Bug #12076: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses
Status: Closed
Description
The current OpenVPN script implemented to trigger Cisco-AVPair ACLs in PF chains allows the {clientip} syntax to match the IP address of the client initiating the VPN connection.
The script (/usr/local/sbin/openvpn.attributes.sh) relies on the ${ifconfig_pool_remote_ip} variable passed from OpenVPN to generate a PF rule (temporary file) to later insert into the running PF configuration.
For some reason the IP address returned by the OpenVPN pool is not the same as the Framed-IP-Address indicated by RADIUS (see screenshots). I also dumped the variables passed by OpenVPN to the script and none contains the Framed-IP-Address.
The workaround I implemented on my pfSense was to replace the {clientip} substitution pattern while processing /etc/inc/util.inc if a framed_ip is set in the attribute.
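The substitution the reporter describes, as an added illustration that is not pfSense's openvpn.attributes.sh or the reporter's patch: a Cisco-AVPair ACL string has every {clientip} replaced with the address the client actually holds, preferring a RADIUS Framed-IP-Address over the OpenVPN pool address, and refusing to splice anything that is not a well-formed IPv4 address into a firewall rule. The AVPair string, the variable name RADIUS_FRAMED_IP (the report notes OpenVPN itself does not pass the framed address to the script, so where it comes from is left as a placeholder) and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not pfSense's /usr/local/sbin/openvpn.attributes.sh.
# Renders a Cisco-AVPair ACL string for one connecting client by substituting
# {clientip} with the address the client really holds: the RADIUS
# Framed-IP-Address when one was returned, else the OpenVPN pool address.

# is_ipv4 ADDR: accept only a dotted quad with each octet in 0..255, so that a
# malformed or unexpected attribute value is never spliced into a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
            exit 0
        }'
}

# pick_client_ip FRAMED_IP POOL_IP: the address that should replace {clientip}.
# Mirrors the workaround in the report: a valid Framed-IP-Address wins over
# ${ifconfig_pool_remote_ip}; anything else falls back to the pool address.
pick_client_ip() {
    if [ -n "$1" ] && is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# substitute_clientip TEMPLATE ADDR: replace every {clientip} in TEMPLATE.
# ADDR has passed is_ipv4, so it contains no sed replacement metacharacters.
substitute_clientip() {
    printf '%s\n' "$1" | sed "s/{clientip}/$2/g"
}

# build_acl_rule AVPAIR FRAMED_IP POOL_IP: prints the rendered rule, or prints
# nothing and returns non-zero when neither address is usable.
build_acl_rule() {
    addr=$(pick_client_ip "$2" "$3")
    is_ipv4 "$addr" || return 1
    substitute_clientip "$1" "$addr"
}

# Example run with the values from this report. RADIUS_FRAMED_IP is a
# placeholder for wherever the RADIUS reply attribute is made available to the
# script; the report notes that OpenVPN itself does not pass it along.
RADIUS_FRAMED_IP="10.99.11.11"
ifconfig_pool_remote_ip="10.99.11.16"
build_acl_rule 'ip:inacl#1=permit tcp {clientip} any eq 443' \
    "$RADIUS_FRAMED_IP" "$ifconfig_pool_remote_ip"
```

With the framed address set, the rendered rule carries 10.99.11.11; with it empty or malformed the pool address 10.99.11.16 is used instead, which is exactly the mismatch the report observes when the script only ever looks at ${ifconfig_pool_remote_ip}.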
Updated by Viktor Gurov over 4 years ago
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
PR has been merged. Thanks!
Updated by Renato Botelho over 4 years ago
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Updated by Jim Pingle about 4 years ago
- Subject changed from "OpenVPN + Radius + Framed-Ip-Address + Cisco-AVPair: clientip != framedip" to "OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses"
Updating subject for release notes.
Updated by Jim Pingle almost 4 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Azamat Khakimyanov almost 4 years ago
- File ifconfig_Ubuntu.png added
- File pcap_with_radius.png added
- File vpnuser_IPv4_and_IPv6_attributes.png added
- Status changed from Feedback to Assigned
- Assignee changed from Renato Botelho to Viktor Gurov
Tested on 22.01-DEVELOPMENT (built on Sun Oct 31 05:21:32 UTC 2021).
Neither Windows 10 nor Ubuntu 21.10 was able to get the correct Framed-IPv4/IPv6 addresses with an active OpenVPN tunnel; in both cases the IP addresses were just random IPs from the OpenVPN pool.
For example, I created 'vpnuser' (vpnuser_IPv4_and_IPv6_attributes.png) with:
- IPv4 address: 10.99.11.11
- IPv6 address: 2001:db8:99::11
but when I connected from Ubuntu 21.10 I got IPv4: 10.99.11.16 and IPv6: 2001:db8:99::100e (ifconfig_Ubuntu.png).
In a PCAP I captured the traffic between pfSense and FreeRADIUS and saw that FreeRADIUS sent the Framed-IP-Address and Framed-IPv6-Address I configured (pcap_with_radius.png).
In the OpenVPN log on pfSense I saw nothing about Framed-IPs, and I wasn't able to see it in the OpenVPN log on Windows as Florian did according to his screenshot (pfsense_ovpn-radius-framedip.png).
Updated by Jim Pingle almost 4 years ago
The static addresses were broken by 7aaa20d95a345c4688e8786c755c7d0433451688, which is related to #12407 / #12332 / #12267.
Backing out that commit, clients get static addresses again. I noted that on the issues.
Updated by Jim Pingle almost 4 years ago
- Status changed from Assigned to Feedback
The above commit has been reverted. Please test this issue again on the next new snapshot, or on a snapshot with that commit reverted.
Updated by Viktor Gurov almost 4 years ago
- Has duplicate Bug #12497: "OpenVPN Server assignes random IPv4 addresses to active clients even if FreeRadius has configured Framed-IP for all these remote clients" added
Updated by Jim Pingle almost 4 years ago
- Status changed from Feedback to Resolved