Feature #12416

closed

Support OpenVPN ``client-kill`` to terminate remote clients instead of clearing their session

Added by Viktor Gurov 8 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default

Description

Killing a user's remote access VPN session from the firewall through the pfSense GUI only works temporarily.
Less than a minute later the VPN will auto-connect itself again.

The problem is that openvpn_kill_client() uses the `kill` command, which terminates the client only on the server side.
To terminate the OpenVPN client on the remote side, the `client-kill {CID} HALT` command must be used:

Test:

# nc -U /var/etc/openvpn/server2/sock
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
client-kill 8 HALT
SUCCESS: client-kill command succeeded

client side result:

2021-10-01 09:16:47 SIGTERM[soft,exit-with-notification] received, process exiting

see also https://openvpn.net/community-resources/management-interface/
and list of messages: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/forward.c#L212
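
The following is an added example, not part of the ticket and not pfSense's own code: a Python sketch of the same management-socket exchange that looks up a client's CID from `status 2` output and sends `client-kill {CID} HALT`. It assumes the socket has no management password and that the status output carries a `Client ID` column; the sample status text and the function names are constructed for illustration. Client ID 0 is treated as valid, since the thread mentions a fix for `client_id=0`.

```python
import socket

# Constructed `status 2` output (names and addresses are made up).
SAMPLE_STATUS = """\
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,alice,198.51.100.7:51820,10.0.8.2,,10234,20468,2021-10-01 09:00:01,1633078801,alice,0,0,AES-256-GCM
CLIENT_LIST,bob,203.0.113.9:40112,10.0.8.3,,5120,7300,2021-10-01 09:05:12,1633079112,bob,8,1,AES-256-GCM
END
"""

def client_ids(status_text):
    """Map common name -> client IDs, locating columns via the HEADER line."""
    cols, found = None, {}
    for line in status_text.splitlines():
        fields = line.strip().split(",")
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            cols = fields[1:]  # index-aligned with CLIENT_LIST rows
        elif fields[0] == "CLIENT_LIST" and cols:
            row = dict(zip(cols, fields))
            if row.get("Client ID", "").isdigit():
                found.setdefault(row["Common Name"], []).append(int(row["Client ID"]))
    return found

def client_kill_command(cid):
    """Build the command from the ticket; CID 0 is valid, so never test truthiness."""
    if isinstance(cid, bool) or not isinstance(cid, int) or cid < 0:
        raise ValueError(f"invalid client ID: {cid!r}")
    return f"client-kill {cid} HALT"

def halt_client(sock_path, common_name):
    """Send client-kill for every session of common_name; return server replies."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        mgmt = s.makefile("rw", newline="\n")
        def read_until(done):  # skips async ">" notifications such as >INFO
            lines = []
            for line in mgmt:
                if not line.startswith(">"):
                    lines.append(line.strip())
                    if done(lines[-1]):
                        break
            return lines
        print("status 2", file=mgmt, flush=True)
        status = "\n".join(read_until(lambda l: l == "END"))
        replies = []
        for cid in client_ids(status).get(common_name, []):
            print(client_kill_command(cid), file=mgmt, flush=True)
            replies += read_until(lambda l: l.startswith(("SUCCESS", "ERROR")))
        return replies
```

Calling `halt_client("/var/etc/openvpn/server2/sock", "bob")` against a live server would return the `SUCCESS:` or `ERROR:` lines the management interface sends back for each matching session.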


Related issues

Related to Regression #12817: PHP error when terminating OpenVPN sessions via the dashboard widget (Resolved, Viktor Gurov)

Actions #2

Updated by Jim Pingle 8 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions #3

Updated by Kris Phillips 8 months ago

Customer in internal ticket 96721 tested this. Their results seem to be that this patch breaks the OpenVPN client kill function entirely.

Actions #4

Updated by Viktor Gurov 8 months ago

Kris Phillips wrote in #note-3:

Customer in internal ticket 96721 tested this. Their results seem to be that this patch breaks the OpenVPN client kill function entirely.

They were using an old patch.
Current fix works as expected.

Just one small fix for cases where client_id=0:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/413

Actions #5

Updated by Max Leighton 8 months ago

They were able to test that patch and confirmed it was working as expected.

Actions #6

Updated by Viktor Gurov 7 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #7

Updated by Danilo Zrenjanin 7 months ago

  • Status changed from Feedback to Resolved

Tested on:

2.6.0-DEVELOPMENT (amd64)
built on Sat Oct 16 05:24:35 UTC 2021
FreeBSD 12.2-STABLE

Client gets "SIGTERM[soft,exit-with-notification] received, process exiting".

It works! Ticket resolved.

Actions #8

Updated by Jim Pingle 7 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from Killed remote openvpn client reconnects after a while to Support OpenVPN ``client-kill`` to terminate remote clients instead of clearing their session
  • Status changed from Resolved to Pull Request Review
  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01
  • Affected Version deleted (2.5.2)

The last fix PR hasn't been merged yet.

Actions #9

Updated by Viktor Gurov 7 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #10

Updated by Danilo Zrenjanin 5 months ago

  • Status changed from Feedback to Resolved

Tested again. This time against:

2.6.0-BETA (amd64)
built on Thu Dec 16 06:22:38 UTC 2021
FreeBSD 12.3-STABLE

Everything works fine. Ticket resolved.

Actions #11

Updated by Viktor Gurov 3 months ago

  • Related to Regression #12817: PHP error when terminating OpenVPN sessions via the dashboard widget added