    WARNING: Failed running command (--auth-user-pass-verify): external program exit

      bheinsius last edited by

      Hi,

      After the upgrade from 2.3.2_1 to 2.3.3_1, I cannot connect through OpenVPN anymore.
      The pfSense OpenVPN log says:

      Apr 27 00:14:22	openvpn		user 'xxxxx' could not authenticate.
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 TLS Auth Error: Auth Username/Password verification failed for peer
      Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 [xxxxx] Peer Connection Initiated with [AF_INET]95.97.223.48:32594
      

      My OpenVPN client prompts me for user and password, which is good.
      The OpenVPN client log says:

      Thu Apr 27 00:14:14 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
      Thu Apr 27 00:14:14 2017 Windows version 6.2 (Windows 8 or greater) 64bit
      Thu Apr 27 00:14:14 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
      Thu Apr 27 00:14:19 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
      Thu Apr 27 00:14:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:19 2017 UDP link local (bound): [AF_INET][undef]:1194
      Thu Apr 27 00:14:19 2017 UDP link remote: [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:19 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Thu Apr 27 00:14:20 2017 [VPN Server Cert] Peer Connection Initiated with [AF_INET]4.3.2.1:1194
      Thu Apr 27 00:14:21 2017 AUTH: Received control message: AUTH_FAILED
      Thu Apr 27 00:14:21 2017 SIGUSR1[soft,auth-failure] received, process restarting
      
      

      Apart from unchecking "Allow DNS server list to be overridden by DHCP/PPP on WAN" under General Settings: DNS Server Override, I did not change anything in the pfSense configuration.

      Any ideas?

        jimp Rebel Alliance Developer Netgate last edited by

        The username/password don't fail when tested. Either the username/password is wrong, or somehow it's failing to authenticate. Without knowing more about the server settings it's impossible to say what might be happening.

          bheinsius last edited by

          I just recreated the pfSense user to be sure I got the correct username/password, but the problem remains.
          What server settings can I post to help diagnose?

            bheinsius last edited by

            In the Endian forum at http://www.efwsupport.com/index.php?topic=5261.0 I found this:

            I had the same problem, just change in /etc/openvpn/openvpn.conf.tmpl
            from auth-user-pass-verify "/usr/bin/openvpn-auth-user-pass" via-env to auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
            and then restart the service.
            This will work.

            I applied this change to my /var/etc/openvpn/server1.conf and restarted the OpenVPN server, and now I can connect again.
            Is this a safe change to make permanently?

              bheinsius last edited by

              I compared this line in /var/etc/openvpn/server1.conf between 2.3.3-RELEASE (i386) and 2.3.3-RELEASE-p1 (amd64):

              2.3.3-RELEASE (i386):

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxxxxxxx false server1 1194" via-env
              
              

              2.3.3-RELEASE-p1 (amd64):

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
              

              So something seems to have changed between these versions (?)

                bheinsius last edited by

                To get it working on 2.3.3-RELEASE-p1 (amd64) I changed this afternoon:

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
                

                to

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-file
                

                I just looked again and now 2.3.3-RELEASE-p1 (amd64) reads:

                auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxx false server1 1194" via-env
                

                The same as on 2.3.3-RELEASE (i386).

                Do the settings get updated after changing via-env to via-file?

                  jvorhees last edited by

                  Hi!

                  Same problem here after the upgrade to 2.3.4: user auth is successful via diagnostics (for LDAP or local database auth servers, no changes made here across the upgrade),
                  but fails for ovpn clients using LDAP or local db in the ovpn server-side configuration.

                  Clients are prompted to enter credentials again and again.

                  ovpn server log:

                  WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
                  user 'testuser' authenticated 
                  

                  User still authenticated? :o

                  Any clues?

                    jimp Rebel Alliance Developer Netgate last edited by

                    We saw this happen to a customer the other day; something was broken in their PHP installation and it was messing with the way the auth script was returning a value to the caller.

                    At least for them, running "pkg update -f; pkg upgrade -f" to reinstall everything fixed it up. But it could be a sign of something deeper.

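Added example, not part of any post in this thread and not pfSense's ovpn_auth_verify: a minimal verify script showing the two ways OpenVPN hands credentials to --auth-user-pass-verify (via-env and via-file, the two methods compared in the posts above) and that OpenVPN acts only on the script's exit status, which is how a server log can report a user as authenticated while the client still receives AUTH_FAILED. All function names and the credential check are hypothetical, and the script takes no fixed arguments, so the via-file path is `$1`.

```sh
#!/bin/sh
# Added example; not pfSense's ovpn_auth_verify. All names are hypothetical.
# OpenVPN contract for --auth-user-pass-verify <cmd> <method>:
#   via-env : env vars "username" and "password" (needs script-security 3)
#   via-file: path of a temp file is appended as the last argument;
#             line 1 = username, line 2 = password
#   exit status 0 accepts the login, anything else rejects it.

# Constructed stand-in for the real backend (local database, LDAP, ...).
check_credentials() {
    [ "$1" = "testuser" ] && [ "$2" = "correct horse" ]
}

# Fill AUTH_USER/AUTH_PASS from the file if one was passed, else from env.
read_credentials() {
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        { IFS= read -r AUTH_USER; IFS= read -r AUTH_PASS; } < "$1" || :
    else
        AUTH_USER=${username:-}
        AUTH_PASS=${password:-}
    fi
}

verify() {
    AUTH_USER= AUTH_PASS=
    read_credentials "${1:-}"
    [ -n "$AUTH_USER" ] || return 1
    check_credentials "$AUTH_USER" "$AUTH_PASS"
}

# The server's side of the contract: output is ignored, only the status counts.
openvpn_decision() {
    if "$@" >/dev/null 2>&1; then echo AUTH_OK; else echo AUTH_FAILED; fi
}

# Failure mode seen in the thread: the check passes and is reported, but a
# fault after it (simulated here) turns the exit status non-zero.
verify_then_break() {
    verify "$@" && echo "user '$AUTH_USER' authenticated"
    return 1
}

# Demo with constructed credentials.
tmp=$(mktemp) && printf 'testuser\ncorrect horse\n' > "$tmp"
echo "via-file: $(openvpn_decision verify "$tmp")"
echo "via-env:  $(username=testuser; password='correct horse'; openvpn_decision verify)"
echo "broken:   $(openvpn_decision verify_then_break "$tmp")"
rm -f "$tmp"
```
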
                      bheinsius last edited by

                      It may have the same cause as the problem at https://forum.pfsense.org/index.php?topic=127274 "Short hostnames not working on 2.3.3"
                      There you have to make a change in the dns forwarder settings to get it working properly after a reboot. It does not matter what you change.
                      It looks like some post-boot trigger is missing somewhere.
