OpenVPN does not clear old Cisco-AVPair anchor rules in some cases
After some time, there exist anchor rules for old users who are no longer connected, which causes unintended rule matching / blocked access.
pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.
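As an added example (not pfSense's own tooling and not code from this issue), the following audit lists per-user OpenVPN anchors whose common name no longer appears in the server's connected-client list, which is the stale-anchor condition the report describes. It assumes the anchor naming openvpn/<iface>_<common-name>_<id> shown later in this issue and the CLIENT_LIST line format of the OpenVPN management interface's `status 2` output; both listings below are constructed samples, and the cleanup commands are generated as strings rather than executed.

```python
"""Audit per-user OpenVPN pf anchors against the clients OpenVPN still reports
as connected.  Added example, not pfSense's own code.  Assumptions: anchors
are named openvpn/<iface>_<cn>_<id> (as in the issue's example output) and the
connected-client list is 'status 2' output from the management interface."""
import re
from typing import Dict, List

# Constructed sample of 'pfctl -a openvpn -s Anchors' output: one live client
# (testuser), one whose disconnect script never ran (olduser), and a client
# on a second server instance.
ANCHOR_LISTING = """\
  openvpn/ovpns1_testuser_61726
  openvpn/ovpns1_olduser_59912
  openvpn/ovpns2_remote_70011
"""

# Constructed 'status 2' excerpts, one per server (each server has its own
# management socket, so anchors are matched per interface).
STATUS_BY_IFACE: Dict[str, str] = {
    "ovpns1": """\
TITLE,OpenVPN 2.6.0
CLIENT_LIST,testuser,192.0.2.10:51234,10.7.0.6,,1024,2048,2023-03-30 13:22:00,1680182520,testuser,0,0,AES-256-GCM
END
""",
    "ovpns2": """\
TITLE,OpenVPN 2.6.0
CLIENT_LIST,remote,198.51.100.7:4321,10.8.0.2,,10,20,2023-03-30 13:25:00,1680182700,remote,0,0,AES-256-GCM
END
""",
}

# Greedy <cn> so a common name containing underscores still parses; the
# numeric <id> is whatever trailing number pfSense appended.
_ANCHOR_RE = re.compile(r"^openvpn/(?P<iface>ovpns\d+)_(?P<cn>.+)_(?P<id>\d+)$")


def connected_common_names(status_text: str) -> set:
    """Common names from the CLIENT_LIST lines of 'status 2' (CN is field 2)."""
    cns = set()
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[0] == "CLIENT_LIST" and len(fields) > 1:
            cns.add(fields[1])
    return cns


def stale_anchors(anchor_listing: str, status_by_iface: Dict[str, str]) -> List[str]:
    """Anchor paths whose common name is not connected on that server.
    With duplicate-cn several anchors may share one CN; all of them are kept
    as long as that CN is still connected, so the check is conservative."""
    stale = []
    for raw in anchor_listing.splitlines():
        name = raw.strip()
        m = _ANCHOR_RE.match(name)
        if not m:
            continue  # not a per-user anchor, leave it alone
        live = connected_common_names(status_by_iface.get(m["iface"], ""))
        if m["cn"] not in live:
            stale.append(name)
    return stale


def flush_commands(stale: List[str]) -> List[str]:
    """pfctl invocations that would drop the stale rulesets (returned, not run)."""
    return [f"pfctl -a '{a}' -F rules" for a in stale]


if __name__ == "__main__":
    for cmd in flush_commands(stale_anchors(ANCHOR_LISTING, STATUS_BY_IFACE)):
        print(cmd)
```

Matching on common name rather than on tunnel IP is deliberate: the report notes that addresses get re-used by new connections, so an IP-based comparison would wrongly treat a stale anchor as belonging to whoever currently holds that address.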
Updated by Viktor Gurov 9 months ago
Updated by Marcos Mendoza 9 months ago
Copying comments here:
- It doesn't look like this takes into account the
- The lines with /tmp/$common_name seem to remain from old code and should probably be removed
- It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.
I've included a possible solution in the merge request.
Updated by Marcos Mendoza 6 months ago
This is much better than what it was previously. There still exists a rare case in which stale anchor rules will persist. This is due to an OpenVPN bug which does not pass the correct environment variables to the disconnect script. This is fixed on OpenVPN 2.6 which as of now has not been released yet; details here: https://community.openvpn.net/openvpn/ticket/1434
Edit: OpenVPN 2.5.6 is in pfSense 22.05.
Updated by Marcos Mendoza about 2 months ago
Tested on 2.6 with patch. The rules are being applied correctly, and files get added/removed as expected. Using the following as an example:
insert into radreply (username,attribute,op,value) values ('testuser','Cisco-AVPair','+=','ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255');
[2.6.0-RELEASE][root@pfSense.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state
tftp-proxy rules/nat contents:
userrules rules/nat contents:

[2.6.0-RELEASE][root@pfSense.localdomain]/root: ls -l /tmp/*vpn*
-rw-------  1 root  wheel   1 Mar 30 13:22 /tmp/openvpn_acf_62f8da335ccc652b122b1992148339ad.tmp
-rw-rw-rw-  1 root  wheel   0 Mar 30 13:22 /tmp/openvpnserviceserver1.lock
-rw-rw-rw-  1 root  wheel  62 Mar 30 13:22 /tmp/ovpn_ovpns1_testuser_61726.rules
-rw-r--r--  1 root  wheel   9 Mar 30 13:22 /tmp/ovpns1_router
-rw-r--r--  1 root  wheel   0 Mar 30 13:22 /tmp/ovpns1up

[2.6.0-RELEASE][root@pfSense.localdomain]/root: cat /tmp/ovpn_ovpns1_testuser_61726.rules
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16
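Added example, not pfSense's own parser and not code from this issue: the translation the test above exercises, from a Cisco-AVPair inacl value to the pf rule that lands in the per-user anchor, with the wildcard-mask to prefix-length conversion done explicitly and rules ordered by the inacl index (pf `quick` rules are first-match, so order is security-relevant). The accepted grammar (permit|deny, ip|tcp|udp, host/any/wildcard endpoints, optional `eq <port>` on the destination) is an assumption; only the first sample value is the radreply row from the issue, the others are constructed.

```python
"""Translate Cisco-AVPair 'ip:inacl#N=...' values into pf rules for a per-user
OpenVPN anchor.  Added example; the grammar accepted here is an assumption
(permit|deny ip|tcp|udp <src> <dst> [eq <port>]), not pfSense's own parser."""
import ipaddress
import re
from typing import List, Tuple

# Constructed samples, deliberately out of index order.  The '#1' entry is
# the radreply value from the issue; the others are made up for illustration.
SAMPLE_AVPAIRS = [
    "ip:inacl#3=deny ip any any",
    "ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255",
    "ip:inacl#2=permit tcp host 10.7.0.6 host 10.100.1.10 eq 443",
]

_AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def _wildcard_to_prefix(wildcard: str) -> int:
    """Cisco wildcard mask (0.0.255.255) -> prefix length (16).  The set bits
    must form one contiguous low run, otherwise there is no single CIDR form."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - w.bit_length()


def _next(tokens: List[str], what: str) -> str:
    if not tokens:
        raise ValueError(f"missing {what} in ACL entry")
    return tokens.pop(0)


def _parse_endpoint(tokens: List[str]) -> str:
    """Consume one endpoint (host A | any | A WILDCARD) from the front of
    tokens and return it in pf address syntax."""
    kw = _next(tokens, "endpoint")
    if kw == "any":
        return "any"
    if kw == "host":
        return str(ipaddress.IPv4Address(_next(tokens, "host address")))
    prefix = _wildcard_to_prefix(_next(tokens, "wildcard mask"))
    net = ipaddress.ip_network((kw, prefix), strict=False)
    return str(net.network_address) if prefix == 32 else str(net)


def parse_avpair(avpair: str) -> Tuple[int, str]:
    """Split 'ip:inacl#N=<acl>' into (N, acl); N fixes the order in the anchor."""
    m = _AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"not an inacl AVPair: {avpair!r}")
    return int(m.group(1)), m.group(2)


def acl_to_pf_rule(acl: str, iface: str) -> str:
    tokens = acl.split()
    action, proto = _next(tokens, "action"), _next(tokens, "protocol")
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACL entry: {acl!r}")
    src = _parse_endpoint(tokens)
    dst = _parse_endpoint(tokens)
    port = None
    if tokens[:1] == ["eq"] and proto != "ip" and len(tokens) == 2:
        port = int(tokens[1])
        tokens = []
    if tokens:
        raise ValueError(f"trailing tokens in ACL entry: {acl!r}")
    # 'quick' makes the first matching rule final, so anchor order matters.
    parts = ["pass" if action == "permit" else "block", "in", "quick", "on", iface, "inet"]
    if proto != "ip":
        parts += ["proto", proto]
    parts += ["from", src, "to", dst]
    if port is not None:
        parts += ["port", str(port)]
    return " ".join(parts)


def avpair_to_pf_rule(avpair: str, iface: str) -> str:
    return acl_to_pf_rule(parse_avpair(avpair)[1], iface)


def build_anchor_ruleset(avpairs: List[str], iface: str) -> List[str]:
    """Rules for the per-user anchor, ordered by inacl index rather than by
    the order in which RADIUS happened to return the attributes."""
    ordered = sorted((parse_avpair(a) for a in avpairs), key=lambda p: p[0])
    return [acl_to_pf_rule(acl, iface) for _, acl in ordered]


if __name__ == "__main__":
    print("\n".join(build_anchor_ruleset(SAMPLE_AVPAIRS, "ovpns1")))
```

Run against the issue's radreply value this yields exactly the line found in /tmp/ovpn_ovpns1_testuser_61726.rules above; the `flags S/SA keep state` shown by pfanchordrill is pf's default display of the loaded rule, not part of the file.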