Netgate Discussion Forum

openVPN notification (for some vpn-user only) maybe via Client Specific Overrides

  • N
    noplan
    last edited by Mar 24, 2020, 7:33 AM

    as earlier discussed and solved in a working way
    see posts here (notification sent via mail when vpn-user connects / disconnects)

    Link: email-notification-openvpn-client-connect-common-name

    I put my clients in categories like these

    management (trusted)
    sysops (trusted)
    employees (trusted ;)
    contractors (notification needed)
    

    THE GOAL:
    notifications only to be sent if (untrusted or notification needed) are logging in.

    copying the scripts call for disconnect.sh & disconnect.sh (scripts see this post link:)
    to the advanced section in Client Specific Overrides is not working and results in this error
    Options error: option 'client-disconnect' cannot be used in this context

    any hints are welcome
    thx #stayhealthy

    • G
      Gertjan @noplan
      last edited by Gertjan Mar 24, 2020, 10:11 AM Mar 24, 2020, 10:09 AM

      @noplan said in openVPN notification (for some vpn-user only) maybe via Client Specific Overrides:

      copying the scripts call for disconnect.sh & disconnect.sh (scripts see this post link:)
      to the advanced section in Client Specific Overrides is not working and results in this error
      Options error: option 'client-disconnect' cannot be used in this context

      because the "Client Specific Overrides" are used to build the Client Specific OpenVPN client program.
      Not the server.
      The scripts run on the OpenVPN server, not the client.
      OpenVPN server config commands like "client-connect" have no meaning for the OpenVPN client program.
      Or, as said, "not in this context".

      What should (could ... I didn't try anything) be done is :
      You've put your clients in specific categories.
      Using pfSense ?
      If so, these clients and categories are stored in the pfSense config file.

      You will have to write a shell script or PHP script that takes the variables that are used by OpenVPN server, and compare the fields - see OpenVPN for doc, it exports a lot of info - and compare it with your client/category lists. This means you have to parse the config file with the same script.
      Send out a notification if a "contractors" type of user connects to VPN.

      In short : some scripting required ;)

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • N
        noplan
        last edited by Mar 25, 2020, 1:53 PM

        damn true! thanks a lot! that makes sense @ "Client Specific Overrides"
        yes 100% using pfSense here!

        lets go ...

        • Step 1
          yes, the vpn-clients are grouped by (based on IPs provided by Client Specific Overrides and ruled by Alias on the Firewall) so that only valid IPs are allowed by the Firewall (if CSO fails no one can access ;)

        • Step 2
          get the information on pfsense for the "client/category contractor-lists" worst case create the file contractor-list by hand

        • Step 3
          make the compare, something like that "if user is listed in contractor-list then send notification else ignore" in the existing connect.sh or disconnect.sh and call them on the openVpn Server with client-disconnect /root/disconnect.sh

        anything better solved ?
        or any hints ...
        if anyone is faster than me scripting this feel free to post it here, i'll try my best to be faster than you ;) or to ship over some coffee from europe :)

        • N
          noplan
          last edited by Mar 25, 2020, 10:00 PM

          the untrusted IPs to find in

          contractor-list.txt
          

          the script should look something like that ... called by the openVPN Server

          client-disconnect /root/contractor_disconnect.sh
          
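          #!/usr/local/bin/php -q
          <?php
          require_once('/etc/inc/notices.inc');

          // Tunnel IP that the OpenVPN server assigned to this client.
          $name = getenv('ifconfig_pool_remote_ip');
          // Resolve the list next to this script (assumed location); a bare relative
          // path depends on the working directory of the OpenVPN daemon.
          $fp = fopen(__DIR__ . '/contractor-list.txt', 'r');
          if ($fp) {
              while (($line = fgets($fp, 100)) !== false) {
                  // trim() removes the trailing newline so a listed IP compares equal.
                  if ($name !== false && $name === trim($line)) {
                      $local_connect_value = " \n user_name: " . getenv('common_name') . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
                      // strpos() searches for the whole word; strrchr() only uses the first character of its needle.
                      if (strpos(basename(__FILE__), 'disconnect') !== false) {
                          $secs = (int) getenv('time_duration');
                          $local_connect_value .= ", \n duration : " . round($secs / 3600, 2) . "  hours, or " . round($secs / 60, 2) . "  minutes, or " . $secs . "  seconds,\n upload from vpn-client (received) : " . round(((int) getenv('bytes_received')) / 1048576, 2) . " MB, \n download to vpn-client (send) : " . round(((int) getenv('bytes_sent')) / 1048576, 2) . " MB. \n DISCONNECTED.";
                      }
                      notify_all_remote($local_connect_value);
                      break; // one notification per event, even if the IP is listed twice
                  }
              }
              fclose($fp); // only close a handle that was actually opened
          }
          ?>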
          
          

          but something is not working
          so back to square one !

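
The category check suggested in the thread, keyed on the certificate common name rather than the pool IP, so that an unlisted user or a missing list produces a notification instead of silence. This is an added example, not code from any post in this thread; the map file format, the `MAP` path, `NOTIFY_CMD` and delivery through `logger` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed map format, one client per line:
#   <common_name> <category>      e.g. (constructed)  dave-ext contractors
# MAP and NOTIFY_CMD are hypothetical names; the categories are those of the first post.
MAP="${MAP:-/root/vpn-categories.txt}"

# Print the category of a common name; "unknown" if unlisted or the map is unreadable.
category_for() {
    [ -r "$2" ] || { echo unknown; return 0; }
    CN="$1" awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        # "" forces a string comparison, so "1.0" never equals "1"
        ($1 "") == (ENVIRON["CN"] "") { print $2; found = 1; exit }
        END { if (!found) print "unknown" }' "$2"
}

# Succeeds (0) when a notification is due. Only the trusted categories are
# silenced, so contractors, unlisted users and a missing map all notify.
needs_notification() {
    case "$(category_for "$1" "$2")" in
        management|sysops|employees) return 1 ;;
        *) return 0 ;;
    esac
}

# Keep only characters expected in names and addresses: no newlines or
# control bytes reach the mail or log line.
clean() { printf '%s' "$1" | LC_ALL=C tr -cd '[:alnum:]._@:-'; }

# One-line message built from variables the OpenVPN server exports to the hook.
build_message() {
    printf 'user=%s vpn_ip=%s from=%s event=%s' \
        "$(clean "${common_name:-}")" "$(clean "${ifconfig_pool_remote_ip:-}")" \
        "$(clean "${trusted_ip:-}")" "$(clean "${script_type:-}")"
}

# Hook entry point. A client-connect script that exits non-zero makes the
# server refuse the client, so a delivery failure is swallowed here.
if [ -n "${common_name:-}" ] && needs_notification "$common_name" "$MAP"; then
    build_message | ${NOTIFY_CMD:-logger -t vpn-notify} || true
fi
```

Because `script_type` is part of the message, the same file can serve as both the `client-connect` and the `client-disconnect` hook.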
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.