openVPN notification (for some vpn-user only) maybe via Client Specific Overrides
-
As discussed earlier and solved in a working way; see the posts here (notification sent via mail when a VPN user connects / disconnects): Link: email-notification-openvpn-client-connect-common-name
I put my clients in categories like these:
management (trusted)
sysops (trusted)
employees (trusted ;)
contractors (notification needed)
THE GOAL:
Notifications should only be sent if (untrusted or notification needed) users are logging in.
Copying the script calls for connect.sh & disconnect.sh (for the scripts see this post link:) to the advanced section in Client Specific Overrides is not working and results in this error:
Options error: option 'client-disconnect' cannot be used in this context
Any hints are welcome.
thx #stayhealthy -
@noplan said in openVPN notification (for some vpn-user only) maybe via Client Specific Overrides:
Copying the script calls for connect.sh & disconnect.sh (for the scripts see this post link:) to the advanced section in Client Specific Overrides is not working and results in this error:
Options error: option 'client-disconnect' cannot be used in this context
Because the "Client Specific Overrides" are used to build the client-specific OpenVPN client program.
Not the server.
The scripts run on the OpenVPN server, not the client.
OpenVPN server config commands like "client-connect" have no meaning for the OpenVPN client program.
Or, as said, "not in this context".
What should (could ... I didn't try anything) be done is:
You've put your clients in specific categories.
Using pfSense?
If so, these clients and categories are stored in the pfSense config file. You will have to write a shell script or PHP script that takes the variables that are used by the OpenVPN server (see the OpenVPN docs; it exports a lot of info) and compares the fields with your client/category lists. This means you have to parse the config file with the same script.
Send out a notification if a "contractors" type of user connects to the VPN. In short: some scripting required ;)
-
Damn true! Thanks a lot! That makes sense @ "Client Specific Overrides".
Yes, 100% using pfSense here! Let's go ...
-
Step 1
Yes, the VPN clients are grouped (based on IPs provided by Client Specific Overrides and ruled by an alias on the firewall) so that only valid IPs are allowed by the firewall (if the CSO fails, no one can access ;) -
Step 2
Get the information on pfSense for the "client/category contractor lists"; worst case, create the file contractor-list by hand -
Step 3
Make the comparison, something like "if user is listed in contractor-list then send notification else ignore", in the existing connect.sh or disconnect.sh and call them on the OpenVPN server with client-disconnect /root/disconnect.sh
Anything better solved?
Or any hints ...
If anyone is faster than me scripting this, feel free to post it here; I'll try my best to be faster than you ;) or to ship over some coffee from Europe :) -
-
The untrusted IPs are to be found in
contractor-list.txt
The script should look something like this ... called by the OpenVPN server with
client-disconnect /root/contractor_disconnect.sh

```php
#!/usr/local/bin/php -q
<?php
require_once('/etc/inc/notices.inc');

// Tunnel IP that OpenVPN assigned to this session (fixed per user via the CSO)
$name = getenv('ifconfig_pool_remote_ip');

// Absolute path: the script is started by the OpenVPN server, not from /root
$fp = fopen('/root/contractor-list.txt', 'r');
if ($fp) {
    while (!feof($fp)) {
        $line = fgets($fp, 100);
        // trim() strips the trailing newline; comparing against the single-quoted
        // literal '$line' (as before) can never match anything
        if ($line !== false && $name == trim($line)) {
            $local_connect_value = " \n user_name: " . getenv('common_name') .
                " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') .
                " connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
            // Same file is used for connect and disconnect; the file name tells them apart
            if (strrchr(__FILE__, 'disconnect')) {
                $local_connect_value .= ", \n duration : " . round(getenv('time_duration') / 3600, 2) . " hours, or " .
                    round(getenv('time_duration') / 60, 2) . " minutes, or " . getenv('time_duration') . " seconds," .
                    "\n upload from vpn-client (received) : " . round(getenv('bytes_received') / 1048576, 2) . " MB, " .
                    "\n download to vpn-client (send) : " . round(getenv('bytes_sent') / 1048576, 2) . " MB. \n DISCONNECTED.";
            }
            notify_all_remote($local_connect_value);
        }
    }
    fclose($fp);
}
?>
```

But something is not working,
so back to square one!
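The plan laid out in the reply above (take the variables the OpenVPN server exports, compare them with the contractor list, notify only on a match) and the three steps and script in the later posts, written out as one complete script. This is an added example, not code from this thread or from pfSense. It assumes the list lives at /root/contractor-list.txt (hypothetical path), that notify_all_remote() from /etc/inc/notices.inc is the notification call (as in the script above), and that the directives are put into the OpenVPN server's Custom options, not a Client Specific Override. OpenVPN sets the environment variable script_type to the hook that is running, so one file can serve both client-connect and client-disconnect.

```php
#!/usr/local/bin/php -q
<?php
/*
 * contractor_notify.php (hypothetical name). Install on the pfSense box, chmod 755,
 * then add to the OpenVPN *server* custom options (never to a CSO):
 *
 *   client-connect /root/contractor_notify.php
 *   client-disconnect /root/contractor_notify.php
 *   script-security 2        (only if the generated server config does not allow scripts yet)
 *
 * The list file holds one entry per line: either a certificate common name or the
 * tunnel IP the CSO hands out. Blank lines and lines starting with '#' are ignored.
 */
require_once('/etc/inc/notices.inc');

const CONTRACTOR_LIST = '/root/contractor-list.txt';   // assumed path

// Load the list into a set keyed by the trimmed, lower-cased entry.
function load_contractor_list(string $path): array {
    $set = [];
    if (!is_readable($path)) {
        return $set;    // missing list => nobody is notified, but nobody is blocked either
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $entry = trim($line);
        if ($entry === '' || $entry[0] === '#') {
            continue;
        }
        $set[strtolower($entry)] = true;
    }
    return $set;
}

// A session needs a notification if its CN or its tunnel IP is on the list.
function needs_notification(array $set, string $cn, string $tunnel_ip): bool {
    return isset($set[strtolower($cn)]) || isset($set[$tunnel_ip]);
}

// Build the notice text; disconnect events add duration and traffic counters.
function build_message(string $event, array $env): string {
    $msg = sprintf("OpenVPN %s: user %s, vpn_client_ip %s, from %s on %s",
        strtoupper($event), $env['common_name'], $env['ifconfig_pool_remote_ip'],
        $env['trusted_ip'], date('F j, Y, g:i a'));
    if ($event === 'disconnect') {
        $secs = (int)$env['time_duration'];
        $msg .= sprintf(", duration %.2f h (%d s), received %.2f MB, sent %.2f MB",
            $secs / 3600, $secs,
            (int)$env['bytes_received'] / 1048576, (int)$env['bytes_sent'] / 1048576);
    }
    return $msg;
}

// OpenVPN exports script_type as "client-connect" or "client-disconnect".
$event = (getenv('script_type') === 'client-disconnect') ? 'disconnect' : 'connect';
$env = [
    'common_name'             => getenv('common_name') ?: '?',
    'ifconfig_pool_remote_ip' => getenv('ifconfig_pool_remote_ip') ?: '?',
    'trusted_ip'              => getenv('trusted_ip') ?: '?',
    'time_duration'           => getenv('time_duration') ?: '0',
    'bytes_received'          => getenv('bytes_received') ?: '0',
    'bytes_sent'              => getenv('bytes_sent') ?: '0',
];

if (needs_notification(load_contractor_list(CONTRACTOR_LIST),
                       $env['common_name'], $env['ifconfig_pool_remote_ip'])) {
    notify_all_remote(build_message($event, $env));
}

// A non-zero exit from a client-connect script makes OpenVPN reject the client,
// so always exit 0: a broken notification must not turn into a locked-out user.
exit(0);
```

Before wiring it into the server, run it by hand on the firewall with the variables OpenVPN would set, e.g. `common_name=contractor1 ifconfig_pool_remote_ip=10.0.8.50 trusted_ip=203.0.113.5 script_type=client-connect /root/contractor_notify.php` (constructed values), and check that a notice arrives only when the CN or IP is in the list. Listing the CN as well as the CSO IP is deliberate: if a CSO is ever missing, the user gets a pool address instead of the listed one and, as step 1 notes, is blocked by the firewall alias anyway, but the CN match still records the attempt.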