HEADS UP: Updated OpenVPN Client Export package 1.2.5 for Heartbleed fix

jimp

I updated the OpenVPN Client Export package to 1.2.5 and it should show up any time now. The only change is an updated windows installer, 2.3.3-I001 which includes (among other fixes) a new OpenSSL library.

On WINDOWS clients make sure that you UNINSTALL both the client and the tap drivers (for good measure) from any Windows system before installing the updated client obtained from the export package. If you run the new exported Windows client installer on top of an existing install it will likely skip the actual client install and only copy the config files, leaving the client vulnerable.

If your client settings did not change you can also reinstall the client from OpenVPN directly if you wish.

For more information on how Heartbleed affects OpenVPN, see https://community.openvpn.net/openvpn/wiki/heartbleed

Short story: If your server uses a TLS Authentication Key in combination with certificates, your exposure is limited, provided all of your clients are trustworthy. Be wary of public VPN services until they are patched.

kejianshi

Yeah - I'm not too sure if I have a perfect grasp of the problem for pfsense current stable release becausue alot of people are talking like its the end of the world for pfsense, but my thinking was that only the openvpn client export would need fixing?

I checked my current stable pfsense and got this:

$ openssl version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: date not available
platform: FreeBSD-amd64
options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"

Doesn't seem to be the effected versions.

Not sure if I'm missing something obvious.  I have been know to make mistakes now and again.

jimp

There are other threads discussing that, this is just for the client export.

In short: There is also OpenSSL 1.0.1 under /usr/local/ and that is used for OpenVPN and others and that is vulnerable. It's not the end of the world unless you have things configured insecurely to begin with.

kejianshi

Ah - So it is the end of the world after all.
Thanks.

Jbmeth007

Tried to install the 1.2.5 package

pbi_add: Invalid file for usercheck!
of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!

Installation aborted.Removing package…

phil.davis

Must be just an issue with the 64-bit version.
OpenVPN Client Export 1.2.5 has installed fine on my 32-bit pfSense 2.1.2-RELEASE

kejianshi

I guess it wasn't the end of the world…  :o

I just hope someone didn't save 2+ years of the entire world's web traffic on a fat HDD to play back at their whim...

Noooooooooo biggie...    :-\

jimp

@Jbmeth007:

Tried to install the 1.2.5 package

pbi_add: Invalid file for usercheck!
of zip-3.0-amd64.pbi p7zip-9.20.1-amd64 failed!

Installation aborted.Removing package…

We're aware of that and working on a fix, I'll bump the version again once it's confirmed. It happened to one of mine on a 32-bit install also. Not certain why it's inconsistent but we have a potential fix in the works.

vitek

Is there a way to filter so no older versions of the clients are able to connect to the server?

jimp

Not that I'm aware of, at least not easily.

You might have one of the openvpn scripts that runs on connect dump all of $_ENV somewhere to see if the client version is passed to the server. If so a check could be coded in.

jimp

OK I'm not sure why/how but that usercheck error isn't actually from the PBI installing wrong or a problem with the PBI, it's something about the local filesystem still having some files left over from p7zip somehow.

This cleared it up for me (from the shell):

fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi
rm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/
pbi_add -f --no-checksig p7zip-9.20.1-i386.pbi

If you're on amd64:

fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi
rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi

And then I could reinstall the package from the GUI OK.

Jbmeth007

Interesting, i see the theory in this.

I'll try when i am local and let you know the outcome.

pdrass

This isn't working for me.  I've tried your solution but it's just not working.  From the command line is says success but from the GUI this is the result:

---

:1
Beginning package installation for OpenVPN Client Export Utility .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading OpenVPN Client Export Utility and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/8/All/zip-3.0-i386.pbi ...  [ repository]
(extracting)

Downloading https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi …  [ repository]
(extracting)
Loading package configuration… done.
Configuring package components...
Additional files... openvpn-client-export.tgz failed.
Removing package...
Starting package deletion for zip-3.0-i386...done.
Starting package deletion for p7zip-9.20.1-i386...done.
Removing OpenVPN Client Export Utility components...
Tabs items... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.

Installation halted.

---

:2

Shell:

I have to first use this command:  /etc/rc.conf_mount_rw

• Puts it into read / write otherwise I get a "read only" error.

---

/etc/rc.conf_mount_rw

fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-i386.pbi
p7zip-9.20.1-i386.pbi                        100% of  965 kB  436 kBps

rm -rf /var/db/pbi/installed/p7zip-9.20.1-i386/

pbi_add -f –no-checksig p7zip-9.20.1-i386.pbi
Verifying Checksum...OK
Extracting to: /usr/pbi/p7zip-i386
Installed: p7zip-9.20.1

---

:3

I then go back to the GUI:

System > Packages > OpenVPN Client Export Utility > + > Confirm >

Scroll back up to ":1" in this post.

