Bug #12332: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #12332

closed

OpenVPN does not clear old Cisco-AVPair anchor rules in some cases

Added by Marcos M over 2 years ago. Updated almost 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Marcos M

Category:

OpenVPN

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Affected Version:

2.5.2

Affected Architecture:

Description

After some time, there exists anchor rules for old users no longer connected which is causing unintended rule matching / blocked access.

Running pfSsh.php playback pfanchordrill shows old anchor rulesets for users that are no longer connected and for IPs that have already been re-used by new connections.

Files

Download all files

ovpn_server.txt (1.32 KB) ovpn_server.txt	OpenVPN server configuration	Marcos M, 09/02/2021 10:49 AM
playback_output.txt (108 KB) playback_output.txt	Playback command output	Marcos M, 09/02/2021 10:49 AM
active_users.txt (2.17 KB) active_users.txt	Current active OpenVPN users	Marcos M, 09/02/2021 10:49 AM

Related issues

Related to Bug #14577: OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``

Needs Patch

Marcos M

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Marcos M over 2 years ago

It's possible this is related to #11699

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/379

Actions

Copy link

Updated by Marcos M over 2 years ago

Copying comments here:

It doesn't look like this takes into account the duplicate-cn option
The lines with /tmp/$common_name seem to remain from old code and should probably be removed
It would be really nice to have this patch made compatible with an implementation of #12267. I suspect given duplicate-cn handling, there's going to be some overlap.

I've included a possible solution in the merge request.

Actions

Copy link

Updated by Marcos M over 2 years ago

Assignee set to Marcos M

I've submitted a new merge request which solves this issue. The solution is dependent on #12407
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Pull Request Review
Target version set to CE-Next
Plus Target Version set to Plus-Next

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Status changed from Pull Request Review to Feedback

Merged

Actions

Copy link

Updated by Marcos M over 2 years ago

This is much better than what it was previously. There still exists a rare case in which stale anchor rules will persist. This is due to an OpenVPN bug which does not pass the correct environment variables to the disconnect script. This is fixed on OpenVPN 2.5.5 / 2.6 which as of now has not been released yet; details here: https://community.openvpn.net/openvpn/ticket/1434

Edit: OpenVPN 2.5.6 is in pfSense 22.05.

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Target version changed from CE-Next to 2.6.0
Plus Target Version changed from Plus-Next to 22.01

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from Feedback to New

The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688 , broke static IP address assignments from RADIUS.

Actions

Copy link

#10

Updated by Jim Pingle over 2 years ago

Target version changed from 2.6.0 to CE-Next
Plus Target Version changed from 22.01 to 22.05

Commit reverted. We can revisit this in the next release.

Actions

Copy link

#11

Updated by Marcos M over 2 years ago

Status changed from New to Pull Request Review

New MR, see: https://redmine.pfsense.org/issues/12267#note-16

Actions

Copy link

#12

Updated by Viktor Gurov about 2 years ago

Status changed from Pull Request Review to Feedback

Merged

Actions

Copy link

#13

Updated by Marcos M about 2 years ago

Tested on 2.6 with patch. The rules are being applied correctly, and files get added/removed as expected. Using the following as an example:

insert into radreply (username,attribute,op,value) values ('testuser','Cisco-AVPair','+=','ip:inacl#1=permit ip host 10.7.0.6 10.100.0.0 0.0.255.255');

[2.6.0-RELEASE][root@pfSense.localdomain]/root: pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

openvpn/ovpns1_testuser_61726 rules/nat contents:
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16 flags S/SA keep state

tftp-proxy rules/nat contents:

userrules rules/nat contents:

[2.6.0-RELEASE][root@pfSense.localdomain]/root: ls -l /tmp/*vpn*
-rw-------  1 root  wheel   1 Mar 30 13:22 /tmp/openvpn_acf_62f8da335ccc652b122b1992148339ad.tmp
-rw-rw-rw-  1 root  wheel   0 Mar 30 13:22 /tmp/openvpnserviceserver1.lock
-rw-rw-rw-  1 root  wheel  62 Mar 30 13:22 /tmp/ovpn_ovpns1_testuser_61726.rules
-rw-r--r--  1 root  wheel   9 Mar 30 13:22 /tmp/ovpns1_router
-rw-r--r--  1 root  wheel   0 Mar 30 13:22 /tmp/ovpns1up

[2.6.0-RELEASE][root@pfSense.localdomain]/root: cat /tmp/ovpn_ovpns1_testuser_61726.rules
pass in quick on ovpns1 inet from 10.7.0.6 to 10.100.0.0/16

Actions

Copy link

#14