[bug] openvpn.attributes.php doesn't expand username properly (peruser fw rules)

msoltyspl · Apr 19, 2018, 2:18 PM

I've been testing radius with cisco-avpairs to install custom per-user firewall rules under openvpn. This almost work well, with the exception of aforementioned script that fails to expand common name of the user being authenticated, which in turn ends with pfctl trying to install per-user rules at 'openvpn/' key instead of 'openvpn/<user>'.

The logs always show something like:

Apr 19 16:06:41 	openvpn 		user 'msl' authenticated
Apr 19 16:06:41 	openvpn 		/openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules'

Block near the top of the file that is responsible for setting up $common_name seems do be doing noting. The non-working expansion is from mwexec command:

if (!empty($rules)) {
        $pid = posix_getpid();
        @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
        mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
}

This is happening in version 2.4.3 (community edition). FWIW, the firewall rules seem to be correctly translated from avpairs into pf dialect.</user>

jimp · Apr 20, 2018, 2:36 PM

Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.