HEADS UP: Updated OpenVPN Client Export package 1.2.5 for Heartbleed fix
-
I updated the OpenVPN Client Export package to 1.2.5 and it should show up any time now. The only change is an updated windows installer, 2.3.3-I001 which includes (among other fixes) a new OpenSSL library.
On WINDOWS clients make sure that you UNINSTALL both the client and the tap drivers (for good measure) from any Windows system before installing the updated client obtained from the export package. If you run the new exported Windows client installer on top of an existing install it will likely skip the actual client install and only copy the config files, leaving the client vulnerable.
If your client settings did not change you can also reinstall the client from OpenVPN directly if you wish.
For more information on how Heartbleed affects OpenVPN, see https://community.openvpn.net/openvpn/wiki/heartbleed
Short story: If your server uses a TLS Authentication Key in combination with certificates, your exposure is limited, provided all of your clients are trustworthy. Be wary of public VPN services until they are patched.
-
Yeah - I'm not too sure if I have a perfect grasp of the problem for pfsense current stable release becausue alot of people are talking like its the end of the world for pfsense, but my thinking was that only the openvpn client export would need fixing?
I checked my current stable pfsense and got this:
$ openssl version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: date not available
platform: FreeBSD-amd64
options:Ā bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"Doesn't seem to be the effected versions.
Not sure if I'm missing something obvious.Ā I have been know to make mistakes now and again.
-
There are other threads discussing that, this is just for the client export.
In short: There is also OpenSSL 1.0.1 under /usr/local/ and that is used for OpenVPN and others and that is vulnerable. It's not the end of the world unless you have things configured insecurely to begin with.
-
Ah - So it is the end of the world after all.
Thanks. -
Tried to install the 1.2.5 package
pbi_add: Invalid file for usercheck!
of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!Installation aborted.Removing packageā¦
-
Must be just an issue with the 64-bit version.
OpenVPN Client Export 1.2.5 has installed fine on my 32-bit pfSense 2.1.2-RELEASE -
I guess it wasn't the end of the worldā¦Ā :o
I just hope someone didn't save 2+ years of the entire world's web traffic on a fat HDD to play back at their whim...
Noooooooooo biggie...Ā Ā :-\
-
Tried to install the 1.2.5 package
pbi_add: Invalid file for usercheck!
of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!Installation aborted.Removing packageā¦
We're aware of that and working on a fix, I'll bump the version again once it's confirmed. It happened to one of mine on a 32-bit install also. Not certain why it's inconsistent but we have a potential fix in the works.
-
Is there a way to filter so no older versions of the clients are able to connect to the server?
-
Not that I'm aware of, at least not easily.
You might have one of the openvpn scripts that runs on connect dump all of $_ENV somewhere to see if the client version is passed to the server. If so a check could be coded in.
-
OK I'm not sure why/how but that usercheck error isn't actually from the PBI installing wrong or a problem with the PBI, it's something about the local filesystem still having some files left over from p7zip somehow.
This cleared it up for me (from the shell):
fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi rm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/ pbi_add -f --no-checksig p7zip-9.20.1-i386.pbiIf you're on amd64:
fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/ pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbiAnd then I could reinstall the package from the GUI OK.
-
Interesting, i see the theory in this.
I'll try when i am local and let you know the outcome.
-
This isn't working for me.Ā I've tried your solution but it's just not working.Ā From the command line is says success but from the GUI this is the result:
:1
Beginning package installation for OpenVPN Client Export Utility .
Downloading package configuration fileā¦ done.
Saving updated package information... done.
Downloading OpenVPN Client Export Utility and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/8/All/zip-3.0-i386.pbi ...Ā [ repository]
(extracting)Downloading https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi ā¦Ā [ repository]
(extracting)
Loading package configurationā¦ done.
Configuring package components...
Additional files... openvpn-client-export.tgz failed.
Removing package...
Starting package deletion for zip-3.0-i386...done.
Starting package deletion for p7zip-9.20.1-i386...done.
Removing OpenVPN Client Export Utility components...
Tabs items... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.Installation halted.
:2
Shell:
I have to first use this command:Ā /etc/rc.conf_mount_rw
- Puts it into read / write otherwise I get a "read only" error.
