Project

General

Profile

Bug #9108

OpenVPN client without "explicit-exit-notify" does not trigger client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh

Added by Phil Biggs 2 months ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
11/12/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:

Description

In relation to Feature Request #9805, to avoid overriding the default client-connect/client-disconnect script I relocated my logger calls from my own scripts to the appropriate places in /usr/local/sbin/openvpn.attributes.sh

I have verified that, without explicit-exit-notify in the client configuration file, the client-disconnect portion of openvpn.attributes.sh is not executed. With explicit-exit-notify in place it will be executed.

This doesn't seem to have any impact on disconnection but it looks like the client-disconnect portion of the script is concerned with flushing the states from pf.

My version of openvpn.attributes.sh:

if [ "$script_type" = "client-connect" ]; then
logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}."
if [ -f /tmp/$common_name ]; then
/bin/cat /tmp/$common_name > $1
/bin/rm /tmp/$common_name
fi
elif [ "$script_type" = "client-disconnect" ]; then
logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
eval $command
/sbin/pfctl -k $ifconfig_pool_remote_ip
/sbin/pfctl -K $ifconfig_pool_remote_ip
fi

exit 0

History

#1 Updated by Phil Biggs 2 months ago

Sorry, forgot the pre tags:

#!/bin/sh
#
# openvpn.attributes.sh
#
# part of pfSense (https://www.pfsense.org)
# Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

if [ "$script_type" = "client-connect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}." 
    if [ -f /tmp/$common_name ]; then
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes" 
    command="/sbin/pfctl -a 'openvpn/$common_name' -F rules" 
    eval $command
    /sbin/pfctl -k $ifconfig_pool_remote_ip
    /sbin/pfctl -K $ifconfig_pool_remote_ip
fi

exit 0

#2 Updated by Joshua Sign about 1 month ago

I just test your logger lines, it is really fun to get the result :

Dec 15 15:01:17    openvpn        User 'admin' at xx.xx.xx.xx disconnected on tunnel IP 192.168.3.1. Session duration 121 seconds. Server sent 5257892 bytes, rcvd 264893 bytes
Dec 15 14:59:17    openvpn        User 'admin' at xx.xx.xx.xx connected on tunnel IP 192.168.3.1.

Maybe the values can became really unfriendly to read for a human if they are very big : "Session duration xxx seconds" and "Server sent xxx bytes, rcvd xxx bytes"
I will test it for some days.

#3 Updated by Joshua Sign about 1 month ago

And just for information : OpenVPN client without "explicit-exit-notify" TRIG the client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh when inactivity timeout is detected

But it is trigged only after inactivity timeout is detected :

Dec 15 15:17:10    openvpn    25717    admin/xx.xx.xx.xx:55113 [admin] Inactivity timeout (--ping-restart), restarting

#5 Updated by Phil Biggs about 1 month ago

See my comment under https://redmine.pfsense.org/issues/9085. (Not 9805, sorry.)

I agree that the numbers could be hard to read. I hadn't had time to learn how to format them properly.

#6 Updated by Phil Biggs about 1 month ago

Forgot to mention that I have changed my connect logger line to:

logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} connected from tunnel IP ${ifconfig_pool_remote_ip}." 

and the disconnect to:

logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} disconnected from tunnel IP ${ifconfig_pool_remote_ip}. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes" 

${ifconfig_local} wasn't the correct variable for my purposes.

#7 Updated by Joshua Sign about 1 month ago

Thank you, i'll correct it.
I don't know where you find the "fucking manual" for these variables, if you got a link for that i would like to have it ;-)

If we need to format numbers, i'll find a way to do it.
I just wait my history grows and gives me more examples.

#8 Updated by Jim Pingle about 1 month ago

I wouldn't use ${bytes_sent} bytes or ${bytes_received} bytes

Run them through format_bytes() instead

As for TFM, it's all in the OpenVPN man page specifically the section labeled "Environmental Variables" near the end. If you search the page for "bytes_received" you'll skip right to it.

#9 Updated by Joshua Sign about 1 month ago

Thank you very much Jim for your reply.
I can play with these variables now.

I'll post a feedback later about it and bytes format too.

#10 Updated by Joshua Sign about 1 month ago

I just :
- add the format_byte to bytes values
- add the duration time
- change format to be like others "openvpn standard" log lines

For "duration friendly format" a format_duration function is needed,
so i create my own utils for that. :

<?php 

function format_duration($seconds){
        $days = floor($seconds / 86400);
        $hours = floor($seconds % 86400 / 3600);
        $mins = floor($seconds / 60 % 60);
        $secs = floor($seconds % 60);
        $timeFormat = sprintf('%02d:%02d:%02d', $hours, $mins, $secs);

        return $days ? "${days}d, $timeFormat" : $timeFormat;
}

?>

I also change $common_name for $username because sometimes it was printing my domain name and not the user.

Finaly :

        b_sent=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_sent});"`
        b_received=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_received});"`
        t_duration=`php -r "require '/root/myutils.inc'; echo format_duration(${time_duration});"`
        logger -t openvpn "${username}/${trusted_ip}:${trusted_port} disconnected from ${ifconfig_pool_remote_ip}. Server sent ${b_sent}, rcvd ${b_received}. Duration ${t_duration}" 

The connect logger is not necessary, because open vpn got similary one.
But, FYI, i use it only for debug purpose. Because i ever experinced some mtu problems, i just add the mtu_link value :

        logger -t openvpn "${username}/${trusted_ip}:${trusted_port} connected on ${ifconfig_pool_remote_ip} with mtu ${link_mtu}." 

The results looks good :

Dec 22 01:16:53    openvpn        admin/xx.xx.xx.xx:52346 disconnected from 192.168.3.2. Server sent 15.40 MiB, rcvd 2.87 MiB. Duration 00:16:45
Dec 22 01:00:08    openvpn        admin/xx.xx.xx.xx:52346 connected on 192.168.3.2 with mtu 1622.

#11 Updated by Jim Pingle about 1 month ago

We already have a time conversion function :-)

convert_seconds_to_dhms()

#12 Updated by Phil Biggs about 1 month ago

Thank you everyone.

I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.

I've seen that domain name instead of username as well. Only the once, though, and I couldn't reproduce it.

The sent/rcvd number formatting is great. I was only thinking of injecting commas but, yes, very large numbers could still be hard to read. The MTU value could be useful for troubleshooting.

Perhaps this should be marked "Not a bug" and closed. Apologies for cluttering up Redmine. At least this is here for anyone that might want something similar.

#13 Updated by Joshua Sign about 1 month ago

Hooo Thank you Jim !
I didn't know convert_seconds_to_dhms() exist, this is exactly what i was looking for.
(i really need to go deeper in the pfsense sources)

Phil Biggs wrote:

I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.

I only add duration because i am a too lazy guy to calculate it from timestamps ;-)

We effectively should close this ticket, and maybe if this feature can help, it could be added later in a PR for a next realease.

Also available in: Atom PDF