Bug #14577: OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp`` - pfSense - pfSense bugtracker

Actions

Copy link

Bug #14577

closed

OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``

Added by Michael Mercier 10 months ago. Updated 7 months ago.

Status:

Needs Patch

Priority:

Normal

Assignee:

Marcos M

Category:

OpenVPN

Target version:

CE-Next

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Plus-Next

Release Notes:

Default

Affected Version:

Affected Architecture:

6100

Description

Hello,

I am seeing duplicate ovpn_ovpns1_<user>_<port>.rules files in the /tmp directory, and I also see duplicate entries when running pfSsh playback pfanchordrill

Another observation I have made:

Some users have a /tmp/<user> file containing routes, some don't.

As an example:

[23.05.1-RELEASE][root@vpn]/tmp:ls ovpn_ovpns1_* | awk -F'_' '{print $3}' | xargs ls
ls: user105: No such file or directory
ls: user109: No such file or directory
ls: user110: No such file or directory
ls: user115: No such file or directory
ls: user119: No such file or directory
user100    user106    user116
user101    user107    user117
user101    user108    user118
user102    user111    user120
user103    user112    user121
user104    user113    user121
user104    user115    user122

NOTE:
The 6100 was upgraded to 23.05.1 yesterday (July 12th, 2023). Before that the device was running 22.05, I was experiencing https://redmine.pfsense.org/issues/12332 on the device.

Please let me know if there is any additional information I can provide.

Thanks,
Mike

Related issues

Actions

Copy link

Updated by Jim Pingle 10 months ago

Project changed from pfSense Plus to pfSense
Subject changed from OpenVPN not removing cisco-avpair files in /tmp to OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``
Category changed from OpenVPN to OpenVPN
Assignee set to Marcos M
Target version set to 2.8.0
Affected Plus Version deleted (~~23.05.1~~)
Plus Target Version set to 23.09

Actions

Copy link

Updated by Jim Pingle 10 months ago

Related to Bug #12332: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases added

Actions

Copy link

Updated by Marcos M 10 months ago

I presume the "duplicate" ovpn_ovpns1_<user>_<port>.rules files differ by port number, in which case it'd mean the client has attempted the connection multiple times which could be due to an unstable connection. Or potentially simpler, simultaneous connections are being allowed.

The file "{$g['tmp_path']}/{$username}" is meant to be removed after the user has connected - I'm not sure yet why it would remain.

Actions

Copy link

Updated by Michael Mercier 10 months ago

Yes, the "duplicate" ovpn_ovpns1_<user>_<port>.rules differ by port number, multiple connections are not enabled on the device.

Actions

Copy link

Updated by Marcos M 10 months ago

Status changed from New to Feedback

The duplicate connections are disconnected automatically after the timeout period, at which point the related files/rules are removed. As for the user files persisting, try to recreate the issue after clearing out all of the temp files.

See below for a patch that will output some debugging info to /tmp/_test.txt. If you can recreate the issue, attach the debug info as well:

Show Hide

diff --git a/src/etc/inc/openvpn.attributes.php b/src/etc/inc/openvpn.attributes.php
index 292c2eea4d..a171fc0274 100644
--- a/src/etc/inc/openvpn.attributes.php
+++ b/src/etc/inc/openvpn.attributes.php
@@ -31,8 +31,10 @@ $rules = parse_cisco_acl($attributes, $dev);
 $filename = "{$g['tmp_path']}/ovpn_{$dev}_{$username}_{$untrusted_port}.rules";
 if (!empty($rules)) {
     @file_put_contents($filename, $rules);
+    file_put_contents('/tmp/_test.txt', "openvpn.attributes.php: Create $filename" . PHP_EOL, FILE_APPEND);
 } else {
     unlink_if_exists($filename);
+    file_put_contents('/tmp/_test.txt', "openvpn.attributes.php: Remove $filename" . PHP_EOL, FILE_APPEND);
 }

 ?>
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index 436c4e1bf6..dcafc8858b 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -130,6 +130,7 @@ if ($authenticated == false) {

 if (file_exists("/etc/inc/openvpn.attributes.php")) {
     include_once("/etc/inc/openvpn.attributes.php");
+    file_put_contents('/tmp/_test.txt', "openvpn.auth-user.php: Call openvpn.attributes.php" . PHP_EOL, FILE_APPEND);
 }

