2.0.2 –> 2.0.3 Upgrade crashed OpenVPN



  • Hi,

    I just updated to the new version of pfSense.

    Had an OpenVPN server on pfSense with user auth via LDAP on a Win 2008 server. With 2.0.2 it worked for months out of the box.
    After upgrading to 2.0.3 I got the following error:

    May 21 15:45:25	openvpn[12835]: IP:47209 Connection reset, restarting [-1]
    May 21 15:44:37	openvpn[12835]: TCPv4_SERVER link remote: IP:47209
    May 21 15:44:37	openvpn[12835]: TCPv4_SERVER link local: [undef]
    May 21 15:44:37	openvpn[12835]: TCP connection established with IP:47209
    May 21 15:44:37	openvpn[12835]: Re-using SSL/TLS context
    May 21 15:44:32	openvpn[12835]: IP:34604 Connection reset, restarting [0]
    May 21 15:44:30	openvpn[12835]: IP:34604 [vpnuser] Peer Connection Initiated with IP:34604
    May 21 15:44:30	openvpn[12835]: IP:34604 TLS Auth Error: Auth Username/Password verification failed for peer
    May 21 15:44:30	openvpn[12835]: IP:34604 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    May 21 15:44:30	openvpn: user admin1 could not authenticate.
    May 21 15:44:30	openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
    May 21 15:44:30	openvpn: : Now Searching in server AD_VPN, container CN=GSG_VPN_Users,OU=Security Groups,OU=Company,DC=Company,DC=local with filter (samaccountname=admin1).
    May 21 15:44:30	openvpn: : Now Searching for admin1 in directory.
    May 21 15:44:29	openvpn[12835]: TCPv4_SERVER link remote: IP:34604
    May 21 15:44:29	openvpn[12835]: TCPv4_SERVER link local: [undef]
    May 21 15:44:29	openvpn[12835]: TCP connection established with IP:34604
    May 21 15:44:29	openvpn[12835]: Re-using SSL/TLS context

    Anyone have any idea about this?
    Couldn't find much about this problem.


  • Rebel Alliance Developer Netgate

    That's not an OpenVPN issue, it's an issue with your AD auth.

    Check Diagnostics > Authentication, try to login there with the same account.



  • OK, just recognized it now, thanks for your help.

    But why am I not able to auth with AD anymore? Just checked multiple users - no one is able to do that.
    Going to check the AD settings once more, but I'm annoyed..

    EDIT:
    getting this for checking the connection in user-manager:

    Testing pfSense LDAP settings... One moment please...
    Attempting connection to		OK
    Attempting bind to		OK
    Attempting to fetch Organizational Units from		OK
    Organization units found:
    ....(all OUs)

    EDIT2:
    Some more information about the problem from the system logs:
    sys.auth is my user for accessing the AD due to user

    May 21 18:56:35	php: /diag_authentication.php: ERROR! Either LDAP search failed, or multiple users were found.
    May 21 18:56:35	php: /diag_authentication.php: Now Searching in server AD_VPN, container CN=GSG_VPN_Users,OU=Security_Groups,OU=Company,DC=company,DC=local with filter (samaccountname=sys.auth).
    May 21 18:56:35	php: /diag_authentication.php: Now Searching for sys.auth in directory.


  • Anyone else with similar problems?
    Or any idea for the next step?



  • Just solved the problem, many thanks for your help!

    Here is the result:

    We're using authentication via AD group membership and after updating to 2.0.3 the /etc/inc/auth.inc was overwritten - just forgot that we patched that.
    Here is the original thread: http://forum.pfsense.org/index.php/topic,28816.0.html

    You could also download the patched file here (just remove .patched.txt)

    regards

    auth.inc.patched.txt



  • That file is very old! There are lots of diffs against the current 2.0.3 version that are due to new/changed things in 2.0.n since your changes were done. I am interested in using functionality like this soon, so I have looked through the diffs and applied the bits that seem relevant to the current 2.0.3 version of auth.inc.
    The file is in my GitHub at present - https://github.com/phil-davis/pfsense/blob/RELENG_2_0/etc/inc/auth.inc - but that changes on a regular basis, so I have also attached it here.
    I have nothing to test this against at present. I have made sure the syntax is OK in a test VM.
    Can someone try this version on 2.0.3 and report back if it works?

    Once we have a good working version against 2.0.3 code, then we can integrate it up with the main branch, review how it works, test, remove some of the "debug" logging and submit a change that will eventually appear in 2.2. IMHO it would be good to have this functionality and it is much better if it is built-in to the system, rather than people trying to find bits of patched code.

    auth.inc.ldap-group-2-0-3.txt



  • OK, thanks for your information.
    I'm going to test this and give you a reply.



  • @yayaasd:

    OK, thanks for your information.
    I'm going to test this and give you a reply.

    Sorry dude, not working with your version of auth.inc. Got "authentication failed".


  • Banned

    AD is still completely broken even with latest 2.1RC snapshots (not just with OpenVPN). In all those years, has any patch been submitted via GitHub to make the thing usable?  ???



  • Yes, the one I attached to one of my posts is working fine.


  • Banned

    Well, that is very good, however the question was why nothing has been merged for all those years, when obviously there are serious issues with the AD/LDAP code. Anyone submitted any of those patches? pf is currently the only piece of SW being used in place that I completely failed to get working with AD.


  • Rebel Alliance Developer Netgate

    Not sure how it's broken for some, but I know it's working for several others that I've helped setup personally, and I tested it myself against server 2012 when updating the book for 2.1.

    If we can get more details of exactly how it's broken on 2.1 we can work on fixing it though. The only issue I think some people have is with trying to lock down by group membership and even then it works for most people if they get the DNs and such just right. That can vary a LOT depending on your AD structure though.

    The group patches are already on 2.1, maybe not the ones from that thread but the "Extended Query" box is where that is handled.

    I've also been working on this page:
    http://doc.pfsense.org/index.php/LDAP_Troubleshooting

    Primarily focusing on SSL issues since those are the most common ones I hear about, but I'm open to other suggestions to put there.

    For people having issues on 2.1, the LDAP Debugging section of that page may be the best thing to try.
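    A small log triage script for the pattern seen in the logs above (added here as an example; it is not code from pfSense, from the thread or from the attached auth.inc): it parses the "Now Searching in server ..., container ... with filter ..." line, correlates it with the "LDAP search failed" error and the OpenVPN exit status 255, and flags a search base that is a group object rather than an OU. The memberOf filter it proposes is an assumed equivalent of restricting by group membership, not the exact query pfSense's Extended Query box builds.

```python
import re

# Constructed sample: the openvpn log lines from the first post (newest first, as the pfSense GUI lists them).
SAMPLE_LOG = """\
May 21 15:44:30\topenvpn[12835]: IP:34604 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
May 21 15:44:30\topenvpn: user admin1 could not authenticate.
May 21 15:44:30\topenvpn: : ERROR! Either LDAP search failed, or multiple users were found.
May 21 15:44:30\topenvpn: : Now Searching in server AD_VPN, container CN=GSG_VPN_Users,OU=Security Groups,OU=Company,DC=Company,DC=local with filter (samaccountname=admin1).
May 21 15:44:30\topenvpn: : Now Searching for admin1 in directory.
"""

# The same three messages appear with a "php: /diag_authentication.php:" prefix in the Diagnostics > Authentication logs.
SEARCH_RE = re.compile(r"Now Searching in server (?P<server>[^,]+), container (?P<base>.+?) with filter (?P<filter>\(.*\))\.?$")
FAILED_RE = re.compile(r"ERROR! Either LDAP search failed, or multiple users were found")
VERIFY_RE = re.compile(r"--auth-user-pass-verify\): external program exited with error status: (?P<status>\d+)")


def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value


def analyse(log_text):
    """Correlate the search line, the LDAP error and the OpenVPN verify exit status into one finding."""
    result = {"server": None, "base": None, "filter": None, "ldap_search_failed": False,
              "verify_exit_status": None, "base_is_group": False, "suggested_base": None, "suggested_filter": None}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            result.update(server=m["server"], base=m["base"], filter=m["filter"])
        if FAILED_RE.search(line):
            result["ldap_search_failed"] = True
        m = VERIFY_RE.search(line)
        if m:
            result["verify_exit_status"] = int(m["status"])
    base = result["base"]
    if base and result["ldap_search_failed"]:
        rdns = [r.strip() for r in base.split(",")]
        # A CN=... base is a leaf object (here a group). In AD, users are not children of a group, so a
        # subtree search below it with (samaccountname=...) finds nobody and auth.inc reports a failed search.
        if rdns[0].upper().startswith("CN="):
            result["base_is_group"] = True
            # Assumed equivalent: search from the domain root (the DC= components) and express the group
            # restriction in the filter. Narrowing the base to the users' OU is up to the administrator.
            result["suggested_base"] = ",".join(r for r in rdns if r.upper().startswith("DC="))
            result["suggested_filter"] = "(&%s(memberOf=%s))" % (result["filter"], ldap_filter_escape(base))
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print("%-20s %s" % (key, value))
```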



  • Hi,

    Sorry, I have been very busy lately.

    Tried again with 2.0.3 and got these messages:

    Jul 21 14:43:31	openvpn[21604]: IP_client:18020 TLS Auth Error: Auth Username/Password verification failed for peer
    Jul 21 14:43:31	openvpn[21604]: IP_client:18020 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    Jul 21 14:43:31	openvpn: user USER could not authenticate.
    Jul 21 14:43:31	openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
    Jul 21 14:43:31	openvpn: : Now Searching in server AD_VPN, container CN=VPN_Users,OU=Group,OU=Group,OU=NAME,DC=NAME,DC=local with filter (samaccountname=USER).
    Jul 21 14:43:31	openvpn: : Now Searching for USER in directory.
    Jul 21 14:43:29	openvpn[21604]: IP_client:18020 LZO compression initialized
    Jul 21 14:43:29	openvpn[21604]: IP_client:18020 Re-using SSL/TLS context
    Jul 21 14:37:12	openvpn[18895]: Initialization Sequence Completed
    Jul 21 14:37:12	openvpn[18895]: Peer Connection Initiated with IP_Server:1194

    Going to have a look at the LDAP Troubleshooting page when I have enough time again ;-)