Bug #14577
Status: closed
OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``
Added by Michael Mercier over 1 year ago. Updated about 1 year ago.
Description
Hello,
I am seeing duplicate ovpn_ovpns1_<user>_<port>.rules files in the /tmp directory, and I also see duplicate entries when running pfSsh playback pfanchordrill.
Another observation I have made:
Some users have a /tmp/<user> file containing routes, some don't.
As an example:
[23.05.1-RELEASE][root@vpn]/tmp: ls ovpn_ovpns1_* | awk -F'_' '{print $3}' | xargs ls
ls: user105: No such file or directory
ls: user109: No such file or directory
ls: user110: No such file or directory
ls: user115: No such file or directory
ls: user119: No such file or directory
user100 user106 user116
user101 user107 user117
user101 user108 user118
user102 user111 user120
user103 user112 user121
user104 user113 user121
user104 user115 user122
NOTE:
The 6100 was upgraded to 23.05.1 yesterday (July 12th, 2023). Before that the device was running 22.05, I was experiencing https://redmine.pfsense.org/issues/12332 on the device.
Please let me know if there is any additional information I can provide.
Thanks,
Mike
Related issues
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense Plus to pfSense
- Subject changed from OpenVPN not removing cisco-avpair files in /tmp to OpenVPN not removing old Cisco-AVPair anchor rules and files in ``/tmp``
- Category changed from OpenVPN to OpenVPN
- Assignee set to Marcos M
- Target version set to 2.8.0
- Affected Plus Version deleted (23.05.1)
- Plus Target Version set to 23.09
Updated by Jim Pingle over 1 year ago
- Related to Bug #12332: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases added
Updated by Marcos M over 1 year ago
I presume the "duplicate" ovpn_ovpns1_<user>_<port>.rules files differ by port number, in which case it'd mean the client has attempted the connection multiple times which could be due to an unstable connection. Or potentially simpler, simultaneous connections are being allowed.
The file "{$g['tmp_path']}/{$username}" is meant to be removed after the user has connected - I'm not sure yet why it would remain.
Updated by Michael Mercier over 1 year ago
Yes, the "duplicate" ovpn_ovpns1_<user>_<port>.rules differ by port number; multiple connections are not enabled on the device.
Updated by Marcos M over 1 year ago
- Status changed from New to Feedback
The duplicate connections are disconnected automatically after the timeout period, at which point the related files/rules are removed. As for the user files persisting, try to recreate the issue after clearing out all of the temp files.
See below for a patch that will output some debugging info to /tmp/_test.txt. If you can recreate the issue, attach the debug info as well:
diff --git a/src/etc/inc/openvpn.attributes.php b/src/etc/inc/openvpn.attributes.php index 292c2eea4d..a171fc0274 100644 --- a/src/etc/inc/openvpn.attributes.php +++ b/src/etc/inc/openvpn.attributes.php @@ -31,8 +31,10 @@ $rules = parse_cisco_acl($attributes, $dev); $filename = "{$g['tmp_path']}/ovpn_{$dev}_{$username}_{$untrusted_port}.rules"; if (!empty($rules)) { @file_put_contents($filename, $rules); + file_put_contents('/tmp/_test.txt', "openvpn.attributes.php: Create $filename" . PHP_EOL, FILE_APPEND); } else { unlink_if_exists($filename); + file_put_contents('/tmp/_test.txt', "openvpn.attributes.php: Remove $filename" . PHP_EOL, FILE_APPEND); } ?> diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php index 436c4e1bf6..dcafc8858b 100644 --- a/src/etc/inc/openvpn.auth-user.php +++ b/src/etc/inc/openvpn.auth-user.php @@ -130,6 +130,7 @@ if ($authenticated == false) { if (file_exists("/etc/inc/openvpn.attributes.php")) { include_once("/etc/inc/openvpn.attributes.php"); + file_put_contents('/tmp/_test.txt', "openvpn.auth-user.php: Call openvpn.attributes.php" . PHP_EOL, FILE_APPEND); } $content = ""; @@ -156,6 +157,7 @@ if (isset($attributes['framed_ip'])) { if (!empty($content)) { @file_put_contents("{$g['tmp_path']}/{$username}", $content); + file_put_contents('/tmp/_test.txt', "openvpn.auth-user.php: Create {$g['tmp_path']}/{$username}" . PHP_EOL, FILE_APPEND); } syslog(LOG_NOTICE, "user '{$username}' authenticated"); diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 8b41dbc39b..b483ae1856 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
@@ -824,6 +824,7 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") $fpath = "{$g['openvpn_base']}/{$mode_id}/{$directive}"; openvpn_create_dirs(); file_put_contents($fpath, base64_decode($data)); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_add_keyfile()]" . PHP_EOL, FILE_APPEND); //chown($fpath, 'nobody'); //chgrp($fpath, 'nobody'); @chmod($fpath, 0600); @@ -837,6 +838,7 @@ function openvpn_delete_tmp($mode, $id) { /* delete temporary files created by connect script */ if (($mode == "server") && (isset($id))) { unlink_if_exists("{$g['tmp_path']}/ovpn_ovpns{$id}_*.rules"); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['tmp_path']}/ovpn_ovpns{$id}_*.rules [openvpn_delete_tmp()]" . PHP_EOL, FILE_APPEND); } /* delete temporary files created by OpenVPN; only delete old files to @@ -847,6 +849,7 @@ function openvpn_delete_tmp($mode, $id) { foreach ($tmpfiles as $tmpfile) { if ((time() - filemtime($tmpfile)) > 60) { @unlink_if_exists($tmpfile); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['tmp_path']}/openvpn_cc*.tmp [openvpn_delete_tmp()]" . PHP_EOL, FILE_APPEND); } } } @@ -1339,6 +1342,7 @@ function openvpn_reconfigure($mode, $settings) { $userpass .= "\n"; } file_put_contents($up_file, $userpass); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$up_file} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); } if ($settings['proxy_addr']) { @@ -1348,6 +1352,7 @@ function openvpn_reconfigure($mode, $settings) { $proxypas = "{$settings['proxy_user']}\n"; $proxypas .= "{$settings['proxy_passwd']}\n"; file_put_contents("{$g['openvpn_base']}/{$mode_id}/proxy_auth", $proxypas); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$g['openvpn_base']}/{$mode_id}/proxy_auth [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); } $conf .= " \n"; } 
@@ -1385,6 +1390,8 @@ function openvpn_reconfigure($mode, $settings) { /* Cleanup old CA/CRL references */ @unlink_if_exists("{$capath}/*.0"); @unlink_if_exists("{$capath}/*.r*"); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$capath}/*.0 [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$capath}/*.r* [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); /* Find the CRL listed in the settings */ if (!empty($settings['crlref'])) { $crl = lookup_crl($settings['crlref']); @@ -1602,11 +1609,14 @@ function openvpn_reconfigure($mode, $settings) { openvpn_create_dirs(); $fpath = "{$g['openvpn_base']}/{$mode_id}/config.ovpn"; file_put_contents($fpath, $conf); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); unset($conf); $fpath = "{$g['openvpn_base']}/{$mode_id}/interface"; file_put_contents($fpath, $interface); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); $fpath = "{$g['openvpn_base']}/{$mode_id}/connuserlimit"; file_put_contents($fpath, $connlimit); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$fpath} [openvpn_reconfigure()]" . PHP_EOL, FILE_APPEND); //chown($fpath, 'nobody'); //chgrp($fpath, 'nobody'); @chmod("{$g['openvpn_base']}/{$mode_id}/config.ovpn", 0600); @@ -1632,6 +1642,7 @@ function openvpn_stop_process($mode, $settings) { /* read the pid file */ $pid = rtrim(file_get_contents($pfile)); unlink($pfile); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$pfile} [openvpn_stop_process()]" . PHP_EOL, FILE_APPEND); syslog(LOG_INFO, "OpenVPN terminate old pid: {$pid}"); /* send a term signal to the process */ 
@@ -1746,6 +1757,8 @@ function openvpn_delete($mode, $settings) { /* remove the configuration files */ unlink_if_exists("{$g['openvpn_base']}/{$mode_id}/*/*"); unlink_if_exists("{$g['openvpn_base']}/{$mode_id}/*"); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['openvpn_base']}/{$mode_id}/*/* [openvpn_delete()]" . PHP_EOL, FILE_APPEND); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$g['openvpn_base']}/{$mode_id}/* [openvpn_delete()]" . PHP_EOL, FILE_APPEND); openvpn_delete_tmp($mode, $vpnid); filter_configure(); } @@ -1826,6 +1839,7 @@ function openvpn_resync_csc($settings) { } file_put_contents($csc_path, $csc_conf); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Create {$csc_path} [openvpn_resync_csc()]" . PHP_EOL, FILE_APPEND); chown($csc_path, 'nobody'); chgrp($csc_path, 'nobody'); } @@ -1857,6 +1871,7 @@ function openvpn_delete_csc($settings) { if ($serversettings['vpnid'] && (empty($csc_server_list) || in_array($serversettings['vpnid'], $csc_server_list))) { $csc_path = "{$g['openvpn_base']}/server{$serversettings['vpnid']}/csc/" . basename($settings['common_name']); unlink_if_exists($csc_path); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$csc_path} [openvpn_delete_csc()]" . PHP_EOL, FILE_APPEND); } } } @@ -2327,6 +2342,7 @@ function openvpn_create_dirs() { $target = "{$g['openvpn_base']}/{$mode}{$settings['vpnid']}"; $csctarget = "{$target}/csc/"; @unlink_if_exists($csctarget); + file_put_contents('/tmp/_test.txt', "openvpn.inc: Remove {$csctarget} [openvpn_create_dirs()]" . PHP_EOL, FILE_APPEND); @safe_mkdir($target); if (in_array($settings['mode'], $openvpn_tls_server_modes)) { @safe_mkdir($csctarget); diff --git a/src/usr/local/sbin/openvpn.attributes.sh b/src/usr/local/sbin/openvpn.attributes.sh index e77ad01156..a8d5d59517 100755 --- a/src/usr/local/sbin/openvpn.attributes.sh +++ b/src/usr/local/sbin/openvpn.attributes.sh 
@@ -26,11 +26,14 @@ if [ "${script_type}" = "client-connect" ]; then if [ -f /tmp/"${common_name}" ]; then /bin/cat /tmp/"${common_name}" > "${client_connect_config_file}" /bin/rm /tmp/"${common_name}" + /bin/echo "openvpn.attributes.sh: Create ${client_connect_config_file} [client-connect]" >> '/tmp/_test.txt' + /bin/echo "openvpn.attributes.sh: Remove /tmp/${common_name} [client-connect]" >> '/tmp/_test.txt' fi fi # Handle 'client-connect' and 'client-disconnect' /usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh > /dev/null & +/bin/echo "openvpn.attributes.sh: Call openvpn.connect_async.sh" >> '/tmp/_test.txt' # Signal "deferred handler started OK" for client-connect exit 0 diff --git a/src/usr/local/sbin/openvpn.connect_async.sh b/src/usr/local/sbin/openvpn.connect_async.sh index ce6b1c3cd2..4a8b1158db 100755 --- a/src/usr/local/sbin/openvpn.connect_async.sh +++ b/src/usr/local/sbin/openvpn.connect_async.sh @@ -67,11 +67,15 @@ if [ "${script_type}" = "client-disconnect" ]; then log_session "Timeout while waiting for lockfile" else /usr/bin/touch "${lockfile}" + /bin/echo "openvpn.connect_async.sh: Create ${lockfile} [client-disconnect]" >> '/tmp/_test.txt' eval "/sbin/pfctl -a '${anchorname}' -F rules" /bin/rm "${lockfile}" /bin/rm "${rulesfile}" /bin/rm "${routesfile}" + /bin/echo "openvpn.connect_async.sh: Remove ${lockfile} [client-disconnect]" >> '/tmp/_test.txt' + /bin/echo "openvpn.connect_async.sh: Remove ${rulesfile} [client-disconnect]" >> '/tmp/_test.txt' + /bin/echo "openvpn.connect_async.sh: Remove ${routesfile} [client-disconnect]" >> '/tmp/_test.txt' fi fi @@ -97,6 +101,7 @@ elif [ "${script_type}" = "client-connect" ]; then if [ ${i} -ge 3 ]; then log_session "server write to defer file failed" /bin/echo 0 > "${client_connect_deferred_file}" + /bin/echo "openvpn.connect_async.sh: Create ${client_connect_deferred_file} [client-connect]" >> '/tmp/_test.txt' exit 1 fi 
@@ -121,8 +126,10 @@ elif [ "${script_type}" = "client-connect" ]; then if [ "${sessioncount}" -gt "${sessionlimit}" ]; then log_session "active connection limit of '${sessionlimit}' reached" /bin/echo 0 > "${client_connect_deferred_file}" + /bin/echo "openvpn.connect_async.sh: Create ${client_connect_deferred_file} [client-connect > connuserlimit]" >> '/tmp/_test.txt' if [ -n "${username}" ]; then /bin/rm "${rulesfile}" + /bin/echo "openvpn.connect_async.sh: Remove ${rulesfile} [client-connect > connuserlimit]" >> '/tmp/_test.txt' fi exit 1 fi @@ -147,6 +154,7 @@ elif [ "${script_type}" = "client-connect" ]; then exit 1 else /usr/bin/touch "${lockfile}" + /bin/echo "openvpn.connect_async.sh: Create ${lockfile} [client-connect]" >> '/tmp/_test.txt' # for each of this user's anchors loaded in pf # $session :: ovpns3_'user_01'_61468 @@ -166,6 +174,7 @@ elif [ "${script_type}" = "client-connect" ]; then fi /bin/rm "${lockfile}" + /bin/echo "openvpn.connect_async.sh: Remove ${lockfile} [client-connect]" >> '/tmp/_test.txt' fi fi diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify index 2bc39d3c0f..9a74a88619 100755 --- a/src/usr/local/sbin/ovpn_auth_verify +++ b/src/usr/local/sbin/ovpn_auth_verify @@ -26,6 +26,7 @@ if [ "$1" = "tls" ]; then eval serial="\$tls_serial_${check_depth}" if [ -n "$serial" ]; then RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config") + /bin/echo "ovpn_auth_verify: Call openvpn.tls-verify.php; returned ${RESULT} [tls]" >> '/tmp/_test.txt' if [ "${RESULT}" = "FAILED" ]; then exit 1 fi 
@@ -37,6 +38,7 @@ else password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g') username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g') RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5") + /bin/echo "ovpn_auth_verify: Call openvpn.auth-user.php; returned ${RESULT} [non-tls]" >> '/tmp/_test.txt' fi if [ "${RESULT}" = "OK" ]; then diff --git a/src/usr/local/sbin/ovpn_auth_verify_async b/src/usr/local/sbin/ovpn_auth_verify_async index fec42c36ba..14d7f3d869 100755 --- a/src/usr/local/sbin/ovpn_auth_verify_async +++ b/src/usr/local/sbin/ovpn_auth_verify_async @@ -67,6 +67,7 @@ auth_server_2="modeid=${modeid}&nas_port=${nas_port}" auth_args="${auth_credentials}&${auth_server_1}&${auth_server_2}" result=$("${fcgicli}" -f "${auth_user_php}" -d "${auth_args}") +/bin/echo "ovpn_auth_verify_async: Call openvpn.auth-user.php; returned ${result}" >> '/tmp/_test.txt' # ---------- Write the Result
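Review bot: In the openvpn.attributes.php hunk, the "Create $filename" line is appended right after `@file_put_contents($filename, $rules);`, whose failure is silenced by the `@`, so the trace will report a rules file as created even when the write failed; the `unlink_if_exists($filename)` branch likewise logs "Remove" without knowing whether a file existed. Capture the return value (e.g. `$ok = @file_put_contents($filename, $rules);`) and put `OK`/`FAILED` in the message, so the trace can distinguish a missing file from a failed write.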
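Review bot: In the openvpn_delete_tmp() loop hunk of openvpn.inc, the message logs the glob `{$g['tmp_path']}/openvpn_cc*.tmp` instead of the `$tmpfile` actually passed to `@unlink_if_exists($tmpfile)`, so the trace cannot show which file was removed or how old it was; log `{$tmpfile}` and `time() - filemtime($tmpfile)` instead. The preceding hunk has the same shape, logging the `ovpn_ovpns{$id}_*.rules` pattern rather than the files it matched.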
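Review bot: In the openvpn.attributes.sh hunk the PHP side (openvpn.auth-user.php) writes the routes file as `{$g['tmp_path']}/{$username}` while the shell side tests and removes `/tmp/"${common_name}"`; if a user's certificate common name differs from the username, the file written by PHP is never picked up on client-connect, which is worth logging explicitly (both `${username}` and `${common_name}`) so the trace shows which name each side used. The "Create ${client_connect_config_file}" echo also only fires inside the `if [ -f /tmp/"${common_name}" ]` branch, so a connect without a routes file leaves no line at all.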
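Review bot: In the client-disconnect hunk of openvpn.connect_async.sh, the three "Remove" echoes are unconditional after `/bin/rm "${lockfile}"`, `/bin/rm "${rulesfile}"` and `/bin/rm "${routesfile}"`, so a file that was not there (which is the case being chased) is logged as removed; chain each rm with `|| /bin/echo "... rm failed" >> '/tmp/_test.txt'` or log `$?`. Logging `${anchorname}` next to the `pfctl -a '${anchorname}' -F rules` call would also tie the trace to the anchor the reporter sees left in pf.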
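Review bot: Across the ovpn_auth_verify and ovpn_auth_verify_async hunks, and the rest of the patch, the trace is appended with `>>` to the fixed path `/tmp/_test.txt` in a world-writable directory by scripts running with the privileges that own the other /tmp files shown in the thread (root:wheel); for a debugging patch that is acceptable, but create the file up front with restrictive permissions (or use a dedicated directory) so a pre-existing file or symlink at that name cannot capture or redirect the output. Logging only `${RESULT}` / `${result}` and not the `-d` argument carrying username and password is correct and should stay that way.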
Updated by Michael Mercier over 1 year ago
Does OpenVPN need to be restarted after applying the patch? If so I will need to book a maintenance window for it to be applied.
Updated by Michael Mercier over 1 year ago
I have been able to reproduce the issue, some details below.
My OpenVPN server has the 'Allow connected clients to retain their connections if their IP address changes' option enabled.
To reproduce the issue (with the above enabled):
1. Connect the device running the OpenVPN client to 'Network A', with public IP address 'pubip-A'
2. Connect to the OpenVPN server
3. Move the device to 'Network B', with public IP address 'pubip-B', making sure the OpenVPN connection doesn't timeout.
4. Disconnect from OpenVPN
This at a minimum:
1. Does not remove the /tmp/ovpn_<interface>_<user>_<port>.rules file
2. Leaves the anchor in the pf rules.
My exact steps:
1. Connect my laptop to SSID 'MYWORK'
2. Connect to OpenVPN server
3. Connect my laptop to SSID 'MYPHONE' - Personal hotspot on my phone
- verify I am still connected to OpenVPN by attempting to connect to a service
4. Disconnect from OpenVPN
5. On the pfSense head end
[23.05.1-RELEASE][root@vpn]/tmp:ls *user100*
ovpn_ovpns1_user100_65010.rules
[23.05.1-RELEASE][root@vpn]/tmp: pfctl -vsA | grep user100
openvpn/ovpns1_user100_65010
As seen above, this didn't leave the /tmp/user100 file behind. This I have not yet figured out.
Updated by Michael Mercier over 1 year ago
Logs from when I do the steps above:
ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
ovpn_auth_verify: Call openvpn.tls-verify.php; returned OK [tls]
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user100_59225.rules
openvpn.auth-user.php: Call openvpn.attributes.php
openvpn.auth-user.php: Create /tmp/user100
ovpn_auth_verify_async: Call openvpn.auth-user.php; returned OK
openvpn.attributes.sh: Create /tmp/openvpn_cc_1e351be7ecdd5d9d663d8fda305672b8.tmp [client-connect]
openvpn.attributes.sh: Remove /tmp/user100 [client-connect]
openvpn.attributes.sh: Call openvpn.connect_async.sh
openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user100_59225.lock [client-connect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_59225.lock [client-connect]
openvpn.attributes.sh: Call openvpn.connect_async.sh
***Change to new Wi-fi access point (with different public IP), verify *internal* services are still available, then disconnect.***
openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user100_6642.lock [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_6642.lock [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user100_6642.rules [client-disconnect]
openvpn.connect_async.sh: Remove /tmp/user100 [client-disconnect]
[23.05.1-RELEASE][root@vpn]/root: ls /tmp/*user100*
/tmp/ovpn_ovpns1_user100_59225.rules
[23.05.1-RELEASE][root@vpn.fieldeffect.com]/root: pfctl -a openvpn/ovpns1_user100_59225 -s rules
<rules assigned to user>
Updated by Michael Mercier over 1 year ago
As for the route files (e.g. /tmp/user100) I see the following:
1. When some users login, the file is removed during connect_async. e.g.
openvpn.auth-user.php: Create /tmp/user112
openvpn.attributes.sh: Remove /tmp/user112 [client-connect]
2. With others, it is random
openvpn.auth-user.php: Create /tmp/user110
openvpn.connect_async.sh: Remove /tmp/user110 [client-disconnect]
openvpn.auth-user.php: Create /tmp/user110
openvpn.attributes.sh: Remove /tmp/user110 [client-connect]
openvpn.connect_async.sh: Remove /tmp/user110 [client-disconnect]
Updated by Marcos M over 1 year ago
I've replicated the issue with the rules/anchors which I'll be looking at. The route file itself (/tmp/<User>) is always removed however - it may be that in your original case, the files already existed somehow.
Updated by Michael Mercier over 1 year ago
Going back to the /tmp/<user> files.
I manually removed all the route (/tmp/<user>) files from the /tmp directory last week, some have reappeared.
e.g.
[23.05.1-RELEASE][root@vpn]/tmp: ls -al *user102*
-rw-r--r--  1 root  wheel  2338 Jul 24 14:34 ovpn_ovpns1_user102_1194.rules
-rw-r--r--  1 root  wheel   141 Jul 24 14:34 user102
Only some users have the files, and they only seem to exist while the user is connected (i.e. they seem to be deleted at logoff).
The output from the _test.txt logfile.
[23.05.1-RELEASE][root@vpn]/tmp: grep user102 _test.txt
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.sh: Remove /tmp/user102 [client-connect]
openvpn.connect_async.sh: Create /tmp/ovpn_ovpns1_user102_1194.lock [client-connect]
openvpn.connect_async.sh: Remove /tmp/ovpn_ovpns1_user102_1194.lock [client-connect]
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
openvpn.attributes.php: Create /tmp/ovpn_ovpns1_user102_1194.rules
openvpn.auth-user.php: Create /tmp/user102
Updated by Marcos M over 1 year ago
- Status changed from Feedback to Needs Patch
- Target version changed from 2.8.0 to CE-Next
- Plus Target Version changed from 23.09 to Plus-Next
The duplicate rules listed with pfanchordrill are a cosmetic issue - see #14637.
As for the files that aren't being cleaned up, the OpenVPN daemon doesn't have a script hook for floating clients; this issue will need to wait until an upstream bug/feature is resolved.
Updated by Marcos M over 1 year ago
- Related to Bug #14637: PHP shell script ``pfanchordrill`` shows duplicate anchor content added
Updated by Michael Mercier over 1 year ago
I have to disagree that they are a cosmetic issue.
This issue was originally discovered via the following:
1. A new service was deployed in my organization - IP 10.10.10.10
2. No Cisco-AVPair was added to the VPN for it to be accessible to the targeted users
3. One of the targeted users (user102) was able to access the new service over the VPN
4. Other targeted users attempted to access the new service over the VPN without success
What looks like happened on the head end:
1. A user (User110) with more privileges had logged into the VPN (with a Cisco-AVPair for the subnet (10.10.10.0/24) containing the IP address of the new service)
2. User110 was disconnected in an unknown, non-standard way, which left an anchor installed in the pf rules
3. User102 connected to the VPN, being assigned the same IP address as User110 has been previously assigned
4. User102 was now hitting the anchor left behind by User110, giving them access to 10.10.10.10. This would not have been possible with the Cisco-AVPair rules pushed by RADIUS
I'm keeping an eye on pfSense to see if I can provide a concrete example. I need to do some maintenance to the OpenVPN setting in the next couple of days, I will reboot the device at the same time to start in a fresh state.
Please let me know your thoughts.
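The two posts above describe a reproducible way to leave a per-client pf anchor behind (connect, change public IP, disconnect) and the consequence: a later client that inherits the tunnel IP matches the stale anchor's rules. Until the upstream hook exists, an operator can at least audit for orphaned anchors. The script below is an added example, not pfSense code or anything from this thread. It assumes anchors are read from a file in the format `pfctl -sA` prints (the thread shows `openvpn/ovpns1_user100_65010`), that active sessions are supplied as "<username> <port>" lines which the operator builds from the OpenVPN status output (that step is assumed, not shown), and that the leftover rules file follows the `/tmp/ovpn_<anchor leaf>.rules` naming seen in the thread. It only prints the cleanup commands; nothing is flushed unless the operator runs them.

```shell
#!/bin/sh
# Added example, not pfSense code. Finds per-client OpenVPN pf anchors
# (openvpn/ovpns<id>_<user>_<port>) that have no matching active session and
# emits the cleanup commands without running them.
#
# Assumptions (not from the page): $1 is a file in `pfctl -sA` format, $2 is a
# file of "<username> <port>" lines built by the caller from OpenVPN's status
# output. Usernames may contain underscores; the port is always the last
# underscore-separated field of the anchor name.

TMP_PATH=${TMP_PATH:-/tmp}

# Print every per-client anchor in $1 whose "<user> <port>" is absent from $2.
find_orphaned_anchors() {
    anchors_file=$1
    sessions_file=$2
    grep -E '^[[:space:]]*openvpn/ovpns[0-9]+_' "$anchors_file" |
    sed 's/^[[:space:]]*//' |
    while IFS= read -r anchor; do
        leaf=${anchor#openvpn/}     # ovpns1_user100_59225
        port=${leaf##*_}            # 59225
        user=${leaf#ovpns*_}        # user100_59225 (shortest match drops "ovpns1_")
        user=${user%_"$port"}       # user100
        # Exact whole-line, fixed-string match so usernames are never regexes.
        if ! grep -qxF "$user $port" "$sessions_file"; then
            printf '%s\n' "$anchor"
        fi
    done
}

# For each orphaned anchor, print the pf flush command and the removal of the
# leftover rules file that the thread shows next to it.
cleanup_commands() {
    find_orphaned_anchors "$1" "$2" |
    while IFS= read -r anchor; do
        leaf=${anchor#openvpn/}
        printf "pfctl -a '%s' -F rules\n" "$anchor"
        printf "rm -f '%s/ovpn_%s.rules'\n" "$TMP_PATH" "$leaf"
    done
}

# Constructed sample data mirroring the thread: user100 reconnected from a new
# port (6642) while the anchor from the first port (59225) was left behind.
SAMPLE_ANCHORS='  openvpn
  openvpn/ovpns1_user100_59225
  openvpn/ovpns1_user100_6642
  openvpn/ovpns1_user_01_61468'
SAMPLE_SESSIONS='user100 6642
user_01 61468'

# Writes the samples to temp files and prints the resulting cleanup commands.
run_demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_ANCHORS" > "$d/anchors"
    printf '%s\n' "$SAMPLE_SESSIONS" > "$d/sessions"
    cleanup_commands "$d/anchors" "$d/sessions"
    rm -rf "$d"
}

run_demo
```

On a live system the anchors file would come from `pfctl -sA`, and the sessions file from whatever the operator trusts as the list of current clients; matching on username and port together (rather than username alone) is what distinguishes the stale 59225 anchor from the live 6642 one for the same user. Flushing an anchor that a still-connected client relies on would drop that client's AVPair rules, so the output is meant to be reviewed before it is executed.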
Updated by Marcos M over 1 year ago
Until the referenced functionality is added upstream, floating client support will need to be disabled if avpair rules need to be used - otherwise there's the potential for the issues you're seeing. If you are able to replicate an issue with floating support disabled, please provide steps to replicate it.
Updated by Michael Mercier about 1 year ago
Marcos M wrote in #note-15:
Until the referenced functionality is added upstream, floating client support will need to be disabled if avpair rules need to be used - otherwise there's the potential for the issues you're seeing. If you are able to replicate an issue with floating support disabled, please provide steps to replicate it.
Hi Marcos,
I now have the OpenVPN server running with the 'Client Settings -> Dynamic IP' option disabled. I am still seeing multiple files for users in the /tmp directory.
e.g.
ovpn_ovpns1_user102_49732.rules
ovpn_ovpns1_user102_50633.rules
ovpn_ovpns1_user102_57634.rules
I also see the 'user102' file that contains the 'push "route..." options.
I haven't had a chance to see if I can reproduce this issue yet, just want to update.
Thanks,
Mike