Netgate Discussion Forum
    Limited number of OpenVPN Backend Authentication Servers?

    calebh

      We're in the middle of transitioning from the use of one VPN server to four in order to better limit access. This includes four new LDAP (for Active Directory) Authentication Server entries for each OU that corresponds to the new VPN server instances. (Users have already been moved into their respective OUs.) To allow the existing VPN to still function, I selected all four new Authentication Server entries in the "Backend Authentication Servers" option on pfSense. Unfortunately this caused user authentication to fail. The pfSense logs showed that it didn't even try to reach out to our Active Directory server. Where it should list the attempts to authenticate the user against the multiple Auth Server entries, it said

      WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

      I found that when I selected only three of the Authentication Server entries, it would succeed for the respective Auth Server entry (the others would obviously note a failed LDAP search since the users didn't exist in those referenced OUs). This seems to apply to any three (no matter which one of the four is left out).

      Since this is a temporary state for our firewall to be in, this limitation isn't debilitating and will be resolved once we deploy the configurations for the new OpenVPN server instances. For now I'm leaving the Auth Server entry unselected for the OU whose users use the VPN the least. We could also adjust the original Auth Server entry to search through the parent OU of the four new OUs, but that's outside of the scope of my question. I'm wondering (out of curiosity, and on behalf of someone who might encounter the rare situation of actually needing four different Auth Server entries) if this is a programmatic limitation, or maybe I'm missing something in our setup?
