Setting up pfsense openvpn client site-to-site disconnect notifications
-
Hello everyone,
I want to set up notifications for an OpenVPN client site-to-site, from pfSense, to send email notifications when it disconnects and connects again.
I have read here about people setting up notifications for an OpenVPN server, and tried it on this pfSense with an OpenVPN client profile, but no luck.
There are already notifications set up and running on this pfSense.
What I did was:
- Created /root/notify.sh with:
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
notify_all_remote("VPN Connected");
?>
- Gave execute permissions to that file:
chmod +x /root/notify.sh
- And added the extra argument in the OpenVPN client profile:
client-disconnect /root/notify.sh
After this the OpenVPN client service stops working...
Does anyone know if it's possible to use this custom option with an OpenVPN client profile?
-
@SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:
client-disconnect /root/notify.sh
Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)
After this openvpn client service stops working...
Then how about posting your error log? OpenVPN voices it pretty clearly why it won't start?
Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".
And as an afterthought, your script will vanish whenever you reinstall pfSense from scratch as "/root" isn't safe/backed up anywhere. I'd advise to create scripts in the appropriate directory tree (e.g. /usr/local/bin) and manage them via the filer package so you can control the content and security permissions of the file (0750). Also as a package, filer will get reinstalled and the config and content of your file is safely inside the config.xml structure.
Why it won't start: my OpenVPN on verbosity 3 says it pretty easily:
Jul 20 15:44:23 openvpn 83247 Use --help for more information.
Jul 20 15:44:23 openvpn 83247 Options error: Please correct this error.
Jul 20 15:44:23 openvpn 83247 Options error: --client-disconnect script fails with '/usr/local/bin/vpn-stats.phps': No such file or directory (errno=2)
Jul 20 15:44:23 openvpn 83247 Multiple --client-disconnect scripts defined. The previously configured script is overridden.
Jul 20 15:44:23 openvpn 74208 SIGTERM[hard,] received, process exiting
Oops, added a "s" to "php" ending. My mistake :)
So why doesn't it start in your setup? What does the log tell you?
-
@JeGr said in Setting up pfsense openvpn client site-to-site notifications:
@SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:
client-disconnect /root/notify.sh
Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)
I know that very well; it doesn't make sense, but it is what has worked for others. Please check here:
https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/31
Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".
Ah yes, my mistake copy pasting, I will give you feedback after trying it.
Wow, thanks a lot for letting me know about the filer package!
-
@SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:
Wow, thanks a lot for letting me know about the filer package!
My pleasure, I experimented on client-connect and client-disconnect myself and it now is running without problems (but I don't overwrite client-connect, only on disconnect). But be advised that pfSense has a default script it runs on (dis)connect that will be omitted if you set up your own.
My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)
-
@JeGr said in Setting up pfsense openvpn client site-to-site notifications:
My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)
I am getting at System > General, the following error:
Jul 20 16:49:25 check_reload_status Reloading filter
Jul 20 16:49:25 php-fpm OpenVPN failed to start
Jul 20 16:49:25 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''
In filer I have:
And in Custom options I have in that profile:
-
Execute should be "do not execute" in filer. You don't want that to automatically run after a save/sync command but in your openvpn config :)
Jul 20 16:49:25 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''
Aaaah! You are trying to run "client-disconnect" command lines for a CLIENT VPN? That's not possible, the OVPN Hooks client-connect and -disconnect only work with OVPN Servers, not clients! :)
-
Addendum: you could try running your script with the up, up-restart etc. hooks. Perhaps that also needs script-security 2 to be enabled, I'm a bit vague on that :) But if it does, it will say so in the logs. The up trigger keyword in your client config should run your script with info like:
<scriptname> OpenVPN 1 1500 1553 <IP> <mask> init
You don't have the same sort of variables at your disposal as on the server side though. Check https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4 for the exact ones :) (search for bytes_received for examples)
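An added example (not from this thread, pfSense or the filer package) of the up/down approach described above: one PHP file serves both the up and down client hooks, reading the hook name from the script_type environment variable OpenVPN sets and the positional arguments it passes, so the notification text matches what actually happened. The path /usr/local/bin/ovpn-notify.php and the custom options script-security 2, up and down pointing at it are assumptions.

```php
#!/usr/local/bin/php -q
<?php
/*
 * Added example script, not pfSense's own code. Assumed custom options in
 * the pfSense OpenVPN client profile:
 *   script-security 2
 *   up /usr/local/bin/ovpn-notify.php
 *   down /usr/local/bin/ovpn-notify.php
 * Assumed to be deployed via filer with mode 0750 and "do not execute",
 * so only OpenVPN runs it.
 */
require_once("/etc/inc/notices.inc");

/* OpenVPN exports the hook being run as $script_type ("up", "down", ...). */
$hook = getenv("script_type") ?: "unknown";

/* Positional arguments for up/down hooks:
 *   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart] */
$dev    = $argv[1] ?? "?";
$local  = $argv[4] ?? "?";
$reason = $argv[6] ?? "";

/* Ignore any hook this script was not written for, without failing it. */
if ($hook !== "up" && $hook !== "down") {
    exit(0);
}

$state = ($hook === "up") ? "connected" : "disconnected";
$msg = sprintf("OpenVPN client %s %s (local IP %s%s)",
    $dev, $state, $local, ($reason !== "") ? ", " . $reason : "");

/* pfSense's own notification function (email/Telegram/etc. as configured). */
notify_all_remote($msg);

/* A non-zero exit from an up script makes OpenVPN treat the connection as
 * failed, so a notification-only hook should always exit 0. */
exit(0);
```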