0004186: VPN firewall "username" rules not applied when changing IP - MantisBT Endian Bugtracker
Endian Issue Tracker

ID: 0004186
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2011-10-13 14:40
Last Update: 2015-07-29 09:17
Assigned To:
Platform:
OS:
OS Version:
Product Version: 2.4.1
Target Version:
Fixed in Version:
Summary: 0004186: VPN firewall "username" rules not applied when changing IP
Description: If we have a user (connected as a VPN client) on our OpenVPN called, for example, "bob" and make a rule with restrictions based on the username, then if bob's IP changes, the rules (firewall restrictions) are no longer applied to him.

Somehow, the openvpn should realize this change and reupdate the iptables rules in order to block the new IP...


The best way to do this, in my opinion, and to make a permanent fix, is to restrict the MAC address with ebtables instead of restricting the IP.
Additional Information: This can be reproduced by changing the client IP manually.

-  Notes
lorenzo-endian (manager)
2011-10-14 13:01

Hey ardit!

The problem is that, at least on my PC, every time I disconnect and reconnect the VPN, my tap interface has a different MAC address, so we cannot use the MAC address as a solution. :(

Thanks a lot

ardit-endian (developer)
2011-10-14 15:20

Hi lo,

Yep, it was a quick thought; I forgot about the tap interface in the middle of the whole thing.

luca-endian (developer)
2011-11-17 14:37

The tap interface in OpenVPN has a random MAC address by default.
This behaviour can be changed if needed, and the MAC address can be statically defined.

peter-endian (administrator)
2011-11-17 14:51

What do you mean by bob's IP changes? If he manually changes the IP address assigned by the OpenVPN server?

Then yes, this will happen.

Otherwise, firewall scripts will resolve the assigned IP addresses for each OpenVPN username whenever the scripts are started.
If you start the firewall scripts manually, does this solve the problem?
Could it be that the firewalls somehow are not triggered anymore when a user connects to the OpenVPN server?

luca-endian (developer)
2011-11-17 15:08

I think iptables rules are changed automatically when a client connects/disconnects.
Can you change the IP provided by OpenVPN?

ardit-endian (developer)
2011-11-17 15:12

With bob it's meant the VPN user connected to our VPN; if he changes his IP manually, then he can browse without restrictions in the VPN network.

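
Added example, not part of the thread or of Endian's firewall scripts: one way to keep per-username rules from being sidestepped by a hand-configured address is to match only the addresses currently assigned to VPN users and drop every other source on the VPN interface. The "username ip" lease format, the chain names `VPN_SRC` and `VPNU_<username>`, and the interface `tap0` are assumptions.

```shell
#!/bin/sh
# Added example (not Endian code). Assumptions: leases arrive as "username ip"
# lines, per-user chains VPNU_<username> already hold the username rules, and
# the chain name VPN_SRC and the interface name are placeholders.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_vpn_rules IFACE: read leases on stdin, print iptables commands.
gen_vpn_rules() {
    iface=$1
    printf '%s\n' "iptables -N VPN_SRC"
    printf '%s\n' "iptables -A FORWARD -i $iface -j VPN_SRC"
    while read -r user ip rest; do
        # Usernames and addresses end up in a command line: reject anything
        # outside a strict allow-list instead of trying to escape it.
        case $user in ''|*[!A-Za-z0-9_.-]*) continue ;; esac
        [ ${#user} -le 20 ] || continue
        valid_ipv4 "$ip" || continue
        printf '%s\n' "iptables -A VPN_SRC -s $ip -j VPNU_$user"
    done
    # Fail closed: a source address that no user currently holds (for example
    # one a client configured by hand) is dropped rather than left unmatched.
    printf '%s\n' "iptables -A VPN_SRC -j DROP"
}

# Constructed sample leases; the last two lines are malformed on purpose.
SAMPLE_LEASES='bob 10.8.0.6
alice 10.8.0.10
bad;name 10.8.0.14
carol 10.8.0.999'

printf '%s\n' "$SAMPLE_LEASES" | gen_vpn_rules tap0
```

This covers the unassigned-address case from the report; it does not tell apart two clients that present the same assigned address.
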
Anonymous (viewer)
2015-07-29 09:17


- Issue History
Date Modified Username Field Change
2011-10-13 14:40 ardit-endian New Issue
2011-10-13 14:40 ardit-endian Tag Attached: purple
2011-10-13 14:42 ardit-endian Description Updated
2011-10-13 15:58 ardit-endian Summary VPN firewall "username" rules not applied when changin IP => VPN firewall "username" rules not applied when changing IP
2011-10-14 13:01 lorenzo-endian Note Added: 0007496
2011-10-14 15:20 ardit-endian Note Added: 0007497
2011-11-17 14:37 luca-endian Note Added: 0007540
2011-11-17 14:51 peter-endian Note Added: 0007541
2011-11-17 15:08 luca-endian Note Added: 0007545
2011-11-17 15:12 ardit-endian Note Added: 0007546
2015-07-29 09:17 Anonymous Note Added: 0008555
2015-07-29 09:17 Anonymous Status new => closed
2015-07-29 09:17 Anonymous Resolution open => fixed
