OpenVPN no authenticated log generated

biggsy · Apr 1, 2020, 1:06 AM

does it really make sense to do scripting in core pfS files ?

No, it's not ideal to modify the core files. However, did you see the note in 9085 about conflicting scripts?

Putting client-connect and client-disconnect entries in Custom options caused /usr/local/sbin/openvpn.attributes.sh to be overridden. (I wonder if users of the solution in the other topic are seeing that.)

As openvpn.attributes.sh appears to be cleaning up pf table entries on client-disconnect, it didn't seem wise to override it. Adding the two logger lines to it seemed to be the safer, if not the cleanest, way.

noplan · Apr 1, 2020, 5:48 AM

@Gertjan
how can they (.sh scripts) can make me coffee .... /me pretty interested ;)
but for real dyin from coffee overdose not the best way to leave this world ...

noplan · Apr 1, 2020, 5:52 AM

@biggsy

help me out, still early mornin here,
i get the concern at client-connect (point taken)
i dont get it at client-disconnect

so addin the logger lines to the scripts (connect and disconnect) will be a task for today.

i'll keep u posted on this one.

Gertjan · Apr 1, 2020, 6:08 AM

@noplan said in OpenVPN no authenticated log generated:

how can they (.sh scripts) can make me coffee .... /me pretty interested ;)

Scripts build cars, fly planes and launch nukes.
And coffee should be a problem ?

biggsy · Apr 1, 2020, 6:30 AM

@noplan said in OpenVPN no authenticated log generated:

@biggsy

help me out, still early mornin here,
i get the concern at client-connect (point taken)
i dont get it at client-disconnect

I'm just saying that the solution offered in the other topic (using user-written client-connect and client-disconnect scripts in Custom options) will conflict with and prevent the openvpn.attributes.sh script from running.

Because openvpn.attributes.sh uses pfctl to kill state entries when a client disconnects, I think it's better to just add in the logger calls and let the rest of the script do its thing.

By modifying openvpn.attributes.sh, though, you are changing one of the core pfSense files.

Gertjan · Apr 1, 2020, 7:12 AM

These lines :

...
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
...
are placed into the openvpn server config file when one of these LAST two options are chosen (User Auth ...) :

Each pfSense OpenVPN server instance has a config file here : /var/etc/openvpn/.....

So, when User names and passwords are used, "/usr/local/sbin/openvpn.attributes.sh" is used with the client-connect and client-disconnect commands.

In that case, adding client-connect and client-disconnect commands in the "Custom options" box has consequences and or side effects. Which ones ? Dono, up to you to find out.

So, when you want to use client-connect and client-disconnect commands (with your own scripts) in the Custom options box, you should not chose to use User/password auth, just SSL/TLS.

Btw : had to look up in the manual, the one that explains it all ;)

biggsy · Apr 1, 2020, 7:47 AM

Thanks for that @Gertjan. By "the manual" I assume you mean the code.

I've only ever used the last two options and didn't realize that openvpn.attributes.sh wasn't used in the top three.

Hmmm...
~~I think I can see why it wouldn't apply to Peer to Peer but I'm now wondering why it wouldn't apply to Remote Access (SSL/TLS)~~

Got it!

noplan · Apr 1, 2020, 12:48 PM

@Gertjan
allrigth gotYa ! no my coffeeMachine is not gettin a network connection NO WAY !
plenty of IoT Crap here ;)

noplan · Apr 1, 2020, 1:21 PM

so what you are tellin us is that usin those parameters in this script
are modifying core pfSense files and causing problems with pfcl and state entries when a client disconnects ??

#!/usr/local/bin/php -q
<?php
	require_once("/etc/inc/notices.inc");
	$local_connect_value = " \n user_name: " . getenv('common_name') . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') ." connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
	if ( strrchr (__FILE__ , 'disconnect') ) {
	$local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . "  hours, or " . round(((getenv('time_duration'))/60),2) . "  minutes, or " . getenv('time_duration') . "  seconds,\n upload from vpn-client (received) : " . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : " . round(((getenv('bytes_sent'))/1048576),2) ." MB. \n DISCONNECTED.";
	}
	notify_all_remote($local_connect_value);
?>

the script is called in openVPN Server under

Gertjan · Apr 1, 2020, 3:20 PM

@noplan said in OpenVPN no authenticated log generated:

you are tellin us

No, I should tell myself ...

Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called last. If the return code of the module/script controls an authentication function (such as tls-verify, auth-user-pass-verify, or client-connect), then every module and script must return success (0) in order for the connection to be authenticated.

So, multiple client-connect and client-disconnect scripts can co-exist in the openvpn server config file (I really thought I was reading : not possible).
Think about exiting your scripts with a null value, and all should be fine. Like exit 0;

noplan · Apr 1, 2020, 5:27 PM

@Gertjan said in OpenVPN no authenticated log generated:

--> Like exit 0

so the next piece to the puzzle ! send me an e-mail script for openVPN

thanks for helpin me out with info