Netgate Discussion Forum

    Openvpn - Business hours

      Blade_Ander

      Hi guys!

      Is it possible to create a schedule for connecting to the VPN using OpenVPN?

      For example, I permit my users to connect to the VPN between 8:00 AM and 6:00 PM; after that, they can't connect anymore.

      Thank you.

        droeders

        You should be able to accomplish this using firewall rule schedules.  See here for a start:

        https://doc.pfsense.org/index.php/Firewall_Rule_Schedules

          conor

          Firewall schedules would work, but they would block all inbound connections. For anyone wondering if there is another way, you could also use the OpenVPN tls-verify script: have your script check the time and give a go/no-go. The advantage of this approach is where you yourself still want to be able to connect, but block all others.

          200+ pfSense installs - best firewall ever.

            Blade_Ander

            Conor, do you have an example of how I create this script?

            Thank you!

              conor

              The tls-verify command in OpenVPN calls a script that you specify. The exit code of the script is what OpenVPN is looking for: exit 0 is a success and exit 1 is a failure. On exit 0, OpenVPN proceeds with the connection.

              pfSense already uses a tls-verify script, so you need to add your code into that. WARNING - upgrades will wipe out your changes, so keep a backup for after future upgrades.
              The pfSense script is located here: /usr/local/sbin/ovpn_auth_verify

              Below is a sample script for checking the time, if time is between 9am and 5.30pm it exits with success. You would need to merge this into the pfSense script.

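              #!/bin/sh
              # Allowed connection window, as HHMMSS (local time)
              prodStartTime="090000"
              prodEndTime="173000"

              # Current local time as HHMMSS
              currentTime=$(date +"%H%M%S")
              echo "$prodStartTime"
              echo "$prodEndTime"
              echo "$currentTime"

              # Exit 0 (allow) only inside the window; exit 1 (reject) otherwise
              if [ "$currentTime" -ge "$prodStartTime" ];
              then
                      if [ "$currentTime" -le "$prodEndTime" ];
                      then
                              exit 0
                      else
                              exit 1
                      fi
              else
                      # Before the start time: reject
                      exit 1
              fi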

                Blade_Ander

                Excellent Conor!

                In my case I have many users using OpenVPN. I need to create this hourly-based "rule" only for some users.

                Do you know how I can create a script with users or Tunnel Network?

                Thank you again.

                  Pippin

                  client-connect script would be suited for that.

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                    conor

                    Yep, the client-connect script sounds ideal. I need to test it on a test unit to see what variables you can see; will revert back.

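A per-user version of the time check discussed in this thread, written as a client-connect hook. This is an added example, not code from any poster or from pfSense. The policy table, the user names and the `in_window`/`decide` helpers are constructed for illustration; it relies on OpenVPN's `common_name` and `script_type` environment variables and goes slightly beyond the thread by handling windows that wrap past midnight.

```shell
#!/bin/sh
# Added example: per-user business-hours gate for an OpenVPN client-connect hook.
# OpenVPN exports the certificate CN as $common_name; a non-zero exit rejects
# the connecting client.

# Constructed sample policy: "common_name start end" in HHMM local time.
# Users that are not listed are not time-restricted.
POLICY='alice 0800 1800
bob 2200 0600'

# in_window NOW START END: status 0 if NOW lies in [START, END].
# START > END means the window wraps past midnight.
in_window() {
    now=$1; start=$2; end=$3
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -le "$end" ]
    fi
}

# decide CN NOW: status 0 = allow, 1 = reject.
decide() {
    cn=$1; now=$2
    # Fail closed on an empty or unexpected CN, or a malformed time.
    case $cn in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $now in [0-2][0-9][0-5][0-9]) ;; *) return 1 ;; esac
    while read -r user start end; do
        if [ "$user" = "$cn" ]; then
            in_window "$now" "$start" "$end"
            return $?
        fi
    done <<EOF
$POLICY
EOF
    return 0    # unlisted user: no time restriction
}

# Act only when OpenVPN invokes this file as its client-connect script
# (OpenVPN sets $script_type); sourcing or running it by hand does nothing.
if [ "${script_type:-}" = "client-connect" ]; then
    decide "${common_name:-}" "$(date +%H%M)"
    exit $?
fi
```

The check runs when a client connects, so a session established inside the window is not disconnected when the window closes.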
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.