OpenVPN not work after update OPNSense from 23.1.1_2->23.1.3

Started by kpurrucker, March 11, 2023, 02:11:45 AM

Hey, all.

Today I updated OPNSense from 23.1.1_2->23.1.3. Since then the OpenVPN users cannot authenticate, with the following message in the OpenVPN log file.

2023-03-11T01:52:15+01:00 firewall.name.local openvpn 19578 - [meta sequenceId="44"] user 'username' could not authenticate.
2023-03-11T01:52:15+01:00 firewall.name.local openvpn_server1 66835 - [meta sequenceId="45"] xx.xx.216.156:60711 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
2023-03-11T01:52:15+01:00 firewall.name.local openvpn_server1 66835 - [meta sequenceId="46"] xx.xx.216.156:60711 TLS Auth Error: Auth Username/Password verification failed for peer
2023-03-11T01:52:15+01:00 firewall.name.local openvpn_server1 66835 - [meta sequenceId="47"] xx.xx.216.156:60711 [username] Peer Connection Initiated with [AF_INET]xx.xx.216.156:60711


With the Server Mode "Remote Access (SSL/TLS)" instead of "Remote Access (SSL/TLS + User Auth)" in the OpenVPN Server configuration the login is functional. So the local User Auth Backend seems to be broken.

Has anyone a suggestion?

Thanks much!

I have the same issue with the exact same upgrade path.

Since I'm using LDAP as authentication, it cannot be local-auth only. I am also using Remote Access "User auth". So besides having the same issue, we have different configurations.

I did triple-check that the LDAP authentication is working under Access, also using the test.

Downgraded via

opnsense-revert -r 23.1.1_2 opnsense


and everything is working again.


Hi,

In order to debug this, best check how authentication is configured, using a grep:


grep -r auth-user-pass-verify /var/etc/openvpn/*.conf


In which case for active servers, it should point to "/usr/local/opnsense/scripts/openvpn/ovpn_event.py"

When it does, it's also possible to test the script, using a file containing username and password, like:


/usr/local/opnsense/scripts/openvpn/ovpn_event.py --script_type user-pass-verify --auth_method via-file --common_name root '1' /tmp/mypass.txt ; echo $?


In which case  /tmp/mypass.txt contains something like:


root
opnsense


Best regards,

Ad

Hi
Just wanted to post here to say I am also having an OpenVPN error after running the upgrade. Below is a recent log I am getting in the OpenVPN logs. Confirmed the same on 2 separate devices.



2023-03-14T11:58:05   Error   openvpn_server2   x.x.x.x:42371 TLS Error: TLS handshake failed   
2023-03-14T11:58:05   Error   openvpn_server2   x.x.x.x:42371 TLS Error: TLS object -> incoming plaintext read error   
2023-03-14T11:58:05   Error   openvpn_server2   x.x.x.x:42371 TLS_ERROR: BIO read tls_read_plaintext error   
2023-03-14T11:58:05   Error   openvpn_server2   1x.x.x.x:42371 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed   
2023-03-14T11:58:05   Warning   openvpn_server2   x.x.x.x:42371 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1   
2023-03-14T11:58:05   Warning   openvpn   Certificate depth 2 exceeded max allowed depth of 1.

Hi
Just wanted to follow up that I got my issue fixed.
Below is what fixed my issue.


In OpenVPN server settings:

I changed certificate depth to 2.

Then I adjusted the cipher in use.

Cipher in use was AES-128-CBC.

Connection is working for me now after changing.

Hi,
Same problem; no luck changing certificate depth to 2.
The same server accepts connections from Linux clients, but previously working OpenVPN for Android clients now get this error; no change was made on the client side.

Regards.

Same problem here with Viscosity 1.10.6b3 (OpenVPN 2.5.9 under the hood) on macOS 13.2.1. Tried to change cert depth to 2, create a new client connection, ... - nothing works - rolled back to 13.1.1_2 - Auth is via Password + TOTP + Client Cert. Site2Site OpenVPN connection to 22.7.11_1 works without problems.

I appear to have the same problem as described in the previous posts as well using a password + TOTP + client certificate. However, I noticed that authentication failed with the error message:

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

when using the OpenVPN client option 'static-challenge', but worked when this option was not used and the TOTP was concatenated to the password instead. It would be nice to get the prompt for the TOTP code working again. My current assumption is that there is an issue with the /usr/local/opnsense/scripts/openvpn/user_pass_verify.php script since the 23.1.2 update.
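As an added illustration (not code from the thread or from OPNsense) of the two checks Ad's post describes, plus the static-challenge case raised above: a small helper that reads the auth-user-pass-verify directive out of a server .conf and checks it names /usr/local/opnsense/scripts/openvpn/ovpn_event.py, and that parses the two-line via-file the verify script receives. With the client option static-challenge, OpenVPN sends the second line as SCRV1:<base64 password>:<base64 response> rather than the bare password, which is the assumption behind parse_via_file; the sample .conf and credential files are constructed here, not taken from a real installation.

```python
import base64
import shlex

# Script the directive should point to on OPNsense 23.1.x, per Ad's post.
EXPECTED_SCRIPT = "/usr/local/opnsense/scripts/openvpn/ovpn_event.py"

# Constructed sample server config; the directive form is OpenVPN's
# (auth-user-pass-verify "<command>" via-file|via-env), not copied from OPNsense.
SAMPLE_CONF = """\
dev ovpns1
proto udp
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '1'" via-file
verb 3
"""

# Constructed via-file contents: plain, and with a static-challenge response.
SAMPLE_PLAIN_FILE = "root\nopnsense\n"
SAMPLE_SCRV1_FILE = "root\nSCRV1:{}:{}\n".format(
    base64.b64encode(b"opnsense").decode(),
    base64.b64encode(b"123456").decode(),
)


def find_verify_directive(conf_text):
    """Return (script_path, mode) from the auth-user-pass-verify line, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("auth-user-pass-verify"):
            continue
        parts = shlex.split(line)          # keeps the quoted command as one token
        if len(parts) < 3:
            return None
        script = shlex.split(parts[1])[0]  # first word of the quoted command
        return script, parts[2]
    return None


def verify_script_ok(conf_text):
    """True when an active server hands verification to ovpn_event.py."""
    found = find_verify_directive(conf_text)
    return found is not None and found[0] == EXPECTED_SCRIPT


def parse_via_file(text):
    """Split a via-file into (username, password, challenge_response).

    Without static-challenge the response is None. With it, OpenVPN encodes
    the second line as SCRV1:<b64 password>:<b64 response>, so a verify
    script that compares the raw line to the stored password fails (exit 1).
    """
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file needs a username line and a password line")
    username, secret = lines[0], lines[1]
    if not secret.startswith("SCRV1:"):
        return username, secret, None
    _, pw_b64, resp_b64 = secret.split(":", 2)
    return (username,
            base64.b64decode(pw_b64).decode(),
            base64.b64decode(resp_b64).decode())
```

Run verify_script_ok over each /var/etc/openvpn/*.conf to replicate Ad's grep, and feed parse_via_file the file you pass to ovpn_event.py to see which form the script is being handed.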


@AdSchellevis Thanks! The patch works on my test system.

Hi,

Still same problem on my system after applying patch:

2023-03-16T13:04:12   Warning   openvpn_server2   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts      
2023-03-16T13:04:11   Error   openvpn_server2   event_wait : Interrupted system call (code=4)

Regards.

Repeating the same message without offering any information I asked for earlier (https://forum.opnsense.org/index.php?topic=32939.msg159704#msg159704) likely isn't going to lead to an improvement. It was sheer luck silverspy18 mentioned static-challenge, otherwise nothing would have changed until now.

Best regards,

Ad

Same problem for me. I am using Linux as client and had to re-export the OpenVPN config to get it working again.

Well, full reports would help, like Ad suggested. Your issue is probably https://github.com/opnsense/core/commit/4b2b60050

Not sure what OpenVPN is expecting here but we will be reverting to the original (deprecated) behaviour and hope they keep supporting it onwards. ;)


Cheers,
Franco