Kill OVPN client connection
-
Just an idea,
What if you log into OpenVPN's management interface using telnet/netcat and kill the client there…
-
I can execute a shell command via SSH, but how do I kill an individual client on a particular OpenVPN service?
-
Currently no access to a pfSense box, but first find this line in the server config file:
management IPaddress Port
Then in SSH do:
nc IPaddress Port
You can use telnet too; then replace nc with telnet.
You will see something like:
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
Type help and also look here:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
-
I'm guessing I will need to edit the server config file to include this.
The current file has: "management /var/etc/openvpn/server2.sock unix". Can I edit it in pfSense, or just directly?
-
You could try connecting to the socket:
nc -U /var/etc/openvpn/server2.sock
or
socat - UNIX-CONNECT:/var/etc/openvpn/server2.sock
Also see --management in the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-
OK, so I have done as suggested:
Via SSH:
nc -w 20 -U /var/etc/openvpn/server2.sock
kill xxx (the CN)
Result:
SUCCESS: common name 'xxx' found, 1 client(s) killed
That functions, but (of course) still not via the web interface.
I have tested the web interface (kill OpenVPN) on my central server and also on client machines (SG-1000 & APU)
and all exhibit the same error message.
-
I am still at a loss as to why I get an error message from the gui.
Are there any tests I should run, or config changes to further investigate?
-
@Gil:
I get an error:
An error occurred. (-1)
when I attempt to kill an OpenVPN client connection on my APU server box status screen.
This never used to happen prior to the 2.4.0 upgrade.
Same here on 2.4.2. Also no errors in logs.
Tried with Chrome, Safari and Edge via Web-gui.
-
@Gil:
OK, so I have done as suggested:
Via SSH:
nc -w 20 -U /var/etc/openvpn/server2.sock
kill xxx (the CN)
Result:
SUCCESS: common name 'xxx' found, 1 client(s) killed
That functions, but (of course) still not via the web interface.
I have tested the web interface (kill OpenVPN) on my central server and also on client machines (SG-1000 & APU)
and all exhibit the same error message.
From the result I would think it's not an OpenVPN issue…
-
Thanks Pippin.
Generic googling tells me (-1) errors often relate to hardware.
My errors occur on all my devices, APU and SG-1000.
-
I should also mention that all my devices run a bridge for a TAP OpenVPN.
peter808: Are you similar?
-
I have an OpenWRT OpenVPN connection that also gives the same error on my pfSense Server
-
Same here on 2.4.2. Also no errors in logs.
Tried with Chrome, Safari and Edge via Web-gui.
Same here
-
The "Error occurred" pop-up on the dashboard is caused by a race condition where the widget is requesting status from a resource that no longer exists. Annoying no doubt but it should not affect functionality.
Fixed in the next snapshot
-
Thanks Steve_B.
I take it that the fix will not only stop the error popup, but also execute the kill OpenVPN command?
-
Small clip of the GUI behaviour
-
Hello,
I am receiving this same error message as well. I am running OpenVPN Remote-Access on pfSense 2.4.2. I am connected through my LAN, not through VPN. I also receive "An error occurred (-1)" when attempting to kill a connection. Tried on both the widget and Status -> OpenVPN. Also tried on IE and Chrome.
-
I did some tinkering on the "openvpn.inc" page, and found I was receiving "ERROR: Common Name (client IP) not found". When I changed the client IP to the username field, then I was able to kill the client. I am guessing this is the case because I use user certificates in which the username is the CN. Not sure if this is the case for the original poster.
-
I use user certificates in which the username is the CN. Not sure if this is the case for the original poster.
I also have matching CN & User Name
When I changed the client IP to the username field, then I was able to kill the client
Are you saying this is an IP address? Or simply some other text to identify a user?
-
@Gil:
Are you saying this is an IP address? Or simply some other text to identify a user?
There is a function on the file "openvpn.inc" called openvpn_kill_client(). It creates a TCP socket to the management port on the server, and then issues the command "kill {client IP}". When you click the "X" to kill a client on the OpenVPN widget or Status page, it is passing the user's public IP that they are using to connect to the VPN. I did some debugging and was receiving that Common Name does not exist. I knew that Common Name was the "username", as I enforce user certificates, which use the username as the Common Name field. So, for my case (and most likely yours), if we pass the username field instead of their public IP, it could kill the VPN connections.
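The mechanism the last two posts describe, as an added example that is not code from this thread, from pfSense's openvpn.inc or from OpenVPN itself: the management interface's kill command takes either a common name (kill cn) or a real address (kill IP:port); an argument without a port is looked up as a common name, which is why a bare public IP comes back as "common name ... not found". The script below speaks the management protocol over a socket, parses the output of status 2 to map a client's public IP to its common name and its real IP:port, and issues the kill in a form the daemon accepts. So that it runs offline, it talks to a small stand-in server in a thread; that server, the sample status output, the client names and the addresses are all constructed for the example, and the reply wording for the IP:port case is modelled on OpenVPN's but not copied from it. To use the client part against a real server, connect an AF_UNIX socket to the path from the "management ... unix" line (e.g. /var/etc/openvpn/server2.sock) or a TCP socket to the management port and hand it to ManagementClient.

```python
import socket
import threading

# Constructed sample of what "status 2" prints (OpenVPN 2.4 column layout); made-up names and addresses.
SAMPLE_STATUS2 = """TITLE,OpenVPN 2.4.4 sample
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,alice,203.0.113.10:51234,10.8.0.6,,14212,23011,Sat Jan  6 09:55:00 2018,1515232500,alice,0,0
CLIENT_LIST,bob,198.51.100.7:44321,10.8.0.10,,990,1288,Sat Jan  6 09:58:00 2018,1515232680,bob,1,1
END
"""
BANNER = ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\n"


def parse_status2(text):
    """CLIENT_LIST rows of 'status 2' -> {common_name: {real_address, virtual_address, username}}."""
    clients = {}
    for line in text.splitlines():
        if line.startswith("CLIENT_LIST,"):
            f = line.split(",")
            clients[f[1]] = {"real_address": f[2], "virtual_address": f[3], "username": f[9]}
    return clients


def kill_targets_for_ip(clients, public_ip):
    """The GUI passes only a public IP; 'kill' wants a CN or IP:port. Return (cn, 'IP:port') per session from that IP."""
    return [(cn, i["real_address"]) for cn, i in clients.items()
            if i["real_address"].rpartition(":")[0] == public_ip]


class ManagementClient:
    """Line-oriented client for the management interface on any connected socket (AF_UNIX or TCP)."""

    def __init__(self, sock):
        self.sock, self.rfile = sock, sock.makefile("r")
        if not self.rfile.readline().startswith(">INFO:"):
            raise RuntimeError("not an OpenVPN management banner")

    def command(self, cmd):
        """Send one command; reply is a block ending in 'END' or one SUCCESS:/ERROR: line. '>' lines are async notices."""
        self.sock.sendall((cmd + "\n").encode())
        lines = []
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("management socket closed")
            line = line.rstrip("\r\n")
            if line.startswith(">"):
                continue
            lines.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                return "\n".join(lines)

    def kill(self, target):
        """target is a common name or 'IP:port'; returns (ok, reply)."""
        reply = self.command("kill " + target)
        return reply.startswith("SUCCESS:"), reply


def fake_management_server(sock, table):
    """Test double for the daemon side (not real OpenVPN): a kill argument without ':' is looked up as a CN."""
    rfile = sock.makefile("r")
    sock.sendall(BANNER.encode())
    while True:
        cmd = rfile.readline().strip()
        if not cmd or cmd == "quit":
            break
        if cmd == "status 2":
            sock.sendall(SAMPLE_STATUS2.encode())
            continue
        killed, victim = [], cmd[5:] if cmd.startswith("kill ") else None
        if victim is None:
            reply = "ERROR: unknown command, enter 'help' for more options"
        elif ":" in victim:  # IP:port form (reply wording modelled on OpenVPN's, not copied)
            killed = [cn for cn, i in table.items() if i["real_address"] == victim]
            reply = ("SUCCESS: %d client(s) at address %s killed" % (len(killed), victim)
                     if killed else "ERROR: client at address %s not found" % victim)
        else:  # common-name form, the replies quoted in this thread
            killed = [cn for cn in table if cn == victim]
            reply = ("SUCCESS: common name '%s' found, %d client(s) killed" % (victim, len(killed))
                     if killed else "ERROR: common name '%s' not found" % victim)
        for cn in killed:
            del table[cn]
        sock.sendall((reply + "\n").encode())
    sock.close()


def demo(public_ip="203.0.113.10"):
    """Reproduce the GUI's failing kill, then the two forms the daemon does accept."""
    client_end, server_end = socket.socketpair()
    threading.Thread(target=fake_management_server, daemon=True,
                     args=(server_end, parse_status2(SAMPLE_STATUS2))).start()
    mgmt = ManagementClient(client_end)
    clients = parse_status2(mgmt.command("status 2"))
    results = {"bare_ip": mgmt.kill(public_ip)}       # what openvpn_kill_client() sends: fails
    for cn, _addr in kill_targets_for_ip(clients, public_ip):
        results["cn:" + cn] = mgmt.kill(cn)            # kill by common name instead
    results["addr"] = mgmt.kill(clients["bob"]["real_address"])  # or by real IP:port
    mgmt.sock.sendall(b"quit\n")
    client_end.close()
    return results
```

demo() returns the three replies keyed by how the kill was addressed; the bare-IP attempt is the one that fails. Note that when several sessions share one public IP (NAT), kill by common name takes out every session with that CN, while kill by IP:port takes out exactly one, so on a server with duplicate-cn or a shared egress the IP:port form is the more precise choice.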