0004186: VPN firewall "username" rules not applied when changing IP - MantisBT
MantisBT - Endian Firewall
ID: 0004186
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2011-10-13 14:40
Last Update: 2015-07-29 09:17
Reporter: ardit-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Version: 2.4.1
Summary: 0004186: VPN firewall "username" rules not applied when changing IP

Description:
If we have a user (connected as a VPN client) on our OpenVPN called e.g. "bob" and make a rule with restrictions based on the username, then if bob's IP changes, the rules (firewall restrictions) are no longer applied to him.

Somehow, OpenVPN should notice this change and update the iptables rules again in order to block the new IP...

OR

The best way to do this in my opinion, and to make a permanent fix for this, is instead of restricting the IP to restrict the MAC address with ebtables.
This can be reproduced by changing the client IP manually.

Tags: purple
Issue History
2011-10-13 14:40 | ardit-endian | New Issue
2011-10-13 14:40 | ardit-endian | Tag Attached: purple
2011-10-13 14:42 | ardit-endian | Description Updated
2011-10-13 15:58 | ardit-endian | Summary: VPN firewall "username" rules not applied when changin IP => VPN firewall "username" rules not applied when changing IP
2011-10-14 13:01 | lorenzo-endian | Note Added: 0007496
2011-10-14 15:20 | ardit-endian | Note Added: 0007497
2011-11-17 14:37 | luca-endian | Note Added: 0007540
2011-11-17 14:51 | peter-endian | Note Added: 0007541
2011-11-17 15:08 | luca-endian | Note Added: 0007545
2011-11-17 15:12 | ardit-endian | Note Added: 0007546
2015-07-29 09:17 | Anonymous | Note Added: 0008555
2015-07-29 09:17 | Anonymous | Status: new => closed
2015-07-29 09:17 | Anonymous | Resolution: open => fixed

Notes
(0007496) lorenzo-endian, 2011-10-14 13:01
Hey ardit!

The problem is that, at least on my PC, every time I disconnect and reconnect the VPN, my tap interface has a different MAC address, so we cannot use the MAC address as a solution. :(

Thanks a lot

Lo
(0007497) ardit-endian, 2011-10-14 15:20
Hi lo,

Yep, it was a quick thought; I forgot about the tap interface in the middle of the whole thing.
(0007540) luca-endian, 2011-11-17 14:37
The tap interface in OpenVPN has a random MAC address by default.
This behaviour can be changed if needed, and the MAC address can be statically defined.
(0007541) peter-endian, 2011-11-17 14:51
What do you mean by "bob's IP changes"? If he manually changes the IP address assigned by the OpenVPN server?

Then yes, this will happen.

Otherwise, the firewall scripts will resolve the assigned IP addresses for each OpenVPN username whenever the scripts are started.
If you start the firewall scripts manually, does this solve the problem?
Could it be that the firewall scripts somehow are not triggered anymore when a user connects to the OpenVPN server?
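The check peter-endian describes above (the firewall scripts resolve each username's assigned address when they run) leaves a window in which a rule is bound to an address the user no longer holds. The following is an added example, not Endian's firewall script: it parses OpenVPN's default (version 1) status file, which lists the virtual address currently learned for each common name, and reports users whose live address differs from the one the rules were generated for. The status text and the rule snapshot are constructed sample data.

```python
# Added example, not Endian's firewall script: detect drift between the
# address a username rule was generated for and the address OpenVPN now
# reports for that user. Assumes the default (version 1) status-file layout;
# the status text and rule snapshot below are constructed.

STATUS_SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Thu Oct 13 14:40:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
bob,203.0.113.5:1194,12345,67890,Thu Oct 13 14:00:00 2011
alice,198.51.100.7:1194,222,333,Thu Oct 13 14:10:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,bob,203.0.113.5:1194,Thu Oct 13 14:39:00 2011
10.8.0.10,alice,198.51.100.7:1194,Thu Oct 13 14:38:00 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Addresses the per-username rules were rendered with when the script last ran.
RULE_SNAPSHOT = {"bob": "10.8.0.9", "alice": "10.8.0.10", "carol": "10.8.0.14"}


def parse_routing_table(status_text):
    """Map common name -> virtual address (IPv4 in tun mode, MAC in tap mode)."""
    assignments, in_table = {}, False
    for line in status_text.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
        elif in_table and line in ("GLOBAL STATS", "END"):
            break
        elif in_table and not line.startswith("Virtual Address,"):
            fields = line.split(",")
            if len(fields) >= 2:
                assignments[fields[1]] = fields[0]
    return assignments


def stale_rules(rule_snapshot, assignments):
    """Users whose rule address differs from the live one (None = no session)."""
    return {user: (addr, assignments.get(user))
            for user, addr in rule_snapshot.items()
            if assignments.get(user) != addr}


if __name__ == "__main__":
    live = parse_routing_table(STATUS_SAMPLE)
    for user, (old, new) in stale_rules(RULE_SNAPSHOT, live).items():
        print(f"{user}: rule bound to {old}, OpenVPN now reports {new}")
```

A non-empty result is the signal to re-run the firewall scripts; a client that changes its address by hand on the tap side does not show up here, since the server never assigned that address.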
(0007545) luca-endian, 2011-11-17 15:08
I think the iptables rules are changed automatically when a client connects/disconnects.
Can you change the IP provided by OpenVPN?
(0007546) ardit-endian, 2011-11-17 15:12
By "bob" I mean the VPN user connected to our VPN; if he changes his IP manually, then he can browse without restrictions in the VPN network.
(0008555) Anonymous, 2015-07-29 09:17
a