Bug #12332

open

OpenVPN does not clear old Cisco-AVPair anchor rules in some cases

Added by Marcos Mendoza 9 months ago. Updated about 2 months ago.

Status:
Feedback
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

After some time, there exist anchor rules for old users who are no longer connected, which causes unintended rule matching / blocked access.

Running pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.

Files

ovpn_server.txt (1.32 KB): OpenVPN server configuration. Marcos Mendoza, 09/02/2021 10:49 AM
playback_output.txt (108 KB): Playback command output. Marcos Mendoza, 09/02/2021 10:49 AM
active_users.txt (2.17 KB): Current active OpenVPN users. Marcos Mendoza, 09/02/2021 10:49 AM

#1

Updated by Marcos Mendoza 9 months ago

It's possible this is related to #11699

#3

Updated by Marcos Mendoza 9 months ago

Copying comments here:

  1. It doesn't look like this takes into account the duplicate-cn option
  2. The lines with /tmp/$common_name seem to remain from old code and should probably be removed
  3. It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.

I've included a possible solution in the merge request.

#4

Updated by Marcos Mendoza 8 months ago

  • Assignee set to Marcos Mendoza

I've submitted a new merge request which solves this issue. The solution is dependent on #12407.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

#5

Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next

#6

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Feedback

Merged

#7

Updated by Marcos Mendoza 6 months ago

This is much better than what it was previously. There still exists a rare case in which stale anchor rules will persist. This is due to an OpenVPN bug which does not pass the correct environment variables to the disconnect script. This is fixed in OpenVPN 2.5.5 / 2.6, which as of now have not been released yet; details here: https://community.openvpn.net/openvpn/ticket/1434

Edit: OpenVPN 2.5.6 is in pfSense 22.05.

#8

Updated by Jim Pingle 6 months ago

  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01

#9

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to New

The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688, broke static IP address assignments from RADIUS.

#10

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

Commit reverted. We can revisit this in the next release.

#11

Updated by Marcos Mendoza 4 months ago

  • Status changed from New to Pull Request Review

#12

Updated by Viktor Gurov about 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged

#13

Updated by Marcos Mendoza about 2 months ago

Tested on 2.6 with patch. The rules are being applied correctly, and files get added/removed as expected. Using the following as an example:

insert into radreply (username,attribute,op,value) values ('testuser','Cisco-AVPair','+=','ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255');

[2.6.0-RELEASE][root@pfSense.localdomain]/root: pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state

tftp-proxy rules/nat contents:

userrules rules/nat contents:

[2.6.0-RELEASE][root@pfSense.localdomain]/root: ls -l /tmp/*vpn*
-rw-------  1 root  wheel   1 Mar 30 13:22 /tmp/openvpn_acf_62f8da335ccc652b122b1992148339ad.tmp
-rw-rw-rw-  1 root  wheel   0 Mar 30 13:22 /tmp/openvpnserviceserver1.lock
-rw-rw-rw-  1 root  wheel  62 Mar 30 13:22 /tmp/ovpn_ovpns1_testuser_61726.rules
-rw-r--r--  1 root  wheel   9 Mar 30 13:22 /tmp/ovpns1_router
-rw-r--r--  1 root  wheel   0 Mar 30 13:22 /tmp/ovpns1up

[2.6.0-RELEASE][root@pfSense.localdomain]/root: cat /tmp/ovpn_ovpns1_testuser_61726.rules
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16
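As an added defender's check (example code written for this report, not pfSense's own scripts), the following parses pfanchordrill output in the shape shown above and lists per-client OpenVPN sub-anchors whose session is no longer active, singling out those whose source address has since been handed to a live client, which is exactly how the stale rules cause unintended matching. It assumes the anchor name layout <interface>_<common name>_<client id>, inferred from the example name ovpns1_testuser_61726, and uses a constructed session list.

```python
import re

# Constructed sample in the shape of `pfSsh.php playback pfanchordrill` output
# from the report, plus one extra sub-anchor for a client that is no longer
# connected but whose tunnel address has been reused by the live client.
PFANCHORDRILL_OUTPUT = """\
openvpn rules/nat contents:

openvpn/ovpns1_olduser_50211 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.200.0.0/16 flags S/SA keep state

openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state

userrules rules/nat contents:
"""

# Constructed set of live sessions. Anchor names are assumed to be
# <interface>_<common name>_<client id>, as in the report's ovpns1_testuser_61726.
ACTIVE_SESSIONS = {("ovpns1", "testuser", "61726")}

ANCHOR_RE = re.compile(r"^openvpn/(?P<iface>ovpns\d+)_(?P<cn>.+)_(?P<id>\d+) rules/nat contents:$")
FROM_RE = re.compile(r"\bfrom (\S+)")


def parse_openvpn_anchors(output):
    """Return {(iface, cn, id): [rule, ...]} for every per-client OpenVPN sub-anchor."""
    anchors, current = {}, None
    for line in output.splitlines():
        m = ANCHOR_RE.match(line)
        if m:
            current = (m["iface"], m["cn"], m["id"])
            anchors[current] = []
        elif line.endswith("rules/nat contents:"):
            current = None  # top-level anchor (ipsec, userrules, ...), not a client anchor
        elif current is not None and line.strip():
            anchors[current].append(line.strip())
    return anchors


def find_stale_anchors(output, active):
    """Sub-anchors still loaded in pf whose session is not in the live list."""
    return {k: v for k, v in parse_openvpn_anchors(output).items() if k not in active}


def stale_anchors_sharing_address(output, active):
    """Stale anchors whose 'from' address is also used by a live client's anchor:
    their leftover rules now match the new client's traffic."""
    anchors = parse_openvpn_anchors(output)
    live_addrs = {m[1] for k, rules in anchors.items() if k in active
                  for m in map(FROM_RE.search, rules) if m}
    return [k for k, rules in anchors.items() if k not in active
            and any(m and m[1] in live_addrs for m in map(FROM_RE.search, rules))]


if __name__ == "__main__":
    for key in stale_anchors_sharing_address(PFANCHORDRILL_OUTPUT, ACTIVE_SESSIONS):
        print("stale anchor reusing a live address: openvpn/%s_%s_%s" % key)
```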

#14

Updated by Jim Pingle about 2 months ago

  • Target version changed from CE-Next to 2.7.0

#15

Updated by Marcos Mendoza about 2 months ago

  • % Done changed from 0 to 100