Netgate Discussion Forum

    openVPN notification (for some vpn-user only) maybe via Client Specific Overrides

    • noplan

      as earlier discussed and solved in a working way
      see posts here (notification sent via mail when vpn-user connects / disconnects)

      Link: email-notification-openvpn-client-connect-common-name

      I put my clients in categories like these

      management (trusted)
      sysops (trusted)
      employees (trusted ;)
      contractors (notification needed)
      

      THE GOAL:
      notifications only to be sent if (untrusted or notification needed) are logging in.

      copying the scripts call for disconnect.sh & disconnect.sh (scripts see this post link:)
      to the advanced section in Client Specific Overrides is not working and results in this error
      Options error: option 'client-disconnect' cannot be used in this context

      any hints are welcome
      thx #stayhealthy

      • Gertjan @noplan

        @noplan said in openVPN notification (for some vpn-user only) maybe via Client Specific Overrides:

        copying the scripts call for disconnect.sh & disconnect.sh (scripts see this post link:)
        to the advanced section in Client Specific Overrides is not working and results in this error
        Options error: option 'client-disconnect' cannot be used in this context

        because the "Client Specific Overrides" are used to build the Client Specific OpenVPN client program.
        Not the server.
        The scripts run on the OpenVPN server, not the client.
        OpenVPN server config commands like "client-connect" have no meaning for the OpenVPN client program.
        Or, as said, "not in this context".

        What should (could ... I didn't try anything) be done is :
        You've put your clients in specific categories.
        Using pfSense ?
        If so, these clients and categories are stored in the pfSense config file.

        You will have to write a shell script or PHP script that takes the variables that are used by OpenVPN server, and compare the fields - see OpenVPN for doc, it exports a lot of info - and compare it with your client/category lists. This means you have to parse the config file with the same script.
        Send out a notification if a "contractors" type of user connects to VPN.

        In short : some scripting required ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • noplan

          damn true! thanks a lot! that makes sense @ "Client Specific Overrides"
          yes 100% using pfSense here!

          lets go ...

          • Step 1
            yes, the vpn-clients are grouped by (based on IPs provided by Client Specific Overrides and ruled by Alias on the Firewall) so that only valid IPs are allowed by the Firewall (if CSO fails no one can access ;)

          • Step 2
            get the information on pfsense for the "client/category contractor-lists" worst case create the file contractor-list by hand

          • Step 3
            make the compare, something like that "if user is listed in contractor-list then send notification else ignore" in the existing connect.sh or disconnect.sh and call them on the openVpn Server with client-disconnect /root/disconnect.sh

          anything better solved ?
          or any hints ...
          if anyone is faster than me scripting this feel free to post it here, i'll try my best to be faster than you ;) or to ship over some coffee from europe :)

          • noplan

            the untrusted IPs to find in

            contractor-list.txt
            

            the script should look something like that ... called by the openVPN Server

            client-disconnect /root/contractor_disconnect.sh
            
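            #!/usr/local/bin/php -q
            <?php
            require_once('/etc/inc/notices.inc');

            // IP that the OpenVPN server assigned to this client.
            $name = getenv('ifconfig_pool_remote_ip');

            // Relative path: resolved against the directory the script is run from.
            $fp = fopen('contractor-list.txt', 'r');
            if ($fp) {
                // fgets() returns false at end of file, which ends the loop.
                while (($line = fgets($fp, 100)) !== false) {
                    // trim() strips the trailing newline. '\n' in single quotes is a
                    // literal backslash-n and '$line' a literal string, so neither
                    // can be used here. === keeps a missing variable (false) from
                    // matching an empty line.
                    if ($name === trim($line)) {
                        $local_connect_value = " \n user_name: " . getenv('common_name') . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') ." connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
                        // strpos() searches for the whole word; strrchr() only uses
                        // the first character of its needle.
                        if (strpos(__FILE__, 'disconnect') !== false) {
                            $local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . "  hours, or " . round(((getenv('time_duration'))/60),2) . "  minutes, or " . getenv('time_duration') . "  seconds,\n upload from vpn-client (received) : " . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : " . round(((getenv('bytes_sent'))/1048576),2) ." MB. \n DISCONNECTED.";
                        }
                        notify_all_remote($local_connect_value);
                    }
                }
                // Close the handle only when the open succeeded.
                fclose($fp);
            }

            ?>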
            
            

            but something is not working
            so back to square one !
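
The selective check discussed in this thread, generalized from the IP list to a per-client category map keyed on `common_name`, as an added shell example that is not code from any poster. The map format, the sample names and the function names are assumptions, and a client missing from the map is treated as untrusted, so it triggers a notification.

```shell
#!/bin/sh
# Added example, not from the thread. The map file format and all function
# names are assumptions: one "<common_name> <category>" pair per line.
NOTIFY_CATEGORIES="contractors"    # categories that must trigger a mail

# Print the category of common name $1 found in map file $2. Unlisted names,
# entries without a category and unreadable files all yield "unknown".
lookup_category() {
    [ -n "$1" ] && [ -r "$2" ] || { echo unknown; return 0; }
    CN="$1" awk '
        { sub(/\r$/, "") }               # tolerate CRLF line endings
        /^[ \t]*#/ { next }              # skip comment lines
        NF >= 2 && ($1 "") == (ENVIRON["CN"] "") { print $2; found = 1; exit }
        END { if (!found) print "unknown" }
    ' "$2"
}

# Succeed when category $1 needs a notification. "unknown" always does, so a
# client missing from the map is reported instead of being silently trusted.
should_notify() {
    for c in $NOTIFY_CATEGORIES unknown; do
        if [ "$1" = "$c" ]; then return 0; fi
    done
    return 1
}

# Print the mail body for the current event and return 0, or print nothing
# and return 1 for trusted categories. Reads the variables OpenVPN exports to
# client-connect / client-disconnect scripts (the ones the thread's PHP uses).
notification_for_event() {
    category=$(lookup_category "${common_name:-}" "$1")
    should_notify "$category" || return 1
    printf 'user_name: %s\ncategory: %s\nvpn_client_ip: %s\nconnected from: %s\n' \
        "${common_name:-?}" "$category" \
        "${ifconfig_pool_remote_ip:-?}" "${trusted_ip:-?}"
}

# Demo on a constructed map; alice, bob and mallory are made-up names.
demo_map=$(mktemp)
printf '# name category\nalice management\nbob contractors\r\n' > "$demo_map"
for common_name in alice bob mallory; do
    notification_for_event "$demo_map" || echo "$common_name: trusted, no mail"
done
rm -f "$demo_map"
```

In a `client-connect` or `client-disconnect` script, the output of `notification_for_event` goes to whatever sends mail on the system; on pfSense the PHP in this thread calls `notify_all_remote()` for that.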

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.