OpenVPN Credentials Manual Console Input During PFSense Bootup?



  • Is it normal for VPN provider/OpenVPN credentials to be required to be manually input in the console during each PFSense bootup?

    Is it possible to save these credentials on the device so they don't need to be entered every reboot?

    I'm new to PFSense and was thrilled to be able to set up a working instance of ProtonVPN on my SG-1100 using OpenVPN. I wasn't planning on keeping my SG-1100 hooked up to any kind of console, however if entering the OpenVPN credentials is required during every boot sequence I'd better keep a console handy!

    In the console, the prompt looks like this:

    Syncing OpenVPN settings...Enter Auth Username:
    Enter Auth Password:

    Is it also normal that I have been unable to "soft" start the OpenVPN service from within the webconfiguration tool? i.e. under "Status" "OpenVPN" the Start button or refresh button never work, the only way I can get OpenVPN to start is via a hardware restart where I input credentials during bootup as detailed above. This despite the fact that I entered correct credentials on the OpenVPN client configuration page.

    Is there a configuration option which can change this?

    Any insight is appreciated!


  • LAYER 8 Netgate

    You have something requiring a username and password that isn't in the configuration.

    Do the OpenVPN logs give you anything additional to help find it?



  • Thanks for the response!

    It is the ProtonVPN credentials that I'm required to enter in the console and that I would like to save locally on my PFSense box so as to NOT enter them every time at PFSense boot up.

If I try and use the webconfigurator OpenVPN "Start" or "refresh" buttons (i.e. try and start the ProtonVPN OpenVPN without restarting the SG-1100 PFSense Box and entering the ProtonVPN username/password in the console) I get the below message in logs:

    Jul 10 03:07:31 openvpn 34233 OpenVPN 2.4.8 aarch64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 28 2020
    Jul 10 03:07:31 openvpn 34233 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
    Jul 10 03:07:31 openvpn 34233 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
    Jul 10 03:07:31 openvpn 34233 Exiting due to fatal error


  • LAYER 8 Netgate

    Did you set them here in the client configuration?

[image: client configuration screenshot]


  • LAYER 8 Moderator

    @Strive2Learn said in OpenVPN Credentials Manual Console Input During PFSense Bootup?:

    It is the ProtonVPN credentials that I'm required to enter in the console and that I would like to save locally on my PFSense box so as to NOT enter them every time at PFSense boot up.

    I've configured a ProtonVPN config myself. You don't have anything to enter at bootup, that would make no sense at all. So I assume you just forgot to enter them in the fields @Derelict posted above?



  • JeGr,
I'm very glad to know that it's just something I've configured incorrectly rather than a system limitation. I suspect my issue has something to do with what I put in the "custom options" box but I'm not sure.

I have entered the ProtonVPN credentials in the webconfigurator under VPN/OpenVPN/Clients/Edit (WAN) as depicted by Derelict. I know the credentials are correct because the connection to ProtonVPN works when I enter those same credentials in the console! The credentials remain on the Clients/Edit webconfigurator page when I restart the router. The password field is filled but truncated with ****** shorter than the actual password which I assume is a security feature.

    ProtonVPN directs inputting the below items for OpenVPN under "Advanced Configuration" "Custom Options". Could one of these have something to do with this? I have been in contact with them however, they said they have not revisited their directions for the 2.4.5 release.
[image: console boot prompt for username and password]
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
    auth-user-pass;
    pull;

    I've also pasted an image of the console traffic.


  • LAYER 8 Netgate

    You should not have to use any custom options to get it working. I would remove all of those, looking at them, and put the username and password in the appropriate fields. You are not setting the username and password anywhere there, so it is prompting for it when it starts.

    Many walkthroughs and much documentation have you putting all kinds of nonsense in custom options that should be in the configuration fields instead. That way the pfSense configuration knows about them and can try to do the right thing as OpenVPN makes changes as time passes.


  • LAYER 8 Moderator

The only things I put into custom options for my test-server (a ProtonMail CA instance) were the multiple remote instances and tun-mtu/-extras/mssfix as well as reneg-sec 0 but they are somewhat debatable if needed at all. Every other option is an option in the OpenVPN Client dialogue in pfSense itself and has no reason to be in a custom box. Most VPN docs are pretty bad in that detail.



  • Spot on!

    I tried removing the "custom options" one by one and the

    auth-user-pass

    was the offending entry!

OpenVPN now starts from the webconfigurator/dashboard, I'm no longer prompted for a password during bootup, and the whole system seems faster; unrelated sequences like "Configuring VLAN Interfaces" boot much faster and the dashboard is speedier.

    I'll contact both ProtonVPN and the other configuration guide I've been referencing and suggest a change.

    Now onto the next project creating a rule for Amazon to not go through the VPN!

    Thank you again
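A small audit script for the failure mode resolved above, added here as an example and not code from the thread or from pfSense: it scans an OpenVPN client config for a bare `auth-user-pass` (which makes OpenVPN prompt on stdin and die when no tty is attached, as the log shows) versus the file form `auth-user-pass <file>` that pfSense writes from its own username/password fields, and checks that such a file exists and is owner-only. The credentials file path and its content in the demo are constructed.

```shell
# Audit the "auth-user-pass" directive in an OpenVPN client config (added
# example, not pfSense code). A bare "auth-user-pass" makes OpenVPN prompt on
# stdin, which is fatal for a daemon without a controlling tty (the log in
# this thread). The file form, "auth-user-pass <file>", is what pfSense writes
# when the username/password fields are used; that file should exist and be
# readable by its owner only (OpenVPN warns when group/others can read it).
# Constructed sample: the custom options the original poster pasted.
SAMPLE_PROMPTING='tun-mtu 1500;
mssfix 1450;
remote-cert-tls server;
auth-user-pass;
pull;'

# audit_auth_user_pass CONFIG_TEXT: prints one finding per auth-user-pass
# directive; returns 0 only when every directive names an owner-only file.
audit_auth_user_pass() {
    status=0
    # Strip pfSense-style trailing ';' and '#' comments, then emit PROMPT or
    # FILE:<path> for each auth-user-pass line.
    entries=$(printf '%s\n' "$1" | sed -e 's/[;#].*$//' |
        awk '$1 == "auth-user-pass" { if (NF == 1) print "PROMPT"; else print "FILE:" $2 }')
    if [ -z "$entries" ]; then
        echo "NONE: no auth-user-pass directive (fine for certificate-only clients)"
        return 0
    fi
    for entry in $entries; do
        case "$entry" in
        PROMPT)
            echo "PROMPT: bare auth-user-pass asks on stdin; fatal without a tty"
            status=1 ;;
        FILE:*)
            path=${entry#FILE:}
            if [ ! -f "$path" ]; then
                echo "FILE $path: missing"; status=1
            elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                echo "FILE $path: readable by group/others, chmod 600 it"; status=1
            else
                echo "FILE $path: ok"
            fi ;;
        esac
    done
    return $status
}

# Demo: the poster's options (expected to fail) and the file form with a
# temporary owner-only credentials file holding hypothetical content.
audit_auth_user_pass "$SAMPLE_PROMPTING" || true
tmp=$(mktemp) && printf 'user\npass\n' > "$tmp" && chmod 600 "$tmp"
audit_auth_user_pass "auth-user-pass $tmp"; rm -f "$tmp"
```

Run it against the rendered config (on pfSense the client's generated .conf under /var/etc/openvpn/) rather than only the custom-options box, since the directive can come from either.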


  • LAYER 8 Netgate

    @Strive2Learn said in OpenVPN Credentials Manual Console Input During PFSense Bootup?:

    creating a rule for Amazon to not go through the VPN!

    GLWT

