Feature #12416

open

Support OpenVPN ``client-kill`` to terminate remote clients instead of clearing their session

Added by Viktor Gurov 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default

Description

Killing a user's remote access VPN session from the firewall through the pfSense GUI only works temporarily.
Less than a minute later the VPN will auto-connect itself again.

The problem is that openvpn_kill_client() uses the `kill` command, which terminates the client only on the server side.
To terminate the OpenVPN client on the remote side, the `client-kill {CID} HALT` command must be used:

Test:

# nc -U /var/etc/openvpn/server2/sock
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
client-kill 8 HALT
SUCCESS: client-kill command succeeded

client side result:

2021-10-01 09:16:47 SIGTERM[soft,exit-with-notification] received, process exiting

see also https://openvpn.net/community-resources/management-interface/
and list of messages: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/forward.c#L212
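
The manual `nc -U` test above, as an added Python sketch (not pfSense's code and not part of the merged patch): it reads `status 3` from the management socket, finds each session's CID via the HEADER row, and sends `client-kill {CID} HALT`, treating CID 0 as a valid client. The function names and sample status text are constructed for illustration, and the socket is assumed to have no management password.

```python
import socket

# Constructed `status 3` reply (tab-separated); not taken from the ticket.
SAMPLE_STATUS = (
    "HEADER\tCLIENT_LIST\tCommon Name\tReal Address\tVirtual Address\t"
    "Virtual IPv6 Address\tBytes Received\tBytes Sent\tConnected Since\t"
    "Connected Since (time_t)\tUsername\tClient ID\tPeer ID\tData Channel Cipher\r\n"
    "CLIENT_LIST\talice\t198.51.100.7:51820\t10.8.0.2\t\t3120\t4410\t"
    "2021-10-01 09:10:02\t1633079402\talice\t0\t0\tAES-256-GCM\r\n"
    "CLIENT_LIST\tbob\t203.0.113.9:40112\t10.8.0.3\t\t990\t1200\t"
    "2021-10-01 09:12:40\t1633079560\tbob\t8\t1\tAES-256-GCM\r\n"
    "END\r\n"
)

def client_ids(status_text):
    """Map common name -> list of CIDs, locating columns via the HEADER row."""
    cols, found = None, {}
    for line in status_text.splitlines():
        fields = line.split("\t")
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            cols = fields[1:]  # now aligned with CLIENT_LIST rows
        elif fields[0] == "CLIENT_LIST" and cols:
            row = dict(zip(cols, fields))
            if row.get("Client ID", "").isdigit():  # "0" is a valid CID
                found.setdefault(row["Common Name"], []).append(int(row["Client ID"]))
    return found

def kill_commands(status_text, common_name, message="HALT"):
    """Build one client-kill line per session of common_name (CID 0 included)."""
    return [f"client-kill {cid} {message}"
            for cid in client_ids(status_text).get(common_name, [])]

def mgmt_send(sock_path, command, timeout=5.0):
    """Send one command to the management Unix socket and return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        buf = b""
        while True:
            chunk = s.recv(4096)
            buf += chunk
            lines = buf.decode(errors="replace").splitlines()
            done = any(l == "END" or l.startswith(("SUCCESS:", "ERROR:")) for l in lines)
            if done or not chunk:
                return buf.decode(errors="replace")

def halt_client(sock_path, common_name):
    """Look up the client's CID(s) and send client-kill ... HALT for each."""
    status = mgmt_send(sock_path, "status 3")
    return [mgmt_send(sock_path, cmd) for cmd in kill_commands(status, common_name)]
```

On the firewall this would be called as `halt_client("/var/etc/openvpn/server2/sock", "bob")`, using the socket path from the test above.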

Actions #2

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions #3

Updated by Kris Phillips about 2 months ago

Customer in internal ticket 96721 tested this. Their results seem to be that this patch breaks the OpenVPN client kill function entirely.

Actions #4

Updated by Viktor Gurov about 2 months ago

Kris Phillips wrote in #note-3:

Customer in internal ticket 96721 tested this. Their results seem to be that this patch breaks the OpenVPN client kill function entirely.

They were using an old patch.
Current fix works as expected.

Just one small fix for cases where client_id=0:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/413

Actions #5

Updated by Max Leighton about 2 months ago

They were able to test that patch and confirmed it was working as expected.

Actions #6

Updated by Viktor Gurov about 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #7

Updated by Danilo Zrenjanin about 2 months ago

  • Status changed from Feedback to Resolved

Tested on the:

2.6.0-DEVELOPMENT (amd64)
built on Sat Oct 16 05:24:35 UTC 2021
FreeBSD 12.2-STABLE

Client gets "SIGTERM[soft,exit-with-notification] received, process exiting".

It works! Ticket resolved.

Actions #8

Updated by Jim Pingle about 1 month ago

  • Tracker changed from Bug to Feature
  • Subject changed from Killed remote openvpn client reconnects after a while to Support OpenVPN ``client-kill`` to terminate remote clients instead of clearing their session
  • Status changed from Resolved to Pull Request Review
  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01
  • Affected Version deleted (2.5.2)

The last fix PR hasn't been merged yet.

Actions #9

Updated by Viktor Gurov about 1 month ago

  • Status changed from Pull Request Review to Feedback

Merged
