PfSense (2.3.3) Hangs on boot with invalid OpenVPN password



  • I've noticed an issue when configuring pfSense as an OpenVPN client:

    If an OpenVPN client is configured with an incorrect password, pfSense will hang at boot waiting indefinitely on the password to be entered via the console.
    Please see below where pfSense hangs during boot.
    [Edit] I've since noticed that it hangs on boot waiting for a password, even with a correct password set via the web-gui [/Edit]

    ***** FILE SYSTEM MARKED CLEAN *****
    Filesystems are clean, continuing…
    Mounting filesystems...

    [pfSense ASCII-art logo]

    Welcome to pfSense 2.3.3-RELEASE (Patch 1) on the 'pfSense' platform...

    No core dumps found.
    Creating symlinks......ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/perl5/5.24/mach/CORE
    32-bit compatibility ldconfig path: /usr/lib32
    done.
    External config loader 1.0 is now starting... da0s1 da0s1a da0s1b
    Launching the init system....... done.
    Initializing.................. done.
    Starting device manager (devd)...done.
    Loading configuration......done.
    Updating configuration...done.
    Cleaning backup cache.................................done.
    Setting up extended sysctls...done.
    padlock0: No ACE support.
    aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm> on motherboard
    Setting timezone...done.
    Configuring loopback interface...done.
    Starting syslog...done.
    Starting Secure Shell Services...done.
    Setting up polling defaults...done.
    Setting up interfaces microcode...done.
    Configuring loopback interface...done.
    Creating wireless clone interfaces...done.
    Configuring LAGG interfaces...done.
    Configuring VLAN interfaces...done.
    Configuring QinQ interfaces...done.
    Configuring WAN interface...done.
    Configuring LANWIRELESS interface...done.
    Configuring LANPHYSICAL interface...done.
    Configuring LAN interface...done.
    Configuring CARP settings...done.
    Syncing OpenVPN settings...Enter Auth Password:

    Only after entering a correct password via the console will pfSense continue to boot. If the remote server has changed or invalidated the password, it appears pfSense can no longer be completely booted without console access.

    Can anyone replicate this, or advise on how to prevent the boot hang (without removing the OpenVPN configuration)?



  • Do you use certificates with passwords?



  • @Fabio72:

    Do you use certificates with passwords?

    There's a trusted CA certificate used in conjunction with this VPN provider if that is what you're asking, but no certificate in use requires a password to decrypt.



  • I have exactly the same behavior after updating to 2.3.3.
    I have not solved it yet.



  • Maybe it is because /var/etc/openvpn/server1.tls-auth has ^M in it, but I can only try it next week. Maybe you can try it, o2051867?



  • > due the /var/etc/openvpn/server1.tls-auth has ^M

    No, it's not that.


  • Rebel Alliance Developer Netgate

    Try adding this to your client's advanced options:

    auth-retry nointeract
    


  • I also ran into this issue running 2.3.3, and adding

    auth-retry nointeract
    

    to the "Custom options" in the OpenVPN server Advanced Configuration didn't fix it.

    I have Snort installed and I'm running pfSense in a VM, but other than that my config is pretty basic. My OpenVPN settings are just the defaults from the wizard with one client.

    Hope that helps!



  • @o2051867:

    I've noticed an issue when configuring pfSense as an OpenVPN client:

    If an OpenVPN client is configured with an incorrect password, pfSense will hang at boot waiting indefinitely on the password to be entered via the console.
    Please see below where pfSense hangs during boot.
    [Edit] I've since noticed that it hangs on boot waiting for a password, even with a correct password set via the web-gui [/Edit]

    ***** FILE SYSTEM MARKED CLEAN *****
    Filesystems are clean, continuing…
    Mounting filesystems...

    [pfSense ASCII-art logo]

    Welcome to pfSense 2.3.3-RELEASE (Patch 1) on the 'pfSense' platform...

    No core dumps found.
    Creating symlinks......ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/perl5/5.24/mach/CORE
    32-bit compatibility ldconfig path: /usr/lib32
    done.
    External config loader 1.0 is now starting... da0s1 da0s1a da0s1b
    Launching the init system....... done.
    Initializing.................. done.
    Starting device manager (devd)...done.
    Loading configuration......done.
    Updating configuration...done.
    Cleaning backup cache.................................done.
    Setting up extended sysctls...done.
    padlock0: No ACE support.
    aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm> on motherboard
    Setting timezone...done.
    Configuring loopback interface...done.
    Starting syslog...done.
    Starting Secure Shell Services...done.
    Setting up polling defaults...done.
    Setting up interfaces microcode...done.
    Configuring loopback interface...done.
    Creating wireless clone interfaces...done.
    Configuring LAGG interfaces...done.
    Configuring VLAN interfaces...done.
    Configuring QinQ interfaces...done.
    Configuring WAN interface...done.
    Configuring LANWIRELESS interface...done.
    Configuring LANPHYSICAL interface...done.
    Configuring LAN interface...done.
    Configuring CARP settings...done.
    Syncing OpenVPN settings...Enter Auth Password:

    Only after entering a correct password via the console will pfSense continue to boot. If the remote server has changed or invalidated the password, it appears pfSense can no longer be completely booted without console access.

    Can anyone replicate this, or advise on how to prevent the boot hang (without removing the OpenVPN configuration)?

    I have this exact same issue with 2.3.4-RELEASE-p1.

    I have tried everything recommended in this post and nothing works. Was it ever resolved, please?


  • LAYER 8 Netgate

    You have something in your OpenVPN configuration that is requiring a password (either the login password, a password to decrypt a key, etc.), but that password is not present in the configuration.


  • Rebel Alliance Developer Netgate

    Also of note, this does not appear to happen on 2.4, at least with an incorrect password. I tried with a missing password and with an incorrect password and in either case it did not stop at boot time.

    So it's also possible this is a side effect of an OpenVPN 2.3.x bug or misbehavior.

    Either way, it appears to be solved now.



  • Go to VPN > OpenVPN > Client

    and set a password for the user.

    If needed, set a password for the same user in System > User Manager.
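The Netgate replies above come down to one condition: some directive in the generated client config makes the openvpn process wait for console input (a missing login password, an encrypted key without askpass, or auth-retry left at interact so a rejected password re-prompts), and at boot that wait blocks "Syncing OpenVPN settings...". The POSIX sh script below is an added example, not pfSense's own code and not posted in this thread: it scans a client config for those directives before a reboot. The file names (client1.conf, client1.up) are assumptions modelled on pfSense's /var/etc/openvpn layout, and the sample configs and credential files are constructed inline.

```shell
#!/bin/sh
# Added example (not pfSense's own code): scan an OpenVPN client config for
# directives that make openvpn wait for console input, which is what stalls
# "Syncing OpenVPN settings..." during boot. Paths are assumptions modelled
# on pfSense's /var/etc/openvpn layout.

# Count the non-blank lines in a credentials file (0 if it is missing).
cred_lines() {
    if [ -r "$1" ]; then
        grep -c '[^[:space:]]' "$1" || true
    else
        echo 0
    fi
}

# Report every directive that would prompt on the console.
# Returns 0 when openvpn can start unattended, 1 otherwise.
check_ovpn_conf() {
    conf=$1
    rc=0
    while read -r key arg _rest; do
        case $key in
            auth-user-pass)
                if [ -z "$arg" ]; then
                    echo "$conf: auth-user-pass without a file prompts for username and password"
                    rc=1
                elif [ "$(cred_lines "$arg")" -lt 2 ]; then
                    echo "$conf: $arg has no password line, so openvpn prompts 'Enter Auth Password:'"
                    rc=1
                fi
                ;;
            askpass)
                if [ -z "$arg" ] || [ ! -r "$arg" ]; then
                    echo "$conf: askpass without a readable file prompts for the key passphrase"
                    rc=1
                fi
                ;;
            auth-retry)
                if [ "$arg" = interact ]; then
                    echo "$conf: auth-retry interact re-prompts after AUTH_FAILED; use 'auth-retry nointeract'"
                    rc=1
                fi
                ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample configs: client1 reproduces the boot log above (the
# credentials file holds only a username), client2 is the corrected form.
SAMPLE_DIR=$(mktemp -d)
printf 'vpnuser\n' > "$SAMPLE_DIR/client1.up"
printf 'vpnuser\ncorrect-horse\n' > "$SAMPLE_DIR/client2.up"
cat > "$SAMPLE_DIR/client1.conf" <<EOF
client
dev tun
remote vpn.example.net 1194 udp
auth-user-pass $SAMPLE_DIR/client1.up
auth-retry interact
EOF
cat > "$SAMPLE_DIR/client2.conf" <<EOF
client
dev tun
remote vpn.example.net 1194 udp
auth-user-pass $SAMPLE_DIR/client2.up
auth-retry nointeract
EOF

if check_ovpn_conf "$SAMPLE_DIR/client1.conf"; then
    echo "client1.conf: unattended start OK"
fi
if check_ovpn_conf "$SAMPLE_DIR/client2.conf"; then
    echo "client2.conf: unattended start OK"
fi
```

On a real box the check would be run against the generated client config (on pfSense something like /var/etc/openvpn/client1.conf, path assumed) before rebooting; a non-zero exit means the next boot would stop at the password prompt, and the fix is the one given in the thread: supply the password in the client settings and keep auth-retry nointeract in the advanced options so a rejected password fails the tunnel instead of blocking the console.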

