Openvpn - Business hours



  • Hi guys!

    Is it possible to create a schedule for connecting to the VPN using OpenVPN?

    For example, I permit my users to connect to the VPN between 8:00AM and 6:00PM; after that, they can't connect anymore.

    Thank you.



  • You should be able to accomplish this using firewall rule schedules.  See here for a start:

    https://doc.pfsense.org/index.php/Firewall_Rule_Schedules



  • Firewall schedules would work, but they would block all inbound connections. For anyone wondering if there is another way, you could also use the OpenVPN tls-verify script: have your script check the time and give a go/no-go, etc. The advantage of this approach is for where you yourself still want to be able to connect, but block all others.



  • Conor, do you have an example of how I can create this script?

    Thank you!



  • The tls-verify command in OpenVPN calls a script that you specify. The exit code of the script is what OpenVPN is looking for: exit 0 is a success and exit 1 is a failure. On exit 0, OpenVPN proceeds with the connection.

    pfSense already uses a tls-verify script, so you need to add your code into that. WARNING - upgrades will wipe out your changes, so keep a backup for after future upgrades.
    The pfSense script is located here: /usr/local/sbin/ovpn_auth_verify

    Below is a sample script for checking the time; if the time is between 9am and 5.30pm it exits with success. You would need to merge this into the pfSense script.

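    #!/bin/sh
    # Allowed window as HHMMSS (09:00:00 to 17:30:00)
    prodStartTime="090000"
    prodEndTime="173000"

    # Current local time in the same HHMMSS format
    currentTime=$(date +"%H%M%S")
    echo "$prodStartTime"
    echo "$prodEndTime"
    echo "$currentTime"

    if [ "$currentTime" -ge "$prodStartTime" ]
    then
            if [ "$currentTime" -le "$prodEndTime" ]
            then
                    # Inside the window: OpenVPN proceeds
                    exit 0
            else
                    # After the end time: reject
                    exit 1
            fi
    else
            # Before the start time: reject
            exit 1
    fi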



  • Excellent Conor!

    In my case I have many users using OpenVPN. I need to create this hourly-based "rule" only for some users.

    Do you know how I can create a script based on users or Tunnel Network?

    Thank you again.



  • A client-connect script would be suited for that.



  • Yep, the client-connect script sounds ideal. I need to test it on a test unit to see what variables you can see; will revert back.
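
A per-user version of the time check as a client-connect hook, added here as an example and not part of the original thread or of pfSense's own scripts. It relies on the `common_name` and `script_type` environment variables that OpenVPN sets for its scripts, and on a non-zero exit from client-connect rejecting the client; the user list and the 8:00AM to 6:00PM window are constructed sample values.

```shell
#!/bin/sh
# Added example: per-user business-hours check for an OpenVPN client-connect hook.
# RESTRICTED_USERS and the window below are constructed sample values (assumptions).
RESTRICTED_USERS="alice bob"   # certificate common names limited to business hours
START="0800"                   # window start, HHMM, inclusive
END="1800"                     # window end, HHMM, inclusive

# vpn_allowed CN HHMM -> returns 0 to allow the connection, 1 to reject it
vpn_allowed() {
    cn=$1
    now=$2
    # Fail closed on a missing name or a malformed time.
    [ -n "$cn" ] || return 1
    case $now in
        [0-2][0-9][0-5][0-9]) ;;
        *) return 1 ;;
    esac
    for user in $RESTRICTED_USERS; do
        if [ "$cn" = "$user" ]; then
            # test(1) compares these as decimal integers, so leading zeros are fine.
            if [ "$now" -ge "$START" ] && [ "$now" -le "$END" ]; then
                return 0
            fi
            return 1
        fi
    done
    return 0   # users not on the list are not time-restricted
}

# Only act when OpenVPN invokes this file as its client-connect script.
if [ "${script_type:-}" = "client-connect" ]; then
    vpn_allowed "${common_name:-}" "$(date +%H%M)"
    exit $?
fi
```

The hook runs when a client connects, so a session established before the window closes is not dropped by it.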