 $content = "";
@@ -156,6 +157,7 @@ if (isset($attributes['framed_ip'])) {

 if (!empty($content)) {
     @file_put_contents("{$g['tmp_path']}/{$username}", $content);
+    file_put_contents('/tmp/_test.txt', "openvpn.auth-user.php: Create {$g['tmp_path']}/{$username}" . PHP_EOL, FILE_APPEND);
 }

 syslog(LOG_NOTICE, "user '{$username}' authenticated");
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 8b41dbc39b..b483ae1856 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -824,6 +824,7 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "")
     $fpath = "{$g['openvpn_base']}/{$mode_id}/{$directive}";
     openvpn_create_dirs();
     file_put_contents($fpath, base64_decode($data));
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_add_keyfile()]" . PHP_EOL, FILE_APPEND);
     //chown($fpath, 'nobody');
     //chgrp($fpath, 'nobody');
     @chmod($fpath, 0600);
@@ -837,6 +838,7 @@ function openvpn_delete_tmp($mode, $id) {
     /* delete temporary files created by connect script */
     if (($mode == "server") && (isset($id))) {
         unlink_if_exists("{$g['tmp_path']}/ovpn_ovpns{$id}_*.rules");
+        file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['tmp_path']}/ovpn_ovpns{$id}_*.rules [openvpn_delete_tmp()]" . PHP_EOL, FILE_APPEND);
     }

     /* delete temporary files created by OpenVPN; only delete old files to
@@ -847,6 +849,7 @@ function openvpn_delete_tmp($mode, $id) {
         foreach ($tmpfiles as $tmpfile) {
             if ((time() - filemtime($tmpfile)) > 60) {
                 @unlink_if_exists($tmpfile);
+                file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['tmp_path']}/openvpn_cc*.tmp [openvpn_delete_tmp()]" . PHP_EOL, FILE_APPEND);
             }
         }
     }
@@ -1339,6 +1342,7 @@ function openvpn_reconfigure($mode, $settings) {
                 $userpass .= "\n";
             }
             file_put_contents($up_file, $userpass);
+            file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$up_file} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
         }

         if ($settings['proxy_addr']) {
@@ -1348,6 +1352,7 @@ function openvpn_reconfigure($mode, $settings) {
                 $proxypas = "{$settings['proxy_user']}\n";
                 $proxypas .= "{$settings['proxy_passwd']}\n";
                 file_put_contents("{$g['openvpn_base']}/{$mode_id}/proxy_auth", $proxypas);
+                file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$g['openvpn_base']}/{$mode_id}/proxy_auth [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
             }
             $conf .= " \n";
         }
@@ -1385,6 +1390,8 @@ function openvpn_reconfigure($mode, $settings) {
             /* Cleanup old CA/CRL references */
             @unlink_if_exists("{$capath}/*.0");
             @unlink_if_exists("{$capath}/*.r*");
+            file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$capath}/*.0 [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
+            file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$capath}/*.r* [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
             /* Find the CRL listed in the settings */
             if (!empty($settings['crlref'])) {
                 $crl = lookup_crl($settings['crlref']);
@@ -1602,11 +1609,14 @@ function openvpn_reconfigure($mode, $settings) {
     openvpn_create_dirs();
     $fpath = "{$g['openvpn_base']}/{$mode_id}/config.ovpn";
     file_put_contents($fpath, $conf);
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
     unset($conf);
     $fpath = "{$g['openvpn_base']}/{$mode_id}/interface";
     file_put_contents($fpath, $interface);
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
     $fpath = "{$g['openvpn_base']}/{$mode_id}/connuserlimit";
     file_put_contents($fpath, $connlimit);
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND);
     //chown($fpath, 'nobody');
     //chgrp($fpath, 'nobody');
     @chmod("{$g['openvpn_base']}/{$mode_id}/config.ovpn", 0600);
@@ -1632,6 +1642,7 @@ function openvpn_stop_process($mode, $settings) {
         /* read the pid file */
         $pid = rtrim(file_get_contents($pfile));
         unlink($pfile);
+        file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$pfile} [openvpn_stop_process()]" . PHP_EOL, FILE_APPEND);
         syslog(LOG_INFO, "OpenVPN terminate old pid: {$pid}");

