OpenVPN client-disconnect command

I was thinking of using the client-disconnect command in the servers configuration file to run a script when the client disconnects. It is supposed to close firewall openings that are opened for the client when he connects to the system. The firewall openings depend on the clients IP address. Is it possible to pass the disconnecting clients IP address to the script when the client disconnects? If I can not, then this solution does not work for me.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Yes, client-disconnect and client-connect are using the same parameters and environment variables. The following vars are of interest:
ifconfig_pool_local_ip        (server address, important if /28 networks are used)
ifconfig_pool_remote_ip    (client IP)
If you use static IPs (ifconfig directives), you will have to use the env vars without the pool_ part.
Important: The client-disconnect script is only run if the client-connect script has been called with success. If you have none, you need to write a dummy script to be called at connect time.
itniflAuthor Commented:
I let my client-connect script exit with 0 always and write 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6 to /tmp/openvpn.status as the only action. I get openvpn_cc_[random string].tmp as the first argument, but I can't find the file anywhere. I guess it is deleted already after connection. The other arguments are empty.

I do the same with the client-disconnect script, but it only gets run when I restart or take down the VPN daemon. So I am doing something wring here?

How do I use "ifconfig_pool_remote_ip" correctly and what explains the behaviour I have just described?
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
If you read the online manual thoroughly, it is pretty much clear (for me) what is provided:
  • the commandline parameter $1 is a temporary file, which has to be created by the script, and contains OpenVPN options to set. E.g. you can push routes, request for a login etc., just by putting the same commands in that temp file as you would in a OpenVPN config file. As long as you do not want to change anything in OpenVPN depending on the IP address, you will not need that file.
  • the environment vars $ifconfig_pool_remote_ip aso. contain the values you want to read.
The client-disconnect script should be run as soon as the connection is terminated regularily, or even restarted (but I do not know which signal exactly, I assume all). That is exactly what you do when you shutdown or restart the (client) daemon.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Redefining Cyber Security w/ AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Join our webinar on Sept. 21st to learn more about leveraging AI and machine learning to protect your business.

itniflAuthor Commented:
The client-disconnect script seems to only run when the server daemon restarts or is stopped. Sorry, I was not precise enough. When I restart the client connection or disconnect the client, nothing happens.
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I have to admit I never used client-(dis)connect, so the man page might be missing a requirement.

Are you using OpenVPN in TCP mode or UDP? If latter, you need to have  explicit-exit-notify in your client config, and/or ping/ping-restart (which will require you to wait for the timeout to happen for triggering the disconnect script).
itniflAuthor Commented:
Yes I am using UDP. The setting: explicit-exit-notify in the client config let the client-disconnect command work correctly. $ifconfig_pool_remote_ip works fine in my script. Thanks! Great! =)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.