl
            from auth-user-pass-verify "/usr/bin/openvpn-auth-user-pass" via-env to auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
            and then restart the service.
            This will work.

            I applied this change to my /var/etc/openvpn/server1.conf and restarted the openvpn server and now I can connect again.
            Is this a safe change to make permanently?

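How the two delivery methods named in the post above reach a verify script, and why OpenVPN logs "external program exited with error status: 1" whenever the script finds no usable credentials. This is an added example, not part of the thread and not pfSense's `ovpn_auth_verify`; the account, the password and the `check_backend` function are constructed for illustration.

```shell
#!/bin/sh
# Added example, not pfSense's ovpn_auth_verify. OpenVPN only looks at the
# handler's exit status: 0 accepts the client, anything else rejects it.

# Read credentials from whichever channel OpenVPN used:
#   via-file: path to a temp file, username on line 1, password on line 2
#   via-env : "username" and "password" environment variables
load_credentials() {
    AUTH_USER='' AUTH_PASS='' AUTH_METHOD=none
    if [ -n "${1:-}" ] && [ -r "${1:-}" ]; then
        AUTH_METHOD=via-file
        { IFS= read -r AUTH_USER || true; IFS= read -r AUTH_PASS || true; } < "$1"
    elif [ -n "${username:-}" ]; then
        AUTH_METHOD=via-env
        AUTH_USER=$username
        AUTH_PASS=${password:-}
    fi
    [ -n "$AUTH_USER" ] && [ -n "$AUTH_PASS" ]
}

# Hypothetical backend with one constructed account; a real handler would
# query the configured authentication server instead.
check_backend() {
    [ "$1" = "alice" ] && [ "$2" = "constructed-example-pass" ]
}

# Full check. With via-file, OpenVPN appends the temp file path as the last
# argument of the configured command; pass that path in as $1.
verify() {
    load_credentials "${1:-}" ||
        { echo "no credentials received (method: $AUTH_METHOD)" >&2; return 1; }
    check_backend "$AUTH_USER" "$AUTH_PASS" ||
        { echo "user '$AUTH_USER' could not authenticate" >&2; return 1; }
}

# Demo with constructed input: the same account through each channel.
tmp=$(mktemp)
printf 'alice\nconstructed-example-pass\n' > "$tmp"
verify "$tmp" && echo "via-file: exit 0 (accept)"
rm -f "$tmp"
( username=alice; password=constructed-example-pass; verify "" ) &&
    echo "via-env: exit 0 (accept)"
# Nothing delivered (handler and config disagree on the method): rejected.
( unset username password; verify "" 2>/dev/null ) ||
    echo "no credentials: exit 1 (reject)"
```

OpenVPN's manual requires `script-security 3` before it will pass the password with `via-env`; with `via-file` it deletes the temporary file after the script returns.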
            • B
              bheinsius

              I compared this line in /var/etc/openvpn/server1.conf between 2.3.3-RELEASE (i386) and 2.3.3-RELEASE-p1 (amd64):

              2.3.3-RELEASE (i386):

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxxxxxxx false server1 1194" via-env
              
              

              2.3.3-RELEASE-p1 (amd64):

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
              

              So something seems to have changed between these versions (?)

              • B
                bheinsius

                To get it working on 2.3.3-RELEASE-p1 (amd64) I changed this afternoon:

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
                

                to

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-file
                

                I just looked again and now 2.3.3-RELEASE-p1 (amd64) reads:

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxx false server1 1194" via-env
                

                the same as on 2.3.3-RELEASE (i386).

                Do the settings get updated after changing via-env to via-file?

                • J
                  jvorhees

                  Hi!

                  Same problem here after upgrade to 2.3.4: user auth is successful via diagnostics (for LDAP or local database auth servers, no changes made here between upgrade),
                  but fails for ovpn clients using LDAP or local DB on the ovpn server side configuration.

                  Clients are prompted to enter credentials again and again.

                  ovpn server log:

                  WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
                  user 'testuser' authenticated 
                  

                  User still authenticated? :o

                  Any clues?

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate

                    We saw this happen to a customer the other day; something was broken in their PHP installation and it was messing with the way the auth script was returning a value to the caller.

                    At least for them, running "pkg update -f; pkg upgrade -f" to reinstall everything fixed it up. But it could be a sign of something deeper.

                    • B
                      bheinsius

                      It may have the same cause as the problem at https://forum.pfsense.org/index.php?topic=127274 "Short hostnames not working on 2.3.3"
                      There you have to make a change in the dns forwarder settings to get it working properly after a reboot. It does not matter what you change.
                      It looks like some post-boot trigger is missing somewhere.
