Kill OVPN client connection


  • Rebel Alliance

    I get an error:

    An error occurred. (-1)

    when I attempt to kill an OpenVPN client connection on my APU server box status screen.
    This never used to happen prior to 2.4.0 upgrade.


  • Rebel Alliance Developer Netgate

    It seems to work for me here, is it still broken for you on 2.4.1?

    What is the exact mode of the server?

    Where exactly do you see that error message? On the page, in a javascript alert box, in a log, or somewhere else?

    Any errors in the logs?


  • Rebel Alliance

    I should qualify this. It fails when Remote Access into web page.

    Possibly to stop you from inadvertently disconnecting your own Remote Access VPN Tunnel.
    However, I cannot kill another OpenVPN connection.

    V2.4.2

    I don't see any errors in the logs. Is there somewhere in particular I should look?


  • Rebel Alliance

    There is a message in the OpenVPN Log:

    Nov 29 12:47:21 openvpn 93516 MANAGEMENT: CMD 'kill 123.209.110.10'

    Not really an error message though


  • Rebel Alliance

    Error message occurs on webpage.
    Snap shot of error message attached.



  • Rebel Alliance Developer Netgate

    @Gil:

    Nov 29 12:47:21 openvpn 93516 MANAGEMENT: CMD 'kill 123.209.110.10'

    That's just OpenVPN logging the kill action sent from the GUI, if your log verb level is high enough to show those messages, they are purely informative.

    @Gil:

    Error message occurs on webpage.
    Snap shot of error message attached.

    Looks like that happened on the dashboard. Does the same thing happen on the dashboard and on Status > OpenVPN?

    What browser is that? It's working for me on the dashboard and Status > OpenVPN and it works in both Firefox and Chrome (latest version of either one).


  • Rebel Alliance

    Browser was Chrome: BUT only when remotely connected via another OpenVPN tunnel.


  • Rebel Alliance

    Also on Android Dolphin via OpenVPN


  • Rebel Alliance

    Sorry for the multiple replies; I realised I didn't answer your other question:
    Yes the same error message appears under Status / OpenVPN.

    I find I have to restart the service if I want to manually disconnect a connection.

    Browser: latest version of Chrome, Version 63.0.3239.84 (Official Build) (64-bit).


  • Rebel Alliance Developer Netgate

    I can't seem to reproduce that here at all. And it definitely doesn't make sense that it only happens when you connect over some other VPN.

    Unless you are killing your own VPN connection, which would mean the web server couldn't respond back to you which could result in an AJAX error. But that doesn't make sense if restarting the service fixes it.

    From the logs it appears to be taking the correct action, however. It's possible it's an error in OpenVPN itself and not a bug in pfSense.



  • Just an idea,
    What if you log into OpenVPN's management interface using telnet/netcat and kill the client there…


  • Rebel Alliance

    I can execute a shell command via SSH but;
    How do I kill an individual client on a particular openvpn service?



  • Currently no access to pfSense box but first find the line in the server config file

    management IPaddress Port
    

    Then in SSH do

    nc IPaddress Port
    

    You can use telnet too, then nc=telnet.
    You will see something like:

    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    

    Type help and also look here:
    https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html


  • Rebel Alliance

    I'm guessing I will need to edit the server config file to include this.
    Current file has : "management /var/etc/openvpn/server2.sock unix"

    Can I edit it in pfSense ; or just directly?



  • Could try with connecting to socket:

    nc -uU /var/etc/openvpn/server2.sock
    

    or

    socat - UNIX-CONNECT:/var/etc/openvpn/server2.sock
    
    

    Also see --management in the manual:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage


  • Rebel Alliance

    OK, so I have done as suggested:

    Via ssh:

    nc -w 20 -U /var/etc/openvpn/server2.sock
    kill xxx (cn)

    Result:
    SUCCESS: common name 'xxx' found, 1 client (s) killed

    That functions, but (of course) - still not via the web interface.

    I have tested the web interface (kill openvpn) on my central server and also on client machines (SG-1000 & APU)
    and all exhibit the same error message.


  • Rebel Alliance

    I am still at a loss as to why I get an error message from the gui.
    Are there any tests I should run, or config changes to further investigate?



  • @Gil:

    I get an error:

    An error occurred. (-1)

    when I attempt to kill an OpenVPN client connection on my APU server box status screen.
    This never used to happen prior to 2.4.0 upgrade.

    Same here on 2.4.2. Also no errors in logs.

    Tried with Chrome, Safari and Edge via Web-gui.



  • @Gil:

    OK, so I have done as suggested:

    Via ssh:

    nc -w 20 -U /var/etc/openvpn/server2.sock
    kill xxx (cn)

    Result:
    SUCCESS: common name 'xxx' found, 1 client (s) killed

    That functions, but (of course) - still not via the web interface.

    I have tested the web interface (kill openvpn) on my central server and also on client machines (SG-1000 & APU)
    and all exhibit the same error message.

    From the result I would think it's not an OpenVPN issue…


  • Rebel Alliance

    Thanks Pippin.
    Generic googling tells me (-1) errors often relate to hardware.
    My errors occur on all my devices APU and SG-1000.


  • Rebel Alliance

    I should also mention; all my devices run a bridge for a tap openvpn.
    peter808 : Are you similar?


  • Rebel Alliance

    I have an OpenWRT OpenVPN connection that also gives the same error on my pfSense Server



  • @peter808:

    Same here on 2.4.2. Also no errors in logs.

    Tried with Chrome, Safari and Edge via Web-gui.

    Same here


  • Developer Netgate

    The "Error occurred" pop-up on the dashboard is caused by a race condition where the widget is requesting status from a resource that no longer exists. Annoying no doubt but it should not affect functionality.

    Fixed in the next snapshot


  • Rebel Alliance

    Thanks Steve_B.
    I take it that the fix will not only stop the error popup, but also execute the kill OpenVPN command?


  • Rebel Alliance

    Small clip of the GUI behaviour




  • Hello,

    I am receiving this same error message as well. I am running OpenVPN Remote-Access on pfSense 2.4.2. I am connected through my LAN, not through VPN. I also receive "An error occurred (-1)" when attempting to kill a connection. Tried both on the widget and at Status -> OpenVPN. Also tried on IE and Chrome.



  • I did some tinkering on the "openvpn.inc" page, and found I was receiving "ERROR: Common Name (client IP) not found".  When I changed the client IP to the username field, then I was able to kill the client.  I am guessing this is the case because I use user certificates in which the username is the CN.  Not sure if this is the case for the original poster.


  • Rebel Alliance

    @Coopercentral:

    I use user certificates in which the username is the CN.  Not sure if this is the case for the original poster.

    I also have matching CN & User Name

    @Coopercentral:

    When I changed the client IP to the username field, then I was able to kill the client

    Are you saying this is an IP address? Or simply some other text to identify a user?



  • @Gil:

    Are you saying this is an IP address? Or simply some other text to identify a user?

    There is a function on the file "openvpn.inc" called openvpn_kill_client().  It creates a TCP socket to the management port on the server, and then issues the command "kill {client IP}".  When you click the "X" to kill a client on the OpenVPN widget or Status page, it is passing the user's public IP that they are using to connect to the VPN.  I did some debugging and was receiving that Common Name does not exist.  I knew that Common Name was the "username", as I enforce user certificates, which use the username as the Common Name field.  So, for my case (and most likely yours), if we pass the username field instead of their public IP, it could kill the VPN connections.
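The posts above describe two ways of reaching the same management interface: by hand with `nc`/`socat` against the `management` socket, and from pfSense's `openvpn_kill_client()`, which opens the management port and issues `kill <argument>`. The following is an added example, not code from pfSense or from anyone in this thread. It parses the management interface's `status` output (a constructed sample is embedded), builds a `kill` command that matches OpenVPN's accepted forms (a common name, or a real address written as `ip:port`), and shows why a bare public IP, the value the thread reports the GUI passing, matches nothing unless it is first resolved to the client's CN. The `send_command()` helper connects to a Unix socket path or a `(host, port)` pair and is an assumption about a reachable management listener; it is not exercised by the sample.

```python
"""Small helper for OpenVPN's management interface `status` / `kill` commands.

Added example, not part of pfSense or the thread. The status format is the
management interface's version-1 CLIENT LIST layout; the sample data is constructed.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample of a management-interface `status` reply (version 1 format).
# Addresses are documentation ranges; "carol" shares bob's public IP (NAT) on purpose.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Nov 29 12:47:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,123.209.110.10:1194,1234,5678,Thu Nov 29 12:00:00 2018
bob,198.51.100.7:41234,100,200,Thu Nov 29 12:10:00 2018
carol,198.51.100.7:41300,300,400,Thu Nov 29 12:12:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,123.209.110.10:1194,Thu Nov 29 12:46:00 2018
10.8.0.10,bob,198.51.100.7:41234,Thu Nov 29 12:46:30 2018
10.8.0.14,carol,198.51.100.7:41300,Thu Nov 29 12:46:40 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


@dataclass
class Client:
    common_name: str
    real_address: str  # "ip:port" as the server sees it


def parse_status(text: str) -> List[Client]:
    """Extract (common name, real address) pairs from the CLIENT LIST section."""
    clients: List[Client] = []
    in_client_list = False
    for line in text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_client_list = True  # header row of the CLIENT LIST table
            continue
        if line.startswith("ROUTING TABLE"):
            break  # end of the CLIENT LIST section
        if in_client_list and "," in line:
            fields = line.split(",")
            clients.append(Client(common_name=fields[0], real_address=fields[1]))
    return clients


def build_kill_command(clients: List[Client], target: str) -> Optional[str]:
    """Return `kill <cn>` or `kill <ip:port>` for an exact match, or None.

    A bare IP (no port) is resolved to a CN only if exactly one connected client
    has that public address; with several clients behind one NAT it is ambiguous
    and no command is produced rather than killing the wrong session.
    """
    for c in clients:
        if target == c.common_name:
            return f"kill {c.common_name}"
        if target == c.real_address:
            return f"kill {c.real_address}"
    by_ip = [c for c in clients if c.real_address.rsplit(":", 1)[0] == target]
    if len(by_ip) == 1:
        return f"kill {by_ip[0].common_name}"
    return None


def parse_kill_response(line: str) -> bool:
    """True for 'SUCCESS: common name ... killed', False for 'ERROR: ... not found'."""
    if line.startswith("SUCCESS:"):
        return True
    if line.startswith("ERROR:"):
        return False
    raise ValueError(f"unexpected management reply: {line!r}")


def send_command(endpoint: Union[str, Tuple[str, int]], command: str, timeout: float = 5.0) -> str:
    """Send one command to a management listener and return its first reply line.

    endpoint is a Unix socket path (pfSense style: 'management /var/etc/openvpn/serverN.sock unix')
    or a (host, port) tuple for a TCP listener. Assumes the listener is reachable.
    """
    family = socket.AF_UNIX if isinstance(endpoint, str) else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(endpoint)
        f = sock.makefile("rw", encoding="utf-8", newline="\n")
        f.readline()  # ">INFO:OpenVPN Management Interface Version ..." greeting
        f.write(command + "\n")
        f.flush()
        reply = f.readline().strip()
        f.write("quit\n")
        f.flush()
        return reply


if __name__ == "__main__":
    clients = parse_status(SAMPLE_STATUS)
    for t in ("alice", "198.51.100.7:41234", "123.209.110.10", "198.51.100.7"):
        print(f"{t:>20} -> {build_kill_command(clients, t)}")
```

Against a live server you would replace `SAMPLE_STATUS` with `send_command(endpoint, "status")` (reading the whole reply up to `END` rather than one line) and then pass the result of `build_kill_command()` to `send_command()`. The point the sample illustrates is the one the thread arrived at: the management interface matches on CN or on `ip:port`, so a GUI that passes only the public IP gets `ERROR: common name ... not found`, and resolving the IP to a CN is only safe when that IP belongs to a single connected client.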


  • Rebel Alliance

    Nice piece of debugging.

    Is there something that the developers should note regarding this?



  • Will this bug be fixed in the next updates of pfSense?


  • Rebel Alliance

    Update to 2.4.3; the error message no longer occurs - but the OVPN Connection does not get killed.
    Still a bug


  • Rebel Alliance

    @Steve_B:

    The "Error occurred" pop-up on the dashboard is caused by a race condition where the widget is requesting status from a resource that no longer exists. Annoying no doubt but it should not affect functionality.

    Fixed in the next snapshot

    The error message is "fixed", but the ability to kill the OpenVPN Connection remains non-functional.



  • I tried killing a remote client that forgot to disconnect. The GUI appears to kill the connection but according to the logs, the client automatically logs back in.
    I don't think it matters but, I'm not having luck with killing the connection via SSH. The kill command with common name or source IP:port both give me the following message,
    kill: Arguments should be jobs or process id's.

    My bigger concern is that I added this user's certificate to a revocation list, killed the connection via GUI and it's still reconnecting. I hope I'm doing something wrong.

    Edit: My certificate revocation is working. I just forgot to add it to the list to the actual OpenVPN server setting.


  • Rebel Alliance

    @Raffi.:

    I tried killing a remote client that forgot to disconnect. The GUI appears to kill the connection but according to the logs, the client automatically logs back in.

    I'd suggest checking your client settings; does it contain "resolv-retry infinite" - The client will reconnect automatically.



  • @Gil:

    @Raffi.:

    I tried killing a remote client that forgot to disconnect. The GUI appears to kill the connection but according to the logs, the client automatically logs back in.

    I'd suggest checking your client settings; does it contain "resolv-retry infinite" - The client will reconnect automatically.

    Thanks Gil, I do see that in the client config. Can I address this on the server side rather than having to reissue new client configs? Also, how would I fix it? Would it be an advanced configuration option of "resolv-retry 0"?


  • Rebel Alliance

    @Raffi.:

    Thanks Gil, I do see that in the client config. Can I address this on the server side rather than having to reissue new client configs? Also, how would I fix it? Would it be an advanced configuration option of "resolv-retry 0"?

    I've not tried it because I always want the VPN connected. The 0 would indicate 0 seconds to be the time period that the client continues connection attempts.
    Keep in mind that a remote client may not be contactable after this period; AND you will also need a means of establishing the VPN at some point.
    If you have access to the client router, why not enable and disable the VPN client directly as needed?



  • I don't think the resolv-retry option is the answer in my case. According to the OpenVPN manual, it seems like that option is for resolving the hostname.
    Here is the section on the option.

    --resolv-retry n
    If hostname resolve fails for --remote, retry resolve for n seconds before failing.
    Set n to "infinite" to retry indefinitely.

    By default, --resolv-retry infinite is enabled. You can disable by setting n=0.

    I don't think I have a hostname resolution issue. The client connects to the server via IP address in my case so I don't believe it has anything to do with hostname resolution.

    I know there must be an option for this on the OpenVPN server side I can configure which would be pushed to all clients. I just don't know what that option is or how to set it up properly.



  • The client needs to stop the connection by itself.
    There is no function/directive/command on the server side that I know of to stop a client from auto reconnecting.
    The kill command's purpose is for reconnecting a client whose client specific override was modified.
    You could however revoke the client certificate and then kill the connection, after which the client can no longer reconnect.

    The commercial version OpenVPN Access Server can shut the client down based on total transferred bytes over time but that's not any help of course.