Setting up pfsense openvpn client site-to-site disconnect notifications



  • Hello everyone,

I want to set up notifications for the openvpn client site-to-site, from pfsense, to send email notifications when it disconnects and connects again.

I have read here about people setting up notifications for the openvpn server, and tried it on this pfsense with an openvpn client profile, but no luck.

There are already notifications set up and running on this pfsense.

What I did was:

    • Created /root/notify.sh with:
    #!/usr/local/bin/php -q
    <?php
    
            require_once("/etc/inc/notices.inc");
            notify_all_remote("VPN Connected");
    ?>
    
    • Gave permissions for execute in that file:
    chmod +x /root/notify.sh
    
    • And add the extra argument in openvpn client profile:
    client-disconnect /root/notify.sh
    

After this the openvpn client service stops working...

Does anyone know if it's possible to use this custom option with an openvpn client profile?


  • LAYER 8 Moderator

    @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

    client-disconnect /root/notify.sh

    Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)

    After this openvpn client service stops working...

    Then how about posting your error log? OpenVPN voices it pretty clearly why it won't start?

    Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".

And as an afterthought, your script will vanish whenever you reinstall pfSense from scratch as "/root" isn't safe/backed up anywhere. I'd advise creating scripts in the appropriate directory tree (e.g. /usr/local/bin) and managing them via the filer package so you can control the content and security permissions of the file (0750). Also, as a package, filer will get reinstalled and the config and content of your file is safely inside the config.xml structure.

Why it won't start: my OpenVPN on verbosity 3 says it pretty easily:

    Jul 20 15:44:23	openvpn	83247	Use --help for more information.
    Jul 20 15:44:23	openvpn	83247	Options error: Please correct this error.
    Jul 20 15:44:23	openvpn	83247	Options error: --client-disconnect script fails with '/usr/local/bin/vpn-stats.phps': No such file or directory (errno=2)
    Jul 20 15:44:23	openvpn	83247	Multiple --client-disconnect scripts defined. The previously configured script is overridden.
    Jul 20 15:44:23	openvpn	74208	SIGTERM[hard,] received, process exiting
    

    Oops, added a "s" to "php" ending. My mistake :)

    So why doesn't it start in your setup? What does the log tell you?



  • @JeGr said in Setting up pfsense openvpn client site-to-site notifications:

    @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

    client-disconnect /root/notify.sh

    Not gonna nitpick, but it's a PHP script, not a shell script, so should be named .php when even the shebang on top says #!/usr/local/bin/php ;)

I know that very well, it doesn't make sense, but it is what has worked for others. Please check here:

    https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/31

    Also as you configured it as client-disconnect, the text should perhaps state "VPN disconnected".

    Ah yes, my mistake copy pasting, I will give you feedback after trying it.

Wow, thanks a lot for letting me know about the filer package!


  • LAYER 8 Moderator

    @SipriusPT said in Setting up pfsense openvpn client site-to-site notifications:

Wow, thanks a lot for letting me know about the filer package!

My pleasure, I experimented on client-connect and client-disconnect myself and it is now running without problems (but I don't overwrite client-connect, only on disconnect). But be advised that pfSense has a default script it runs on (dis)connect that will be omitted if you set up your own.

    My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)



  • @JeGr said in Setting up pfsense openvpn client site-to-site notifications:

    My own script is managed by the filer package, 0750 permission and in /usr/local/bin/xyz.php. Included in the OVPN server configuration the server starts without problem. So if your server won't start up, it has to be some syntax error, that's why I requested log files :)

At System > General, I am getting the following error:

    Jul 20 16:49:25	check_reload_status		Reloading filter
    Jul 20 16:49:25	php-fpm		OpenVPN failed to start
    Jul 20 16:49:25	php-fpm		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''
    

    In filer I have:

[screenshot of the filer settings for the script]

    And in Custom options I have in that profile:

[screenshot of the Custom options field of the client profile]


  • LAYER 8 Moderator

Execute should be "do not execute" in filer. You don't want that to automatically run after a save/sync command, but from your openvpn config :)

    Jul 20 16:49:25 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client3.conf'' returned exit code '1', the output was ''

    Aaaah! You are trying to run "client-disconnect" command lines for a CLIENT VPN? That's not possible, the OVPN Hooks client-connect and -disconnect only work with OVPN Servers, not clients! :)


  • LAYER 8 Moderator

Addendum: you could try running your script with the up, up-restart etc. hooks. Perhaps that also needs script-security 2 to be enabled, I'm a bit vague on that :) But if it does, it will say so in the logs.

    The up trigger keyword in your client config should run your script with info like

    <scriptname> OpenVPN 1 1500 1553 <IP> <mask> init
    

    You don't have the same sort of variables at your disposal as on the server side though. Check

    https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4

    for the exact ones :) (search for bytes_received for examples)
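Putting the last reply into practice, here is an added example of a client-side hook script; it is my own code, not code from this thread, from pfSense or from OpenVPN. It assumes a hypothetical install path of /usr/local/bin/ovpn-client-notify.php (managed with filer, 0750, "do not execute"), that `script-security 2` is needed alongside the `up`/`down` lines in the client's Custom options, and that the generated clientN.conf already has its own `up`/`down` scripts at /usr/local/sbin/ovpn-linkup and /usr/local/sbin/ovpn-linkdown, which a second `up`/`down` line would override in the same way the log above shows for `--client-disconnect`; check /var/etc/openvpn/clientN.conf and adjust the CHAIN paths before use.

```php
#!/usr/local/bin/php -q
<?php
/*
 * Added example, not from the thread, pfSense or OpenVPN.
 * Connect/disconnect notification for a pfSense OpenVPN *client*, driven by
 * the "up" and "down" hooks (client-connect/client-disconnect only exist on
 * the server side).
 *
 * Assumed install path: /usr/local/bin/ovpn-client-notify.php (filer, 0750,
 * "do not execute"). Assumed Custom options in the client profile:
 *     script-security 2
 *     up   /usr/local/bin/ovpn-client-notify.php
 *     down /usr/local/bin/ovpn-client-notify.php
 */
require_once("/etc/inc/notices.inc");

/* Scripts the generated clientN.conf already runs on up/down (assumed paths,
 * verify in /var/etc/openvpn/clientN.conf). Our own up/down line overrides
 * them, so we chain to them to keep pfSense's link handling intact. */
const CHAIN = [
    'up'   => '/usr/local/sbin/ovpn-linkup',
    'down' => '/usr/local/sbin/ovpn-linkdown',
];

/* Values come from OpenVPN's environment and end up in an e-mail or push
 * message: keep printable ASCII only and cap the length. */
function clean(string $v, int $max = 64): string {
    $v = preg_replace('/[^\x20-\x7e]/', '', $v);
    return substr($v, 0, $max);
}

/* Pick the environment variables OpenVPN sets for up/down; a missing one
 * becomes "n/a" instead of an undefined index. */
function ovpn_fields(array $env): array {
    $want = ['script_type', 'dev', 'ifconfig_local', 'ifconfig_netmask',
             'trusted_ip', 'trusted_port'];
    $out = [];
    foreach ($want as $k) {
        $out[$k] = isset($env[$k]) ? clean((string) $env[$k]) : 'n/a';
    }
    return $out;
}

/* Build the notification text. OpenVPN's up/down argument list is
 * tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart],
 * so the last argument tells a first start ("init") from a reconnect. */
function build_message(array $argv, array $fields, string $host): string {
    $type   = $fields['script_type'];           // "up" or "down"
    $last   = (string) end($argv);
    $reason = in_array($last, ['init', 'restart'], true) ? $last : 'unknown';
    $state  = ($type === 'up') ? 'VPN connected' : 'VPN disconnected';
    return sprintf('%s: %s (%s on %s, local %s/%s, peer %s:%s, reason %s)',
        $host, $state, $type, $fields['dev'],
        $fields['ifconfig_local'], $fields['ifconfig_netmask'],
        $fields['trusted_ip'], $fields['trusted_port'], $reason);
}

/* Run the script pfSense would otherwise have run, passing OpenVPN's
 * arguments through unchanged (the environment is inherited); its exit
 * code becomes ours so OpenVPN still sees a failure there. */
function chain_original(string $type, array $argv): int {
    if (!isset(CHAIN[$type]) || !is_executable(CHAIN[$type])) {
        return 0;
    }
    $cmd = escapeshellarg(CHAIN[$type]);
    foreach (array_slice($argv, 1) as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    passthru($cmd, $rc);
    return $rc;
}

$fields = ovpn_fields(getenv());
notify_all_remote(build_message($argv, $fields, php_uname('n')));
exit(chain_original($fields['script_type'], $argv));
```

A service restart from the GUI fires "down" and then "up", so two messages per restart are expected; if the log reports that external programs are not allowed, `script-security 2` is the option the reply above refers to.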

