Netgate Discussion Forum

[bug] openvpn.attributes.php doesn't expand username properly (peruser fw rules)

Category: OpenVPN
2 Posts, 2 Posters, 540 Views
    msoltyspl (Apr 19, 2018, 2:18 PM)

    I've been testing radius with cisco-avpairs to install custom per-user firewall rules under openvpn. This almost works well, with the exception of the aforementioned script that fails to expand the common name of the user being authenticated, which in turn ends with pfctl trying to install per-user rules at the 'openvpn/' key instead of 'openvpn/<user>'.

    The logs always show something like:

    Apr 19 16:06:41  openvpn  user 'msl' authenticated
    Apr 19 16:06:41  openvpn  /openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules'

    The block near the top of the file that is responsible for setting up $common_name seems to be doing nothing. The non-working expansion is from the mwexec command:

    if (!empty($rules)) {
        // write the translated per-user rules to a temp file named after the pid and the common name
        $pid = posix_getpid();
        @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
        // load them into the per-user anchor; with $common_name empty the anchor becomes 'openvpn/'
        // and escapeshellarg('') turns the file argument into /tmp/ovpn_<pid>''.rules, as in the log above
        mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
    }

    This is happening in version 2.4.3 (community edition). FWIW, the firewall rules seem to be correctly translated from avpairs into pf dialect.

    jimp (Rebel Alliance Developer, Netgate), Apr 20, 2018, 2:36 PM

      Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.


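Taking jimp's point that the user name should already be in the environment OpenVPN hands to the script, the following shows how a per-user rule installer can resolve that name and refuse to touch pf when it is empty or unsafe, instead of loading rules into the bare 'openvpn/' anchor as in the first post's log. This is an added example, not pfSense's openvpn.attributes.php and not code from either poster; the function names, the dry-run switch, the interface name ovpns1 and the sample rule are assumptions, and the only pfSense-specific detail kept is the openvpn/<common_name> anchor naming.

```php
<?php
// Added example, not pfSense's own code: resolve the OpenVPN user name the way a
// per-user rule installer should, and refuse to call pfctl with an empty or
// unsafe name. Function names, the $dry_run switch and the sample data below
// are assumptions made for this example.

// OpenVPN exports common_name (and, for auth-user-pass-verify via-env,
// username) to its scripts as environment variables, so read them with
// getenv() and fall back from one to the other. An empty value counts as unset.
function ovpn_resolve_common_name(): ?string
{
    foreach (['common_name', 'username'] as $var) {
        $value = getenv($var);
        if ($value !== false && $value !== '') {
            return $value;
        }
    }
    return null;
}

// The name becomes part of a pf anchor path and of a file name under /tmp.
// pf anchor names are '/'-separated, so a '/' or '..' in a certificate CN
// would otherwise let one RADIUS user land in another user's anchor or walk
// out of the temp directory. Allow only a conservative character set.
function ovpn_name_is_safe(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $name)
        && $name !== '.' && $name !== '..';
}

// Build the pfctl command with each value escaped as a whole argument rather
// than splicing escapeshellarg() into the middle of a path.
function ovpn_user_rules_cmd(string $common_name, string $rules_file): string
{
    return '/sbin/pfctl -a ' . escapeshellarg("openvpn/{$common_name}")
        . ' -f ' . escapeshellarg($rules_file);
}

// Install per-user rules for the authenticating user. Returns the pfctl
// command that was (or, in dry-run mode, would have been) executed, or null
// when nothing was installed. Dry-run mode lets this run on a host without pf.
function ovpn_install_user_rules(string $rules, string $tmp_path = '/tmp', bool $dry_run = true): ?string
{
    if ($rules === '') {
        return null;
    }
    $common_name = ovpn_resolve_common_name();
    if ($common_name === null) {
        // The case from the bug report: bail out instead of loading the
        // rules into the bare 'openvpn/' anchor.
        fwrite(STDERR, "openvpn: no common_name/username in environment, not installing per-user rules\n");
        return null;
    }
    if (!ovpn_name_is_safe($common_name)) {
        fwrite(STDERR, "openvpn: refusing unsafe common name for per-user rules\n");
        return null;
    }
    $rules_file = sprintf('%s/ovpn_%d_%s.rules', $tmp_path, getmypid(), $common_name);
    $cmd = ovpn_user_rules_cmd($common_name, $rules_file);
    if ($dry_run) {
        return $cmd;
    }
    if (@file_put_contents($rules_file, $rules) === false) {
        return null;
    }
    // pfSense would call mwexec() here; plain exec() keeps the example standalone.
    exec($cmd . ' 2>&1', $output, $rc);
    @unlink($rules_file);
    if ($rc !== 0) {
        fwrite(STDERR, "pfctl returned exit code {$rc}: " . implode("\n", $output) . "\n");
    }
    return $cmd;
}

// Constructed sample input (not captured from a real system): one pf rule of
// the kind the cisco-avpair translation produces, on an assumed interface name.
$sample_rules = "pass in quick on ovpns1 inet proto tcp from any to 10.0.0.5 port 22\n";

// Normal case: OpenVPN has set common_name, so a properly quoted command comes back.
putenv('common_name=msl');
echo ovpn_install_user_rules($sample_rules), "\n";

// The failure from the report: both variables empty, so nothing reaches pfctl.
putenv('common_name=');
putenv('username=');
var_dump(ovpn_install_user_rules($sample_rules));

// A hostile CN is rejected rather than becoming an anchor or path component.
putenv('common_name=../etc');
var_dump(ovpn_install_user_rules($sample_rules));
```

Run it with the php CLI; in the default dry-run mode it only prints the command it would hand to pfctl, so it is safe on any machine. Two things differ from the snippet in the first post: an empty name is treated as a hard failure rather than silently becoming the 'openvpn/' anchor, and the name is validated before it is used as an anchor and file-name component, because pf treats '/' in an anchor name as nesting and a RADIUS-supplied user name is attacker-influenced input.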
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.