itnifl asked:

OpenVPN client-disconnect command

I was thinking of using the client-disconnect command in the server's configuration file to run a script when the client disconnects. It is supposed to close firewall openings that are opened for the client when he connects to the system. The firewall openings depend on the client's IP address. Is it possible to pass the disconnecting client's IP address to the script when the client disconnects? If I cannot, then this solution does not work for me.

Qlemo

Yes, client-disconnect and client-connect are using the same parameters and environment variables. The following vars are of interest:
ifconfig_pool_local_ip        (server address, important if /28 networks are used)
ifconfig_pool_netmask
ifconfig_pool_remote_ip    (client IP)
If you use static IPs (ifconfig directives), you will have to use the env vars without the pool_ part.
Important: The client-disconnect script is only run if the client-connect script has been called with success. If you have none, you need to write a dummy script to be called at connect time.

itnifl (ASKER)

I let my client-connect script exit with 0 always and write 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6 to /tmp/openvpn.status as the only action. I get openvpn_cc_[random string].tmp as the first argument, but I can't find the file anywhere. I guess it is deleted already after connection. The other arguments are empty.

I do the same with the client-disconnect script, but it only gets run when I restart or take down the VPN daemon. So I am doing something wrong here?

How do I use "ifconfig_pool_remote_ip" correctly and what explains the behaviour I have just described?
ASKER CERTIFIED SOLUTION
Qlemo
This solution is only available to members.

itnifl (ASKER)

The client-disconnect script seems to only run when the server daemon restarts or is stopped. Sorry, I was not precise enough. When I restart the client connection or disconnect the client, nothing happens.
SOLUTION
This solution is only available to members.

itnifl (ASKER)

Yes I am using UDP. The setting: explicit-exit-notify in the client config let the client-disconnect command work correctly. $ifconfig_pool_remote_ip works fine in my script. Thanks! Great! =)
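
The setup discussed in this thread, as an added example that is not code from any of the posters: one hook script used for both client-connect and client-disconnect, which validates `ifconfig_pool_remote_ip` before passing it to the firewall and deletes exactly the rule it opened. The script path, the use of iptables, the FORWARD chain and the 10.0.5.10:443 destination are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Server config (path is an assumption):
#   script-security 2
#   client-connect    /etc/openvpn/fw-hook.sh
#   client-disconnect /etc/openvpn/fw-hook.sh
# OpenVPN exports script_type and ifconfig_pool_remote_ip to the hook.
# Assumptions: iptables, the FORWARD chain, and the 10.0.5.10:443 service.

FW="${FW:-iptables}"   # overridable so the logic can be exercised without root

# Accept only a dotted-quad IPv4 address; anything else never reaches $FW.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Open the rule on connect, delete the identical rule on disconnect.
handle_hook() {
    ip="${ifconfig_pool_remote_ip:-}"
    if ! valid_ipv4 "$ip"; then
        echo "fw-hook: refusing to touch firewall, bad client IP '$ip'" >&2
        return 1
    fi
    case "${script_type:-}" in
        client-connect)    action=-A ;;
        client-disconnect) action=-D ;;
        *) echo "fw-hook: unexpected script_type '${script_type:-}'" >&2
           return 1 ;;
    esac
    $FW "$action" FORWARD -s "$ip" -d 10.0.5.10 -p tcp --dport 443 -j ACCEPT
}

# Run only when OpenVPN invoked us (it always sets script_type).
if [ -n "${script_type:-}" ]; then
    handle_hook
    exit $?
fi
```

The opening stays in place until the server registers the disconnect, which is why the explicit-exit-notify setting mentioned above matters for UDP clients.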