Netgate Discussion Forum

WARNING: Failed running command (--auth-user-pass-verify): external program exit

  • B
    bheinsius
    last edited by Apr 26, 2017, 11:03 PM

    Hi,

    After upgrade from 2.3.2_1 to 2.3.3_1, I cannot connect through openvpn anymore.
    pfsense openvpn log says:

    Apr 27 00:14:22	openvpn		user 'xxxxx' could not authenticate.
    Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 TLS Auth Error: Auth Username/Password verification failed for peer
    Apr 27 00:14:22	openvpn	15998	1.2.3.4:32594 [xxxxx] Peer Connection Initiated with [AF_INET]95.97.223.48:32594
    

    My openvpn client prompts me for user and password, which is good.
    openvpn client log says:

    Thu Apr 27 00:14:14 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Thu Apr 27 00:14:14 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Thu Apr 27 00:14:14 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
    Thu Apr 27 00:14:19 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Thu Apr 27 00:14:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1194
    Thu Apr 27 00:14:19 2017 UDP link local (bound): [AF_INET][undef]:1194
    Thu Apr 27 00:14:19 2017 UDP link remote: [AF_INET]4.3.2.1:1194
    Thu Apr 27 00:14:19 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Apr 27 00:14:20 2017 [VPN Server Cert] Peer Connection Initiated with [AF_INET]4.3.2.1:1194
    Thu Apr 27 00:14:21 2017 AUTH: Received control message: AUTH_FAILED
    Thu Apr 27 00:14:21 2017 SIGUSR1[soft,auth-failure] received, process restarting
    
    

    Apart from unchecking General Settings: DNS Server Override Allow DNS server list to be overridden by DHCP/PPP on WAN, I did not change anything in the pfsense configuration.

    Any ideas?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by May 6, 2017, 2:21 PM May 1, 2017, 1:40 PM

      The username/password don't fail when tested. Either the username/password is wrong, or somehow it's failing to authenticate. Without knowing more about the server settings it's impossible to say what might be happening.

      • B
        bheinsius
        last edited by May 6, 2017, 1:40 PM

        I just recreated the pfsense user to be sure I got the correct username/password, but the problem remains.
        What server settings can I post to help diagnose?

        • B
          bheinsius
          last edited by May 6, 2017, 1:56 PM

          In the Endian forum at http://www.efwsupport.com/index.php?topic=5261.0 I found this:

          I had the same problem, just change in /etc/openvpn/openvpn.conf.tmpl
          from auth-user-pass-verify "/usr/bin/openvpn-auth-user-pass" via-env to auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
          and then restart service.
          This will work.

          I applied this change to my /var/etc/openvpn/server1.conf and restarted the openvpn server and now I can connect again.
          Is this a safe change to make permanently?

          • B
            bheinsius
            last edited by May 6, 2017, 2:04 PM

            I compared this line in /var/etc/openvpn/server1.conf between 2.3.3-RELEASE (i386) and 2.3.3-RELEASE-p1 (amd64):

            2.3.3-RELEASE (i386):

            auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxxxxxxx false server1 1194" via-env
            
            

            2.3.3-RELEASE-p1 (amd64):

            auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
            

            So something seems to have changed between these versions (?)

            • B
              bheinsius
              last edited by May 7, 2017, 12:03 AM

              To get it working on 2.3.3-RELEASE-p1 (amd64) I changed this afternoon:

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
              

              to

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-file
              

              I just looked again and now 2.3.3-RELEASE-p1 (amd64) reads:

              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user xxxxxxxxxxxxxxxxx false server1 1194" via-env
              

              the same as on 2.3.3-RELEASE (i386).

              Do the settings get updated after changing via-env to via-file?

              • J
                jvorhees
                last edited by May 11, 2017, 7:09 AM

                Hi!

                Same problem here after upgrade to 2.3.4: user auth is successful via diagnostics (for ldap or local database auth servers, no changes made here between upgrade),
                but fails for ovpn clients using ldap or local db on ovpn server side configuration.

                Clients are prompted to enter credentials again and again.

                ovpn server log:

                WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
                user 'testuser' authenticated 
                

                User still authenticated? :o

                Any clues?

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by May 11, 2017, 11:39 AM

                  We saw this happen to a customer the other day, something was broken in their PHP installation and it was messing with the way the auth script was returning a value to the caller.

                  At least for them, running "pkg update -f; pkg upgrade -f" to reinstall everything fixed it up. But it could be a sign of something deeper.
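Added example, not part of any post in this thread and not pfSense's `ovpn_auth_verify`: a stand-in verify script showing the two things the posts above turn on, namely how OpenVPN hands credentials to the script under `via-env` versus `via-file`, and that the script's exit status alone decides the login. The account, the function names and the `demo` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: stand-in auth-user-pass-verify script, NOT pfSense's ovpn_auth_verify.
DEMO_USER="testuser"        # constructed sample account
DEMO_PASS="correct-horse"   # constructed sample password

# via-file: OpenVPN appends a temp-file path as the last argument (here $1);
#           line 1 = username, line 2 = password.
# via-env:  no file argument; credentials arrive in the environment
#           variables "username" and "password" (needs script-security 3).
read_credentials() {
    cred_user=""; cred_pass=""
    if [ -n "$1" ]; then
        cred_mode="via-file"
        if [ -r "$1" ]; then
            { IFS= read -r cred_user || true; IFS= read -r cred_pass || true; } < "$1"
        fi
    else
        cred_mode="via-env"
        cred_user="${username:-}"; cred_pass="${password:-}"
    fi
}

# The exit status is the whole contract: 0 = accept, non-zero = reject.
# A non-zero status is what OpenVPN logs as "external program exited with error status".
verify_login() {
    read_credentials "$1"
    if [ -z "$cred_user" ] || [ -z "$cred_pass" ]; then
        echo "$cred_mode: no credentials received" >&2
        return 1
    fi
    if [ "$cred_user" = "$DEMO_USER" ] && [ "$cred_pass" = "$DEMO_PASS" ]; then
        echo "$cred_mode: user '$cred_user' authenticated" >&2
        return 0
    fi
    echo "$cred_mode: user '$cred_user' could not authenticate" >&2
    return 1
}

# Exercise both hand-off modes and report the status OpenVPN would see.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n%s\n' "$DEMO_USER" "$DEMO_PASS" > "$tmp"
    verify_login "$tmp" && file_rc=0 || file_rc=$?
    rm -f "$tmp"
    ( username="$DEMO_USER"; password="wrong"; export username password
      verify_login ) && env_rc=0 || env_rc=$?
    echo "via-file rc=$file_rc, via-env rc=$env_rc"
}
demo
```

With `via-file`, OpenVPN deletes the temporary file after the script returns, so the password is not placed in the script's process environment.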
                  • B
                    bheinsius
                    last edited by May 27, 2017, 2:18 PM

                    It may have the same cause as the problem at https://forum.pfsense.org/index.php?topic=127274 "Short hostnames not working on 2.3.3"
                    There you have to make a change in the dns forwarder settings to get it working properly after a reboot. It does not matter what you change.
                    It looks like some post-boot trigger is missing somewhere.
