Very DANGEROUS BUG with OpenVPN wizard!



  • Guyz, today I've discovered a very dangerous bug (it opens the firewall!) with the OpenVPN wizard. Actually, the OpenVPN wizard is to blame for a wrong firewall entry, but much more dangerous is pfSense's behavior after that - it literally turned off the firewall completely. My environment:

    • pfSense 2.4.3-RELEASE (amd64), VMware appliance;

    • Installed packages: Lightsquid 3.0.6_4; Open-VM-Tools 10.1.0,1; openvpn-client-export 1.4.14; squid 0.4.43_1; squidGuard 1.16.4

    Key configuration (with steps):

    • Three OpenVPN clients configured for three shared-key OpenVPN site-to-site connections;

    • Configured port forwarding for ports 80 and 443 to a LAN server. The appropriate firewall rules were created automatically;

    • OpenVPN wizard executed in order to configure a VPN server (on port 1194), for connecting external users.

    I've ended up with the following firewall rules:

    • No "Floating" rules;

    • Only automatically generated "WAN" rules: blocking private and bogon networks, the rule created by the OpenVPN wizard allowing connections from any to 1194, and two rules created automatically when the port forwards described above were created;

    • There are a few "LAN" rules, but they aren't important at all for this.

    When I'd finished that, I tried to access the website I'd published via the mentioned port-forwarding rules from the internet (from WAN). So, I entered an address (e.g. http://www.site.com), and I got a big surprise: not because my port-forwarding didn't work, but because I got the pfSense administrative web UI! It was complaining about a "possible DNS attack" because of a wrong URL address, but as soon as I entered my WAN IP there (e.g. http://1.2.3.4) - I got the regular login page for the web UI!
    I even tried deleting all port-forwarding rules and the accompanying firewall filtering rules, but even after that, and after rebooting the appliance, I was still able to access the administrative web UI from WAN! Again, there were no rules at all that would allow that: I ended up with no "Floating" rules, and with only three "WAN" rules (blocking private and bogon networks, and any to 1194 created by the OpenVPN wizard), so no rule could allow accessing the administrative web UI, yet I was able to access it. The conclusion is obvious: the firewall is turned off completely!
    An important thing to note is that I was getting an alarm with a message like

    There were error(s) loading the rules: /tmp/rules.debug:155: unknown protocol udp4...
    

    Here's part of the line (from /tmp/rules.debug file) that was causing the message:

    pass  in  quick  on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp4  from any to 1.2.3.4 tracker 1524482114 keep state  label "USER_RULE: OpenVPN VPN clients wizard"
    

    The fix was rather easy: I opened the corresponding rule in the web UI, and noticed that the "Protocol" dropdown list contained "any". I changed that to "UDP", saved the rule and applied the changes. After that, the error alarm didn't fire anymore, and the corresponding line in the /tmp/rules.debug file became:

    pass  in  quick  on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp  from any to 1.2.3.4 port 1194 tracker 1524482114 keep state  label "USER_RULE: OpenVPN VPN clients wizard"
    
    

    After that everything started working as expected: I wasn't able to access the administrative web UI from the WAN side, and the port-forward (after I'd recreated the rules) started working normally.

    The biggest issue here is that obviously the pfSense firewall crashed completely (all traffic was passing freely) because of the error caused by the OpenVPN wizard, and this should not happen, of course.
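The failure mode described above (one bad token rejecting the whole ruleset, after which nothing filters) is worth catching before a filter reload rather than after. The following is an added example, not code from the post or from pfSense: a small lint over a /tmp/rules.debug-style file that flags protocol tokens pfctl would reject and pass rules with no port restriction. The KNOWN_PROTOS set is a constructed subset of what pf accepts, and the sample ruleset is constructed around the two OpenVPN wizard lines quoted in the post.

```python
import re

# Constructed subset of the protocol names pf accepts after "proto" (plus numeric
# protocol IDs). "udp4" and "tcp4" are not valid anywhere in pf syntax, which is
# exactly what produced "unknown protocol udp4" in the post.
KNOWN_PROTOS = {
    "tcp", "udp", "icmp", "icmp6", "ipv6-icmp", "esp", "ah", "gre",
    "sctp", "carp", "pfsync", "igmp", "ospf", "pim", "ipencap", "ipv6",
}

PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
PORT_RE = re.compile(r"\bport\s+\S")


def lint_rules(text):
    """Return a list of (line_no, severity, message) for a pf ruleset.

    'error' findings are ones pfctl rejects. pf loads a ruleset atomically, so a
    single error rejects every rule in the file; pf with no ruleset loaded passes
    all traffic, which matches what the post observed even after a reboot.
    'warning' findings load fine but are wider than a service rule should be.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if not rule.startswith(("pass", "block", "match")):
            continue  # macros, tables, options: not filter rules
        protos = []
        m = PROTO_RE.search(rule)
        if m:
            raw = m.group(1).strip("{} ")
            protos = [p for p in re.split(r"[,\s]+", raw) if p]
            for proto in protos:
                if proto not in KNOWN_PROTOS and not proto.isdigit():
                    findings.append((line_no, "error", f"unknown protocol {proto}"))
        # A pass rule on tcp/udp that names no destination port exposes every
        # listening service on that address, not just the one it was written for.
        if (rule.startswith("pass")
                and any(p in ("tcp", "udp") for p in protos)
                and not PORT_RE.search(rule)):
            findings.append((line_no, "warning", "pass rule has no port restriction"))
    return findings


def ruleset_loadable(text):
    """True only when no finding would make pfctl reject the whole file."""
    return not any(sev == "error" for _, sev, _ in lint_rules(text))


# Constructed sample modelled on the /tmp/rules.debug excerpts in the post:
# line 2 is the wizard's broken rule, line 3 the corrected one, line 4 a
# constructed over-wide rule included to exercise the warning path.
SAMPLE_RULES_DEBUG = """\
block in quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
pass  in  quick  on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp4  from any to 1.2.3.4 tracker 1524482114 keep state  label "USER_RULE: OpenVPN VPN clients wizard"
pass  in  quick  on $WAN reply-to ( em0 1.2.3.1 ) inet proto udp  from any to 1.2.3.4 port 1194 tracker 1524482114 keep state  label "USER_RULE: OpenVPN VPN clients wizard"
pass  in  quick  on $WAN inet proto tcp  from any to 1.2.3.4 keep state  label "constructed: admin GUI open to WAN"
"""

if __name__ == "__main__":
    for line_no, sev, msg in lint_rules(SAMPLE_RULES_DEBUG):
        print(f"rules.debug:{line_no}: {sev}: {msg}")
    print("loadable:", ruleset_loadable(SAMPLE_RULES_DEBUG))
```

This only catches the classes of mistake seen in the post; on the appliance itself the authoritative checks are `pfctl -nf /tmp/rules.debug` (parse the file without loading it) and `pfctl -sr` to confirm which rules are actually active in the kernel, which is the quickest way to see that "no rules" rather than "wrong rules" is what the error left behind.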


  • Rebel Alliance Developer Netgate

    Known issue. Been fixed for a while. https://redmine.pfsense.org/issues/8391

    Easily fixed by editing the rule and fixing the protocol, then click save, then apply.