         /* send a term signal to the process */
@@ -1746,6 +1757,8 @@ function openvpn_delete($mode, $settings) {
     /* remove the configuration files */
     unlink_if_exists("{$g['openvpn_base']}/{$mode_id}/*/*");
     unlink_if_exists("{$g['openvpn_base']}/{$mode_id}/*");
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['openvpn_base']}/{$mode_id}/*/* [openvpn_delete()]" . PHP_EOL, FILE_APPEND);
+    file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['openvpn_base']}/{$mode_id}/* [openvpn_delete()]" . PHP_EOL, FILE_APPEND);
     openvpn_delete_tmp($mode, $vpnid);
     filter_configure();
 }
@@ -1826,6 +1839,7 @@ function openvpn_resync_csc($settings) {
                 }

                 file_put_contents($csc_path, $csc_conf);
+                file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$csc_path} [openvpn_resync_csc()]" . PHP_EOL, FILE_APPEND);
                 chown($csc_path, 'nobody');
                 chgrp($csc_path, 'nobody');
             }
@@ -1857,6 +1871,7 @@ function openvpn_delete_csc($settings) {
             if ($serversettings['vpnid'] && (empty($csc_server_list) || in_array($serversettings['vpnid'], $csc_server_list))) {
                 $csc_path = "{$g['openvpn_base']}/server{$serversettings['vpnid']}/csc/" . basename($settings['common_name']);
                 unlink_if_exists($csc_path);
+                file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$csc_path} [openvpn_delete_csc()]" . PHP_EOL, FILE_APPEND);
             }
         }
     }
@@ -2327,6 +2342,7 @@ function openvpn_create_dirs() {
             $target = "{$g['openvpn_base']}/{$mode}{$settings['vpnid']}";
             $csctarget = "{$target}/csc/";
             @unlink_if_exists($csctarget);
+            file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$csctarget} [openvpn_create_dirs()]" . PHP_EOL, FILE_APPEND);
             @safe_mkdir($target);
             if (in_array($settings['mode'], $openvpn_tls_server_modes)) {
                 @safe_mkdir($csctarget);
diff --git a/src/usr/local/sbin/openvpn.attributes.sh b/src/usr/local/sbin/openvpn.attributes.sh
index e77ad01156..a8d5d59517 100755
--- a/src/usr/local/sbin/openvpn.attributes.sh
+++ b/src/usr/local/sbin/openvpn.attributes.sh
@@ -26,11 +26,14 @@ if [ "${script_type}" = "client-connect" ]; then
     if [ -f /tmp/"${common_name}" ]; then
         /bin/cat /tmp/"${common_name}" > "${client_connect_config_file}" 
         /bin/rm /tmp/"${common_name}" 
+        /bin/echo "openvpn.attributes.sh: Create ${client_connect_config_file} [client-connect]" >> '/tmp/_test.txt'
+        /bin/echo "openvpn.attributes.sh: Remove /tmp/${common_name} [client-connect]" >> '/tmp/_test.txt'
     fi
 fi

 # Handle 'client-connect' and 'client-disconnect'
 /usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh > /dev/null &
+/bin/echo "openvpn.attributes.sh: Call openvpn.connect_async.sh" >> '/tmp/_test.txt'

 # Signal "deferred handler started OK" for client-connect
 exit 0
diff --git a/src/usr/local/sbin/openvpn.connect_async.sh b/src/usr/local/sbin/openvpn.connect_async.sh
index ce6b1c3cd2..4a8b1158db 100755
--- a/src/usr/local/sbin/openvpn.connect_async.sh
+++ b/src/usr/local/sbin/openvpn.connect_async.sh
@@ -67,11 +67,15 @@ if [ "${script_type}" = "client-disconnect" ]; then
             log_session "Timeout while waiting for lockfile" 
         else
             /usr/bin/touch "${lockfile}" 
+            /bin/echo "openvpn.connect_async.sh: Create ${lockfile} [client-disconnect]" >> '/tmp/_test.txt'
             eval "/sbin/pfctl -a '${anchorname}' -F rules" 
             /bin/rm "${lockfile}" 

