Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN no authenticated log generated

    Scheduled Pinned Locked Moved OpenVPN
    31 Posts 4 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      biggsy @noplan
      last edited by

      @noplan said:

      does it really make sense to do scripting in core pfS files ?

      No, it's not ideal to modify the core files. However, did you see the note in 9085 about conflicting scripts?

      Putting client-connect and client-disconnect entries in Custom options caused /usr/local/sbin/openvpn.attributes.sh to be overridden. (I wonder if users of the solution in the other topic are seeing that.)

      As openvpn.attributes.sh appears to be cleaning up pf table entries on client-disconnect, it didn't seem wise to override it. Adding the two logger lines to it seemed to be the safer, if not the cleanest, way.

      noplanN 1 Reply Last reply Reply Quote 0
      • noplanN
        noplan @Gertjan
        last edited by

        @Gertjan
        how can they (.sh scripts) can make me coffee .... /me pretty interested ;)
        but for real dyin from coffee overdose not the best way to leave this world ...

        GertjanG 1 Reply Last reply Reply Quote 0
        • noplanN
          noplan @biggsy
          last edited by

          @biggsy

          help me out, still early mornin here,
          i get the concern at client-connect (point taken)
          i dont get it at client-disconnect

          so addin the logger lines to the scripts (connect and disconnect) will be a task for today.

          i'll keep u posted on this one.

          B 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @noplan
            last edited by

            @noplan said in OpenVPN no authenticated log generated:

            how can they (.sh scripts) can make me coffee .... /me pretty interested ;)

            Scripts build cars, fly planes and launch nukes.
            And coffee should be a problem ?

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            noplanN 1 Reply Last reply Reply Quote 1
            • B
              biggsy @noplan
              last edited by biggsy

              @noplan said in OpenVPN no authenticated log generated:

              @biggsy

              help me out, still early mornin here,
              i get the concern at client-connect (point taken)
              i dont get it at client-disconnect

              I'm just saying that the solution offered in the other topic (using user-written client-connect and client-disconnect scripts in Custom options) will conflict with and prevent the openvpn.attributes.sh script from running.

              Because openvpn.attributes.sh uses pfctl to kill state entries when a client disconnects, I think it's better to just add in the logger calls and let the rest of the script do its thing.

              By modifying openvpn.attributes.sh, though, you are changing one of the core pfSense files.

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan
                last edited by Gertjan

                These lines :

                ...
                client-connect /usr/local/sbin/openvpn.attributes.sh
                client-disconnect /usr/local/sbin/openvpn.attributes.sh
                ...
                are placed into the openvpn server config file when one of these LAST two options are chosen (User Auth ...) :

                Each pfSense OpenVPN server instance has a config file here : /var/etc/openvpn/.....

                9972a5bc-f1fd-46f1-918e-348aafd0c061-image.png

                So, when User names and passwords are used, "/usr/local/sbin/openvpn.attributes.sh" is used with the client-connect and client-disconnect commands.

                In that case, adding client-connect and client-disconnect commands in the "Custom options" box has consequences and or side effects. Which ones ? Dono, up to you to find out.

                So, when you want to use client-connect and client-disconnect commands (with your own scripts) in the Custom options box, you should not chose to use User/password auth, just SSL/TLS.

                Btw : had to look up in the manual, the one that explains it all ;)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 1
                • B
                  biggsy
                  last edited by biggsy

                  Thanks for that @Gertjan. By "the manual" I assume you mean the code.

                  I've only ever used the last two options and didn't realize that openvpn.attributes.sh wasn't used in the top three.

                  Hmmm...
                  I think I can see why it wouldn't apply to Peer to Peer but I'm now wondering why it wouldn't apply to Remote Access (SSL/TLS)

                  Got it!

                  1 Reply Last reply Reply Quote 0
                  • noplanN
                    noplan @Gertjan
                    last edited by

                    @Gertjan
                    allrigth gotYa ! no my coffeeMachine is not gettin a network connection NO WAY !
                    plenty of IoT Crap here ;)

                    1 Reply Last reply Reply Quote 0
                    • noplanN
                      noplan
                      last edited by

                      so what you are tellin us is that usin those parameters in this script
                      are modifying core pfSense files and causing problems with pfcl and state entries when a client disconnects ??

                      #!/usr/local/bin/php -q
                      <?php
                      	require_once("/etc/inc/notices.inc");
                      	$local_connect_value = " \n user_name: " . getenv('common_name') . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') ." connected from " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
                      	if ( strrchr (__FILE__ , 'disconnect') ) {
                      	$local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . "  hours, or " . round(((getenv('time_duration'))/60),2) . "  minutes, or " . getenv('time_duration') . "  seconds,\n upload from vpn-client (received) : " . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : " . round(((getenv('bytes_sent'))/1048576),2) ." MB. \n DISCONNECTED.";
                      	}
                      	notify_all_remote($local_connect_value);
                      ?>
                      

                      the script is called in openVPN Server under
                      ceee1e18-d6a4-4878-b4f7-f8e3d7ad509e-grafik.png

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • GertjanG
                        Gertjan @noplan
                        last edited by Gertjan

                        @noplan said in OpenVPN no authenticated log generated:

                        you are tellin us

                        No, I should tell myself ...

                        Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by OpenVPN in the order that they are declared in the config file. If both a plugin and script are configured for the same callback, the script will be called last. If the return code of the module/script controls an authentication function (such as tls-verify, auth-user-pass-verify, or client-connect), then every module and script must return success (0) in order for the connection to be authenticated.
                        

                        So, multiple client-connect and client-disconnect scripts can co-exist in the openvpn server config file (I really thought I was reading : not possible).
                        Think about exiting your scripts with a null value, and all should be fine. Like exit 0;

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • noplanN
                          noplan
                          last edited by

                          @Gertjan said in OpenVPN no authenticated log generated:

                          --> Like exit 0

                          so the next piece to the puzzle ! send me an e-mail script for openVPN

                          thanks for helpin me out with info

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.