BUG --- pfSense fails to boot when insufficient info provided with OpenVPN Client record
-
I have witnessed several instances where pfSense will not start - the system halts when loading the OpenVPN config on each entry that is incomplete. It took me a while to figure out what was happening, but it appears that if you have an OpenVPN client defined with a username but a null password, the router will fail to reboot without a keystroke at the console.
Same if you have a client without a certificate selected.
Seems like the web interface should check for these issues before allowing a save - or the boot sequence should not halt just because it is waiting for OpenVPN info that wasn't provided through the GUI.
To reproduce the error - VPN/OPENVPN/CLIENTS/EDIT
create a client record - add a username but leave the password blank and save.
OR
create a record with a user and password but no certificate selected. THEN reboot -
During the boot sequence it will halt asking for AUTH Password on each incomplete OpenVPN client record... the only way to complete the boot is to provide keyboard input.

Configuring LAN interface...done.
Configuring CARP settings...done.
Syncing OpenVPN settings...Enter Auth Password:
Enter Auth Password:
Enter Auth Password:
done.
-
@mattjoy
Did you set a check at Authentication Retry in the client config? -
The issue is not with clients reconnecting - the problem is that the operating system will not finish booting to where the network can connect if you have an OpenVPN client configuration defined wrong.
-
https://redmine.pfsense.org/issues/10409
-
thank you - I didn't see that post
-
I applied the latest patch but have not tested yet since it is a production firewall.
I do note that the prior version was also allowing a client to be defined without a certificate, which also caused halts - this alternate way of failing to boot was not mentioned in the bug report, so it may still be needed to check that the certificate is not null on the web form.
https://redmine.pfsense.org/issues/10409
-
Clients may not need a certificate if it's an auth-only setup. The client GUI can't know what the server expects, the user has to configure it properly. There is only so much foot-shooting the GUI can prevent.
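Added example, not pfSense's or OpenVPN's own code and not from anyone in this thread: a POSIX sh pre-flight check that lints an OpenVPN client config for the conditions behind the boot halt in the original report (a blank or missing password line behind `auth-user-pass`), plus `askpass` without a file and `auth-retry interact`, which also make openvpn wait for console input. The certificate check follows the reasoning of the last reply: a missing certificate is flagged only when the config has no user/password auth either, since an auth-only client is a legitimate setup. The config and credential files it writes are constructed samples; the function names, file names and the hypothetical remote host are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's or OpenVPN's own code: a pre-flight lint for an
# OpenVPN client config that flags the settings which make openvpn stop and
# wait for console input (the boot halt described in the thread).
# File names, credentials and the remote host below are constructed for the demo.

# check_ovpn_client CONFIG
# Prints one line per finding. Returns 0 when openvpn can start unattended,
# 1 when it would prompt on the console or has no credentials at all.
check_ovpn_client() {
    cfg="$1"
    dir=$(dirname "$cfg")
    rc=0

    # "auth-user-pass" with no file: openvpn asks for username and password.
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]*$' "$cfg"; then
        echo "FAIL $cfg: auth-user-pass without a credential file (prompts for both)"
        rc=1
    fi

    # Any form of auth-user-pass means the client does user/password auth.
    has_userpass=0
    if grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$cfg"; then
        has_userpass=1
    fi

    # "auth-user-pass FILE": line 1 must be a non-empty username, line 2 a
    # non-empty password. A blank password line is exactly the
    # "Enter Auth Password:" prompt seen in the boot log above.
    credfile=$(sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -n "$credfile" ]; then
        case "$credfile" in /*) ;; *) credfile="$dir/$credfile" ;; esac
        if [ ! -r "$credfile" ]; then
            echo "FAIL $cfg: credential file $credfile is missing or unreadable"
            rc=1
        else
            user=$(sed -n '1p' "$credfile")
            pass=$(sed -n '2p' "$credfile")
            [ -n "$user" ] || { echo "FAIL $cfg: empty username in $credfile (prompts for it)"; rc=1; }
            [ -n "$pass" ] || { echo "FAIL $cfg: empty password in $credfile (prompts 'Enter Auth Password:')"; rc=1; }
        fi
    fi

    # "askpass" with no file: openvpn prompts for the private-key passphrase.
    if grep -Eq '^[[:space:]]*askpass[[:space:]]*$' "$cfg"; then
        echo "FAIL $cfg: askpass without a file (prompts for the key passphrase)"
        rc=1
    fi

    # "auth-retry interact" re-prompts on the console after a rejected login,
    # so a wrong stored password still ends in a prompt.
    if grep -Eq '^[[:space:]]*auth-retry[[:space:]]+interact' "$cfg"; then
        echo "WARN $cfg: auth-retry interact re-prompts on the console after a rejected login"
    fi

    # Client identity: cert/pkcs12 directive or inline block. Without one the
    # config is only usable as an auth-only (user/password) client, which the
    # last reply in the thread notes is a legitimate setup.
    if grep -Eq '^[[:space:]]*(cert|pkcs12)[[:space:]]|^[[:space:]]*<(cert|pkcs12)>' "$cfg"; then
        :
    elif [ "$has_userpass" -eq 1 ]; then
        echo "INFO $cfg: no client certificate; auth-only client (fine if the server allows it)"
    else
        echo "FAIL $cfg: no client certificate and no user/password auth configured"
        rc=1
    fi
    return $rc
}

# write_samples: constructed configs covering the cases discussed; prints the dir.
write_samples() {
    d=$(mktemp -d)
    # username present, password line blank: the report's reproduction case
    printf 'client\nremote vpn.example.invalid 1194\nauth-user-pass creds-nopass\n' > "$d/nopass.ovpn"
    printf 'alice\n' > "$d/creds-nopass"
    # complete credentials, no certificate: the auth-only client from the last reply
    printf 'client\nremote vpn.example.invalid 1194\nauth-user-pass creds-ok\n' > "$d/authonly.ovpn"
    printf 'alice\nexample-password\n' > "$d/creds-ok"
    # neither certificate nor user/password auth
    printf 'client\nremote vpn.example.invalid 1194\n' > "$d/nocreds.ovpn"
    # inline certificate, no user auth: unattended start is fine
    printf 'client\nremote vpn.example.invalid 1194\n<cert>\nplaceholder\n</cert>\n' > "$d/certonly.ovpn"
    echo "$d"
}

# Stand-alone run: lint every sample and report the verdict.
samples=$(write_samples)
for f in "$samples"/*.ovpn; do
    if check_ovpn_client "$f"; then echo "OK   $f starts unattended"; fi
done
rm -rf "$samples"
```

Run it against pfSense's generated client configs (or any `.ovpn`) before a reboot; a FAIL line is a config that will sit at a console prompt instead of finishing the boot, and the INFO line shows the auth-only case the last reply describes, which is accepted rather than flagged.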