             /bin/rm "${rulesfile}" 
             /bin/rm "${routesfile}" 
+            /bin/echo "openvpn.connect_async.sh: Remove ${lockfile} [client-disconnect]" >> '/tmp/_test.txt'
+            /bin/echo "openvpn.connect_async.sh: Remove ${rulesfile} [client-disconnect]" >> '/tmp/_test.txt'
+            /bin/echo "openvpn.connect_async.sh: Remove ${routesfile} [client-disconnect]" >> '/tmp/_test.txt'
         fi
     fi

@@ -97,6 +101,7 @@ elif [ "${script_type}" = "client-connect" ]; then
     if [ ${i} -ge 3 ]; then
         log_session "server write to defer file failed" 
         /bin/echo 0 > "${client_connect_deferred_file}" 
+        /bin/echo "openvpn.connect_async.sh: Create ${client_connect_deferred_file} [client-connect]" >> '/tmp/_test.txt'
         exit 1
     fi

@@ -121,8 +126,10 @@ elif [ "${script_type}" = "client-connect" ]; then
                 if [ "${sessioncount}" -gt "${sessionlimit}" ]; then
                     log_session "active connection limit of '${sessionlimit}' reached" 
                     /bin/echo 0 > "${client_connect_deferred_file}" 
+                    /bin/echo "openvpn.connect_async.sh: Create ${client_connect_deferred_file} [client-connect > connuserlimit]" >> '/tmp/_test.txt'
                     if [ -n "${username}" ]; then
                         /bin/rm "${rulesfile}" 
+                        /bin/echo "openvpn.connect_async.sh: Remove ${rulesfile} [client-connect > connuserlimit]" >> '/tmp/_test.txt'
                     fi
                     exit 1
                 fi
@@ -147,6 +154,7 @@ elif [ "${script_type}" = "client-connect" ]; then
             exit 1
         else
             /usr/bin/touch "${lockfile}" 
+            /bin/echo "openvpn.connect_async.sh: Create ${lockfile} [client-connect]" >> '/tmp/_test.txt'

             # for each of this user's anchors loaded in pf
             # $session :: ovpns3_'user_01'_61468
@@ -166,6 +174,7 @@ elif [ "${script_type}" = "client-connect" ]; then
             fi

             /bin/rm "${lockfile}" 
+            /bin/echo "openvpn.connect_async.sh: Remove ${lockfile} [client-connect]" >> '/tmp/_test.txt'
         fi
     fi

diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify
index 2bc39d3c0f..9a74a88619 100755
--- a/src/usr/local/sbin/ovpn_auth_verify
+++ b/src/usr/local/sbin/ovpn_auth_verify
@@ -26,6 +26,7 @@ if [ "$1" = "tls" ]; then
         eval serial="\$tls_serial_${check_depth}" 
         if [ -n "$serial" ]; then
             RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
+            /bin/echo "ovpn_auth_verify: Call openvpn.tls-verify.php; returned ${RESULT} [tls]" >> '/tmp/_test.txt'
             if [ "${RESULT}" = "FAILED" ]; then
                 exit 1
             fi
@@ -37,6 +38,7 @@ else
     password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
     username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
     RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
+    /bin/echo "ovpn_auth_verify: Call openvpn.auth-user.php; returned ${RESULT} [non-tls]" >> '/tmp/_test.txt'
 fi

 if [ "${RESULT}" = "OK" ]; then
diff --git a/src/usr/local/sbin/ovpn_auth_verify_async b/src/usr/local/sbin/ovpn_auth_verify_async
index fec42c36ba..14d7f3d869 100755
--- a/src/usr/local/sbin/ovpn_auth_verify_async
+++ b/src/usr/local/sbin/ovpn_auth_verify_async
@@ -67,6 +67,7 @@ auth_server_2="modeid=${modeid}&nas_port=${nas_port}" 
 auth_args="${auth_credentials}&${auth_server_1}&${auth_server_2}" 

 result=$("${fcgicli}" -f "${auth_user_php}" -d "${auth_args}")
+/bin/echo "ovpn_auth_verify_async: Call openvpn.auth-user.php; returned ${result}" >> '/tmp/_test.txt'

 # ---------- Write the Result

Actions

Copy link

Updated by Michael Mercier 10 months ago

Does OpenVPN need to be restarted after applying the patch? If so I will need to book a maintenance window for it to be applied.

