Netgate Discussion Forum
    [bug] openvpn.attributes.php doesn't expand username properly (peruser fw rules)

    OpenVPN
    msoltyspl

      I've been testing RADIUS with cisco-avpairs to install custom per-user firewall rules under OpenVPN. This almost works well, with the exception of the aforementioned script, which fails to expand the common name of the user being authenticated, which in turn ends with pfctl trying to install per-user rules at the 'openvpn/' key instead of 'openvpn/<user>'.

      The logs always show something like:

      Apr 19 16:06:41 	openvpn 		user 'msl' authenticated
      Apr 19 16:06:41 	openvpn 		/openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules' 
      

      The block near the top of the file that is responsible for setting up $common_name seems to be doing nothing. The non-working expansion is from the mwexec command:

      if (!empty($rules)) {
              $pid = posix_getpid();
              // Per-user rules are written to a temp file named after the pid and the common name
              // (note the hard-coded /tmp here versus $g['tmp_path'] below).
              @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
              // Anchor name becomes "openvpn/<common_name>"; with an empty $common_name this is
              // "openvpn/" and escapeshellarg('') yields the '' seen in the logged command.
              mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
              // Temp file is removed whether or not pfctl succeeded.
              @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
      }
      
      

      This is happening in version 2.4.3 (community edition). FWIW, the firewall rules seem to be correctly translated from avpairs into pf dialect.

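The following is an added example, not code from either post and not pfSense's own script: it rebuilds the anchor name and the pfctl command string the same way the quoted snippet does (without running pfctl), so you can check what a given $common_name turns into, and adds a guarded variant that refuses to load anything into pf when the per-user anchor cannot be named. The function names, the allowlist regex for anchor names and the sample pid are assumptions made for this example.

```php
<?php
// Added example (not pfSense code). Reproduces the command construction from the
// quoted openvpn.attributes.php snippet so the logged command can be explained,
// and shows a guard that fails closed on an empty common name.

/**
 * Build the anchor name, rules-file path and pfctl command exactly the way the
 * quoted snippet does. Nothing is executed.
 */
function build_pfctl_command(string $common_name, int $pid, string $tmp_path = '/tmp'): array
{
    $anchor     = "openvpn/{$common_name}";
    $rules_file = "{$tmp_path}/ovpn_{$pid}{$common_name}.rules";

    // escapeshellarg() wraps its argument in single quotes, so an empty common
    // name shows up as '' inside the -f path and the anchor degrades to 'openvpn/'.
    $cmd = "/sbin/pfctl -a " . escapeshellarg($anchor)
         . " -f {$tmp_path}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules";

    return ['anchor' => $anchor, 'file' => $rules_file, 'cmd' => $cmd];
}

/**
 * Guarded variant (my suggestion, not pfSense's fix): return null instead of a
 * command when the common name is empty or contains characters outside a
 * conservative allowlist (the allowlist is an assumption for this example, not
 * pf's own anchor-name grammar). $reason explains why the rules were not loaded.
 */
function build_pfctl_command_checked(string $common_name, int $pid, string $tmp_path, ?string &$reason = null): ?array
{
    if ($common_name === '') {
        $reason = 'common name is empty; rules would land in the bare "openvpn/" anchor instead of a per-user one';
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._@-]+$/', $common_name)) {
        $reason = 'common name contains characters not allowed in an anchor name';
        return null;
    }
    $reason = null;
    return build_pfctl_command($common_name, $pid, $tmp_path);
}

// Constructed demo input: pid 2060 as in the log line, once with an empty common
// name (the failure in the post) and once with the user "msl".
$broken = build_pfctl_command('', 2060);
echo "empty common name -> ", $broken['cmd'], PHP_EOL;

$good = build_pfctl_command('msl', 2060);
echo "common name 'msl' -> ", $good['cmd'], PHP_EOL;

$reason = null;
$result = build_pfctl_command_checked('', 2060, '/tmp', $reason);
echo "guarded, empty name -> ", $result === null ? "refused: {$reason}" : $result['cmd'], PHP_EOL;

$result = build_pfctl_command_checked('msl', 2060, '/tmp', $reason);
echo "guarded, 'msl'      -> ", $result === null ? "refused: {$reason}" : $result['cmd'], PHP_EOL;
```

With an empty $common_name the first function returns the same command string that appears in the log above (anchor 'openvpn/', file path /tmp/ovpn_2060''.rules), which is how you can confirm from a log line alone that the name was never expanded. The guarded variant makes the failure explicit rather than handing pfctl an anchor that is not per-user.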
      jimp (Rebel Alliance Developer, Netgate)

        Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.