HEADS UP: Updated OpenVPN Client Export package 1.2.5 for Heartbleed fix


  • Rebel Alliance Developer Netgate

    I updated the OpenVPN Client Export package to 1.2.5 and it should show up any time now. The only change is an updated windows installer, 2.3.3-I001 which includes (among other fixes) a new OpenSSL library.

    On WINDOWS clients make sure that you UNINSTALL both the client and the tap drivers (for good measure) from any Windows system before installing the updated client obtained from the export package. If you run the new exported Windows client installer on top of an existing install it will likely skip the actual client install and only copy the config files, leaving the client vulnerable.

    If your client settings did not change you can also reinstall the client from OpenVPN directly if you wish.

    For more information on how Heartbleed affects OpenVPN, see https://community.openvpn.net/openvpn/wiki/heartbleed

    Short story: If your server uses a TLS Authentication Key in combination with certificates, your exposure is limited, provided all of your clients are trustworthy. Be wary of public VPN services until they are patched.



  • Yeah - I'm not too sure if I have a perfect grasp of the problem for pfsense current stable release becausue alot of people are talking like its the end of the world for pfsense, but my thinking was that only the openvpn client export would need fixing?

    I checked my current stable pfsense and got this:

    $ openssl version -a
    OpenSSL 0.9.8y 5 Feb 2013
    built on: date not available
    platform: FreeBSD-amd64
    options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc
    OPENSSLDIR: "/etc/ssl"

    Doesn't seem to be the effected versions.

    Not sure if I'm missing something obvious.  I have been know to make mistakes now and again.


  • Rebel Alliance Developer Netgate

    There are other threads discussing that, this is just for the client export.

    In short: There is also OpenSSL 1.0.1 under /usr/local/ and that is used for OpenVPN and others and that is vulnerable. It's not the end of the world unless you have things configured insecurely to begin with.



  • Ah - So it is the end of the world after all.
    Thanks.



  • Tried to install the 1.2.5 package

    pbi_add: Invalid file for usercheck!
    of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!

    Installation aborted.Removing package…



  • Must be just an issue with the 64-bit version.
    OpenVPN Client Export 1.2.5 has installed fine on my 32-bit pfSense 2.1.2-RELEASE



  • I guess it wasn't the end of the world…  :o

    I just hope someone didn't save 2+ years of the entire world's web traffic on a fat HDD to play back at their whim...

    Noooooooooo biggie...    :-\


  • Rebel Alliance Developer Netgate

    @Jbmeth007:

    Tried to install the 1.2.5 package

    pbi_add: Invalid file for usercheck!
    of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!

    Installation aborted.Removing package…

    We're aware of that and working on a fix, I'll bump the version again once it's confirmed. It happened to one of mine on a 32-bit install also. Not certain why it's inconsistent but we have a potential fix in the works.



  • Is there a way to filter so no older versions of the clients are able to connect to the server?


  • Rebel Alliance Developer Netgate

    Not that I'm aware of, at least not easily.

    You might have one of the openvpn scripts that runs on connect dump all of $_ENV somewhere to see if the client version is passed to the server. If so a check could be coded in.


  • Rebel Alliance Developer Netgate

    OK I'm not sure why/how but that usercheck error isn't actually from the PBI installing wrong or a problem with the PBI, it's something about the local filesystem still having some files left over from p7zip somehow.

    This cleared it up for me (from the shell):

    fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi
    rm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/
    pbi_add -f --no-checksig p7zip-9.20.1-i386.pbi
    

    If you're on amd64:

    fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi
    rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
    pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi
    

    And then I could reinstall the package from the GUI OK.



  • Interesting, i see the theory in this.

    I'll try when i am local and let you know the outcome.



  • This isn't working for me.  I've tried your solution but it's just not working.  From the command line is says success but from the GUI this is the result:


    :1
    Beginning package installation for OpenVPN Client Export Utility .
    Downloading package configuration file… done.
    Saving updated package information... done.
    Downloading OpenVPN Client Export Utility and its dependencies...
    Checking for package installation...
    Downloading https://files.pfsense.org/packages/8/All/zip-3.0-i386.pbi ...  [ repository]
    (extracting)

    Downloading https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi …  [ repository]
    (extracting)
    Loading package configuration… done.
    Configuring package components...
    Additional files... openvpn-client-export.tgz failed.
    Removing package...
    Starting package deletion for zip-3.0-i386...done.
    Starting package deletion for p7zip-9.20.1-i386...done.
    Removing OpenVPN Client Export Utility components...
    Tabs items... done.
    Loading package instructions...
    Deinstall commands... done.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    done.
    Failed to install package.

    Installation halted.


    :2

    Shell:

    I have to first use this command:  /etc/rc.conf_mount_rw

    • Puts it into read / write otherwise I get a "read only" error.

