Email Notification - OpenVPN Client Connect (Common Name)
-
Our OpenVPN is using a Radius server synced with a Windows Active Directory domain server for logon. Is there any way this email notification will work in such a scenario?
Because currently we only get the following information; the username field is blank:
-
"user_name" ?
"vpn_client_ip" ?
-
Show the script you are using.
See the example "connect.sh" file above.
The script file is called with a bunch of predefined environment variables set.
Ask Google how to print all the environment variables when it starts. Normally, if known, a variable like "common_name" should contain the name.
-
My connect.sh is exactly what you mentioned in the post above.
I just changed the name from notify.sh to connect.sh and left disconnect.sh as is.
/root/connect.sh file:
```php
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " on " . date('F j, Y, g:i a');
log_error("About to send a mail : Connecting");
notify_all_remote($local_connect_value);
?>
```
/root/disconnect.sh file:
```php
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
// the same connect fields first; the original appended (.=) to a variable that was never set
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " on " . date('F j, Y, g:i a');
$local_connect_value .= ", during : " . getenv('time_duration') . " seconds, received : " . getenv('bytes_received') . " bytes, send : " . getenv('bytes_sent') ." bytes. DISCONNECTED.";
log_error("About to send a mail : Disconnecting");
notify_all_remote($local_connect_value);
?>
```
-
Looks ok.
What happens - I think - is that when LDAP is used, the common_name environment variable isn't set as it isn't known. So getenv('common_name') returns 'nothing' or an empty string. I've never used LDAP, so I can't be sure.
edit : again : have all the env variables printed, and see what's in there.
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
have all the env variables printed, and see what's in there.
How do you do that?
-
I created a small test file /root/test.php :
```php
#!/usr/local/bin/php -q
<?php
print_r(getenv(), $output);
echo $output;
?>
```
Now (made it executable) :
```sh
./test.php
```
works for me.
```
Array ( [SSH_CLIENT] => 192.168.1.2 59841 22 [LOGNAME] => root [MAIL] => /var/mail/root [PATH] => /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin [PWD] => /root [TERM] => xterm [SSH_TTY] => /dev/pts/0 [USER] => root [HOME] => /root [SSH_CONNECTION] => 192.168.1.2 59841 192.168.1.1 22 [SHELL] => /bin/sh [BLOCKSIZE] => K [HOSTTYPE] => FreeBSD [VENDOR] => amd [OSTYPE] => FreeBSD [MACHTYPE] => x86_64 [SHLVL] => 1 [GROUP] => wheel [HOST] => pfsense.munetwork.net [REMOTEHOST] => 192.168.1.2 [CLICOLOR] => true [LSCOLORS] => exfxcxdxbxegedabagacad )
```
This was just a test - my script file
Add $output to the $local_connect_value string, and have it mailed to you.
Or log it :
```php
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " on " . date('F j, Y, g:i a');
print_r(getenv(), $output);
log_error($output);
log_error("About to send a mail : Connecting");
notify_all_remote($local_connect_value);
?>
```
-
@gertjan
After changing the connect.sh file to your updated example I am not getting any new information in the email.
And this is what I see in the status of the VPN connection
-
@aasimenator said in Email Notification - OpenVPN Client Connect (Common Name):
i am not getting any new information in the email.
Because the variable $output was sent to the local log; the most important screens in pfSense are the logs.
At the same place you will also have this line : Status > System Logs > System > General
About to send a mail : Connecting
That's what
log_error("About to send a mail : Connecting");
is all about.
It logs an 'error' which is actually just an incontinent text message to the logs. Same thing for the variables you're looking for : check the logs.
The output string $output can be added to the $local_connect_value string, why not.
-
@gertjan
No information in the logs near the Connecting message
-
There it is :
Nevertheless : nothing.
Unbelievable but I had to Google it up. Change
```php
print_r(getenv(), $output);
```
to
```php
$output = print_r(getenv(), true);
```
I've tested it.
It shows a lot of info.
One of them is the :
-
@gertjan Thank you so much for that. It seems to have worked and I could get all the information needed to get the data out in an email.
The only difference when using an LDAP / Radius server in the getenv was changing ('common_name') to ('username').
In hindsight, I think maybe having the following option enabled in the OpenVPN config might have done the trick.
I do have a follow-up question: is there any way we can format the email better? e.g. newlines instead of everything on one line. I already tried \n or \r\n and even /n but none of them seem to work.
-
@aasimenator said in Email Notification - OpenVPN Client Connect (Common Name):
is there any way we can format the email better?
The small script file, see above, used by OpenVPN on a 'connect' event is written in PHP.
You can also use bash / sh / python / lua / or any high level compiled C or whatever ...... Use any language you like.
-
Anyone's scripts just stop working?
I noticed sometime after August these scripts stopped working on my pfSense box. Not sure what is going on.
-
@boggie1688
There is a boatload of info present - above, to debug.
Can you say more as :
@boggie1688 said in Email Notification - OpenVPN Client Connect (Common Name):
scripts stopped
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
@boggie1688
There is a boatload of info present - above, to debug.
Can you say more as :
@boggie1688 said in Email Notification - OpenVPN Client Connect (Common Name):
scripts stopped
Not sure where to start.
I've been using the same script for a year or two and suddenly I stopped getting emails when I connect or disconnect. I haven't changed the scripts so I'm not entirely sure what would cause the lack of emails.
Given I changed nothing, I'm wondering if anyone experienced the same.
-
I haven't used what's being described here for a long time, as I'm the only one using my VPN access, and I already know when I am connected when I'm connected ;)
But :
I've added the third, "client-connect" line to the VPN server custom config :
I've created a file called /root/vpn.sh :
```php
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " from: " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
// append the disconnect details only when this script runs under a file name containing 'disconnect'
// (strpos is used here: strrchr() only looks at the first character of its needle, so it cannot test for the whole word)
if ( strpos(__FILE__, 'disconnect') !== false ) {
    $local_connect_value .= ", duration : " . getenv('time_duration') . " seconds, received : " . getenv('bytes_received') . " bytes, send : " . getenv('bytes_sent') ." bytes. DISCONNECTED.";
}
notify_all_remote($local_connect_value);
?>
```
and made it executable :
```sh
chmod +x /root/vpn.sh
```
Now, when I connect, I see in the system log :
and I received the mail ....
As you said, nothing changed ;)
That is ..... there is something 'bad' going on.
I've changed the VPN server settings, so I had a look at the VPN server (re) startup log.
( never change settings without looking at the logs afterwards - and if you don't
And there was a warning :
This means that my client-connect overrides another client-connect !! So pfSense is also using the "client-connect" VPN server config command.
Let's check the OpenVPN server config file : /var/etc/openvpn/config.ovpn :
```
...
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
...
client-connect /root/vpn.sh
```
that's bad indeed.
I've removed my custom config line
```
client-connect /root/vpn.sh
```
as something tells me it's better that :
```
client-connect /usr/local/sbin/openvpn.attributes.sh
```
is used as pfSense 'needs' it to work, to do what it has to do.
So, for now, forget about using "client-connect" in the custom config to have it call your own script (to send a mail or whatever).
It will 'break' other functionality. When I look at /usr/local/sbin/openvpn.attributes.sh, I can see stuff is done with certs, and subsequent files like /usr/local/sbin/openvpn.connect_async.sh do session stuff, and also log :
Sending a mail would mean we have to "patch" this (these) files.
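The thread settles two practical points about the notification text: with RADIUS/LDAP the identity arrives in `username` rather than `common_name`, and the mail is easier to read with one field per line. The following is an added example (not code from this thread or from pfSense) that builds that message in plain sh from the environment OpenVPN exports to connect/disconnect scripts (`script_type`, `common_name`, `username`, `ifconfig_pool_remote_ip`, `trusted_ip`, `time_duration`, `bytes_received`, `bytes_sent` are OpenVPN's own names); the values in `demo()` are constructed. It also strips control characters from the identity, so a crafted username cannot inject extra lines into the mail or the system log.

```sh
#!/bin/sh
# Added example (not from the thread): build the mail body from the
# environment OpenVPN hands to a client-connect / client-disconnect script.
# Variable names are OpenVPN's own; the values set in demo() are constructed.

# Identity: the certificate CN when present, otherwise the username that
# auth-user-pass / RADIUS supplied (the thread found common_name empty and
# username filled with RADIUS). Control characters are dropped so a crafted
# username cannot add lines to the mail or to syslog.
vpn_identity() {
    id="${common_name:-${username:-unknown}}"
    printf '%s' "$id" | tr -cd '[:print:]'
}

# One field per line; the disconnect fields only for the disconnect event.
vpn_message() {
    printf 'event: %s\nuser_name: %s\nvpn_client_ip: %s\nfrom: %s\n' \
        "${script_type:-unknown}" "$(vpn_identity)" \
        "${ifconfig_pool_remote_ip:-?}" "${trusted_ip:-?}"
    if [ "${script_type:-}" = "client-disconnect" ]; then
        printf 'duration: %s seconds\nreceived: %s bytes\nsent: %s bytes\n' \
            "${time_duration:-0}" "${bytes_received:-0}" "${bytes_sent:-0}"
    fi
}

# Number of lines the message has, handy when checking the format.
vpn_message_lines() {
    vpn_message | wc -l | tr -d ' '
}

# Constructed values standing in for what OpenVPN would export.
demo() {
    script_type=client-disconnect common_name="" username="alice" \
    ifconfig_pool_remote_ip=10.8.0.6 trusted_ip=203.0.113.7 \
    time_duration=42 bytes_received=1024 bytes_sent=2048 \
    vpn_message
}

# Run as: sh vpn_notify.sh --demo   (no arguments: only define the functions)
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In a real hook the output of `vpn_message` would be handed to whatever sends the mail; the functions themselves never call the network, so they can be tested on any box.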
-
Thanks for the detailed reply.
I very much appreciate it.
I've never checked the system logs, so I learned something new today.
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
/usr/local/sbin/openvpn.attributes.sh
You are right with this @Gertjan
The script actually triggers another one depending on whether it is called at connect or disconnect:
```sh
/usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh
```
And that one is no small script! I dug through it for a bit and found it handles things like logging in syslog (e.g. calls logger to log the conn/disconn into OpenVPN's logs) but it also does a bit of housekeeping tasks.
At disconnect it kills the states the VPN client was previously using so another caller getting that IP wouldn't have states already attached (multiple pfctl -k / -K calls).
But even more serious, it also seems to handle the connection limit setting or duplicate connections. So in overriding the script with custom logging, you perhaps disable various features that you configured in the VPN server beforehand. So all in all I wouldn't recommend replacing the client-(dis)connect scripts with your own versions.
What would perhaps be possible is writing a quick patch for the caller script
/usr/local/sbin/openvpn.attributes.sh
where the async script is called and insert another script (e.g. like @Gertjan's /root/vpn.sh) in there. But that would have to be checked, as the script calls various functions via the OpenVPN "deferred" connection method and handles the deferring in the async script. So I guess one could think about that one:
```sh
# Signal deferred handler
if [ "${script_type}" = "client-connect" ]; then
	/bin/echo 2 > "${client_connect_deferred_file}"
	if [ -f /tmp/"${common_name}" ]; then
		/bin/cat /tmp/"${common_name}" > "${client_connect_config_file}"
		/bin/rm /tmp/"${common_name}"
	fi
fi

### --> insert HERE <-- ###

# Handle 'client-connect' and 'client-disconnect'
/usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh > /dev/null &

# Signal "deferred handler started OK" for client-connect
exit 0
```
and insert a small block with a check whether it's called in the connect or disconnect state. But that would have to be tested first.
Cheers
\jens
-
We ought to get Netgate to insert some "Official hooks" for user initiated connect/disconnect
i.e.
```sh
if [ -x "/root/OpenVPN-User-Clientconnect.sh" ]; then
if [ -x "/root/OpenVPN-User-Clientdisconnect.sh" ]; then
```
I'm using these scripts too, and haven't noticed the consequence, until Gertjan pointed it out
/Bingo
-
@bingo600 said in Email Notification - OpenVPN Client Connect (Common Name):
We ought to get Netgate to insert some "Official hooks" for User initiated connect/disconnect
I saw Jimp answering a comparable question a couple of days ago : implementing a hook for a user created script file : he doesn't "like it", as such a script could run with root rights, thus control the entire system.
The situation right now isn't that bad : the admin that knows what he is doing :
- Can patch a pfSense script file with a test "if the /root/myopenvpnscript.sh file exists", and "if it is executable" and if both are ok, call it. (you could build a diff patch for this to make life easier)
- Write their own /root/myopenvpnscript.sh
The user that can do both things will also know how to update, maintain, and re-implement this functionality after a pfSense update.
Permitting lambda users to write their own script files ..... => scary. Look here, last message, what happens when people use home made script / config files, and people forget about it .... https://forum.netgate.com/topic/175234/recent-pppoe-issues-not-auto-reconnecting-for-some-reason-used-to/9?_=1666084459780
edit : just to be clear : I'm not against the idea, of course.
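The last three posts converge on one design: leave pfSense's own `client-connect` handling alone, and at the "insert HERE" point in `/usr/local/sbin/openvpn.attributes.sh` call an admin script only if it exists and is executable. Because that script runs as root (the objection quoted above), the existence check alone is not enough: the file must also be root-owned and not writable by anyone else, or whoever can edit it gets root on every VPN connect. The following is an added example, not pfSense's code and not tested on pfSense, of what that inserted block could contain, written as a stand-alone sh file so it can be exercised on any machine. The script names follow bingo600's proposal; `HOOK_DIR` defaulting to `/root` is an assumption. The ownership/permission check reads `ls -ld` because `stat(1)` takes different flags on FreeBSD and Linux.

```sh
#!/bin/sh
# Added example, not pfSense code: logic an admin could place at the
# "insert HERE" point in /usr/local/sbin/openvpn.attributes.sh. It picks an
# admin script by OpenVPN's script_type, runs it only when it is safe to run
# as root, and never alters the exit status OpenVPN sees. HOOK_DIR and the
# script names are assumptions taken from the proposals in this thread.

HOOK_DIR="${HOOK_DIR:-/root}"

# Map the event to the admin script; unknown events get no hook.
user_hook_for() {
    case "$1" in
        client-connect)    printf '%s/OpenVPN-User-Clientconnect.sh' "$HOOK_DIR" ;;
        client-disconnect) printf '%s/OpenVPN-User-Clientdisconnect.sh' "$HOOK_DIR" ;;
        *)                 return 1 ;;
    esac
}

# 0 only for a regular, executable file owned by the invoking user (root in
# production) that is not group- or world-writable. The hook runs with root
# rights, so a writable file would hand root to whoever can edit it.
hook_is_safe() {
    f="$1"
    [ -f "$f" ] && [ -x "$f" ] || return 1
    perms="$(ls -ld "$f" | cut -c1-10)"     # e.g. -rwxr-xr-x
    owner="$(ls -ld "$f" | awk '{print $3}')"
    [ "$owner" = "$(id -un)" ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;     # group (char 6) or other (char 9) write bit set
    esac
    return 0
}

# Run the admin script detached, so a slow mail server cannot hold up the
# deferred-auth handshake, and always return 0 so the VPN client is never
# rejected because of a notification problem. OpenVPN's environment
# (common_name, username, trusted_ip, ...) is inherited by the child.
run_user_hook() {
    hook="$(user_hook_for "${script_type:-}")" || return 0
    hook_is_safe "$hook" || return 0
    "$hook" "$@" >/dev/null 2>&1 &
    return 0
}
```

Within `openvpn.attributes.sh` the three functions plus a single `run_user_hook` call would be the inserted block; as the thread notes, a pfSense upgrade will overwrite that file, so the patch has to be reapplied after each update.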