OpenVPN no authenticated log generated
-
True - but there was some discussion that others might find interesting or useful.
-
hey all
does it really make sense to do scripting in core pfS files ?
i dont think so.
if you want to receive emails when vpn-clients log in or out
use the method described in this posthttps://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26
as far as some others are concerned if you read the post from top to bottom
you can use a nice working tooltruely mentioned
as @Gertjan mentioned you or someone can aff logger to the script to get more information into the logthe main question still remains
does it really make sense to do scripting in core pfS files ? -
@noplan said:
does it really make sense to do scripting in core pfS files ?
No, it's not ideal to modify the core files. However, did you see the note in 9085 about conflicting scripts?
Putting client-connect and client-disconnect entries in Custom options caused /usr/local/sbin/openvpn.attributes.sh to be overridden. (I wonder if users of the solution in the other topic are seeing that.)
As openvpn.attributes.sh appears to be cleaning up pf table entries on client-disconnect, it didn't seem wise to override it. Adding the two logger lines to it seemed to be the safer, if not the cleanest, way.
-
@Gertjan
how can they (.sh scripts) can make me coffee .... /me pretty interested ;)
but for real dyin from coffee overdose not the best way to leave this world ... -
help me out, still early mornin here,
i get the concern at client-connect (point taken)
i dont get it at client-disconnectso addin the logger lines to the scripts (connect and disconnect) will be a task for today.
i'll keep u posted on this one.
-
@noplan said in OpenVPN no authenticated log generated:
how can they (.sh scripts) can make me coffee .... /me pretty interested ;)
Scripts build cars, fly planes and launch nukes.
And coffee should be a problem ?No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@noplan said in OpenVPN no authenticated log generated:
help me out, still early mornin here,
i get the concern at client-connect (point taken)
i dont get it at client-disconnectI'm just saying that the solution offered in the other topic (using user-written client-connect and client-disconnect scripts in Custom options) will conflict with and prevent the openvpn.attributes.sh script from running.
Because openvpn.attributes.sh uses pfctl to kill state entries when a client disconnects, I think it's better to just add in the logger calls and let the rest of the script do its thing.
By modifying openvpn.attributes.sh, though, you are changing one of the core pfSense files.
-
These lines :
...
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
...
are placed into the openvpn server config file when one of these LAST two options are chosen (User Auth ...) :Each pfSense OpenVPN server instance has a config file here : /var/etc/openvpn/.....
So, when User names and passwords are used, "/usr/local/sbin/openvpn.attributes.sh" is used with the client-connect and client-disconnect commands.
In that case, adding client-connect and client-disconnect commands in the "Custom options" box has consequences and or side effects. Which ones ? Dono, up to you to find out.
So, when you want to use client-connect and client-disconnect commands (with your own scripts) in the Custom options box, you should not chose to use User/password auth, just SSL/TLS.
Btw : had to look up in the manual, the one that explains it all ;)
-
Thanks for that @Gertjan. By "the manual" I assume you mean the code.
I've only ever used the last two options and didn't realize that openvpn.attributes.sh wasn't used in the top three.
Hmmm...
I think I can see why it wouldn't apply to Peer to Peer but I'm now wondering why it wouldn't apply to Remote Access (SSL/TLS)Got it!
-
@Gertjan
allrigth gotYa ! no my coffeeMachine is not gettin a network connection NO WAY !
plenty of IoT Crap here ;) -
so what you are tellin us is that usin those parameters in this script
are modifying core pfSense files and causing problems with pfcl and state entries when a client disconnects ??#!/usr/local/bin/php -q <?php require_once("/etc/inc/notices.inc"); $local_connect_value = " \n user_name: " . getenv('common_name') . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') ." connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a'); if ( strrchr (__FILE__ , 'disconnect') ) { $local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . " hours, or " . round(((getenv('time_duration'))/60),2) . " minutes, or " . getenv('time_duration') . " seconds,\n upload from vpn-client (received) : " . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : " . round(((getenv('bytes_sent'))/1048576),2) ." MB. \n DISCONNECTED."; } notify_all_remote($local_connect_value); ?>the script is called in openVPN Server under
-
@noplan said in OpenVPN no authenticated log generated:
you are tellin us
No, I should tell myself ...
Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called last. If the return code of the module/script controls an authentication function (such as tls-verify, auth-user-pass-verify, or client-connect), then every module and script must return success (0) in order for the connection to be authenticated.So, multiple client-connect and client-disconnect scripts can co-exist in the openvpn server config file (I really thought I was reading : not possible).
Think about exiting your scripts with a null value, and all should be fine. Like exit 0; -
@Gertjan said in OpenVPN no authenticated log generated:
--> Like exit 0
so the next piece to the puzzle ! send me an e-mail script for openVPN
thanks for helpin me out with info