/etc/rc.conf_mount_rw
fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi
p7zip-9.20.1-i386.pbiĀ Ā Ā Ā Ā Ā Ā Ā Ā Ā Ā Ā 100% ofĀ 965 kBĀ 436 kBpsrm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/
pbi_add -f āno-checksig p7zip-9.20.1-i386.pbi
Verifying Checksum...OK
Extracting to: /usr/pbi/p7zip-i386
Installed: p7zip-9.20.1
:3
I then go back to the GUI:
System > Packages > OpenVPN Client Export Utility > + > Confirm >
Scroll back up to ":1" in this post.
ā¦Failed to install package.
Installation halted.
Sighā¦no OpenVPNĀ :(
-
You're getting a different error than others.
Additional files... openvpn-client-export.tgz failed.In that step, it's trying to fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz
The file is there and downloads OK for me. If it doesn't for you, there could be something else blocking it (proxy, IDS/IPS, etc). It is a compressed file that contains windows executables and some IDS signatures would match that.
-
I saw your same answer on another post and I just can't believe that.Ā So, what I did was MANUALLY make the calls and this is where I'm at - the packages are fetched.Ā I suspect it's having a difficult time actually extracting the packages where they go.
[2.1.2-RELEASE][root@pfs1.somedomain.local]/root(5): mount -o rw /dev/ufs/pfsense0
[2.1.2-RELEASE][root@pfs1.somedomain.local]/root(7): cd tmp
[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(8): ls
apkg_iperf-2.0.5-i386.pbiĀ apkg_zip-3.0-i386.pbi
apkg_p7zip-9.20.1-i386.pbi[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(9): fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz
openvpn-client-export.tgzĀ Ā Ā Ā Ā Ā Ā Ā Ā Ā 100% of 3778 kBĀ 438 kBps[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(10): ls
apkg_iperf-2.0.5-i386.pbiĀ apkg_zip-3.0-i386.pbi
apkg_p7zip-9.20.1-i386.pbi openvpn-client-export.tgz
So, now that we've established no proxies or antivirus scanners upstream are blocking anything what now?
Can I install it manually?
- By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.Ā Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:
https://forum.pfsense.org/index.php?topic=12995.0
Is that possibly my problem?Ā Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?
- Note:Ā 32 bit ALIX board install here
** Note:Ā I imported the config from a PC, I'm going to setup a brand new ALIX, same everything but a fresh install, re-setup manually with NO import.Ā I think the import dirtied up the config even though other packages like iperf seem to install, openvpn-export-utility doesn't seem to be installing, probably because it does more complex things than iperf eh?
I'll update the post with my results.
-
- By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.Ā Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:
https://forum.pfsense.org/index.php?topic=12995.0
Is that possibly my problem?Ā Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?
Can'tĀ be. The OpenVPN Client Export package installs perfectly on NanoBSD boxes. I have several of them.
Do you have enough free disk space? -
- By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.Ā Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:
https://forum.pfsense.org/index.php?topic=12995.0
Is that possibly my problem?Ā Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?
OpenVPN Client Export Utility is a properly supported package on nanoBSD "embedded". There should be no need to trick the system into anything here. In fact, the available packages list on nanoBSD webGUI already has the unsupported packages filtered out.
Sorry, I have no clue what is the cause of your problem - I have installed this package on at least 4 32 bit Alix system running 2.1.2 with no trouble.
-
Is the file correct?
SHA256 (openvpn-client-export.tgz) = 288fe93bf33c596019b1dddf5400e49a8018457328ad0530df3a2a924a52fda1
If so, then it may be a disk space issue or similar. I have yet to see it fail on any other installation.
-
FYI - my problem was fixed by doing a clean install.Ā I would think the backup and restore function in PFSense would be hardware agnostic but there must be something in there that's hardware specific thus taking the settings from a full intel pc to an alix board something was lost in translation.Ā Whatever it was broke the package installation for openvpn.
Weird, good thing I had a spare system on me ;-)
-
If you're on amd64:
fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-amd64.pbi rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/ pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbiNeed to update the amd64 instructions because the fetch path was not correct:
fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/ pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbiI've used the above steps on my amd64 setup and they work once the URL path in the fetch command is corrected.
ā
Brett Ussher
