Netgate Discussion Forum

Setting up pfsense openvpn client site-to-site disconnect notifications

  • S
    SipriusPT
    last edited by SipriusPT Jul 20, 2020, 6:41 PM Jul 20, 2020, 1:31 PM

    Hello everyone,

    I want to set up notifications for an openvpn client site-to-site, from pfsense, to send email notifications when it disconnects and connects again.

    I have read here about people setting up notifications for an openvpn server, and tried it with this pfsense with an openvpn client profile, but no luck.

    There are already notifications set up and running in this pfsense.

    What I have done was:

    • Created /root/notify.sh with:
    #!/usr/local/bin/php -q
    <?php
    
            require_once("/etc/inc/notices.inc");
            notify_all_remote("VPN Connected");
    ?>
    
    • Gave permissions for execute in that file:
    chmod +x /root/notify.sh
    
    • And add the extra argument in openvpn client profile:
    client-disconnect /root/notify.sh
    

    After this openvpn client service stops working...

    Does anyone know if it's possible to use this custom option with an openvpn client profile?

    1xSG-4860-1U
    1xSG-3100
    2xpfSense Virtual Machines

    • J
      JeGr LAYER 8 Moderator
      last edited by JeGr Jul 20, 2020, 1:45 PM Jul 20, 2020, 1:43 PM

      @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

      client-disconnect /root/notify.sh

      Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)

      After this openvpn client service stops working...

      Then how about posting your error log? OpenVPN voices it pretty clearly why it won't start?

      Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".

      And as an afterthought, your script will vanish whenever you reinstall pfSense from scratch as "/root" isn't safe/backed up anywhere. I'd advise creating scripts in the appropriate directory tree (e.g. /usr/local/bin) and managing them via the filer package so you can control the content and security permissions of the file (0750). Also as a package, filer will get reinstalled and the config and content of your file is safely inside the config.xml structure.

      why it won't start: my OpenVPN on verbosity 3 says it pretty easy:

      Jul 20 15:44:23	openvpn	83247	Use --help for more information.
      Jul 20 15:44:23	openvpn	83247	Options error: Please correct this error.
      Jul 20 15:44:23	openvpn	83247	Options error: --client-disconnect script fails with '/usr/local/bin/vpn-stats.phps': No such file or directory (errno=2)
      Jul 20 15:44:23	openvpn	83247	Multiple --client-disconnect scripts defined. The previously configured script is overridden.
      Jul 20 15:44:23	openvpn	74208	SIGTERM[hard,] received, process exiting
      

      Oops, added a "s" to "php" ending. My mistake :)

      So why doesn't it start in your setup? What does the log tell you?

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      • S
        SipriusPT @JeGr
        last edited by Jul 20, 2020, 3:38 PM

        @JeGr said in Setting up pfsense openvpn client site-to-site notifications:

        @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

        client-disconnect /root/notify.sh

        Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)

        I know that very well, it doesn't make sense, but it was what has worked for others. Please check here:

        https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/31

        Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".

        Ah yes, my mistake copy pasting, I will give you feedback after trying it.

        Wow, thanks a lot for letting me know about the filer package!

        1xSG-4860-1U
        1xSG-3100
        2xpfSense Virtual Machines

        • J
          JeGr LAYER 8 Moderator
          last edited by JeGr Jul 20, 2020, 3:42 PM Jul 20, 2020, 3:42 PM

          @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

          Wow, thanks a lot for letting me know about the filer package!

          My pleasure, I experimented on client-connect and client-disconnect myself and it now is running without problems (but I don't overwrite client-connect, only on disconnect). But be advised that pfSense has a default script it runs on (dis)connect that will be omitted if you set up your own.

          My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          • S
            SipriusPT @JeGr
            last edited by Jul 20, 2020, 3:54 PM

            @JeGr said in Setting up pfsense openvpn client site-to-site notifications:

            My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)

            I am getting at System > General, the following error:

            Jul 20 16:49:25	check_reload_status		Reloading filter
            Jul 20 16:49:25	php-fpm		OpenVPN failed to start
            Jul 20 16:49:25	php-fpm		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''
            

            In filer I have:

            1c9f9af2-aacf-4f5d-9a0f-8f4b41b24137-image.png

            And in Custom options I have in that profile:

            cc9b30b2-9daa-43b4-b5b6-e047ac213a6a-image.png

            1xSG-4860-1U
            1xSG-3100
            2xpfSense Virtual Machines

            • J
              JeGr LAYER 8 Moderator
              last edited by Jul 20, 2020, 4:05 PM

              Execute should be "do not execute" in filer. You don't want that to automatically run after a save/sync command but in your openvpn config :)

              Jul 20 16:49:25 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''

              Aaaah! You are trying to run "client-disconnect" command lines for a CLIENT VPN? That's not possible, the OVPN Hooks client-connect and -disconnect only work with OVPN Servers, not clients! :)

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              • J
                JeGr LAYER 8 Moderator
                last edited by JeGr Jul 20, 2020, 4:15 PM Jul 20, 2020, 4:09 PM

                Addendum: you could try running your script with the up, up-restart etc hooks. Perhaps that also needs script-security 2 to be enabled, I'm a bit vague on that :) But if it does, it will say so in the logs.

                The up trigger keyword in your client config should run your script with info like

                <scriptname> OpenVPN 1 1500 1553 <IP> <mask> init
                

                You don't have the same sort of variables at your disposal as on the server side though. Check

                https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4

                for the exact ones :) (search for bytes_received for examples)

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
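
The client-side approach from this thread as an added example, not code posted by anyone in the discussion: one PHP script wired to both the `up` and `down` hooks of an OpenVPN client profile, using the `notify_all_remote()` call from the original post. The path `/usr/local/bin/vpn-notify.php` and the helpers `clean()` and `build_message()` are hypothetical; the argument order and the `script_type` environment variable follow the OpenVPN 2.4 manual linked above, which also requires `script-security 2` for user-defined scripts. As warned earlier in the thread, a custom hook can replace the script pfSense configures itself, so check the generated client config first.

```php
#!/usr/local/bin/php -q
<?php
/*
 * Added example (hypothetical path /usr/local/bin/vpn-notify.php, owner root, mode 0750).
 * Custom options of the OpenVPN *client* profile:
 *   script-security 2
 *   up /usr/local/bin/vpn-notify.php
 *   down /usr/local/bin/vpn-notify.php
 */
require_once("/etc/inc/notices.inc");   // provides notify_all_remote(), as in the original post

// Keep only printable ASCII so hook-supplied values cannot inject line breaks into the mail.
function clean(string $value): string
{
    return substr(preg_replace('/[^\x20-\x7E]/', '', $value), 0, 64);
}

// Build the notification text from the hook arguments and the script_type variable.
function build_message(array $argv, string $scriptType): string
{
    // OpenVPN calls: <script> <dev> <tun_mtu> <link_mtu> <local_ip> <remote_ip|netmask> [init|restart]
    $dev   = clean($argv[1] ?? 'unknown');
    $local = $argv[4] ?? '';
    $local = filter_var($local, FILTER_VALIDATE_IP) ? $local : 'n/a';
    $phase = clean($argv[6] ?? '');   // "restart" is only passed when up-restart is set

    switch ($scriptType) {
        case 'up':
            $state = ($phase === 'restart') ? 'reconnected' : 'connected';
            break;
        case 'down':
            $state = 'disconnected';
            break;
        default:
            $state = 'changed state (' . clean($scriptType) . ')';
    }
    return sprintf('OpenVPN client %s on %s (tunnel IP %s)', $state, $dev, $local);
}

$message = build_message($argv, (string) getenv('script_type'));
notify_all_remote($message);
exit(0);   // report success to OpenVPN once the notification has been handed off
```

The script runs with the privileges of the OpenVPN process, so keep it writable by root only, in line with the 0750 permission recommended in the thread.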
