  • Status: Solved
  • Priority: Medium
  • Security: Public

OpenVPN client-disconnect command

I was thinking of using the client-disconnect command in the server's configuration file to run a script when the client disconnects. It is supposed to close firewall openings that are opened for the client when he connects to the system. The firewall openings depend on the client's IP address. Is it possible to pass the disconnecting client's IP address to the script when the client disconnects? If I cannot, then this solution does not work for me.
0
itnifl
Asked:
2 Solutions
 
Qlemo (Developer) Commented:
Yes, client-disconnect and client-connect are using the same parameters and environment variables. The following vars are of interest:
ifconfig_pool_local_ip        (server address, important if /28 networks are used)
ifconfig_pool_netmask
ifconfig_pool_remote_ip    (client IP)
If you use static IPs (ifconfig directives), you will have to use the env vars without the pool_ part.
Important: The client-disconnect script is only run if the client-connect script has been called with success. If you have none, you need to write a dummy script to be called at connect time.
0
 
itnifl (Author) Commented:
I let my client-connect script exit with 0 always and write 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6 to /tmp/openvpn.status as the only action. I get openvpn_cc_[random string].tmp as the first argument, but I can't find the file anywhere. I guess it is deleted already after connection. The other arguments are empty.

I do the same with the client-disconnect script, but it only gets run when I restart or take down the VPN daemon. So I am doing something wrong here?

How do I use "ifconfig_pool_remote_ip" correctly and what explains the behaviour I have just described?
0
 
Qlemo (Developer) Commented:
If you read the online manual thoroughly, it is pretty much clear (for me) what is provided:
  • the command-line parameter $1 is a temporary file, which has to be created by the script, and contains OpenVPN options to set. E.g. you can push routes, request a login etc., just by putting the same commands in that temp file as you would in an OpenVPN config file. As long as you do not want to change anything in OpenVPN depending on the IP address, you will not need that file.
  • the environment vars $ifconfig_pool_remote_ip and so on contain the values you want to read.
The client-disconnect script should be run as soon as the connection is terminated regularly, or even restarted (but I do not know which signal exactly, I assume all). That is exactly what you do when you shut down or restart the (client) daemon.
0
 
itnifl (Author) Commented:
The client-disconnect script seems to only run when the server daemon restarts or is stopped. Sorry, I was not precise enough. When I restart the client connection or disconnect the client, nothing happens.
0
 
Qlemo (Developer) Commented:
I have to admit I never used client-(dis)connect, so the man page might be missing a requirement.

Are you using OpenVPN in TCP mode or UDP? If the latter, you need to have explicit-exit-notify in your client config, and/or ping/ping-restart (which will require you to wait for the timeout to happen for triggering the disconnect script).
0
 
itnifl (Author) Commented:
Yes, I am using UDP. The setting: explicit-exit-notify in the client config let the client-disconnect command work correctly. $ifconfig_pool_remote_ip works fine in my script. Thanks! Great! =)
0
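The setup the thread arrives at, as an added example that is not code from the thread: one hook script used for both client-connect and client-disconnect, which validates $ifconfig_pool_remote_ip before passing it to the firewall command. The script path, the VPN_CLIENTS chain, the iptables rule shape and the FW/CHAIN overrides are assumptions; script_type is the environment variable OpenVPN sets to name the hook being run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path: /etc/openvpn/fw-hook.sh
# Server config:
#   script-security 2                           # allow user-defined scripts
#   client-connect    /etc/openvpn/fw-hook.sh
#   client-disconnect /etc/openvpn/fw-hook.sh   # only runs if client-connect succeeded
# Client config (UDP): explicit-exit-notify     # so the server sees the disconnect at once

FW="${FW:-iptables}"            # assumption: firewall command; override for a dry run
CHAIN="${CHAIN:-VPN_CLIENTS}"   # hypothetical chain holding the per-client openings

# Accept only a dotted-quad IPv4 address with octets 0-255, so nothing else
# from the environment ever reaches the firewall command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Open the rule on connect, delete the same rule on disconnect.
fw_hook() {
    ip="${ifconfig_pool_remote_ip:-}"
    if ! valid_ipv4 "$ip"; then
        echo "fw-hook: refusing client IP '$ip'" >&2
        return 1
    fi
    case "${script_type:-}" in
        client-connect)    action=-A ;;
        client-disconnect) action=-D ;;
        *) echo "fw-hook: unexpected script_type '${script_type:-}'" >&2; return 1 ;;
    esac
    $FW "$action" "$CHAIN" -s "$ip" -j ACCEPT
}

# OpenVPN sets script_type when it invokes the hook; do nothing otherwise.
# A non-zero exit from client-connect makes the server reject the client.
if [ -n "${script_type:-}" ]; then
    fw_hook
    exit $?
fi
```

Setting FW='echo fw' before invoking the script by hand prints the rule that would be applied instead of changing the firewall.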
