Bug #12076
closed
OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses
0%
Description
Current OpenVPN script implemented to trigger Cisco-AVPair ACL in PF chains allows the {clientip} syntax to match IP address of the client initiating the VPN connection.
The script (/usr/local/sbin/openvpn.attributes.sh) relies on ${ifconfig_pool_remote_ip} variable passed from OpenVPN to generate a PF rule (temporary file) to later insert in PF running configuration.
For some reason the IP address returned by the OpenVPN pool is not the same as the Framed-IP-Address indicated by Radius (see screenshots). I also dumped variables passed by OpenVPN to the script and none contains the Framed-IP-Address.
The workaround I implemented on my pfsense was to replace the {clientip} substitution pattern while processing /etc/inc/util.inc if a framed_ip is set in attribute.
Files
| pfsense_ovpn-radius-framedip.png (57.5 KB) pfsense_ovpn-radius-framedip.png | Connection logs from OpenVPN client and server | ||
| pfsense_ovpn-radius-framedip2.png (13.6 KB) pfsense_ovpn-radius-framedip2.png | Framed-IP-Address configured for user (AD / NPS) | ||
| ifconfig_Ubuntu.png (17.9 KB) ifconfig_Ubuntu.png | |||
| pcap_with_radius.png (98 KB) pcap_with_radius.png | |||
| vpnuser_IPv4_and_IPv6_attributes.png (94.5 KB) vpnuser_IPv4_and_IPv6_attributes.png |
Related issues
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by 
