
    PfSense (2.3.3) Hangs on boot with invalid OpenVPN password

      o2051867 last edited by

      I've noticed an issue when configuring pfSense as an OpenVPN client:

      If an OpenVPN client is configured with an incorrect password, pfSense will hang at boot waiting indefinitely on the password to be entered via the console.
      Please see below where pfSense hangs during boot.
      [Edit] I've since noticed that it hangs on boot waiting for a password, even with a correct password set via the web-gui [/Edit]

      ***** FILE SYSTEM MARKED CLEAN *****
      Filesystems are clean, continuing…
      Mounting filesystems...


      Welcome to pfSense 2.3.3-RELEASE (Patch 1) on the 'pfSense' platform...

      No core dumps found.
      Creating symlinks......ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/perl5/5.24/mach/CORE
      32-bit compatibility ldconfig path: /usr/lib32
      done.
      External config loader 1.0 is now starting... da0s1 da0s1a da0s1b
      Launching the init system....... done.
      Initializing.................. done.
      Starting device manager (devd)...done.
      Loading configuration......done.
      Updating configuration...done.
      Cleaning backup cache.................................done.
      Setting up extended sysctls...done.
      padlock0: No ACE support.
      aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm> on motherboard
      Setting timezone...done.
      Configuring loopback interface...done.
      Starting syslog...done.
      Starting Secure Shell Services...done.
      Setting up polling defaults...done.
      Setting up interfaces microcode...done.
      Configuring loopback interface...done.
      Creating wireless clone interfaces...done.
      Configuring LAGG interfaces...done.
      Configuring VLAN interfaces...done.
      Configuring QinQ interfaces...done.
      Configuring WAN interface...done.
      Configuring LANWIRELESS interface...done.
      Configuring LANPHYSICAL interface...done.
      Configuring LAN interface...done.
      Configuring CARP settings...done.
      Syncing OpenVPN settings...Enter Auth Password:

      Only after entering a correct password via the console will pfSense continue to boot. If the remote server has changed or invalidated the password, it appears pfSense can no longer be completely booted without console access.

      Can anyone replicate this, or advise on how to prevent the boot hang (without removing the OpenVPN configuration)?

        Fabio72 last edited by

        Do you use certificates with passwords?

          o2051867 last edited by

          @Fabio72:

          Do you use certificates with passwords?

          There's a trusted CA certificate used in conjunction with this VPN provider if that is what you're asking, but no certificate in use requires a password to decrypt.

            disconnected last edited by

            I have exactly the same behavior after the update to 2.3.3.
            I have not solved it yet.

              disconnected last edited by

              Maybe it is because /var/etc/openvpn/server1.tls-auth has ^M in it, but I can only try it next week. Maybe you can try, o2051867?

                disconnected last edited by

                due the /var/etc/openvpn/server1.tls-auth has ^M

                No, it's not that.

                  jimp Rebel Alliance Developer Netgate last edited by

                  Try adding this to your client's advanced options:

                  auth-retry nointeract
                  
                    bobobo last edited by

                    I also ran into this issue running 2.3.3, and adding

                    auth-retry nointeract
                    

                    to the "Custom options" in the OpenVPN server Advanced Configuration didn't fix it.

                    I have snort installed and I'm running pfSense in a VM, but other than that my config is pretty basic. My OpenVPN settings are just the defaults from the wizard with one client.

                    Hope that helps!

                      Spudnet last edited by

                      @o2051867:

                      I have this exact same issue with 2.3.4-RELEASE-p1

                      I have tried everything recommended on this post and nothing works. Was it ever resolved, please?

                        Derelict LAYER 8 Netgate last edited by

                        You have something in your OpenVPN configuration that is requiring a password (either the login password, a password to decrypt a key, etc.) but that password is not present in the configuration.

                        1 Reply Last reply Reply Quote 0
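
One way to look for what Derelict describes, as an added example that is not part of the thread and not pfSense or OpenVPN project code: a POSIX sh function that lists the directives in an OpenVPN client config that can make openvpn stop and ask for a password. The function name, the client1.conf/client1.up file names and the sample config are constructed assumptions; auth-user-pass, askpass, key and auth-retry are real OpenVPN directives.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN project code.
# check_prompt_risks CONF: print each directive in an OpenVPN client config
# that can make openvpn ask for a password; return 1 if any were found.
check_prompt_risks() {
    conf=$1 found=0 retry="" askpass="" keyfile=""
    flag() { echo "PROMPT: $1"; found=1; }
    while read -r word arg rest || [ -n "$word" ]; do
        case $word in
            auth-user-pass)   # file must hold username AND password lines
                if [ -z "$arg" ]; then
                    flag "auth-user-pass has no credentials file"
                elif [ ! -r "$arg" ]; then
                    flag "auth-user-pass file $arg is missing or unreadable"
                elif [ "$(grep -c . "$arg")" -lt 2 ]; then
                    flag "auth-user-pass file $arg has no password line"
                fi ;;
            askpass)
                askpass=1
                [ -n "$arg" ] || flag "askpass has no password file" ;;
            key) keyfile=$arg ;;
            auth-retry) retry=$arg ;;
        esac
    done < "$conf"
    # An encrypted PEM key needs "askpass <file>" to load without a prompt.
    if [ -n "$keyfile" ] && [ -z "$askpass" ] && grep -qs ENCRYPTED "$keyfile"; then
        flag "key $keyfile is encrypted and no askpass file is configured"
    fi
    case $retry in
        interact) flag "auth-retry interact re-queries credentials after a failed login" ;;
        nointeract) ;;
        *) echo "NOTE: auth-retry nointeract is not set" ;;
    esac
    return "$found"
}

# Constructed sample: a client config whose credentials file lost its password line.
demo=$(mktemp -d)
printf 'vpnuser\n' > "$demo/client1.up"
cat > "$demo/client1.conf" <<EOF
client
remote vpn.example.com 1194
auth-user-pass $demo/client1.up
EOF
check_prompt_risks "$demo/client1.conf" || echo "config can prompt during an unattended start"
```

On a firewall, point the function at the generated client config under /var/etc/openvpn/ (the exact file name there is an assumption) before rebooting without console access.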
                          jimp Rebel Alliance Developer Netgate last edited by

                          Also of note, this does not appear to happen on 2.4, at least with an incorrect password. I tried with a missing password and with an incorrect password and in either case it did not stop at boot time.

                          So it's also possible this is a side effect of an OpenVPN 2.3.x bug or misbehavior.

                          Either way, it appears to be solved now.

                            heliocoeur last edited by

                            VPN > OpenVPN > Client

                            and set a password for the user.

                            If needed, set a password for the same user in System > User Manager.
