Bug #1681
closedOpenVPN tun IPs fail HTTP REFERER checks
100%
Description
tun IPs on OpenVPN connections fail the local IP check used for the HTTP_REFERER web interface protection, so the default GUI can't be accessed on tun IPs.
Updated by Jim Pingle almost 12 years ago
- Target version set to 2.1
This gets annoying when trying to help customers fix up broken OpenVPN routing, we should fix this sooner rather than later...
Updated by Renato Botelho almost 12 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 71034b51ff8831b43cf70c6f26955e6e6bdee5ca.
Updated by Chris Buechler over 11 years ago
- Status changed from Feedback to Resolved
Updated by Per von Zweigbergk over 10 years ago
This bug has not been correctly resolved, as tested with pfSense 2.1-RELEASE.
The changeset listed earlier does remove the red warning box when accessing the OpenVPN server IP address. However, it does not remove the warning box correctly when accessing an OpenVPN client address.
It also does not resolve the issue with the unbypassable HTTP_REFERER warning.
Two further changes need to happen for this to be correctly resolved:
1. The warning box needs to not be shown when accessing an OpenVPN client IP.
2. The HTTP_REFERER check needs to also take into account OpenVPN server and client IP addresses.
Updated by Per von Zweigbergk over 10 years ago
I'm going to see if I can't just make a fix for this myself.
Updated by Per von Zweigbergk over 10 years ago
This should fix it: https://github.com/pfsense/pfsense/pull/1043
Updated by Jim Thompson over 10 years ago
- Assignee set to Jim Pingle
pull request received 3 months ago. assigned to Pingle.
please ensure that a CLA is on-file before reviewing the patch.
Updated by Jim Pingle over 10 years ago
I could not find an ICLA or CCLA in the database.
@Per von Zweigbergk:
If you could please sign either the Individual CLA ( https://portal.pfsense.org/members/signup/ICLA ) or the Corporate CLA (
https://portal.pfsense.org/members/signup/CCLA ) if you're active on behalf of a company, then we can review the patch for inclusion.
Thanks!
I added the same note to the pull request on github.
Updated by Chris Buechler about 10 years ago
- Status changed from New to Confirmed
still no CLA.
Per - could you please go through that process as Jim noted so we can accept this?
Updated by Ermal Luçi about 10 years ago
- Status changed from Confirmed to Feedback
The pull request seems to add only the CP users which should anyhow be allowed to go through openvpn to the gui.
The openvpn client is already covered before if assigned.
If not assigned i am unsure this is a safe thing to do.
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved
this seems to be fine, works where it's reasonable to work, can be assigned if desired in other circumstances.