Bug #12332

closed

OpenVPN does not clear old Cisco-AVPair anchor rules in some cases

Added by Marcos M about 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:
Description

After some time, there exist anchor rules for old users who are no longer connected, which causes unintended rule matching / blocked access.

Running pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.
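The stale-rule condition described above, as an added example that is not part of this ticket and not pfSense's own code: the script below parses `pfSsh.php playback pfanchordrill` output of the shape shown later in this ticket together with OpenVPN status-version-2 `CLIENT_LIST` lines (both sample inputs are constructed), and flags an `openvpn/<iface>_<cn>_<id>` anchor as stale when no connected client has both that common name and the source address the anchor's rule matches on. That covers both cases in the description: a user who has disconnected, and an address that has since been handed to a different client. The anchor-name layout and the `/tmp/ovpn_<anchor>.rules` path are taken from the output in this ticket; the meaning of the numeric suffix (treated here as a per-connection id), the status-file format and the cleanup commands are assumptions, and the script only prints the commands rather than running them.

```python
import re

# Section header in pfanchordrill output, e.g. "openvpn/ovpns1_testuser_61726 rules/nat contents:"
ANCHOR_RE = re.compile(r"^openvpn/(?P<name>\S+) rules/nat contents:$")
# Source address of a pf rule line: "... on ovpns1 inet from 10.7.0.6 to ..."
RULE_SRC_RE = re.compile(r"\bon (?P<iface>\S+) inet6? from (?P<src>[0-9A-Fa-f.:]+)")

# Constructed pfanchordrill output: one live user and two stale anchors.
DRILL = """\
openvpn rules/nat contents:

openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state

openvpn/ovpns1_olduser_58211 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.10 to 10.100.0.0/16 flags S/SA keep state

openvpn/ovpns1_gone_40017 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.14 to 10.100.0.0/16 flags S/SA keep state

tftp-proxy rules/nat contents:
"""

# Constructed OpenVPN status output (status-version 2): 10.7.0.10 has been
# reassigned from olduser to newuser, and "gone" is no longer connected.
STATUS = """\
TITLE,OpenVPN 2.5.6 (constructed sample)
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,testuser,192.0.2.10:51234,10.7.0.6,,1234,5678,2022-03-30 13:22:00,1648646520,testuser,0,0
CLIENT_LIST,newuser,192.0.2.11:40001,10.7.0.10,,100,200,2022-03-30 13:25:00,1648646700,newuser,1,1
END
"""


def parse_anchor_name(name):
    """Split '<iface>_<cn>_<id>' into (iface, cn). The CN may itself contain
    underscores, so only the first and the last underscore are significant."""
    iface, rest = name.split("_", 1)
    cn, conn_id = rest.rsplit("_", 1)
    if not conn_id.isdigit():
        raise ValueError(f"unexpected anchor name {name!r}")
    return iface, cn


def parse_pfanchordrill(text):
    """Return {anchor_name: [rule lines]} for the anchors nested under openvpn/."""
    anchors, current = {}, None
    for line in text.splitlines():
        m = ANCHOR_RE.match(line)
        if m:
            current = m.group("name")
            anchors[current] = []
        elif line.endswith("rules/nat contents:"):
            current = None                      # left the openvpn/* subtree
        elif current is not None and line.strip():
            anchors[current].append(line.strip())
    return anchors


def parse_status(text):
    """Return the set of (common_name, virtual_ipv4) pairs currently connected."""
    active = set()
    for line in text.splitlines():
        if line.startswith("CLIENT_LIST,"):
            fields = line.split(",")
            active.add((fields[1], fields[3]))
    return active


def stale_anchors(anchors, active):
    """An anchor is live only if some connected client has both its CN and the
    source address its rules match on; otherwise the rules belong to a session
    that is gone, or to an address that has since been handed to someone else."""
    active_cns = {cn for cn, _ in active}
    stale = []
    for name, rules in anchors.items():
        _iface, cn = parse_anchor_name(name)
        srcs = {m.group("src") for m in map(RULE_SRC_RE.search, rules) if m}
        if srcs:
            live = any((cn, src) in active for src in srcs)
        else:                                   # e.g. "from any": fall back to CN only
            live = cn in active_cns
        if not live:
            stale.append(name)
    return sorted(stale)


def cleanup_commands(stale):
    """Commands an operator would run per stale anchor (printed, not executed):
    flush the anchor's rules and remove the rules file left behind in /tmp."""
    cmds = []
    for name in stale:
        cmds.append(f"pfctl -a openvpn/{name} -F rules")
        cmds.append(f"rm -f /tmp/ovpn_{name}.rules")
    return cmds


if __name__ == "__main__":
    stale = stale_anchors(parse_pfanchordrill(DRILL), parse_status(STATUS))
    for cmd in cleanup_commands(stale):
        print(cmd)
```

Matching on the (CN, virtual address) pair rather than on the CN alone is what makes this work with `duplicate-cn`: each session of the same CN gets its own address, so a lingering anchor for a session that has ended is still reported even while another session for that CN is up.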


Files

ovpn_server.txt (1.32 KB) - OpenVPN server configuration - Marcos M, 09/02/2021 10:49 AM
playback_output.txt (108 KB) - Playback command output - Marcos M, 09/02/2021 10:49 AM
active_users.txt (2.17 KB) - Current active OpenVPN users - Marcos M, 09/02/2021 10:49 AM

Related issues

Related to Bug #14577: OpenVPN not removing old Cisco-AVPair anchor rules and files in /tmp (Needs Patch, Marcos M)

Actions #1

Updated by Marcos M about 3 years ago

It's possible this is related to #11699

Actions #3

Updated by Marcos M about 3 years ago

Copying comments here:

  1. It doesn't look like this takes into account the duplicate-cn option
  2. The lines with /tmp/$common_name seem to remain from old code and should probably be removed
  3. It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.

I've included a possible solution in the merge request.

Actions #4

Updated by Marcos M about 3 years ago

  • Assignee set to Marcos M

I've submitted a new merge request which solves this issue. The solution is dependent on #12407
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

Actions #5

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions #6

Updated by Viktor Gurov about 3 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #7

Updated by Marcos M almost 3 years ago

This is much better than what it was previously. There still exists a rare case in which stale anchor rules will persist. This is due to an OpenVPN bug which does not pass the correct environment variables to the disconnect script. This is fixed on OpenVPN 2.5.5 / 2.6 which as of now has not been released yet; details here: https://community.openvpn.net/openvpn/ticket/1434

Edit: OpenVPN 2.5.6 is in pfSense 22.05.

Actions #8

Updated by Jim Pingle almost 3 years ago

  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01
Actions #9

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to New

The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688, broke static IP address assignments from RADIUS.

Actions #10

Updated by Jim Pingle almost 3 years ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

Commit reverted. We can revisit this in the next release.

Actions #11

Updated by Marcos M almost 3 years ago

  • Status changed from New to Pull Request Review
Actions #12

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #13

Updated by Marcos M over 2 years ago

Tested on 2.6 with patch. The rules are being applied correctly, and files get added/removed as expected. Using the following as an example:

insert into radreply (username,attribute,op,value) values ('testuser','Cisco-AVPair','+=','ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255');

[2.6.0-RELEASE][root@pfSense.localdomain]/root: pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state

tftp-proxy rules/nat contents:

userrules rules/nat contents:

[2.6.0-RELEASE][root@pfSense.localdomain]/root: ls -l /tmp/*vpn*
-rw-------  1 root  wheel   1 Mar 30 13:22 /tmp/openvpn_acf_62f8da335ccc652b122b1992148339ad.tmp
-rw-rw-rw-  1 root  wheel   0 Mar 30 13:22 /tmp/openvpnserviceserver1.lock
-rw-rw-rw-  1 root  wheel  62 Mar 30 13:22 /tmp/ovpn_ovpns1_testuser_61726.rules
-rw-r--r--  1 root  wheel   9 Mar 30 13:22 /tmp/ovpns1_router
-rw-r--r--  1 root  wheel   0 Mar 30 13:22 /tmp/ovpns1up

[2.6.0-RELEASE][root@pfSense.localdomain]/root: cat /tmp/ovpn_ovpns1_testuser_61726.rules
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16
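The Cisco-AVPair to pf translation that the test above exercises, as an added example that is not part of this ticket and not pfSense's own code (how pfSense itself parses these values is not shown on this page): the `ip:inacl#N=` syntax and the resulting rule shape are taken from the test above, and the first sample AV-pair reproduces the rule written to `/tmp/ovpn_ovpns1_testuser_61726.rules` exactly (`flags S/SA keep state` in the pfanchordrill listing is pf's default for a pass rule, added on load). Wildcard-mask conversion, `deny` mapping to `block`, and the protocol and port handling beyond that single case are assumptions about the general Cisco ACL grammar, not a statement of what pfSense accepts.

```python
import ipaddress
import re

AVPAIR_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<acl>.+)$")
ACTIONS = {"permit": "pass", "deny": "block"}


def wildcard_to_prefixlen(wildcard):
    """Cisco wildcard mask (0 bits must match) -> CIDR prefix length, so
    0.0.255.255 -> 16. Non-contiguous wildcards have no CIDR form and are rejected
    rather than silently widened."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ones


def take_address(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return str(ipaddress.IPv4Address(tokens[1])), tokens[2:]
    plen = wildcard_to_prefixlen(tokens[1])
    net = ipaddress.IPv4Network(f"{tokens[0]}/{plen}", strict=False)
    return str(net), tokens[2:]


def take_port(tokens):
    """Consume an optional 'eq N' or 'range A B' port spec (tcp/udp only)."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    if tokens and tokens[0] == "range":
        return f"{tokens[1]}:{tokens[2]}", tokens[3:]
    return None, tokens


def avpair_to_pf(avpair, iface):
    """Translate one 'ip:inacl#N=<acl entry>' value into (N, pf rule text)."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"not an inbound ACL AV-pair: {avpair!r}")
    tokens = m.group("acl").split()
    action = ACTIONS[tokens.pop(0).lower()]
    proto = tokens.pop(0).lower()
    has_ports = proto in ("tcp", "udp")
    src, tokens = take_address(tokens)
    sport, tokens = take_port(tokens) if has_ports else (None, tokens)
    dst, tokens = take_address(tokens)
    dport, tokens = take_port(tokens) if has_ports else (None, tokens)
    if tokens:
        raise ValueError(f"unsupported ACL trailer: {' '.join(tokens)}")
    rule = [action, "in", "quick", "on", iface, "inet"]
    if proto != "ip":                      # "ip" means any protocol; pf needs no keyword
        rule += ["proto", proto]
    rule += ["from", src]
    if sport:
        rule += ["port", sport]
    rule += ["to", dst]
    if dport:
        rule += ["port", dport]
    return int(m.group("seq")), " ".join(rule)


def rules_for_client(avpairs, iface):
    """Order by ACL sequence number so pf's 'quick' first-match follows the ACL order,
    whatever order the RADIUS reply attributes arrived in."""
    return [rule for _, rule in sorted(avpair_to_pf(a, iface) for a in avpairs)]


if __name__ == "__main__":
    # Constructed RADIUS reply: the ticket's AV-pair plus two more showing deny, proto and ports.
    reply = [
        "ip:inacl#2=deny tcp any 10.100.5.0 0.0.0.255 eq 22",
        "ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255",
        "ip:inacl#3=permit udp host 10.7.0.6 eq 5000 any range 10000 20000",
    ]
    for rule in rules_for_client(reply, "ovpns1"):
        print(rule)
```

Rejecting a non-contiguous wildcard is the check worth keeping: a mask such as 0.0.255.0 cannot be expressed as a single pf prefix, and turning it into the nearest CIDR would quietly grant more than the RADIUS policy said.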
Actions #14

Updated by Jim Pingle over 2 years ago

  • Target version changed from CE-Next to 2.7.0
Actions #15

Updated by Marcos M over 2 years ago

  • % Done changed from 0 to 100
Actions #16

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved
Actions #17

Updated by Jim Pingle over 1 year ago

  • Related to Bug #14577: OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp`` added