Strange problems with OpenVPN authentication


  • Hi.

    pfsense version is 2.2.6-RELEASE (amd64)

    I'm using OpenVPN with backend freeradius + OTP.

    Now, the problem is when user tries to authenticate:

    1. sometimes they're unable to log in at all and they're blocked after 10 attempts and I need to remove local file to unlock them
    2. sometimes they log in in first try
    3. sometimes they can't log in in first 2-4 or 5 tries and after that they log in

    So, as you can see it has no order and it happens on random basics.

    Error in openvpn log is as follows:

    May 10 12:06:52 openvpn[98946]: XX:51000 Connection reset, restarting [0]
    May 10 12:06:49 openvpn[98946]: XX:51000 [XX] Peer Connection Initiated with [AF_INET]XX:51000
    May 10 12:06:49 openvpn[98946]: XX:51000 TLS Auth Error: Auth Username/Password verification failed for peer
    May 10 12:06:49 openvpn[98946]: XX:51000 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 1
    May 10 12:06:49 openvpn: user 'XX' could not authenticate.
    May 10 12:06:46 openvpn[98946]: TCP connection established with [AF_INET]XX:51000

    Same user get the same error and after few tries he log in successfully. So yes, in the end, users are able to log in, however whole process of authentication is annoying.

    Once they log in:

    May 10 12:07:06 openvpn[98946]: XX/XX:51001 send_push_reply(): safe_cap=940
    May 10 12:07:04 openvpn[98946]: XX/XX:51001 MULTI_sva: pool returned IPv4=XX, IPv6=(Not enabled)
    May 10 12:07:04 openvpn[98946]: XX:51001 [XX] Peer Connection Initiated with [AF_INET]XX:51001
    May 10 12:07:04 openvpn: user 'XX' authenticated
    May 10 12:07:01 openvpn[98946]: TCP connection established with [AF_INET]XX:51001

    So my question is basically, how could same command run after 10-15 sec and before that I received "WARNING: Failed running command (–auth-user-pass-verify) + TLS Auth Error: Auth Username/Password verification failed for peer".

    So far I've tried to:

    1. change FQDN with IP in vpn client file - didn't help
    2. delete freeradius user and re-create it - didn't help
    3. delete user cert + whole user and re-create it + adding the same in free radius = also didn't help
    4. I didn't use any special characters in password

    Any ideas what to check?


  • Error 1:

    May 10 12:06:49 openvpn[98946]: XX:51000 TLS Auth Error: Auth Username/Password verification failed for peer

    Error 2:

    May 10 12:06:49 openvpn[98946]: XX:51000 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 1

    Most probably, –auth-user-pass-verify fails due to Error 1
    So, solve Error 1 first.

    Any ideas what to check?

    Yes, try setting

    wait=3
    

    or 5 in radiusplugin.cnf
    It is the time in seconds radius waits for a response.


  • Hi and thanks Pippin. I will try setting this setting and let you know how it goes.


  • @Pippin

    this didn't help

    On the other hand, pfsense log I've put is in reverse order, so basically what you quoted above, error 2 is before error 1, so most likely error 1 fails because of the error 2

    I will do some more troubleshooting about that error two.

    EDIT:

    In openvpn config file I saw this:
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Radius' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn1_ssl' 1 "

    but this files does not exist if I try to "ls" them on the server. I've no idea how is this working for some users and some users have problems.


  • Ah, missed the reverse order, not very experienced with pfSense "reversed way"  :)

    If possible look at both logs, server and client with

    verb 4
    

    set in configs.

    Maybe the server is to busy at the times logons fail?
    OpenVPN being single threaded, I can imagine the verify is not "processed in time".

    No expert here though…..


  • I'll try with verb 4 and see how it goes.

    About the server business - I doubt, server is using like 10% of his potential in all meanings.


  • It didn't help, same problems.

    If the same user tries to connect via different user, e.g. my user - it's a success, every time in first attempt. However, yes, with his account/mobile OTP - problem. It's definitely not his PC, as he's able to log in with different accounts from the office and it's also not VPN client problem. Only difference is where OTP is generate, either his mobile or ours.

    EDIT:

    We've found the problem. Starting with point that he can connect as described above, we knew it's mobile-related problem. It seems like somehow his time on phone was ahead in time and once I increased OTP Lifetime from 3 to 6 on freeradius settings he was able to log in always in first try.

    Thanks for all the help!