…Failed to install package.

Installation halted.

---

Sigh…no OpenVPN  :(

jimp

You're getting a different error than others.

Additional files... openvpn-client-export.tgz failed.

In that step, it's trying to fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz

The file is there and downloads OK for me. If it doesn't for you, there could be something else blocking it (proxy, IDS/IPS, etc). It is a compressed file that contains windows executables and some IDS signatures would match that.

pdrass

I saw your same answer on another post and I just can't believe that.  So, what I did was MANUALLY make the calls and this is where I'm at - the packages are fetched.  I suspect it's having a difficult time actually extracting the packages where they go.

---

[2.1.2-RELEASE][root@pfs1.somedomain.local]/root(5): mount -o rw /dev/ufs/pfsense0

[2.1.2-RELEASE][root@pfs1.somedomain.local]/root(7): cd tmp

[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(8): ls
apkg_iperf-2.0.5-i386.pbi  apkg_zip-3.0-i386.pbi
apkg_p7zip-9.20.1-i386.pbi

[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(9): fetch https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz
openvpn-client-export.tgz                    100% of 3778 kB  438 kBps

[2.1.2-RELEASE][root@pfs1.somedomain.local]/root/tmp(10): ls
apkg_iperf-2.0.5-i386.pbi  apkg_zip-3.0-i386.pbi
apkg_p7zip-9.20.1-i386.pbi openvpn-client-export.tgz

---

So, now that we've established no proxies or antivirus scanners upstream are blocking anything what now?

Can I install it manually?

• By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

https://forum.pfsense.org/index.php?topic=12995.0

Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

• Note:  32 bit ALIX board install here
  ** Note:  I imported the config from a PC, I'm going to setup a brand new ALIX, same everything but a fresh install, re-setup manually with NO import.  I think the import dirtied up the config even though other packages like iperf seem to install, openvpn-export-utility doesn't seem to be installing, probably because it does more complex things than iperf eh?

I'll update the post with my results.

robi

@pdrass:

• By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

https://forum.pfsense.org/index.php?topic=12995.0

Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

Can't  be. The OpenVPN Client Export package installs perfectly on NanoBSD boxes. I have several of them.
Do you have enough free disk space?

phil.davis

• By the way, I'm on the embedded 32 bit version on an ALIX board with 3 ports wan,lan, opt.  Not sure it matters BUT I saw a post that one user posted saying not all packages on the web ui can be installed on embedded boxes:

https://forum.pfsense.org/index.php?topic=12995.0

Is that possibly my problem?  Do I need to trick the system into thinking it's not the embedded version then flip it back after the install?

OpenVPN Client Export Utility is a properly supported package on nanoBSD "embedded". There should be no need to trick the system into anything here. In fact, the available packages list on nanoBSD webGUI already has the unsupported packages filtered out.

Sorry, I have no clue what is the cause of your problem - I have installed this package on at least 4 32 bit Alix system running 2.1.2 with no trouble.

jimp

Is the file correct?

SHA256 (openvpn-client-export.tgz) = 288fe93bf33c596019b1dddf5400e49a8018457328ad0530df3a2a924a52fda1

If so, then it may be a disk space issue or similar. I have yet to see it fail on any other installation.

pdrass

FYI - my problem was fixed by doing a clean install.  I would think the backup and restore function in PFSense would be hardware agnostic but there must be something in there that's hardware specific thus taking the settings from a full intel pc to an alix board something was lost in translation.  Whatever it was broke the package installation for openvpn.

Weird, good thing I had a spare system on me ;-)

breusshe

@jimp:

If you're on amd64:

fetch https://files.pfsense.org/packages/8/All/p7zip-9.20.1-amd64.pbi
rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi

Need to update the amd64 instructions because the fetch path was not correct:

fetch https://files.pfsense.org/packages/amd64/8/All/p7zip-9.20.1-amd64.pbi
rm -rf /var/db/pbi/installed/p7zip-9.20.1-amd64/
pbi_add -f --no-checksig p7zip-9.20.1-amd64.pbi

I've used the above steps on my amd64 setup and they work once the URL path in the fetch command is corrected.

–
Brett Ussher

jimp

Thanks. I fixed my earlier post.

The URLs were right on the doc wiki though:
https://doc.pfsense.org/index.php/Pbi_add:_Invalid_file_for_usercheck

Jamerson

I've updated my current version, now it shows 1.2.8 !
but the post is about 1.2.5 is between the time been a new release?

thank you

jimp

It's actually 1.2.9 now. Any version 1.2.5 or later is fine for this issue.

Jamerson

@jimp:

It's actually 1.2.9 now. Any version 1.2.5 or later is fine for this issue.

I've noticed this too :) updated and all is working great
you guys are the best