    /etc/rc.conf_mount_rw

    fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi
    p7zip-9.20.1-i386.pbi                        100% of  965 kB  436 kBps

    rm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/

    pbi_add -f –no-checksig p7zip-9.20.1-i386.pbi
    Verifying Checksum...OK
    Extracting to: /usr/pbi/p7zip-i386
    Installed: p7zip-9.20.1


    :3

    I then go back to the GUI:

    System > Packages > OpenVPN Client Export Utility > + > Confirm >

    Scroll back up to ":1" in this post.

    …Failed to install package.

    Installation halted.


    Sigh…no OpenVPN  :(


  • Rebel Alliance Developer Netgate

    You're getting a different error than others.

    Additional files... openvpn-client-export.tgz failed.
    

    In that step, it's trying to fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz

    The file is there and downloads OK for me. If it doesn't for you, there could be something else blocking it (proxy, IDS/IPS, etc). It is a compressed file that contains windows executables and some IDS signatures would match that.



  • I saw your same answer on another post and I just can't believe that.  So, what I did was MANUALLY make the calls and this is where I'm at - the packages are fetched.  I suspect it's having a difficult time actually extracting the packages where they go.


    [2.1.2-RELEASE][root@pfs1.somedomain.local]/root(5): mount -o rw /dev/ufs/pfsense0

    [2.1.2-RELEASE][root@pfs1.somedomain.local]/root(7): cd tmp

    [2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(8): ls
    apkg_iperf-2.0.5-i386.pbi  apkg_zip-3.0-i386.pbi
    apkg_p7zip-9.20.1-i386.pbi

    [2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(9): fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz
    openvpn-client-export.tgz                    100% of 3778 kB  438 kBps

    [2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(10): ls
    apkg_iperf-2.0.5-i386.pbi  apkg_zip-3.0-i386.pbi
    apkg_p7zip-9.20.1-i386.pbi openvpn-client-export.tgz


    So, now that we've established no proxies or antivirus scanners upstream are blocking anything what now?

    Can I install it manually?

    • By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

    https://forum.pfsense.org/index.php?topic=12995.0

    Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

    • Note:  32 bit ALIX board install here
      ** Note:  I imported the config from a PC, I'm going to setup a brand new ALIX, same everything but a fresh install, re-setup manually with NO import.  I think the import dirtied up the config even though other packages like iperf seem to install, openvpn-export-utility doesn't seem to be installing, probably because it does more complex things than iperf eh?

    I'll update the post with my results.



  • @pdrass:

    • By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

    https://forum.pfsense.org/index.php?topic=12995.0

    Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

    Can't  be. The OpenVPN Client Export package installs perfectly on NanoBSD boxes. I have several of them.
    Do you have enough free disk space?



    • By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

    https://forum.pfsense.org/index.php?topic=12995.0

    Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

    OpenVPN Client Export Utility is a properly supported package on nanoBSD "embedded". There should be no need to trick the system into anything here. In fact, the available packages list on nanoBSD webGUI already has the unsupported packages filtered out.

    Sorry, I have no clue what is the cause of your problem - I have installed this package on at least 4 32 bit Alix system running 2.1.2 with no trouble.


  • Rebel Alliance Developer Netgate

    Is the file correct?

    SHA256 (openvpn-client-export.tgz) = 288fe93bf33c596019b1dddf5400e49a8018457328ad0530df3a2a924a52fda1

    If so, then it may be a disk space issue or similar. I have yet to see it fail on any other installation.



  • FYI - my problem was fixed by doing a clean install.  I would think the backup and restore function in PFSense would be hardware agnostic but there must be something in there that's hardware specific thus taking the settings from a full intel pc to an alix board something was lost in translation.  Whatever it was broke the package installation for openvpn.

    Weird, good thing I had a spare system on me ;-)



  • @jimp:

    If you're on amd64:

    fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-amd64.pbi
    rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
    pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi
    

    Need to update the amd64 instructions because the fetch path was not correct:

    fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi
    rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
    pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi
    

    I've used the above steps on my amd64 setup and they work once the URL path in the fetch command is corrected.


    Brett Ussher


  • Rebel Alliance Developer Netgate

    Thanks. I fixed my earlier post.

    The URLs were right on the doc wiki though:
    https://doc.pfsense.org/index.php/Pbi_add:_Invalid_file_for_usercheck



  • I've updated my current version, now it shows 1.2.8 !
    but the post is about 1.2.5 is between the time been a new release?

    thank you


  • Rebel Alliance Developer Netgate

    It's actually 1.2.9 now. Any version 1.2.5 or later is fine for this issue.



  • @jimp:

    It's actually 1.2.9 now. Any version 1.2.5 or later is fine for this issue.

    I've noticed this too :) updated and all is working great
    you guys are the best