Very DANGEROUS BUG with OpenVPN wizard!
-
Guys, today I discovered a very dangerous bug (it opens the firewall!) with the OpenVPN wizard. Actually, the OpenVPN wizard is to blame for the wrong firewall entry, but much more dangerous is pfSense's behaviour after that: it literally turned off the firewall completely. My environment:
- pfSense 2.4.3-RELEASE (amd64), VMware appliance;
- Installed packages: Lightsquid 3.0.6_4; Open-VM-Tools 10.1.0,1; openvpn-client-export 1.4.14; squid 0.4.43_1; squidGuard 1.16.4
Key configuration (with steps):
- Three OpenVPN clients configured for three shared-key OpenVPN site-to-site connections;
- Configured port forwarding for ports 80 and 443 to some LAN server. The appropriate firewall rules were created automatically;
- The OpenVPN wizard was executed to configure a VPN server (on port 1194) for connecting external users.
I've ended up with the following firewall rules:
- No "Floating" rules;
- Only automatically generated "WAN" rules: the rules blocking private and bogon networks, the rule created by the OpenVPN wizard allowing connections from any to 1194, and the two rules created automatically together with the port forwarding described above;
- There are a few "LAN" rules, but they aren't important for this at all.
When I had finished that, I tried to access the website I had published through the port-forwarding rules mentioned above from the internet (from WAN). So, I entered an address (e.g. http://www.site.com), and I got a big surprise: not because my port forwarding didn't work, but because I got the pfSense administrative web UI! It was complaining about a "possible DNS attack" because of the wrong URL, but as soon as I entered my WAN IP there (e.g. http://1.2.3.4) I got the regular login page for the web UI!
I even tried deleting all the port-forwarding rules and the accompanying firewall filtering rules, but even after that, and after rebooting the appliance, I was still able to access the administrative web UI from WAN! Again, there were no rules that would allow that: I ended up with no "Floating" rules and only three "WAN" rules (blocking private and bogon networks, and any to 1194 created by the OpenVPN wizard), so no rule could allow access to the administrative web UI, yet I was able to access it. The conclusion is obvious: the firewall is turned off completely!
An important thing to note is that I was getting an alarm with a message like: There were error(s) loading the rules: /tmp/rules.debug:155: unknown protocol udp4...
Here's part of the line (from the /tmp/rules.debug file) that was causing the message:
pass in quick on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp4 from any to 1.2.3.4 tracker 1524482114 keep state label "USER_RULE: OpenVPN VPN clients wizard"
The fix was rather easy: I opened the corresponding rule in the web UI and noticed that the "Protocol" dropdown list contained "any". I changed that to "UDP", saved the rule and applied the changes. After that the alarm about the error didn't fire anymore, and the corresponding line in the /tmp/rules.debug file became:
pass in quick on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp from any to 1.2.3.4 port 1194 tracker 1524482114 keep state label "USER_RULE: OpenVPN VPN clients wizard"
After that everything started working as expected: I was no longer able to access the administrative web UI from the WAN side, and the port forward (after I recreated the rules) started working normally.
The biggest issue here is that the pfSense firewall obviously crashed completely (all traffic was passing freely) because of the error caused by OpenVPN, and this should not happen, of course.
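The alarm quoted above is pf refusing the whole ruleset because of a single token it cannot resolve. As an added example (not pfSense code, and not part of the original post), the following script lints a copy of /tmp/rules.debug offline: it reports any `proto` name outside a known set as a ruleset-killing error, and separately warns about `pass in` rules for TCP/UDP that carry no `port` clause and therefore admit every port. The protocol list is an assumption (pf resolves names through /etc/protocols, so it is only a subset), and the embedded sample rules are constructed from the two lines quoted in the thread plus a bogon block rule.

```python
"""Offline lint for a pfSense-generated pf ruleset (/tmp/rules.debug).

Added example for this thread, not pfSense code.  It flags two things:
a `proto` name pf does not know (pfctl then rejects the entire file with
"unknown protocol ...", the alarm quoted in the thread), and `pass in`
rules for tcp/udp with no `port` clause, which pass every port to the
destination.  KNOWN_PROTOS is an assumption: pf resolves names through
/etc/protocols, so this is only a subset of what pf would accept.
"""
import re
import sys

# Assumption: protocol names the pfSense web UI can emit.  pf accepts any
# name from /etc/protocols or a number; "udp4"/"tcp4" are in neither,
# which is why the whole ruleset failed to load in the thread.
KNOWN_PROTOS = {
    "tcp", "udp", "icmp", "icmp6", "ipv6-icmp", "esp", "ah", "gre",
    "igmp", "pim", "ospf", "sctp", "carp", "pfsync", "ipv6", "ipencap",
}

LABEL_RE = re.compile(r'label "([^"]*)"')

# Constructed sample: the broken and the fixed wizard lines quoted in the
# thread, plus a bogon block rule that carries no proto at all.
SAMPLE_RULES = """\
block in log quick on $WAN from <bogons> to any tracker 11002 label "block bogon IPv4 networks from WAN"
pass in quick on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp4 from any to 1.2.3.4 tracker 1524482114 keep state label "USER_RULE: OpenVPN VPN clients wizard"
pass in quick on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp from any to 1.2.3.4 port 1194 tracker 1524482114 keep state label "USER_RULE: OpenVPN VPN clients wizard"
"""


def protos_after(tokens, i):
    """Protocol names following tokens[i] == 'proto', handling `proto { tcp udp }`."""
    if i + 1 < len(tokens) and tokens[i + 1] == "{":
        names = []
        for tok in tokens[i + 2:]:
            if tok == "}":
                break
            names.append(tok.rstrip(","))
        return names
    return tokens[i + 1:i + 2]


def lint_rules(text):
    """Return a list of findings, each {'line', 'severity', 'label', 'message'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        # only filter rules; skip comments, macros, tables and options
        if not tokens or tokens[0] not in ("pass", "block", "match"):
            continue
        m = LABEL_RE.search(line)
        label = m.group(1) if m else ""
        protos = protos_after(tokens, tokens.index("proto")) if "proto" in tokens else []

        for name in protos:
            if name not in KNOWN_PROTOS and not name.isdigit():
                findings.append({
                    "line": lineno, "severity": "error", "label": label,
                    "message": f"unknown protocol {name}: pfctl rejects the whole ruleset",
                })

        # a pass-in rule for tcp/udp without `port` admits every port
        if tokens[0] == "pass" and "in" in tokens[1:3] and "port" not in tokens:
            wide = [p for p in protos if p in ("tcp", "udp")]
            if wide:
                findings.append({
                    "line": lineno, "severity": "warning", "label": label,
                    "message": f"pass in with proto {'/'.join(wide)} but no port clause",
                })
    return findings


def main(argv):
    path = argv[1] if len(argv) > 1 else "/tmp/rules.debug"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_RULES  # fall back to the constructed sample
    findings = lint_rules(text)
    for f in findings:
        print(f"{path}:{f['line']}: {f['severity']}: {f['message']} [{f['label']}]")
    return 1 if any(f["severity"] == "error" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python lint_rules.py /tmp/rules.debug` on a copy of the file; on the sample it reports only line 2 (the `udp4` rule) as an error and nothing for the corrected `proto udp ... port 1194` line. The authoritative check remains pf's own parser on the firewall, `pfctl -nf /tmp/rules.debug`, which parses without loading and raises the same "unknown protocol" error; the script is only a quick pre-check that also catches the wide-open pass rule a valid ruleset can still contain.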
-
-
Known issue. Been fixed for a while. https://redmine.pfsense.org/issues/8391
Easily fixed by editing the rule and fixing the protocol, then clicking Save, then Apply.
-
What change would I make to the rules to close this?
Apparently I created my OpenVPN instance before I upgraded pfSense.
It looks like I can modify the WAN Pass rule to only allow port 1194 instead of *. Correct?
Thanks.
-
@bsilva Yeah, that's essentially the change you have to make.
Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: Any
Destination: WAN address
Port Range: 1194 (OpenVPN)
And you're done.
Jeff
-
If you're hitting this when running the OpenVPN wizard, you are running a very old version and should update immediately!
The bug here was that the rule created was invalid, so it prevented the ruleset from loading, not that it added a rule that opened traffic to any port.
If you're running something newer than 2.4.3, then this thread is probably completely unrelated to what you're seeing and you should start a new thread.
Steve