Project

General

Profile

Actions

Bug #12076

closed

OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses

Added by Florian Lourdault 11 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
06/23/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Current OpenVPN script implemented to trigger Cisco-AVPair ACL in PF chains allows the {clientip} syntax to match IP address of the client initiating the VPN connection.

The script (/usr/local/sbin/openvpn.attributes.sh) relies on ${ifconfig_pool_remote_ip} variable passed from OpenVPN to generate a PF rule (temporary file) to later insert in PF running configuration.

For some reason the IP address returned by the OpenVPN pool is not the same as the Framed-IP-Address indicated by Radius (see screenshots). I also dumped variables passed by OpenVPN to the script and none contains the Framed-IP-Address.

The workaround I implemented on my pfsense was to replace the {clientip} substitution pattern while processing /etc/inc/util.inc if a framed_ip is set in attribute.


Files

pfsense_ovpn-radius-framedip.png (57.5 KB) pfsense_ovpn-radius-framedip.png Connection logs from OpenVPN client and server Florian Lourdault, 06/23/2021 03:35 PM
pfsense_ovpn-radius-framedip2.png (13.6 KB) pfsense_ovpn-radius-framedip2.png Framed-IP-Address configured for user (AD / NPS) Florian Lourdault, 06/23/2021 04:21 PM
ifconfig_Ubuntu.png (17.9 KB) ifconfig_Ubuntu.png Azamat Khakimyanov, 10/31/2021 11:05 AM
pcap_with_radius.png (98 KB) pcap_with_radius.png Azamat Khakimyanov, 10/31/2021 11:09 AM
vpnuser_IPv4_and_IPv6_attributes.png (94.5 KB) vpnuser_IPv4_and_IPv6_attributes.png Azamat Khakimyanov, 10/31/2021 11:11 AM

Related issues

Has duplicate Bug #12497: OpenVPN Server assignes random IPv4 addresses to active clients even if FreeRadius has configured Framed-IP for all these remote clientsDuplicateViktor Gurov

Actions
Actions #2

Updated by Renato Botelho 11 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

Actions #3

Updated by Renato Botelho 11 months ago

  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions #4

Updated by Jim Pingle 9 months ago

  • Subject changed from OpenVPN + Radius + Framed-Ip-Address + Cisco-AVPair: clientip != framedip to OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses

Updating subject for release notes.

Actions #5

Updated by Jim Pingle 7 months ago

  • Plus Target Version changed from 21.09 to 22.01
Actions #6

Updated by Azamat Khakimyanov 7 months ago

Tested on 22.01-DEVELOPMENT (built on Sun Oct 31 05:21:32 UTC 2021)

Neither Windows 10, nor Ubuntu 21.10 were able to get correct Framed-IPv4/IPv6 addresses with active OpenVPN tunnel - in both cases IP-addresses were just random IPs from OpenVPN pool.

For example I created 'vpnuser' (vpnuser_IPv4_and_IPv6_attributes.png) with:
- IPv4 address: 10.99.11.11
- IPv6 address: 2001:db8:99::11,
but when I connected from Ubuntu 21.10 I got IPv4: 10.99.11.16 and IPv6: 2001:db8:99::100e (ifconfig_Ubuntu.png).
In PCAP I caught traffic between pfSense and FreeRadius and I saw that FreeRadius sent Framed-IP-address and Framed-IPv6-address I configured (pcap_with_radius.png)

In OpenVPN log on pfSense I saw nothing about Framed-IPs, and I wasn't able to see it in OpenVPN log on Windows as Florian saw according to his screenshot (pfsense_ovpn-radius-framedip.png)

Actions #7

Updated by Jim Pingle 5 months ago

The static addresses were broken by 7aaa20d95a345c4688e8786c755c7d0433451688 which is related to #12407 / #12332 / #12267

Backing out that commit, clients get static addresses again. I noted that on the issues.

Actions #8

Updated by Jim Pingle 5 months ago

  • Status changed from Assigned to Feedback

The above commit has been reverted. Please test this issue again on the next new snapshot, or on a snapshot with that commit reverted.

Actions #9

Updated by Viktor Gurov 4 months ago

  • Has duplicate Bug #12497: OpenVPN Server assignes random IPv4 addresses to active clients even if FreeRadius has configured Framed-IP for all these remote clients added
Actions #10

Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF