OPNsense Forum
English Forums => Virtual private networks => Topic started by: crally on November 04, 2022, 05:53:01 am
-
Hello,
after my update to 22.7.4 (meanwhile 22.7.7) I can't connect via OpenVPN when using user authentication.
User and server are active and valid.
When testing the user via "System: Access: Examiner", it says it's valid.
I had set "VPN: OpenVPN: Server: Server mode" to "SSL/TLS + user auth", but that doesn't work anymore.
When changing to just "SSL/TLS" everything is working again.
The logs said:
2022-11-04T05:35:29 Notice openvpn 2a01:xxxxxxxxx [vpn_user] Peer Connection Initiated with [AF_INET6]2a01:xxxxxxxxx
2022-11-04T05:35:29 Error openvpn 2a01:xxxxxxxxx TLS Auth Error: Auth Username/Password verification failed for peer
2022-11-04T05:35:29 Warning openvpn 2a01:xxxxxxxxx WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
2022-11-04T05:35:29 Warning openvpn user 'vpn_user' could not authenticate.
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_SSO=webauth,openurl,crtext
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_GUI_VER=net.openvpn.connect.ios_3.3.2-5086
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_PROTO=30
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_TCPNL=1
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_NCP=2
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_PLAT=ios
2022-11-04T05:35:28 Notice openvpn 2a01:xxxxxxxxx peer info: IV_VER=3.git::08aaaaaa
(changed IP, MAC, and user name)
I created a new user and client cert, but got the same error.
I haven't tried creating a new server so far.
It seems to me that the server can't verify the user against the local database.
-
We are having the same issue after upgrading to 22.7.7_1 today :-\
-
Update: we were able to fix the issue by creating a new CA, Server/Client Certificates and CRL
-
Ok thanks. Will try that, too.