pfSense » pfSense Packages

Sorry, forgot the pre tags:

#!/bin/sh
#
# openvpn.attributes.sh
#
# part of pfSense (https://www.pfsense.org)
# Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

if [ "$script_type" = "client-connect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}." 
    if [ -f /tmp/$common_name ]; then
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes" 
    command="/sbin/pfctl -a 'openvpn/$common_name' -F rules" 
    eval $command
    /sbin/pfctl -k $ifconfig_pool_remote_ip
    /sbin/pfctl -K $ifconfig_pool_remote_ip
fi

exit 0

I just test your logger lines, it is really fun to get the result :

Dec 15 15:01:17    openvpn        User 'admin' at xx.xx.xx.xx disconnected on tunnel IP 192.168.3.1. Session duration 121 seconds. Server sent 5257892 bytes, rcvd 264893 bytes
Dec 15 14:59:17    openvpn        User 'admin' at xx.xx.xx.xx connected on tunnel IP 192.168.3.1.

Maybe the values can became really unfriendly to read for a human if they are very big : "Session duration xxx seconds" and "Server sent xxx bytes, rcvd xxx bytes"
I will test it for some days.

And just for information : OpenVPN client without "explicit-exit-notify" TRIG the client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh when inactivity timeout is detected

But it is trigged only after inactivity timeout is detected :

Dec 15 15:17:10    openvpn    25717    admin/xx.xx.xx.xx:55113 [admin] Inactivity timeout (--ping-restart), restarting

See also here:
https://redmine.pfsense.org/issues/9085

See my comment under https://redmine.pfsense.org/issues/9085. (Not 9805, sorry.)

I agree that the numbers could be hard to read. I hadn't had time to learn how to format them properly.

Forgot to mention that I have changed my connect logger line to:

logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} connected from tunnel IP ${ifconfig_pool_remote_ip}." 

and the disconnect to:

logger -4 -t openvpn "User '${common_name}' at ${trusted_ip} disconnected from tunnel IP ${ifconfig_pool_remote_ip}. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes" 

Thank you, i'll correct it.
I don't know where you find the "fucking manual" for these variables, if you got a link for that i would like to have it ;-)

If we need to format numbers, i'll find a way to do it.
I just wait my history grows and gives me more examples.

I wouldn't use ${bytes_sent} bytes or ${bytes_received} bytes

Run them through format_bytes() instead

As for TFM, it's all in the OpenVPN man page specifically the section labeled "Environmental Variables" near the end. If you search the page for "bytes_received" you'll skip right to it.

Thank you very much Jim for your reply.
I can play with these variables now.

I'll post a feedback later about it and bytes format too.

I just :
- add the format_byte to bytes values
- add the duration time
- change format to be like others "openvpn standard" log lines

For "duration friendly format" a format_duration function is needed,
so i create my own utils for that. :

<?php 

function format_duration($seconds){
        $days = floor($seconds / 86400);
        $hours = floor($seconds % 86400 / 3600);
        $mins = floor($seconds / 60 % 60);
        $secs = floor($seconds % 60);
        $timeFormat = sprintf('%02d:%02d:%02d', $hours, $mins, $secs);

        return $days ? "${days}d, $timeFormat" : $timeFormat;
}

?>

I also change $common_name for $username because sometimes it was printing my domain name and not the user.

Finaly :

        b_sent=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_sent});"`
        b_received=`php -r "require '/etc/inc/util.inc'; echo format_bytes(${bytes_received});"`
        t_duration=`php -r "require '/root/myutils.inc'; echo format_duration(${time_duration});"`
        logger -t openvpn "${username}/${trusted_ip}:${trusted_port} disconnected from ${ifconfig_pool_remote_ip}. Server sent ${b_sent}, rcvd ${b_received}. Duration ${t_duration}" 

The connect logger is not necessary, because open vpn got similary one.
But, FYI, i use it only for debug purpose. Because i ever experinced some mtu problems, i just add the mtu_link value :

        logger -t openvpn "${username}/${trusted_ip}:${trusted_port} connected on ${ifconfig_pool_remote_ip} with mtu ${link_mtu}." 

The results looks good :

Dec 22 01:16:53    openvpn        admin/xx.xx.xx.xx:52346 disconnected from 192.168.3.2. Server sent 15.40 MiB, rcvd 2.87 MiB. Duration 00:16:45
Dec 22 01:00:08    openvpn        admin/xx.xx.xx.xx:52346 connected on 192.168.3.2 with mtu 1622.

We already have a time conversion function :-)

convert_seconds_to_dhms()

Thank you everyone.

I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.

I've seen that domain name instead of username as well. Only the once, though, and I couldn't reproduce it.

The sent/rcvd number formatting is great. I was only thinking of injecting commas but, yes, very large numbers could still be hard to read. The MTU value could be useful for troubleshooting.

Perhaps this should be marked "Not a bug" and closed. Apologies for cluttering up Redmine. At least this is here for anyone that might want something similar.

Hooo Thank you Jim !
I didn't know convert_seconds_to_dhms() exist, this is exactly what i was looking for.
(i really need to go deeper in the pfsense sources)

Phil Biggs wrote:

I dropped the session duration out of my log records. It didn't seem to provide any added value over the syslog timestamps.

I only add duration because i am a too lazy guy to calculate it from timestamps ;-)

We effectively should close this ticket, and maybe if this feature can help, it could be added later in a PR for a next realease.