Bug #9108

closed

OpenVPN client without "explicit-exit-notify" does not trigger client-disconnect portion of /usr/local/sbin/openvpn.attributes.sh

Added by Phil Biggs over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 11/12/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

In relation to Feature Request #9805, to avoid overriding the default client-connect/client-disconnect script, I relocated my logger calls from my own scripts to the appropriate places in /usr/local/sbin/openvpn.attributes.sh.

I have verified that, without explicit-exit-notify in the client configuration file, the client-disconnect portion of openvpn.attributes.sh is not executed. With explicit-exit-notify in place it will be executed.

This doesn't seem to have any impact on disconnection, but it looks like the client-disconnect portion of the script is concerned with flushing the states from pf.

My version of openvpn.attributes.sh:

if [ "$script_type" = "client-connect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_local}."
    # Hand any per-user config staged in /tmp to OpenVPN through the file named in $1.
    if [ -f "/tmp/${common_name}" ]; then
        /bin/cat "/tmp/${common_name}" > "$1"
        /bin/rm "/tmp/${common_name}"
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_local}. Session duration ${time_duration} seconds. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
    # Flush the rules in this user's pf anchor. The name is passed as one quoted
    # argument instead of through eval, so it is never re-parsed by the shell.
    /sbin/pfctl -a "openvpn/${common_name}" -F rules
    # Kill states (-k) and source-tracking entries (-K) for the client's tunnel address.
    /sbin/pfctl -k "$ifconfig_pool_remote_ip"
    /sbin/pfctl -K "$ifconfig_pool_remote_ip"
fi

exit 0
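One way to spot sessions for which the client-disconnect branch never ran, using the two logger messages from the script above. This is an added example, not part of the original report or of pfSense; the function names and the sample log lines (documentation IP addresses, constructed syslog prefix) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pair the "connected" and "disconnected" messages written by
# openvpn.attributes.sh and list sessions that never logged a disconnect,
# i.e. sessions whose pf anchor rules and states were not flushed by the script.

# Constructed sample input; on a real system, feed the relevant syslog file instead.
sample_log() {
    cat <<'EOF'
Nov 12 10:00:01 fw openvpn: User 'alice' at 203.0.113.5 connected on tunnel IP 10.8.0.1.
Nov 12 10:05:00 fw openvpn: User 'bob' at 198.51.100.7 connected on tunnel IP 10.8.0.1.
Nov 12 10:30:12 fw openvpn: User 'alice' at 203.0.113.5 disconnected on tunnel IP 10.8.0.1. Session duration 1811 seconds. Server sent 1024 bytes, rcvd 2048 bytes
Nov 12 11:00:00 fw openvpn: User 'alice' at 203.0.113.5 connected on tunnel IP 10.8.0.1.
Nov 12 11:20:00 fw openvpn: User 'alice' at 203.0.113.5 disconnected on tunnel IP 10.8.0.1. Session duration 1200 seconds. Server sent 10 bytes, rcvd 20 bytes
EOF
}

# Reads log lines on stdin; prints "<open-count> <user>@<source-ip>" for every
# user/source pair with more connect events than disconnect events.
unmatched_sessions() {
    # Reduce each matching line to "C user@ip" or "D user@ip"; drop everything else.
    sed -n \
        -e "s/.*User '\([^']*\)' at \([^ ]*\) connected on tunnel IP.*/C \1@\2/p" \
        -e "s/.*User '\([^']*\)' at \([^ ]*\) disconnected on tunnel IP.*/D \1@\2/p" |
    awk '
        {
            key = substr($0, 3)          # everything after the "C " or "D " marker
            if ($1 == "C") {
                pending[key]++
            } else if (pending[key] > 0) {
                pending[key]--
            }
        }
        END {
            for (k in pending) {
                if (pending[k] > 0) {
                    print pending[k], k
                }
            }
        }' | sort
}

# Stand-alone run over the constructed sample.
sample_log | unmatched_sessions
```

A pair that stays in the output after the client is known to be gone is one whose 'openvpn/<common_name>' anchor and states the script did not clean up.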