Actions

Copy link

Updated by Michael Mercier 9 months ago

I have been able to reproduce the issue, some details below.

My OpenVPN server has the Allow connected clients to retain their connections if their IP address changes. option enabled.

To reproduce the issue (with the above enabled):

1. Connect the device running the OpenVPN client to 'Network A', with public IP address 'pubip-A'
2. Connect to the OpenVPN server
3. Move the device to 'Network B', with public IP address 'pubip-B', making sure the OpenVPN connection doesn't timeout.
4. Disconnect from OpenVPN

This at a minimum:
1. Does not remove the /tmp/ovpn_<interface>_<user>_<port>.rules file
2. Leaves the anchor in the pf rules.

My exact steps:

1. Connect my laptop to SSID 'MYWORK'
2. Connect to OpenVPN server
3. Connect my laptop to SSID 'MYPHONE' - Personal hotspot on my phone
- verify I am still connected to OpenVPN by attempting to connect to a service
4. Disconnect from OpenVPN
5. On the pfSense head end

[23.05.1-RELEASE][root@vpn]/tmp:ls *user100*
ovpn_ovpns1_user100_65010.rules
[23.05.1-RELEASE][root@vpn]/tmp: pfctl -vsA | grep user100
  openvpn/ovpns1_user100_65010

As seen above, this didn't leave the /tmp/user100 file behind. This I have not yet figured out.

Actions

Copy link

Updated by Michael Mercier 9 months ago

Logs from when I do the steps above:

ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user100_59225.rules
openvpn.auth-user.php: Call openvpn.attributes.php
openvpn.auth-user.php: Create /tmp/user100
ovpn_auth_verify_async: Call openvpn.auth-user.php; returned OK
openvpn.attributes.sh: Create /tmp/openvpn_cc_1e351be7ecdd5d9d663d8fda305672b8.tmp [client-connect]
openvpn.attributes.sh: Remove /tmp/user100 [client-connect]
openvpn.attributes.sh: Call openvpn.connect_async.sh
openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user100_59225.lock [client-connect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_59225.lock [client-connect]
openvpn.attributes.sh: Call openvpn.connect_async.sh

***Change to new Wi-fi access point (with different public IP), verify *internal* services are still available, then disconnect.***

openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user100_6642.lock [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_6642.lock [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_6642.rules [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/user100 [client-disconnect]

[23.05.1-RELEASE][root@vpn]/root: ls /tmp/*user100*
/tmp/ovpn_ovpns1_user100_59225.rules
[23.05.1-RELEASE][root@vpn.fieldeffect.com]/root: pfctl -a openvpn/ovpns1_user100_59225 -s rules
<rules assigned to user>

Actions

Copy link

Updated by Michael Mercier 9 months ago

As for the route files (e.g. /tmp/user100) I see the following:

1. When some users login, the file is removed during connect_async. e.g.

 openvpn.auth-user.php: Create /tmp/user112
 openvpn.attributes.sh: Remove /tmp/user112 [client-connect]

2. With others, it is random

openvpn.auth-user.php: Create /tmp/user110
openvpn.connect_async.sh: Remove /tmp/user110 [client-disconnect]
openvpn.auth-user.php: Create /tmp/user110
openvpn.attributes.sh: Remove /tmp/user110 [client-connect]
openvpn.connect_async.sh: Remove /tmp/user110 [client-disconnect]

Actions

Copy link

#10

Updated by Marcos M 9 months ago

I've replicated the issue with the rules/anchors which I'll be looking at. The route file itself (/tmp/<User>) is always removed however - it may be that in your original case, the files already existed somehow.

Actions

Copy link

#11

Updated by Michael Mercier 9 months ago

Going back to the /tmp/<user> files.

I manually removed all the route (/tmp/<user>) files from the /tmp directory last week, some have reappeared.

e.g.

