Netgate Discussion Forum

OpenVPN Server Local User Auth fails

2.5 Development Snapshots (Retired)
  • A
    askmyteapot
    last edited by Mar 23, 2019, 2:18 PM

    Just did a clean install of the latest pfSense-CE-2.5.0-DEVELOPMENT-amd64-20190322-1846.iso
    Restored a backup config from 2.4.5.
    Had issues with limiters fq_codel (will post in the relevant thread later) but got around them.
    Now I'm having issues with my restored OpenVPN server. (TLS/SSL + User Auth)
    Android client is now coming up with User authentication failed. Confirmed user and pass is right by logging into webgui with the user and it worked.
    Set OpenVPN server to just TLS/SSL and the Android client could connect successfully.
    When setting back to (TLS/SSL + User Auth), the following lines appear in the logs.

    Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: Deferred handler using script_path=/usr/local/sbin/ovpn_auth_verify_async
    Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: child pid is 21034
    Mar 24 00:09:36 	openvpn 	94261 	PLUGIN auth-script: child pid 21034 exited with status 2
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2 
    

    Not sure if the status=2 is causing the issue.
    Further down in the log...

    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1557'
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-128-CBC'
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [307] to [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 2651600047 2609898766 3189723140 3930503631 688794624 2396 2520653825 4 1056037397 692393527 6 386073344 4167072851 2401625684 1809007358 2566972647 2104800708 4118103862 1363080285 114085263 1546078306 2212178568 882013750 4008937817
    Mar 24 00:09:36 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [50] from [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2481286693 3363267202 2731812521 4189351195 315582976 2396 2520678657 6 172959299 1205737731 ]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [00000000] 1553350273:8 1553350273:9 t=1553350176[0] r=[0,64,15,0,1] sl=[56,8,64,528]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 [drew] Peer Connection Initiated with [AF_INET]49.197.71.255:39095
    Mar 24 00:09:36 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [84] from [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 2636486593 1410710294 3407882541 2455197233 891879936 2652 2520678656 5 386073344 620756992 0 49665802 3547306292 3084479555 2364870493 2007252858 1671351021 714980085 ]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [000000000] 1553350273:9 1553350273:10 t=1553350176[0] r=[0,64,15,0,1] sl=[55,9,64,528]
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 24 00:09:36 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [50] to [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2254214924 2210486392 3861789963 260172450 2185896192 2652 2520653825 5 1056037397 692393527 ]
    Mar 24 00:09:36 	openvpn 	51472 	user 'drew' authenticated
    Mar 24 00:09:37 	openvpn 	94261 	MULTI: REAP range 64 -> 80
    Mar 24 00:09:37 	openvpn 	94261 	GET INST BY REAL: 49.197.71.255:39095 [ok]
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 READ [84] from [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 3044613334 1537108664 534725816 71769235 1396917760 2908 2520678656 6 386073344 620756992 0 62467761 3598569386 3282609047 3581504482 2638250502 1149779244 3560133383 ]
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 PID_TEST [0] [TLS_WRAP-0] [1111111111] 1553350273:10 1553350273:11 t=1553350177[0] r=[-1,64,15,0,1] sl=[54,10,64,528]
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 Delayed exit in 5 seconds
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 SENT CONTROL [drew]: 'AUTH_FAILED' (status=1)
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [50] to [AF_INET]49.197.71.255:39095: P_ACK_V1 kid=0 [ 2011762674 1758620063 350603334 2125900976 1444156928 2908 2520653825 6 1056037397 692393527 ]
    Mar 24 00:09:37 	openvpn 	94261 	49.197.71.255:39095 UDPv4 WRITE [83] to [AF_INET]49.197.71.255:39095: P_CONTROL_V1 kid=0 [ 4227960004 2810946759 1702983362 3156146900 1807026176 3164 2520653824 7 386073344 610303059 2401625684 1822214085 3978464131 3712649075 4162719785 2056988182 4182534334 739210862 ] 
    
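
An added example (not part of the original post, and not pfSense code): a small triage script for the pattern in the log above, where the plugin call returns status 2 (OpenVPN's deferred-auth plugin return code), the backend logs the user as authenticated, yet the server still sends AUTH_FAILED. The sample log is constructed in the same tab-separated format, with documentation IP addresses and a made-up second user; `analyze` and its result keys are hypothetical names.

```python
import re

# Plugin return codes from openvpn-plugin.h; 2 means the verdict arrives later.
PLUGIN_RC = {0: "SUCCESS", 1: "ERROR", 2: "DEFERRED"}

RE_PLUGIN = re.compile(r"PLUGIN_AUTH_USER_PASS_VERIFY status=(\d+)")
RE_BACKEND_OK = re.compile(r"^user '([^']+)' authenticated$")
RE_AUTH_FAILED = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'AUTH_FAILED'")

# Constructed sample (timestamp, process, pid, message separated by tabs).
SAMPLE_LOG = """\
Mar 24 00:09:36 \topenvpn \t94261 \tPLUGIN auth-script: child pid 21034 exited with status 2
Mar 24 00:09:36 \topenvpn \t94261 \t192.0.2.10:39095 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 24 00:09:36 \topenvpn \t51472 \tuser 'drew' authenticated
Mar 24 00:09:37 \topenvpn \t94261 \t192.0.2.10:39095 SENT CONTROL [drew]: 'AUTH_FAILED' (status=1)
Mar 24 00:10:02 \topenvpn \t94261 \t192.0.2.11:40112 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Mar 24 00:10:02 \topenvpn \t51490 \tuser 'alice' authenticated
"""

def analyze(log_text):
    """Correlate backend auth results with what the server told the client."""
    plugin, accepted, rejected = [], set(), set()
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t", 3)]
        if len(fields) != 4 or fields[1] != "openvpn":
            continue  # not an OpenVPN log row in the expected layout
        msg = fields[3]
        if m := RE_PLUGIN.search(msg):
            plugin.append(PLUGIN_RC.get(int(m.group(1)), "UNKNOWN"))
        elif m := RE_BACKEND_OK.match(msg):
            accepted.add(m.group(1))
        elif m := RE_AUTH_FAILED.search(msg):
            rejected.add(m.group(1))
    return {
        "plugin": plugin,
        # Backend said yes, server said AUTH_FAILED: the symptom in this thread.
        "mismatch": sorted(accepted & rejected),
        "accepted_only": sorted(accepted - rejected),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A user listed under `mismatch` had correct credentials, so the place to look is how the auth script's result is handed back to the OpenVPN server rather than the user database.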
    • T
      Tantawi
      last edited by Mar 24, 2019, 12:28 AM

      Having exactly the same problem. Doesn't matter if upgrading or clean installing with config restore.

      Because I am lazy, I opened a bug report with exactly what you have posted here: https://redmine.pfsense.org/issues/9427 :)

      • J
        jake
        last edited by jake Mar 24, 2019, 4:29 AM Mar 24, 2019, 4:25 AM

        Same here. I have a more convoluted setup however. I use FreeRadius with OTP enabled which further authenticates with Duo. (I know it's crazy, I did it more to see if it would work.) I've tried with local authentication also with the same results. One thing I did notice is that in 2.5 "ecdsa-with-SHA1" is not an option for Auth Digest Algorithm. That is what I had it set in 2.4.5. I did experiment with changing it to SHA1 (which is available) but received the same authentication error.

          • B
            briandoc
            last edited by Apr 5, 2019, 6:58 PM

            Having same issue. Upgraded to latest 2.5 after 2.45 DEV build corrupted. Restored backup. Everything seems to work but OpenVPN with local AUTH. Recreated OpenVPN server and firewall rules, exported new clients and installed. Still get "AUTH: Received control message: AUTH_FAILED". Can login locally with user/pass combination. OpenVPN log shows user authenticated.

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Apr 6, 2019, 4:06 AM

              This should be fixed now, was an output change in one of the auth scripts.

              https://redmine.pfsense.org/issues/9460

              • T
                Tantawi @jimp
                last edited by Tantawi Apr 6, 2019, 5:48 AM Apr 6, 2019, 5:46 AM

                @jimp Thank you! Looking forward to next build with this included to try. You can also close my ticket here: https://redmine.pfsense.org/issues/9427

                • R
                  Rico LAYER 8 Rebel Alliance
                  last edited by Apr 6, 2019, 7:55 AM

                  No need to wait, you can patch your system right now. ☺
                  https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

                  -Rico

                  • B
                    briandoc
                    last edited by Apr 7, 2019, 3:06 AM

                    Thank you. My issue is resolved with this latest build!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.