Bug #9108 (closed)
OpenVPN client without "explicit-exit-notify" does not trigger client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh
Description
In relation to Feature Request #9805, to avoid overriding the default client-connect/client-disconnect script, I relocated my logger calls from my own scripts to the appropriate places in /usr/local/sbin/openvpn.attributes.sh.
I have verified that, without explicit-exit-notify in the client configuration file, the client-disconnect portion of openvpn.attributes.sh is not executed. With explicit-exit-notify in place it will be executed.
This doesn't seem to have any impact on disconnection, but it looks like the client-disconnect portion of the script is concerned with flushing the states from pf.
My version of openvpn.attributes.sh:
    if [ "$script_type" = "client-connect" ]; then
        logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}."
        # $1 is the per-client config file OpenVPN passes to client-connect
        if [ -f "/tmp/$common_name" ]; then
            /bin/cat "/tmp/$common_name" > "$1"
            /bin/rm "/tmp/$common_name"
        fi
    elif [ "$script_type" = "client-disconnect" ]; then
        logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
        # flush this client's pf anchor rules, then kill its states
        command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
        eval $command
        /sbin/pfctl -k "$ifconfig_pool_remote_ip"
        /sbin/pfctl -K "$ifconfig_pool_remote_ip"
    fi
    exit 0
Updated by Phil Biggs about 6 years ago
Sorry, forgot the pre tags:
    #!/bin/sh
    #
    # openvpn.attributes.sh
    #
    # part of pfSense (https://www.pfsense.org)
    # Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
    # All rights reserved.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    # http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    if [ "$script_type" = "client-connect" ]; then
        logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}."
        if [ -f "/tmp/$common_name" ]; then
            /bin/cat "/tmp/$common_name" > "$1"
            /bin/rm "/tmp/$common_name"
        fi
    elif [ "$script_type" = "client-disconnect" ]; then
        logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
        command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
        eval $command
        /sbin/pfctl -k "$ifconfig_pool_remote_ip"
        /sbin/pfctl -K "$ifconfig_pool_remote_ip"
    fi
    exit 0
Updated by Joshua Sign about 6 years ago
I just tested your logger lines; it is really fun to get the result:
Dec 15 15:01:17 openvpn User 'admin' at xx.xx.xx.xx disconnected on tunnel IP 192.168.3.1. Session duration 121 seconds. Server sent 5257892 bytes, rcvd 264893 bytes
Dec 15 14:59:17 openvpn User 'admin' at xx.xx.xx.xx connected on tunnel IP 192.168.3.1.
Maybe the values can become really unfriendly for a human to read if they are very big: "Session duration xxx seconds" and "Server sent xxx bytes, rcvd xxx bytes"
I will test it for some days.
Updated by Joshua Sign about 6 years ago
And just for information: an OpenVPN client without "explicit-exit-notify" DOES TRIGGER the client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh when an inactivity timeout is detected.
But it is triggered only after the inactivity timeout is detected:
Dec 15 15:17:10 openvpn 25717 admin/xx.xx.xx.xx:55113 [admin] Inactivity timeout (--ping-restart), restarting
Updated by Pippin MMD about 6 years ago
See also here:
https://redmine.pfsense.org/issues/9085
Updated by Phil Biggs about 6 years ago
See my comment under https://redmine.pfsense.org/issues/9085. (Not 9805, sorry.)
I agree that the numbers could be hard to read. I hadn't had time to learn how to format them properly.
Updated by Phil Biggs about 6 years ago
Forgot to mention that I have changed my connect logger line to:
logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} connected from tunnel IP ${ifconfig_pool_remote_ip}."
and the disconnect to:
logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} disconnected from tunnel IP ${ifconfig_pool_remote_ip}. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
${ifconfig_local} wasn't the correct variable for my purposes.
Updated by Joshua Sign about 6 years ago
Thank you, I'll correct it.
I don't know where to find the "fucking manual" for these variables; if you have a link for it I would like to have it ;-)
If we need to format numbers, I'll find a way to do it.
I'll just wait until my history grows and gives me more examples.
Updated by Jim Pingle about 6 years ago
I wouldn't use ${bytes_sent} bytes
or ${bytes_received} bytes
Run them through format_bytes() instead
As for TFM, it's all in the OpenVPN man page, specifically the section labeled "Environmental Variables" near the end. If you search the page for "bytes_received" you'll skip right to it.
Updated by Joshua Sign about 6 years ago
Thank you very much Jim for your reply.
I can play with these variables now.
I'll post a feedback later about it and bytes format too.
Updated by Joshua Sign about 6 years ago
I just:
- added format_bytes to the byte values
- added the duration time
- changed the format to be like the other "openvpn standard" log lines
For a "duration friendly format" a format_duration function is needed,
so I created my own utils for that:
    <?php
    // Format a number of seconds as [Nd, ]HH:MM:SS
    function format_duration($seconds) {
        $days  = floor($seconds / 86400);
        $hours = floor($seconds % 86400 / 3600);
        $mins  = floor($seconds / 60 % 60);
        $secs  = floor($seconds % 60);
        $timeFormat = sprintf('%02d:%02d:%02d', $hours, $mins, $secs);
        return $days ? "{$days}d, $timeFormat" : $timeFormat;
    }
    ?>
I also changed $common_name to $username because sometimes it was printing my domain name and not the user.
Finally:
    # pfSense's format_bytes() and my own format_duration() via php -r
    b_sent=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_sent});"`
    b_received=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_received});"`
    t_duration=`php -r "require '/root/myutils.inc'; echo format_duration(${time_duration});"`
    logger -t openvpn "${username}/${trusted_ip}:${trusted_port} disconnected from ${ifconfig_pool_remote_ip}. Server sent ${b_sent}, rcvd ${b_received}. Duration ${t_duration}"
The connect logger is not necessary, because OpenVPN has a similar one.
But, FYI, I use it only for debugging purposes. Because I have experienced some MTU problems, I just added the link_mtu value:
    logger -t openvpn "${username}/${trusted_ip}:${trusted_port} connected on ${ifconfig_pool_remote_ip} with mtu ${link_mtu}."
The results look good:
Dec 22 01:16:53 openvpn admin/xx.xx.xx.xx:52346 disconnected from 192.168.3.2. Server sent 15.40 MiB, rcvd 2.87 MiB. Duration 00:16:45
Dec 22 01:00:08 openvpn admin/xx.xx.xx.xx:52346 connected on 192.168.3.2 with mtu 1622.
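As an added example (not code from the post above and not pfSense's own script), the same disconnect line built with pure-sh equivalents of format_bytes()/format_duration(), so the client-disconnect hook needs no php -r round-trips. It assumes only the environment variables OpenVPN exports to the hook (the man page section Jim cites) and the logger command already used in the thread.

```shell
#!/bin/sh
# Added example, not pfSense's openvpn.attributes.sh: pure-sh helpers that
# format the OpenVPN client-disconnect environment (bytes_sent,
# bytes_received, time_duration) and build the syslog line from it.

# Format a byte count as B/KiB/MiB/GiB/TiB with two decimals.
format_bytes() {
    awk -v b="$1" 'BEGIN {
        split("B KiB MiB GiB TiB", u, " "); i = 1
        while (b >= 1024 && i < 5) { b /= 1024; i++ }
        if (i == 1) printf "%d B", b; else printf "%.2f %s", b, u[i]
    }'
}

# Format seconds as [Nd, ]HH:MM:SS (same layout as the PHP format_duration()).
format_duration() {
    d=$(( $1 / 86400 )); h=$(( $1 % 86400 / 3600 ))
    m=$(( $1 / 60 % 60 )); s=$(( $1 % 60 ))
    t=$(printf '%02d:%02d:%02d' "$h" "$m" "$s")
    if [ "$d" -gt 0 ]; then printf '%dd, %s' "$d" "$t"; else printf '%s' "$t"; fi
}

# Build the disconnect message. username is empty for cert-only clients, so
# fall back to common_name. Every expansion is quoted because these values
# originate from the peer (its certificate CN or login name).
disconnect_line() {
    who="${username:-$common_name}"
    printf '%s/%s:%s disconnected from %s. Server sent %s, rcvd %s. Duration %s' \
        "$who" "$trusted_ip" "$trusted_port" "$ifconfig_pool_remote_ip" \
        "$(format_bytes "${bytes_sent:-0}")" \
        "$(format_bytes "${bytes_received:-0}")" \
        "$(format_duration "${time_duration:-0}")"
}

# Only write to syslog when OpenVPN actually invoked this as the disconnect hook.
if [ "$script_type" = "client-disconnect" ]; then
    logger -t openvpn "$(disconnect_line)"
fi
```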
Updated by Jim Pingle about 6 years ago
We already have a time conversion function :-)
Updated by Phil Biggs about 6 years ago
Thank you everyone.
I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.
I've seen that domain name instead of username as well. Only the once, though, and I couldn't reproduce it.
The sent/rcvd number formatting is great. I was only thinking of injecting commas but, yes, very large numbers could still be hard to read. The MTU value could be useful for troubleshooting.
Perhaps this should be marked "Not a bug" and closed. Apologies for cluttering up Redmine. At least this is here for anyone that might want something similar.
Updated by Joshua Sign about 6 years ago
Hooo, thank you Jim!
I didn't know convert_seconds_to_dhms() existed; this is exactly what I was looking for.
(I really need to go deeper into the pfSense sources)
Phil Biggs wrote:
I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.
I only added the duration because I am too lazy a guy to calculate it from timestamps ;-)
We should effectively close this ticket, and maybe, if this feature can help, it could be added later in a PR for a next release.