OpenVPN Auth Errors after update to pfSense 2.3.3-RELEASE



  • Hi,

    Since upgrading pfSense to 2.3.3-RELEASE I have found my OpenVPN clients no longer connect, reporting an auth error. I have tried exporting the config and importing to a device again as well as resetting the users password. Any additional suggestions?

    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 TLS Auth Error: Auth Username/Password verification failed for peer
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 [xxx] Peer Connection Initiated with [AF_INET]82.132.94.57:14836
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 Delayed exit in 5 seconds
    Feb 25 14:36:25	openvpn	28337	82.132.94.57:14836 SENT CONTROL [ag]: 'AUTH_FAILED' (status=1)
    

  • Rebel Alliance Developer Netgate

    What auth settings do you have on the tunnel?
    Local? Remote (RADIUS/LDAP)?
    Does authentication still work for that user under Diag > Authentication?

    There were a couple of changes in that area but nothing that I've seen fail now that was working before.



  • How long have you let it attempt to connect for?  I have two clients configured and I noticed that after upgrading to 2.3.3, one was always up and connected following a reboot and the other was failing with authentication error messages similar to what you indicate.  But if I left it for a while (I want to say 10 to 15 minutes) it would eventually connect.  I realize that's not a solution, I'm just wondering if we may be seeing the same issue, and if so whether the fact that it eventually connects may be useful to the devs.  I wish I had my exact log entries, but I don't really want to reboot right now to provoke the issue.  If I do in the near future I'll try to remember to grab them and update this post.  I do recall that mine had some line about a tun device or address already being in use, which does not appear in what you pasted.



  • @jimp:

    What auth settings do you have on the tunnel?
    Local? Remote (RADIUS/LDAP)?
    Does authentication still work for that user under Diag > Authentication?

    There were a couple of changes in that area but nothing that I've seen fail now that was working before.

    I am seeing the same thing as well. I have a site I VPN into once or twice a week. Nothing changed on the client side, upgraded to 2.3.3 from 2.3.2 and now I can't get in.

    I have the VPN tunnel set up to use a RADIUS authentication server that goes back to MS Server 2012 via Network Policy Server hooked to AD.

    Test authentication works just fine under diags

    I am getting these error logs:
    TLS Auth Error: Auth Username/Password verification failed for peer
    WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    user 'XXXX' could not authenticate.


  • Rebel Alliance Developer Netgate

    Any errors or log entries elsewhere in the logs? The main system log perhaps?

    I just setup a RADIUS-based OpenVPN on 2.3.3 a few moments ago as a test and it works fine.

    Perhaps the Windows server is rejecting the access request for some reason, can you check the logs there?



  • You, sir, are correct!

    It seems that something in the update changed the format of the RADIUS request - the NPS server was rejecting the request as it couldn't match it to a connection policy.

    I was matching on NAS identifier = FQDN of the firewall, but now in the request it sends "openVPN" as the identifier.
    I updated the NPS server to match on Radius Client Friendly Name = FQDN of the firewall and now it works again.
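    The mechanism described above, as an added example that is not part of this thread: a minimal RADIUS attribute encoder/decoder (attribute types per RFC 2865) and two policy checks, one matching on the NAS-Identifier carried in the Access-Request and one matching on the NPS client friendly name, which is server-side metadata keyed by the client's source IP. The FQDN, IP address and user name are constructed values.

    ```python
    import struct

    # Constructed sample values (not from the thread): firewall FQDN and NPS client entry.
    FIREWALL_FQDN = "fw.example.com"            # assumed FQDN used in the old NPS policy
    FIREWALL_IP = "192.0.2.10"                  # assumed RADIUS client source address
    NPS_CLIENTS = {FIREWALL_IP: FIREWALL_FQDN}  # NPS "RADIUS client" entries: IP -> friendly name

    USER_NAME, NAS_IDENTIFIER = 1, 32           # RADIUS attribute types (RFC 2865)

    def encode_avps(attrs):
        """Encode a list of (type, bytes) pairs into RADIUS attribute-value pairs."""
        out = b""
        for t, v in attrs:
            out += struct.pack("BB", t, len(v) + 2) + v
        return out

    def decode_avps(data):
        """Decode RADIUS AVPs into a dict type -> bytes; rejects malformed lengths."""
        attrs, i = {}, 0
        while i < len(data):
            t, length = data[i], data[i + 1]
            if length < 2 or i + length > len(data):
                raise ValueError("malformed attribute")
            attrs[t] = data[i + 2:i + length]
            i += length
        return attrs

    def policy_nas_identifier(avps, src_ip):
        """Old policy: match only when the NAS-Identifier attribute equals the firewall FQDN.
        Breaks as soon as the NAS starts sending a different identifier string."""
        return avps.get(NAS_IDENTIFIER, b"").decode() == FIREWALL_FQDN

    def policy_friendly_name(avps, src_ip):
        """New policy: match on the NPS client friendly name looked up by source IP.
        The name lives on the NPS side, so what the NAS sends cannot break the match."""
        return NPS_CLIENTS.get(src_ip) == FIREWALL_FQDN

    def evaluate(nas_id, src_ip=FIREWALL_IP):
        """Build an Access-Request body with the given NAS-Identifier and run both policies."""
        req = encode_avps([(USER_NAME, b"alice"), (NAS_IDENTIFIER, nas_id.encode())])
        avps = decode_avps(req)
        return {"nas_identifier_policy": policy_nas_identifier(avps, src_ip),
                "friendly_name_policy": policy_friendly_name(avps, src_ip)}

    if __name__ == "__main__":
        print("2.3.2 style (FQDN):   ", evaluate(FIREWARE_FQDN if False else FIREWALL_FQDN))
        print("2.3.3 style (openVPN):", evaluate("openVPN"))
    ```

    Only the friendly-name policy keeps matching once the identifier changes to "openVPN"; a request from an unknown source address matches neither.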



  • @jimp:

    What auth settings do you have on the tunnel?
    Local? Remote (RADIUS/LDAP)?
    Does authentication still work for that user under Diag > Authentication?

    There were a couple of changes in that area but nothing that I've seen fail now that was working before.

    Hi,

    Local authentication, and yes, I get success when doing a diagnostic authentication. It is set up for TLS + user authentication plus the extra TLS packet authentication. I can't see anything new in the logs, be it OpenVPN or other system logs. I think I might try deleting the existing configuration and setting it up again just to see if I get a different result.



  • @firegood:

    You sir are correct!

    It seems that something in the update changed the format of the radius request - the NPS server was rejecting the request as it couldnt match to a connection policy.

    I was matching on NAS identifier = FQDN of the firewall, but now in the request it sends "openVPN" as the identifier.
    I updated the NPS server to match on Radius Client Friendly Name = FQDN of the firewall and now it works again.

    Yes, something's changed in the OpenVPN.. it's now just outputting "openVPN" rather than the FQDN.. changed that in my RADIUS server configs and all is well again.

    Any ideas why???



  • @firegood:

    @jimp:

    What auth settings do you have on the tunnel?
    Local? Remote (RADIUS/LDAP)?
    Does authentication still work for that user under Diag > Authentication?

    There were a couple of changes in that area but nothing that I've seen fail now that was working before.

    I am seeing the same thing as well. I have a site I VPN into once or twice a week. Nothing changed on the client side, upgraded to 2.3.3 from 2.3.2 and now I can't get in.

    I have the VPN tunnel set up to use a RADIUS authentication server that goes back to MS Server 2012 via Network Policy Server hooked to AD.

    Test authentication works just fine under diags

    I am getting these error logs:
    TLS Auth Error: Auth Username/Password verification failed for peer
    WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    user 'XXXX' could not authenticate.

    I would love to get with you and see how you have the RADIUS setup tied back into AD!