[bug] openvpn.attributes.php doesn't expand username properly (peruser fw rules)

  • I've been testing radius with cisco-avpairs to install custom per-user firewall rules under openvpn. This almost works well, with the exception of the aforementioned script, which fails to expand the common name of the user being authenticated, which in turn ends with pfctl trying to install per-user rules at the 'openvpn/' key instead of 'openvpn/<user>'.

    The logs always show something like:

    Apr 19 16:06:41 	openvpn 		user 'msl' authenticated
    Apr 19 16:06:41 	openvpn 		/openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules' 

    The block near the top of the file that is responsible for setting up $common_name seems to be doing nothing. The non-working expansion is from the mwexec command:

    if (!empty($rules)) {
            $pid = posix_getpid();
            @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
            mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");

    This is happening in version 2.4.3 (community edition). FWIW, the firewall rules seem to be correctly translated from avpairs into pf dialect.

  • Rebel Alliance Developer Netgate

    Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.
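
The failure in this thread is an empty user name reaching the pfctl call, so one defensive pattern is to refuse to build the command at all when no name is available, and to build the rules path once so the file written and the file loaded cannot differ. This is an added example, not code from either post or from pfSense: the helper names and the name allowlist are hypothetical, and it assumes the name arrives in the `username` or `common_name` variable that OpenVPN exports to scripts.

```php
<?php
// Added example, not pfSense code. Function names are hypothetical.

// Return the first non-empty user name found in the script environment,
// or null when none is set (the situation shown in the log above).
function resolve_user_key(array $env)
{
    foreach (array('username', 'common_name') as $var) {
        $value = isset($env[$var]) ? trim((string)$env[$var]) : '';
        if ($value !== '') {
            return $value;
        }
    }
    return null;
}

// Build the rules file path and the pfctl command for one user.
// Returns null instead of a command when the name is missing or contains
// characters outside the allowlist (the allowlist is an assumption).
function build_pfctl_command($user, $tmp_path, $pid)
{
    if ($user === null || !preg_match('/^[A-Za-z0-9._@-]+$/', $user)) {
        return null;
    }
    // One path, used both for writing the rules and for "pfctl -f".
    $rules_file = "{$tmp_path}/ovpn_{$pid}_{$user}.rules";
    $command = '/sbin/pfctl -a ' . escapeshellarg("openvpn/{$user}")
             . ' -f ' . escapeshellarg($rules_file);
    return array('file' => $rules_file, 'command' => $command);
}

// Constructed inputs: an environment with no name, then one with a name.
$cases = array(
    'empty env'    => array(),
    'username set' => array('username' => 'msl'),
);
foreach ($cases as $label => $env) {
    $result = build_pfctl_command(resolve_user_key($env), '/tmp', 2060);
    if ($result === null) {
        // Fail closed: never load rules into the shared 'openvpn/' anchor.
        echo "{$label}: no usable user name, not calling pfctl\n";
        continue;
    }
    echo "{$label}: {$result['command']}\n";
}
```

With the empty environment the script stops before pfctl is invoked, which makes the missing name visible as its own error instead of as a pfctl exit code.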