Bug #12332 (closed): OpenVPN does not clear old Cisco-AVPair anchor rules in some cases
Added by Marcos M about 3 years ago. Updated over 2 years ago.
% Done: 100%
Description
After some time, there exist anchor rules for old users no longer connected, which is causing unintended rule matching / blocked access.
Running pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.
Files
- ovpn_server.txt (1.32 KB): OpenVPN server configuration. Marcos M, 09/02/2021 10:49 AM
- playback_output.txt (108 KB): Playback command output. Marcos M, 09/02/2021 10:49 AM
- active_users.txt (2.17 KB): Current active OpenVPN users. Marcos M, 09/02/2021 10:49 AM
Related issues
Updated by Viktor Gurov about 3 years ago
Updated by Marcos M about 3 years ago
Copying comments here:
- It doesn't look like this takes into account the duplicate-cn option
- The lines with /tmp/$common_name seem to remain from old code and should probably be removed
- It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.
I've included a possible solution in the merge request.
Updated by Marcos M about 3 years ago
- Assignee set to Marcos M
I've submitted a new merge request which solves this issue. The solution is dependent on #12407
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Target version set to CE-Next
- Plus Target Version set to Plus-Next
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Marcos M almost 3 years ago
This is much better than what it was previously. There still exists a rare case in which stale anchor rules will persist. This is due to an OpenVPN bug which does not pass the correct environment variables to the disconnect script. This is fixed in OpenVPN 2.5.5 / 2.6, which as of now has not been released yet; details here: https://community.openvpn.net/openvpn/ticket/1434
Edit: OpenVPN 2.5.6 is in pfSense 22.05.
Updated by Jim Pingle almost 3 years ago
- Target version changed from CE-Next to 2.6.0
- Plus Target Version changed from Plus-Next to 22.01
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to New
The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688, broke static IP address assignments from RADIUS.
Updated by Jim Pingle almost 3 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
Commit reverted. We can revisit this in the next release.
Updated by Marcos M almost 3 years ago
- Status changed from New to Pull Request Review
New MR, see: https://redmine.pfsense.org/issues/12267#note-16
Updated by Marcos M over 2 years ago
Tested on 2.6 with patch. The rules are being applied correctly, and files get added/removed as expected. Using the following as an example:
insert into radreply (username,attribute,op,value) values ('testuser','Cisco-AVPair','+=','ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255');
[2.6.0-RELEASE][root@pfSense.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state
tftp-proxy rules/nat contents:
userrules rules/nat contents:
[2.6.0-RELEASE][root@pfSense.localdomain]/root: ls -l /tmp/*vpn*
-rw------- 1 root wheel 1 Mar 30 13:22 /tmp/openvpn_acf_62f8da335ccc652b122b1992148339ad.tmp
-rw-rw-rw- 1 root wheel 0 Mar 30 13:22 /tmp/openvpnserviceserver1.lock
-rw-rw-rw- 1 root wheel 62 Mar 30 13:22 /tmp/ovpn_ovpns1_testuser_61726.rules
-rw-r--r-- 1 root wheel 9 Mar 30 13:22 /tmp/ovpns1_router
-rw-r--r-- 1 root wheel 0 Mar 30 13:22 /tmp/ovpns1up
[2.6.0-RELEASE][root@pfSense.localdomain]/root: cat /tmp/ovpn_ovpns1_testuser_61726.rules
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16
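The test above shows the two things the fix has to get right: the Cisco-AVPair `ip:inacl#N=...` value must be turned into the per-user pf anchor rule, and the anchor must go away when the session does. The following is an added example, not pfSense's own code or the merge request under review. It translates an AVPair into the rule text seen in the `cat` output, and reconciles `pfanchordrill` output against a set of live sessions to flag stale per-user anchors, which is the symptom the ticket and the OpenVPN disconnect-script bug (ticket 1434) leave behind. The anchor-id format `<interface>_<common name>_<port>`, the `olduser` anchor and the active-session set are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample data modelled on the ticket's test; the second anchor,
# the port numbers and the active-session set are assumptions, not captured
# from a live system.
SAMPLE_AVPAIR = "ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255"

SAMPLE_ANCHORDRILL = """\
openvpn rules/nat contents:
openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state
openvpn/ovpns1_olduser_50211 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state
tftp-proxy rules/nat contents:
"""

# Assumed: one id per live session, formed as <interface>_<common name>_<port>,
# the same shape as the anchor names that pfanchordrill lists.
SAMPLE_ACTIVE = {"ovpns1_testuser_61726"}

# Only the plain "ip" protocol form is handled; tcp/udp ACL entries with ports
# are rejected rather than silently translated into an over-broad rule.
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+ip\s+(.+)$")
ANCHOR_RE = re.compile(r"^openvpn/(\S+) rules/nat contents:$", re.M)


def _take_endpoint(tokens):
    """Consume one Cisco ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    wildcard = tokens.pop(0)
    # A Cisco wildcard is the bitwise inverse of a netmask. A non-contiguous
    # wildcard has no pf prefix equivalent, and IPv4Network raises ValueError.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    net = ipaddress.IPv4Network((tok, str(netmask)), strict=False)
    # pf writes a single host without the /32 suffix, as in the ticket output.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def avpair_to_pf_rule(iface, avpair):
    """Translate one ip:inacl AVPair into the pf rule text for the user's anchor."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"not an ip:inacl AVPair: {avpair!r}")
    action = "pass" if m.group(2) == "permit" else "block"
    tokens = m.group(3).split()
    src = _take_endpoint(tokens)
    dst = _take_endpoint(tokens)
    if tokens:
        raise ValueError(f"unsupported trailing ACL options: {tokens}")
    return f"{action} in quick on {iface} inet from {src} to {dst}"


def loaded_user_anchors(anchordrill_output):
    """Per-user anchors currently loaded under openvpn/, from pfanchordrill output."""
    return ANCHOR_RE.findall(anchordrill_output)


def find_stale_anchors(anchordrill_output, active_ids):
    """Anchors that are loaded but that no live session accounts for.

    A non-empty result is the condition the ticket describes: rules from a
    finished session still matching traffic, possibly for a reassigned IP.
    """
    return sorted(a for a in loaded_user_anchors(anchordrill_output) if a not in active_ids)


if __name__ == "__main__":
    print(avpair_to_pf_rule("ovpns1", SAMPLE_AVPAIR))
    for anchor in find_stale_anchors(SAMPLE_ANCHORDRILL, SAMPLE_ACTIVE):
        print(f"stale anchor: openvpn/{anchor}")
```

On a real box the two inputs would come from `pfSsh.php playback pfanchordrill` and the OpenVPN status output of connected clients; the reconciliation is useful as a periodic check precisely because it does not depend on the disconnect script having run with the right environment.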
Updated by Jim Pingle over 2 years ago
- Target version changed from CE-Next to 2.7.0
Updated by Marcos M over 2 years ago
- % Done changed from 0 to 100
Applied in changeset 971b9a642df9cba81d91459c56e0dd92107f6115.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
Updated by Jim Pingle over 1 year ago
- Related to Bug #14577: OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp`` added