Project

General

Profile

Actions

Bug #12332

open

OpenVPN does not clear old Cisco-AVPair anchor rules in some cases

Added by Marcos Mendoza about 2 months ago. Updated 4 days ago.

Status:
Pull Request Review
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

After some time, there exists anchor rules for old users no longer connected which is causing unintended rule matching / blocked access.

Running pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.


Files

ovpn_server.txt (1.32 KB) ovpn_server.txt OpenVPN server configuration Marcos Mendoza, 09/02/2021 10:49 AM
playback_output.txt (108 KB) playback_output.txt Playback command output Marcos Mendoza, 09/02/2021 10:49 AM
active_users.txt (2.17 KB) active_users.txt Current active OpenVPN users Marcos Mendoza, 09/02/2021 10:49 AM
Actions #1

Updated by Marcos Mendoza about 2 months ago

It's possible this is related to #11699

Actions #3

Updated by Marcos Mendoza about 2 months ago

Copying comments here:

  1. It doesn't look like this takes into account the duplicate-cn option
  2. The lines with /tmp/$common_name seem to remain from old code and should probably be removed
  3. It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.

I've included a possible solution in the merge request.

Actions #4

Updated by Marcos Mendoza 26 days ago

  • Assignee set to Marcos Mendoza

I've submitted a new merge request which solves this issue. The solution is dependent on #12407
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

Actions #5

Updated by Jim Pingle 4 days ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions

Also available in: Atom PDF