
Check bind port before assign vpn sstp
Closed, Resolved | Public | BUG

Description

Check that the vpn sstp bind port (default 443) is not bound to another service.
We have done a similar check for http api and openconnect, T4597.

To reproduce, add service HTTP, commit, and then add sstp:

set service https api gql
set service https api keys id KID key 'foo'
set service https api socket
commit

Ports:

vyos@r14# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6347/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      6347/nginx: master  
[edit]
vyos@r14#

Add sstp and recheck ports (expecting service accel-pppd but we see nginx)

set vpn sstp authentication local-users username test password 'test'
set vpn sstp authentication mode 'local'
set vpn sstp client-ip-pool subnet '192.168.170.0/24'
set vpn sstp gateway-address '192.0.2.1'
set vpn sstp ssl ca-certificate 'ca-ocserv'
set vpn sstp ssl certificate 'srv-ocserv'
commit


vyos@r14# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6347/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      6347/nginx: master  
[edit]
vyos@r14#

So we should check that the port is not bound to another service before commit, as the expected service for sstp is accel-pppd:

vyos@r14# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7174/accel-pppd     
[edit]
vyos@r14#
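As an added illustration of the check this task asks for (this is not the code from the VyOS PR), the snippet below parses `netstat -tulpn` output in the layout shown above and reports a conflict when the port is held by anything other than the expected daemon; the sample lines are constructed from this page's output, and the function and regex names are assumptions.

```python
import re
from typing import Iterator, Optional, Tuple

# Constructed samples, modelled on the `netstat -tulpn` lines shown in this task.
NETSTAT_NGINX = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6347/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      6347/nginx: master
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1234/ntpd
"""
NETSTAT_ACCEL = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7174/accel-pppd
"""

# One netstat socket line: proto, Recv-Q, Send-Q, local, foreign, [LISTEN], pid/program.
LINE_RE = re.compile(
    r'^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)'
)


def listeners(netstat_output: str) -> Iterator[Tuple[str, int, int, str]]:
    """Yield (proto, port, pid, program) for every socket line; header lines are skipped."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = m.group('proto').rstrip('6')              # tcp6 -> tcp
        port = int(m.group('local').rsplit(':', 1)[1])    # ':::443' -> 443
        prog = m.group('prog').rstrip(':')                # 'nginx:' -> 'nginx'
        yield proto, port, int(m.group('pid')), prog


def port_conflict(netstat_output: str, port: int, proto: str = 'tcp',
                  expected: str = 'accel-pppd') -> Optional[str]:
    """Return the commit error text if port/proto is held by a process other than
    `expected` (which may already own it from an earlier commit), else None."""
    for p, prt, _pid, prog in listeners(netstat_output):
        if p == proto and prt == port and prog != expected:
            return f'"{proto}" port "{port}" is used by another service'
    return None


if __name__ == '__main__':
    print(port_conflict(NETSTAT_NGINX, 443))   # nginx holds 443 -> error text
    print(port_conflict(NETSTAT_ACCEL, 443))   # accel-pppd holds it -> None
```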

Details

Difficulty level: Easy (less than an hour)
Version: VyOS 1.4-rolling-202208220217
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav changed the task status from Open to In progress. Aug 25 2022, 10:25 AM
Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/1496

vyos@r14# commit
[ vpn sstp ]
"tcp" port "443" is used by another service

[[vpn sstp]] failed
Commit failed
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9834/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      9834/nginx: master  
[edit]
vyos@r14#
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.