2.0.2 -> 2.0.3 Upgrade crashed OpenVPN

    Installation and Upgrades
yayaasd:

      Hi,

I just updated to the new version of pfSense.

I had an OpenVPN server on pfSense with user auth via LDAP on a Windows 2008 server. With 2.0.2 it worked for months out of the box.
After upgrading to 2.0.3 I got the following error:

      
      May 21 15:45:25	openvpn[12835]: IP:47209 Connection reset, restarting [-1]
      May 21 15:44:37	openvpn[12835]: TCPv4_SERVER link remote: IP:47209
      May 21 15:44:37	openvpn[12835]: TCPv4_SERVER link local: [undef]
      May 21 15:44:37	openvpn[12835]: TCP connection established with IP:47209
      May 21 15:44:37	openvpn[12835]: Re-using SSL/TLS context
      May 21 15:44:32	openvpn[12835]: IP:34604 Connection reset, restarting [0]
      May 21 15:44:30	openvpn[12835]: IP:34604 [vpnuser] Peer Connection Initiated with IP:34604
      May 21 15:44:30	openvpn[12835]: IP:34604 TLS Auth Error: Auth Username/Password verification failed for peer
May 21 15:44:30	openvpn[12835]: IP:34604 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
      May 21 15:44:30	openvpn: user admin1 could not authenticate.
      May 21 15:44:30	openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
      May 21 15:44:30	openvpn: : Now Searching in server AD_VPN, container CN=GSG_VPN_Users,OU=Security Groups,OU=Company,DC=Company,DC=local with filter (samaccountname=admin1).
      May 21 15:44:30	openvpn: : Now Searching for admin1 in directory.
      May 21 15:44:29	openvpn[12835]: TCPv4_SERVER link remote: IP:34604
      May 21 15:44:29	openvpn[12835]: TCPv4_SERVER link local: [undef]
      May 21 15:44:29	openvpn[12835]: TCP connection established with IP:34604
      May 21 15:44:29	openvpn[12835]: Re-using SSL/TLS context
      
      

Does anyone have an idea about this?
I couldn't find much about this problem.

jimp (Netgate developer):

        That's not an OpenVPN issue, it's an issue with your AD auth.

        Check Diagnostics > Authentication, try to login there with the same account.

yayaasd:

OK, I just recognised that now, thanks for your help.

But why am I not able to authenticate with AD anymore? I just checked multiple users - no one is able to.
I'm going to check the AD settings once more, but I'm annoyed..

          EDIT:
          getting this for checking the connection in user-manager:

          Testing pfSense LDAP settings... One moment please...
          Attempting connection to		OK
          Attempting bind to		OK
          Attempting to fetch Organizational Units from		OK
          Organization units found:
          
          ....(all OUs)
          
          

          EDIT2:
Some more information about the problem from the system logs:
          sys.auth is my user for accessing the AD due to user

          
          May 21 18:56:35	php: /diag_authentication.php: ERROR! Either LDAP search failed, or multiple users were found.
          May 21 18:56:35	php: /diag_authentication.php: Now Searching in server AD_VPN, container CN=GSG_VPN_Users,OU=Security_Groups,OU=Company,DC=company,DC=local with filter (samaccountname=sys.auth).
          May 21 18:56:35	php: /diag_authentication.php: Now Searching for sys.auth in directory.
          
          
yayaasd:

Anyone else with a similar problem?
Or any idea for the next step?

yayaasd:

Just solved the problem, many thanks for your help!

              here is the result:

We're using authentication via AD group membership, and after updating to 2.0.3 the /etc/inc/auth.inc was overwritten - I just forgot that we had patched that.
              here is the original thread: http://forum.pfsense.org/index.php/topic,28816.0.html

You could also download the patched file here (just remove .patched.txt).

              regards

              auth.inc.patched.txt

phil.davis:

                That file is very old! There are lots of diffs against the current 2.0.3 version that are due to new/changed things in 2.0.n since your changes were done. I am interested in using functionality like this soon, so I have looked through the diffs and applied the bits that seem relevant to the current 2.0.3 version of auth.inc
                The file is in my GitHub at present - https://github.com/phil-davis/pfsense/blob/RELENG_2_0/etc/inc/auth.inc - but that changes on a regular basis, so I have also attached it here.
                I have nothing to test this against at present. I have made sure the syntax is OK in a test VM.
                Can someone try this version on 2.0.3 and report back if it works?

                Once we have a good working version against 2.0.3 code, then we can integrate it up with the main branch, review how it works, test, remove some of the "debug" logging and submit a change that will eventually appear in 2.2. IMHO it would be good to have this functionality and it is much better if it is built-in to the system, rather than people trying to find bits of patched code.

                auth.inc.ldap-group-2-0-3.txt

yayaasd:

OK, thanks for your information.
I'm going to test this and give you a reply.

yayaasd:

                    @yayaasd:

OK, thanks for your information.
I'm going to test this and give you a reply.

Sorry dude, not working with your version of auth.inc. Got "authentication failed".

doktornotor:

AD is still completely broken even with the latest 2.1RC snapshots (not just with OpenVPN). In all those years, has any patch been submitted via GitHub to make the thing usable?

yayaasd:

Yes, the one I attached to one of my posts is working fine.

doktornotor:

Well, that is very good, however the question was why nothing has been merged in all those years, when obviously there are serious issues with the AD/LDAP code. Has anyone submitted any of those patches? pf is currently the only piece of software in use here that I completely failed to get working with AD.

jimp (Netgate developer):

                            Not sure how it's broken for some, but I know it's working for several others that I've helped setup personally, and I tested it myself against server 2012 when updating the book for 2.1.

                            If we can get more details of exactly how it's broken on 2.1 we can work on fixing it though. The only issue I think some people have is with trying to lock down by group membership and even then it works for most people if they get the DNs and such just right. That can vary a LOT depending on your AD structure though.

                            The group patches are already on 2.1, maybe not the ones from that thread but the "Extended Query" box is where that is handled.

                            I've also been working on this page:
                            http://doc.pfsense.org/index.php/LDAP_Troubleshooting

                            Primarily focusing on SSL issues since those are the most common ones I hear about, but I'm open to other suggestions to put there.

                            For people having issues on 2.1, the LDAP Debugging section of that page may be the best thing to try.

yayaasd:
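The log lines in the first post ("Now Searching in server AD_VPN, container CN=GSG_VPN_Users,... with filter (samaccountname=admin1)" followed by "Either LDAP search failed, or multiple users were found") and jimp's remark that locking down by group membership works only if the DNs are exactly right both come down to what the search against AD actually asks. The following is an added example written for this thread, not pfSense's own auth.inc and not code from any poster: it builds the user-lookup filter with RFC 4515 escaping (the username comes straight from the OpenVPN client via --auth-user-pass-verify, so it must not be able to alter the filter), runs it against a constructed in-memory directory whose DN layout mirrors the one in the log, and maps the hit count onto the three outcomes behind that error line. The attribute names sAMAccountName and memberOf, the in-memory stand-in for AD, and the reading of the "Extended Query" box as a memberOf clause AND-ed onto the username clause are all assumptions of this example.

```python
"""Added example, not pfSense's auth.inc: build an AD user-lookup filter the
way a pfSense-style LDAP authenticator needs it, run it against a constructed
in-memory directory, and map the result count onto the three outcomes behind
"Either LDAP search failed, or multiple users were found"."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping. The username arrives from the OpenVPN client through
# --auth-user-pass-verify, so it must never be able to alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username: str, group_dn: Optional[str] = None) -> str:
    """(sAMAccountName=<user>), AND-ed with a memberOf clause when a group is
    given. Assumption: this is the role pfSense's "Extended Query" box plays."""
    user_clause = f"(sAMAccountName={escape_filter_value(username)})"
    if group_dn is None:
        return user_clause
    return f"(&{user_clause}(memberOf={escape_filter_value(group_dn)}))"


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]  # attribute names stored lower-case


def parse_equality_filter(filter_str: str) -> Dict[str, str]:
    """Parse only the subset build_user_filter emits: (a=v) or (&(a=v)(b=v))."""
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        raise ValueError("filter must be parenthesised")
    inner = filter_str[1:-1]
    clauses = re.findall(r"\(([^()]*)\)", inner[1:]) if inner.startswith("&") else [inner]
    conds: Dict[str, str] = {}
    for clause in clauses:
        attr, _, value = clause.partition("=")
        conds[attr.lower()] = unescape_filter_value(value)
    return conds


def search(directory: List[Entry], base_dn: str, filter_str: str) -> List[Entry]:
    """Subtree search: an entry must sit at or below base_dn and match every clause."""
    base = base_dn.lower()
    conds = parse_equality_filter(filter_str)
    hits = []
    for entry in directory:
        dn = entry.dn.lower()
        if not (dn == base or dn.endswith("," + base)):
            continue
        if all(any(v.lower() == want.lower() for v in entry.attrs.get(attr, []))
               for attr, want in conds.items()):
            hits.append(entry)
    return hits


def classify_search(entries: List[Entry]) -> Tuple[str, Optional[str]]:
    """Zero hits and several hits are both fatal, and the log line in the thread
    does not say which of the two you have; this function keeps them apart."""
    if not entries:
        return ("not_found", None)
    if len(entries) > 1:
        return ("ambiguous", None)
    return ("ok", entries[0].dn)


def lookup(directory, base_dn, username, group_dn=None):
    return classify_search(search(directory, base_dn, build_user_filter(username, group_dn)))


# Constructed directory mirroring the DN layout in the thread's log lines.
GROUP_DN = "CN=GSG_VPN_Users,OU=Security Groups,OU=Company,DC=company,DC=local"
USERS_BASE = "OU=Company,DC=company,DC=local"
ADMIN1_DN = "CN=admin1,OU=Users,OU=Company,DC=company,DC=local"
SYSAUTH_DN = "CN=sys.auth,OU=Service Accounts,OU=Company,DC=company,DC=local"
DIRECTORY = [
    Entry(GROUP_DN, {"objectclass": ["group"], "member": [ADMIN1_DN]}),
    Entry(ADMIN1_DN, {"samaccountname": ["admin1"], "memberof": [GROUP_DN]}),
    Entry(SYSAUTH_DN, {"samaccountname": ["sys.auth"], "memberof": []}),
]

if __name__ == "__main__":
    # Base = the group object itself: no user entry lives under it, so zero hits.
    print(lookup(DIRECTORY, GROUP_DN, "admin1"))
    # Base = the user tree plus a memberOf clause: exactly one hit.
    print(lookup(DIRECTORY, USERS_BASE, "admin1", GROUP_DN))
    # Not a member of the group, or a filter-injection attempt: still zero hits.
    print(lookup(DIRECTORY, USERS_BASE, "sys.auth", GROUP_DN))
    print(lookup(DIRECTORY, USERS_BASE, "admin1)(objectClass=*"))
```

The point the constructed directory makes is that a search whose base is the group's own DN can only ever return the group object, which has no sAMAccountName, so the lookup reports "not found" for every user, exactly the symptom of every account failing at once; restricting by group is a memberOf clause on a search rooted at the user tree, not a base DN pointing at the group. The escaping step is what keeps a username such as `admin1)(objectClass=*` a literal value instead of a second filter clause.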

Hi,

Sorry, I was very busy lately.

Tried again with 2.0.3 and got these messages:

                              
                              Jul 21 14:43:31	openvpn[21604]: IP_client:18020 TLS Auth Error: Auth Username/Password verification failed for peer
                              Jul 21 14:43:31	openvpn[21604]: IP_client:18020 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
                              Jul 21 14:43:31	openvpn: user USER could not authenticate.
                              Jul 21 14:43:31	openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
                              Jul 21 14:43:31	openvpn: : Now Searching in server AD_VPN, container CN=VPN_Users,OU=Group,OU=Group,OU=NAME,DC=NAME,DC=local with filter (samaccountname=USER).
                              Jul 21 14:43:31	openvpn: : Now Searching for USER in directory.
                              Jul 21 14:43:29	openvpn[21604]: IP_client:18020 LZO compression initialized
                              Jul 21 14:43:29	openvpn[21604]: IP_client:18020 Re-using SSL/TLS context
                              Jul 21 14:37:12	openvpn[18895]: Initialization Sequence Completed
                              Jul 21 14:37:12	openvpn[18895]: Peer Connection Initiated with IP_Server:1194
                              
                              

Going to have a look at the LDAP troubleshooting page when I have enough time again ;-)
