
Feature #9085

OpenVPN connect/disconnect scripts

Added by Phil Biggs 5 months ago. Updated 3 months ago.

Status: New
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 10/31/2018
Due date:
% Done: 0%
Estimated time:

Description

I'm running pfSense 2.4.4 and the Windows openVPN 2.4.6 client.

I was trying to get the openVPN server to log useful connect and (more importantly) disconnect data by creating two shell scripts.
(I'm no scripting expert and /usr/local/www was just somewhere to put these for testing).

ovpn-connect.sh:

#!/bin/sh
# client-connect hook: OpenVPN exports common_name, trusted_ip and
# ifconfig_local into the environment before running this script.
logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} authenticated. Tunnel IP ${ifconfig_local} opened."
exit 0

and ovpn-disconnect.sh:

#!/bin/sh
# client-disconnect hook: time_duration, bytes_sent and bytes_received
# are only available to the disconnect script.
logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} disconnected. Tunnel IP ${ifconfig_local} closed. Session duration(s):${time_duration}. Server bytes sent/rcvd: ${bytes_sent}/${bytes_received}"
exit 0

I added the following to VPN>OpenVPN>Servers>Advanced Configuration>Custom options.

script-security 2;client-connect /usr/local/www/ovpn-connect.sh;client-disconnect /usr/local/www/ovpn-disconnect.sh;

All works as I hoped but, when starting the OpenVPN server, I noticed these error messages:

Multiple -client-disconnect scripts defined. The previously configured script is overridden
Multiple -client-connect scripts defined. The previously configured script is overridden

These errors don't seem to have any impact on connection or disconnection, but I went looking to find the generated OpenVPN server config file, /var/etc/openvpn/server1.config. The two lines being overridden by my scripts are:

client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh

However, I also noticed that the exported client config file doesn't contain "explicit-exit-notify".
I believe that without that option, a client-disconnect script won't be called.

a. To ensure execution of the default disconnect script, should "explicit-exit-notify" be added as a default config entry for exported clients?

b. Could the expanded connect and disconnect information be added as a default for logging?
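An added example, not from this issue or from pfSense's own openvpn.attributes.sh: a single hook script that can be configured as both client-connect and client-disconnect, using the script_type variable OpenVPN sets to tell the two calls apart. It reports missing values as "unknown" (a keepalive-timeout disconnect should still get a record), strips control characters from certificate-derived fields before they reach syslog, and logs the client's pool address (ifconfig_pool_remote_ip) rather than the server's ifconfig_local.

```shell
#!/bin/sh
# Added example (not pfSense's openvpn.attributes.sh): one hook script that
# serves as both client-connect and client-disconnect, logging via logger(1).
# OpenVPN exports script_type, common_name, trusted_ip, ifconfig_pool_remote_ip,
# time_duration, bytes_sent and bytes_received into the hook's environment.
# Requires "script-security 2" in the server config.

# Strip control characters from a value before logging. common_name comes
# from the client certificate, so it must not be allowed to inject newlines
# or terminal escapes into the syslog line.
ovpn_sanitize() {
    printf '%s' "${1:-unknown}" | tr -d '\000-\037\177'
}

# Build the log message for the current hook type from the environment.
# Missing values are reported as "unknown" so a keepalive-timeout disconnect
# still produces a usable record. Returns 1 for an unexpected script_type.
ovpn_log_message() {
    cn=$(ovpn_sanitize "$common_name")
    peer=$(ovpn_sanitize "$trusted_ip")
    tun=$(ovpn_sanitize "$ifconfig_pool_remote_ip")
    case "${script_type:-}" in
        client-connect)
            printf "User '%s' at %s authenticated. Tunnel IP %s opened." \
                "$cn" "$peer" "$tun"
            ;;
        client-disconnect)
            printf "User '%s' at %s disconnected. Tunnel IP %s closed. Session duration(s): %s. Server bytes sent/rcvd: %s/%s" \
                "$cn" "$peer" "$tun" "${time_duration:-unknown}" \
                "${bytes_sent:-unknown}" "${bytes_received:-unknown}"
            ;;
        *)
            printf "unexpected script_type '%s'" "$(ovpn_sanitize "$script_type")"
            return 1
            ;;
    esac
}

# Entry point when OpenVPN runs the script: log, then always exit 0 so a
# logging problem never makes the client-connect hook reject the client.
ovpn_hook_main() {
    msg=$(ovpn_log_message) || true
    logger -t openvpn "$msg"
    exit 0
}

# Only act when invoked by OpenVPN (script_type is set); this lets the
# functions be sourced and checked without writing to syslog.
if [ -n "${script_type:-}" ]; then
    ovpn_hook_main
fi
```

Point both the client-connect and client-disconnect custom options at this one file; OpenVPN still prints the "previously configured script is overridden" warning if pfSense's default hooks are also present.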

History

#1 Updated by Pippin MMD 4 months ago

"I believe that without that option, a client-disconnect script won't be called."

After the time-out determined by keepalive 10 60 it should run.

#2 Updated by Phil Biggs 3 months ago

I think you're correct but I guess I didn't wait long enough for the keepalive timer to expire.

In testing this, it looked like my Windows client had to stop responding before the timer expired.

So, just waiting for keepalive to expire does seem to create a log record but it can be quite some time after a client has deliberately disconnected and no explicit-exit-notify is in place.

#3 Updated by Pippin MMD 3 months ago

The default for pfS is keepalive 10 60 on server side and will be automatically pushed to clients.

Please see "--keepalive interval timeout" in OpenVPN manual 2.4:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