[23.05.1-RELEASE][root@vpn]/tmp: ls -al *user102*
-rw-r--r--  1 root  wheel  2338 Jul 24 14:34 ovpn_ovpns1_user102_1194.rules
-rw-r--r--  1 root  wheel   141 Jul 24 14:34 user102

Only some users have the files, and it only seems they exist is the user is connected (i.e. they seem to be deleted at logoff).

The output from the _test.txt logfile.

[23.05.1-RELEASE][root@vpn]/tmp: grep user102 _test.txt
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.sh: Remove /tmp/user102 [client-connect]
openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user102_1194.lock [client-connect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user102_1194.lock [client-connect]
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102

Actions

Copy link

#12

Updated by Marcos M 9 months ago

Status changed from Feedback to Needs Patch
Target version changed from 2.8.0 to CE-Next
Plus Target Version changed from 23.09 to Plus-Next

The duplicate rules listed with pfanchordrill are a cosmetic issue - see #14637.

As for the files that aren't being cleaned up, the OpenVPN daemon doesn't have a script hook for floating clients; this issue will need to wait until an upstream bug/feature is resolved.

Actions

Copy link

#13

Updated by Marcos M 9 months ago

Related to Bug #14637: PHP shell script ``pfanchordrill`` shows duplicate anchor content added

Actions

Copy link

#14

Updated by Michael Mercier 9 months ago

I have to disagree that they are a cosmetic issue.

This issue was originally discovered via the following:
1. A new service was deployed in my organization - IP 10.10.10.10
2. No Cisco-AVPair was added to the VPN for it to be accessible to the targeted users
3. One of the targeted users (user102) was able to access the new service over the VPN
4. Other targeted users attempted to access the new service over the VPN without success

What looks like happened on the head end.
1. A user (User110) with more privileges had logged into the VPN (with a Cisco-AVPair for the subnet (10.10.10.0/24) containing the IP address of the new service)
2. User110 was disconnected in a unknown, non-standard way, which left an anchor installed in the pf rules
3. User102 connected to the VPN, being assigned the same IP address as User110 has been previously assigned
4. User102 was now hitting the anchor left behind by User110, giving them access to 10.10.10.10. This would not have been possible with the Cisco-AVPair rules pushed by RADIUS

I'm keeping an eye on pfSense to see if I can provide a concrete example. I need to do some maintenance to the OpenVPN setting in the next couple of days, I will reboot the device at the same time to start in a fresh state.

Please let me know your thoughts.

Actions

Copy link

#15

Updated by Marcos M 9 months ago

Until the referenced functionality is added upstream, floating client support will need to be disabled if avpair rules need to be used - otherwise there's the potential for the issues you're seeing. If you are able to replicate an issue with floating support disabled, please provide steps to replicate it.

Actions

Copy link

#16

Updated by Michael Mercier 7 months ago

Marcos M wrote in #note-15:

Until the referenced functionality is added upstream, floating client support will need to be disabled if avpair rules need to be used - otherwise there's the potential for the issues you're seeing. If you are able to replicate an issue with floating support disabled, please provide steps to replicate it.

Hi Marcos,

I now have the OpenVPN server running with the 'Client Settings -> Dynamic IP' option disabled. I am still seeing multiple files for users in the /tmp directory.

e.g.
ovpn_ovpns1_user102_49732.rules
ovpn_ovpns1_user102_50633.rules
ovpn_ovpns1_user102_57634.rules

I also see the 'user102' file that contains the 'push "route..." options.

I haven't had a chance to see if I can reproduce this issue yet, just want to update.

Thanks,
Mike

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #14577

OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``

Updated by Jim Pingle 10 months ago

Updated by Jim Pingle 10 months ago

Updated by Marcos M 10 months ago

Updated by Michael Mercier 10 months ago

Updated by Marcos M 10 months ago

Updated by Michael Mercier 10 months ago

Updated by Michael Mercier 9 months ago

Updated by Michael Mercier 9 months ago

Updated by Michael Mercier 9 months ago

Updated by Marcos M 9 months ago

Updated by Michael Mercier 9 months ago

Updated by Marcos M 9 months ago

Updated by Marcos M 9 months ago

Updated by Michael Mercier 9 months ago

Updated by Marcos M 9 months ago

Updated by Michael Mercier 7 months ago