WARNING: Failed running command (–auth-user-pass-verify): external program exit
-
Hi,
After upgrade from 2.3.2_1 to 2.3.3_1, I cannot connect through openvpn anymore.
pfsense openvpn log says:Apr 27 00:14:22 openvpn user 'xxxxx' could not authenticate. Apr 27 00:14:22 openvpn 15998 1.2.3.4:32594 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1 Apr 27 00:14:22 openvpn 15998 1.2.3.4:32594 TLS Auth Error: Auth Username/Password verification failed for peer Apr 27 00:14:22 openvpn 15998 1.2.3.4:32594 [xxxxx] Peer Connection Initiated with [AF_INET]95.97.223.48:32594
My openvpn client prompts me for user and password, which is good.
openvpn client log says:Thu Apr 27 00:14:14 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017 Thu Apr 27 00:14:14 2017 Windows version 6.2 (Windows 8 or greater) 64bit Thu Apr 27 00:14:14 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09 Thu Apr 27 00:14:19 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead. Thu Apr 27 00:14:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1194 Thu Apr 27 00:14:19 2017 UDP link local (bound): [AF_INET][undef]:1194 Thu Apr 27 00:14:19 2017 UDP link remote: [AF_INET]4.3.2.1:1194 Thu Apr 27 00:14:19 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Thu Apr 27 00:14:20 2017 [VPN Server Cert] Peer Connection Initiated with [AF_INET]4.3.2.1:1194 Thu Apr 27 00:14:21 2017 AUTH: Received control message: AUTH_FAILED Thu Apr 27 00:14:21 2017 SIGUSR1[soft,auth-failure] received, process restarting
Apart from unchecking General Settings: DNS Server Override Allow DNS server list to be overridden by DHCP/PPP on WAN, I did not change anything in the pfsense configuration.
Any ideas?
-
The username/password don't fail when tested. Either the username/password is wrong, or somehow it's failing to authenticate. Without knowing more about the server settings it's impossible to say what might be happening.
-
I just recreated the pfsense user to be sure i got correct username/password but the problem remains.
what server settings can I post to help diagnose? -
In the Endian forum at http://www.efwsupport.com/index.php?topic=5261.0 I found this:
i had the same problem, just change in /etc/openvpn/openvpn.conf.tmpl
from auth-user-pass-verify "/usr/bin/openvpn-auth-user-pass" via-env to auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
and then restart service.
this will work.I applied this change to my /var/etc/openvpn/server1.conf and restarted the openvpn server and now I can connect again.
Is this a safe change to make permanently? -
I compared this line in /var/etc/openvpn/server1.conf between 2.3.3-RELEASE (i386) and 2.3.3-RELEASE-p1 (amd64):
2.3.3-RELEASE (i386):
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxxxxxxx false server1 1194" via-env
2.3.3-RELEASE-p1 (amd64):
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
so something seems to have changed between these versions (?)
-
To get it working on 2.3.3-RELEASE-p1 (amd64) I changed this afternoon:
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
to
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-file
I just looked again and now 2.3.3-RELEASE-p1 (amd64) reads:
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxx false server1 1194" via-env
the same as on 2.3.3-RELEASE (i386).
Do the settings get updated after changing via-env to via-file?
-
Hi !
Same problem here after upgrade to 2.3.4, user auth is successful via diagnostics (for ldap or local database auth servers, no changes made here between upgrade),
but fail for ovpn clients using ldap or local db on ovpn server side configuration.Clients are prompted to enter again and again credentials
ovpn server log:
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1 user 'testuser' authenticated
User still authenticated ? :o
Any clues ?
-
We saw this happen to a customer the other day, something was broken in their PHP installation and it was messing with the way the auth script was returning a value to the caller.
At least for them, running "pkg update -f; pkg upgrade -f" to reinstall everything fixed it up. But it could be a sign of something deeper.
-
It may have the same cause as the problem at https://forum.pfsense.org/index.php?topic=127274 "Short hostnames not working on 2.3.3"
There you have to make a change in the dns forwarder settings to get it working properly after a reboot. It does not matter what you change.
It looks like some post-boot trigger is missing somewhere.