    OpenVPN Server Local User Auth fails

      askmyteapot

      Just did a clean install of the latest pfSense-CE-2.5.0-DEVELOPMENT-amd64-20190322-1846.iso
      Restored a backup config from 2.4.5.
      Had issues with limiters fq_codel (will post in the relevant thread later) but got around them.
      Now I'm having issues with my restored OpenVPN server. (TLS/SSL + User Auth)
      Android client is now coming up with User authentication failed. Confirmed user and pass is right by logging into webgui with the user and it worked.
      Set OpenVPN server to just TLS/SSL and the Android client could connect successfully.
      When setting back to (TLS/SSL + User Auth), the following lines appear in the logs.

      Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: Deferred handler using script_path=/usr/local/sbin/ovpn_auth_verify_async
      Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: child pid is 21034
      Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: child pid 21034 exited with status 2
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2 
      

      Not sure if the status=2 is causing the issue.
      Further down in the log...

      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1557'
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-128-CBC'
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [307] to [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 2651600047 2609898766 3189723140 3930503631 688794624 2396 2520653825 4 1056037397 692393527 6 386073344 4167072851 2401625684 1809007358 2566972647 2104800708 4118103862 1363080285 114085263 1546078306 2212178568 882013750 4008937817
      Mar 24 00:09:36 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [50] from [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2481286693 3363267202 2731812521 4189351195 315582976 2396 2520678657 6 172959299 1205737731 ]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [00000000] 1553350273:8 1553350273:9 t=1553350176[0] r=[0,64,15,0,1] sl=[56,8,64,528]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 [drew] Peer Connection Initiated with [AF_INET]49.197.71.255:39095
      Mar 24 00:09:36 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [84] from [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 2636486593 1410710294 3407882541 2455197233 891879936 2652 2520678656 5 386073344 620756992 0 49665802 3547306292 3084479555 2364870493 2007252858 1671351021 714980085 ]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [000000000] 1553350273:9 1553350273:10 t=1553350176[0] r=[0,64,15,0,1] sl=[55,9,64,528]
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PUSH: Received control message: 'PUSH_REQUEST'
      Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [50] to [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2254214924 2210486392 3861789963 260172450 2185896192 2652 2520653825 5 1056037397 692393527 ]
      Mar 24 00:09:36 	openvpn 	51472 	user 'drew' authenticated
      Mar 24 00:09:37 	openvpn 	94261 	MULTI: REAP range 64 -> 80
      Mar 24 00:09:37 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [84] from [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 3044613334 1537108664 534725816 71769235 1396917760 2908 2520678656 6 386073344 620756992 0 62467761 3598569386 3282609047 3581504482 2638250502 1149779244 3560133383 ]
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [1111111111] 1553350273:10 1553350273:11 t=1553350177[0] r=[-1,64,15,0,1] sl=[54,10,64,528]
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 PUSH: Received control message: 'PUSH_REQUEST'
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 Delayed exit in 5 seconds
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 SENT CONTROL [drew]: 'AUTH_FAILED' (status=1)
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [50] to [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2011762674 1758620063 350603334 2125900976 1444156928 2908 2520653825 6 1056037397 692393527 ]
      Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [83] to [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 4227960004 2810946759 1702983362 3156146900 1807026176 3164 2520653824 7 386073344 610303059 2401625684 1822214085 3978464131 3712649075 4162719785 2056988182 4182534334 739210862 ] 
      
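A log triage sketch for the symptom in the post above, added here as an example (not code from the original post or from pfSense): it pairs each AUTH_FAILED sent to a client with that client's plugin return code and any backend success line for the user. The sample log lines, addresses and user names are constructed; the return-code names are those of openvpn-plugin.h, where 2 means DEFERRED rather than failure.

```python
import re

# OpenVPN plugin return codes as defined in openvpn-plugin.h
PLUGIN_STATUS = {0: "SUCCESS", 1: "ERROR", 2: "DEFERRED"}

# Constructed sample, modelled on the log format shown in the post
SAMPLE_LOG = """\
Mar 24 00:09:36 openvpn 94261 203.0.113.10:39095 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 24 00:09:36 openvpn 94261 203.0.113.10:39095 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:39095
Mar 24 00:09:36 openvpn 51472 user 'alice' authenticated
Mar 24 00:09:37 openvpn 94261 203.0.113.10:39095 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)
Mar 24 00:10:02 openvpn 94261 203.0.113.20:40111 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 24 00:10:03 openvpn 94261 203.0.113.20:40111 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)
"""

RE_PLUGIN = re.compile(
    r"(\S+:\d+) PLUGIN_CALL: POST \S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(\d+)")
RE_BACKEND_OK = re.compile(r"user '([^']+)' authenticated")
RE_FAILED = re.compile(r"(\S+:\d+) SENT CONTROL \[([^\]]+)\]: 'AUTH_FAILED'")


def triage(log_text):
    """Return one finding per AUTH_FAILED, in log order."""
    plugin_status = {}  # client address -> last plugin return code seen
    backend_ok = set()  # users the auth backend reported as authenticated
    findings = []
    for line in log_text.splitlines():
        if m := RE_PLUGIN.search(line):
            plugin_status[m.group(1)] = int(m.group(2))
        elif m := RE_BACKEND_OK.search(line):
            backend_ok.add(m.group(1))
        elif m := RE_FAILED.search(line):
            client, user = m.groups()
            if user in backend_ok:
                verdict = "backend accepted, server rejected: check auth script result handoff"
            else:
                verdict = "no backend success logged: check credentials or backend"
            findings.append({
                "client": client,
                "user": user,
                "plugin": PLUGIN_STATUS.get(plugin_status.pop(client, None), "UNKNOWN"),
                "verdict": verdict,
            })
            backend_ok.discard(user)  # one success line explains one attempt
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
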
        Tantawi

        Having exactly the same problem. Doesn't matter if upgrading or clean installing with config restore.

        Because I am lazy, I opened a bug report with exactly what you have posted here: https://redmine.pfsense.org/issues/9427 :)

          jake

          Same here. I have a more convoluted setup however. I use FreeRadius with OTP enabled which further authenticates with Duo. (I know it's crazy, I did it more to see if it would work) I've tried with local authentication also with the same results. One thing I did notice is that in 2.5 "ecdsa-with-SHA1" is not an option for Auth Digest Algorithm. That is what I had it set in 2.4.5. I did experiment with changing it to SHA1 (which is available) but received the same authentication error.

              briandoc

              Having same issue. Upgraded to latest 2.5 after 2.45 DEV build corrupted. Restored backup. Everything seems to work but OpenVPN with local AUTH. Recreated OpenVPN server and firewall rules, exported new clients and installed. Still get "AUTH: Received control message: AUTH_FAILED". Can login locally with user/pass combination. OpenVPN log shows user authenticated.

                jimp Rebel Alliance Developer Netgate

                This should be fixed now, was an output change in one of the auth scripts.

                https://redmine.pfsense.org/issues/9460

                  Tantawi @jimp

                  @jimp Thank you! Looking forward to next build with this included to try. You can also close my ticket here: https://redmine.pfsense.org/issues/9427

                    Rico LAYER 8 Rebel Alliance

                    No need to wait, you can patch your system right now. ☺
                    https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

                    -Rico

                      briandoc

                      Thank you. My issue is resolved with this latest build!
