Bug #1681

closed

OpenVPN tun IPs fail HTTP REFERER checks

Added by Chris Buechler over 10 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
07/15/2011
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

tun IPs on OpenVPN connections fail the local IP check used for the HTTP_REFERER web interface protection, so the default GUI can't be accessed on tun IPs.

Actions #1

Updated by Chris Buechler over 9 years ago

  • Target version deleted (2.1)
Actions #2

Updated by Jim Pingle almost 9 years ago

  • Target version set to 2.1

This gets annoying when trying to help customers fix up broken OpenVPN routing; we should fix this sooner rather than later...

Actions #3

Updated by Renato Botelho almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved
Actions #5

Updated by Per von Zweigbergk over 7 years ago

This bug has not been correctly resolved, as tested with pfSense 2.1-RELEASE.

The changeset listed earlier does remove the red warning box when accessing the OpenVPN server IP address. However, it does not remove the warning box correctly when accessing an OpenVPN client address.

It also does not resolve the issue with the unbypassable HTTP_REFERER warning.

Two further changes need to happen for this to be correctly resolved:

1. The warning box needs to not be shown when accessing an OpenVPN client IP.
2. The HTTP_REFERER check needs to also take into account OpenVPN server and client IP addresses.
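The failure mode reported in this ticket, as an added PHP example that is not pfSense source and not the code from the pull request: a Referer check that only knows the assigned interface addresses rejects a request made to a tun address until that address is added to the list. The function names, hostnames and addresses are constructed for illustration, and whether unassigned tunnel addresses belong in the list is left to the caller.

```php
<?php
// Added illustration, not pfSense code. All names and sample values are constructed.

/** Pack an IP literal (brackets allowed) to binary form, or null if it is not an IP. */
function ip_key(string $host): ?string
{
    $packed = @inet_pton(trim($host, '[]'));
    return $packed === false ? null : $packed;
}

/**
 * True when the Referer names a hostname or address this host answers on.
 * Binary comparison avoids mismatches between textual forms of the same
 * address (for example compressed and expanded IPv6).
 */
function referer_is_local(string $referer, array $hostnames, array $addresses): bool
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                       // unparsable Referer never matches
    }
    $key = ip_key($host);
    if ($key === null) {
        // Not an IP literal: exact, case-insensitive hostname match only.
        return in_array(strtolower($host), array_map('strtolower', $hostnames), true);
    }
    foreach ($addresses as $addr) {
        if (ip_key((string) $addr) === $key) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$hostnames = ['fw.example.test'];
$assigned  = ['192.0.2.1', '2001:db8::1'];  // addresses of assigned interfaces
$tunnel    = ['10.8.0.1'];                  // local end of an OpenVPN tun interface
$referer   = 'https://10.8.0.1/index.php';  // GUI reached over the tunnel

// Case 1: list built from assigned interfaces only (the situation in this ticket).
var_dump(referer_is_local($referer, $hostnames, $assigned));
// Case 2: list also carries the local tunnel address.
var_dump(referer_is_local($referer, $hostnames, array_merge($assigned, $tunnel)));
// Case 3: the remote peer's tunnel address is not a local address and stays rejected.
var_dump(referer_is_local('https://10.8.0.2/', $hostnames, array_merge($assigned, $tunnel)));
```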

Actions #6

Updated by Jim Pingle over 7 years ago

  • Status changed from Resolved to New
Actions #7

Updated by Jim Pingle over 7 years ago

  • Target version changed from 2.1 to 2.2
Actions #8

Updated by Per von Zweigbergk over 7 years ago

I'm going to see if I can't just make a fix for this myself.

Actions #10

Updated by Jim Thompson over 7 years ago

  • Assignee set to Jim Pingle

Pull request received 3 months ago. Assigned to Pingle.

Please ensure that a CLA is on file before reviewing the patch.

Actions #11

Updated by Jim Pingle over 7 years ago

I could not find an ICLA or CCLA in the database.

@Per von Zweigbergk:
If you could please sign either the Individual CLA ( https://portal.pfsense.org/members/signup/ICLA ) or the Corporate CLA ( https://portal.pfsense.org/members/signup/CCLA ) if you're active on behalf of a company, then we can review the patch for inclusion.

Thanks!

I added the same note to the pull request on GitHub.

Actions #12

Updated by Chris Buechler about 7 years ago

  • Status changed from New to Confirmed

Still no CLA.

Per - could you please go through that process as Jim noted so we can accept this?

Actions #13

Updated by Ermal Luçi about 7 years ago

  • Status changed from Confirmed to Feedback

The pull request seems to add only the CP users, which should anyhow be allowed to go through OpenVPN to the GUI.
The OpenVPN client is already covered before if assigned.
If not assigned, I am unsure this is a safe thing to do.

Actions #14

Updated by Chris Buechler about 7 years ago

  • Status changed from Feedback to Resolved

This seems to be fine, works where it's reasonable to work, can be assigned if desired in other circumstances.
