Email Notification - OpenVPN Client Connect (Common Name)
-
Anyone's scripts just stop working?
I noticed sometime after August these scripts stopped working on my pfsense box. Not sure what is going on.
-
@boggie1688
There is a boatload of info present - above, to debug.
Can you say more as :@boggie1688 said in Email Notification - OpenVPN Client Connect (Common Name):
scripts stopped
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
@boggie1688
There is a boatload of info present - above, to debug.
Can you say more as :@boggie1688 said in Email Notification - OpenVPN Client Connect (Common Name):
scripts stopped
Not sure where to start.
I've been using the same script for a year or two and suddenly I stopped getting emails when I connect or disconnect. I haven't changed the scripts, so I'm not entirely sure what would cause the lack of emails.
Given I changed nothing, I'm wondering if anyone experienced the same.
-
I haven't used what's being described here for a long time, as I'm the only one using my VPN access, and I already know when I am connected when I'm connected ;)
But :
I've added the third, "client-connect" line to the VPN server custom config :
I've created a file called /root/vpn.sh :
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
// OpenVPN exports the client details as environment variables to the script it calls
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " from: " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
// the same file is used for connect and disconnect; a copy whose name contains "disconnect" adds the session totals
if ( strrchr (__FILE__ , 'disconnect') ) {
    $local_connect_value .= ", duration : " . getenv('time_duration') . " seconds, received : " . getenv('bytes_received') . " bytes, send : " . getenv('bytes_sent') ." bytes. DISCONNECTED.";
}
notify_all_remote($local_connect_value);
?>
and made it executable :
chmod +x /root/vpn.sh
Now, when I connect, I see in the system log :
and I received the mail ....
As you said, nothing changed ;)
That is ..... there is something 'bad' going on.
I've changed the VPN server settings, so I had a look at the VPN server (re) startup log.
( never change settings without looking at the logs afterwards - and if you don't
And there was a warning : This means that my client-connect overrides another client-connect !! So pfSense is also using the "client-connect" VPN server config command.
Let's check the OpenVPN server config file : /var/etc/openvpn/config.ovpn :
...
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
...
client-connect /root/vpn.sh
that's bad indeed.
I've removed my custom config line
client-connect /root/vpn.sh
as something tells me its better that :
client-connect /usr/local/sbin/openvpn.attributes.sh
is used as pfSense 'needs' it to work, to do what it has to do.
So, for now, forget about using "client-connect" in the custom config to have it call your own script (to send a mail or whatever).
It will 'break' other functionality.
When I look at /usr/local/sbin/openvpn.attributes.sh, I can see stuff is done with certs, and subsequent files like /usr/local/sbin/openvpn.connect_async.sh does session stuff, and also logs :
Sending a mail would mean we have to "patch" this (these) files.
-
Thanks for the detailed reply.
I very much appreciate it.
I've never checked the system logs, so I learned something new today.
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
/usr/local/sbin/openvpn.attributes.sh
You are right with this @Gertjan
The script actually triggers another one depending on either being called at connect or disconnect:
/usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh
And that one is no small script! I dug through it for a bit and found it handles things like logging in syslog (e.g. calls logger to log the conn/disconn into openvpn's logs) but it also does a bit of housekeeping tasks.
At disconnect it kills the states the VPN client was previously using so another caller getting that IP wouldn't have states already attached (multiple pfctl -k / -K calls).
But even more serious, it also seems to handle the connection limit setting or duplicate connections. So in overriding the script with a custom logging, you perhaps disable various features that you configured in the VPN server beforehand.
So all in all I wouldn't recommend replacing the client-(dis)connect scripts with own versions.
What would perhaps be possible is writing a quick patch for the caller-script
/usr/local/sbin/openvpn.attributes.sh
where the async script is called and insert another script (e.g. like @Gertjan /root/vpn.sh) into there. But that would have to be checked for, as the script calls various functions via the OpenVPN "deferred" connection method and handles the deferring in the async script.
So I guess one could think about that one:
# Signal deferred handler
if [ "${script_type}" = "client-connect" ]; then
    /bin/echo 2 > "${client_connect_deferred_file}"
    if [ -f /tmp/"${common_name}" ]; then
        /bin/cat /tmp/"${common_name}" > "${client_connect_config_file}"
        /bin/rm /tmp/"${common_name}"
    fi
fi

### --> insert HERE <-- ###

# Handle 'client-connect' and 'client-disconnect'
/usr/bin/nohup /usr/local/sbin/openvpn.connect_async.sh > /dev/null &

# Signal "deferred handler started OK" for client-connect
exit 0
and to insert a small block with a check whether it's called by connect or disconnect state. But that would have to be tested first.
Cheers
\jens -
We ought to get Netgate to insert some "Official hooks" for User initiated connect/disconnect
ie.
if [ -x "/root/OpenVPN-User-Clientconnect.sh" ]; then
if [ -x "/root/OpenVPN-User-Clientdisconnect.sh" ]; then
I'm using these scripts too, and haven't noticed the consequence, until Gertjan pointed it out
/Bingo
-
@bingo600 said in Email Notification - OpenVPN Client Connect (Common Name):
We ought to get Netgate to insert some "Official hooks" for User initiated connect/disconnect
I saw Jimp answering a comparable question a couple of days ago : implementing a hook for a user created script file : he doesn't "like it", as such a script could run with root rights, thus control the entire system.
The situation right now isn't that bad : the admin that knows what he is doing :
- Can patch a pfSense script file with a test "if /root/myopenvpnscript.sh" file exists, and "if it is executable" and if both are ok, call it. (you could build a diff patch for this to make life easier)
- Write their own /root/myopenvpnscript.sh
The user that can do both things will also know how to update, maintain, and re implement this functionality after a pfSense update.
Permitting lambda users to write their own script files ..... => scary.
Look here, last message, what happens when people use home made script / config files, and people forget about it .... https://forum.netgate.com/topic/175234/recent-pppoe-issues-not-auto-reconnecting-for-some-reason-used-to/9?_=1666084459780
edit : just to be clear : I'm not against the idea, of course.
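The guarded hook call that @jens (the "insert HERE" spot in openvpn.attributes.sh) and @Gertjan (test that the file exists and is executable, then call it) describe, written out as an added example. This is not pfSense or Netgate code; the hook directory, the HOOK_UID variable and the two hook file names are assumptions, and the extra owner and write-permission checks are there because whatever this file runs, runs as root.

```sh
#!/bin/sh
# Added example (not pfSense or Netgate code): a guarded hook call for the
# "### --> insert HERE <-- ###" spot in /usr/local/sbin/openvpn.attributes.sh.
# HOOK_DIR, HOOK_UID and the two hook file names are assumptions for this example.
HOOK_DIR="${HOOK_DIR:-/root}"
HOOK_UID="${HOOK_UID:-0}"   # hooks must be owned by root (uid 0) by default

# hook_is_safe FILE: 0 if FILE is a regular, executable file owned by HOOK_UID
# and not group- or world-writable (anyone who can edit it gets root on the box).
hook_is_safe() {
    hook="$1"
    [ -f "$hook" ] && [ -x "$hook" ] || return 1
    # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn "$hook")
    [ "$3" = "$HOOK_UID" ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group write (char 6) or other write (char 9)
    esac
    return 0
}

# run_user_hook: dispatch on the script_type OpenVPN exports, run the matching
# hook in the background with the same environment (common_name, trusted_ip,
# ifconfig_pool_remote_ip, ...) so the deferred connect flow is never delayed.
# Returns 0 if a hook was started, 1 if it was skipped, 2 for an unknown type.
run_user_hook() {
    case "${script_type:-}" in
        client-connect)    hook="$HOOK_DIR/OpenVPN-User-Clientconnect.sh" ;;
        client-disconnect) hook="$HOOK_DIR/OpenVPN-User-Clientdisconnect.sh" ;;
        *) return 2 ;;
    esac
    if hook_is_safe "$hook"; then
        "$hook" >/dev/null 2>&1 &
        return 0
    fi
    logger -t openvpn-hook "skipping $hook: missing, not executable, wrong owner or group/world-writable" 2>/dev/null || :
    return 1
}
```

A skipped hook is logged to syslog rather than failing the connect, so a bad hook file cannot lock clients out of the VPN.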
-
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
Can patch a pfSense script file with a test "if /root/myopenvpnscript.sh" file exist, and "if it is executable" and if both are ok, call it. (you could build a diff patch for this to make live easier)
System Patches can do that just fine, indeed :)
@gertjan said in Email Notification - OpenVPN Client Connect (Common Name):
Write their own /root/myopenvpnscript.sh
Filer package can take care of that, so that it survives a re-install or (perhaps even) an upgrade.
But I feel Jimp here, that it would introduce an attack vector that Netgate can't control. I wouldn't be opposed to patching that ourselves as it's my own responsibility if something goes awry not shipped by Netgate so no one can blame them.
Cheers
\jens -
I use freeradius to auth the users for OpenVPN. Is it possible to have freeradius alert me when a user is correctly authorized?
Eating breakfast and just wondering. I'll try to research this later.
-
That's what this thread is all about.
-
Hi all,
I do not know much about pfsense command line.
Wondering if someone can help me step by step ?
Do I need command line access to the router or I can use the web access to the router ?
Can I use the command prompt section ?
So I have to create 2 executable files name notify.sh and disconnect.sh ? How I am going to create these files ?
I think I got the part to set the permissions. How can I set the permissions ? by using Execute Shell Command section on the web ?
What will be in those two files ?
So same code in both files ?
@Armstrong said in Email Notification - OpenVPN Client Connect (Common Name):
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
$local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " from: " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
if ( strrchr (__FILE__ , 'disconnect') ) {
$local_connect_value .= ", duration : " . getenv('time_duration') . " seconds, received : " . getenv('bytes_received') . " bytes, send : " . getenv('bytes_sent') ." bytes. DISCONNECTED.";
}
notify_all_remote($local_connect_value);
?>
Am I copying from <?php or from #!/usr ?
If it is from <?php then what I have to do with first line #!/usr/local/bin/php -q ?
Is it possible someone can help me step by step and also tell me which part of the webconfigurator I need to use to do all this please ?