This recipe will demonstrate how to set up a client-connect script that gets executed on the server side when a new client connects. Similarly, we can specify a client-disconnect
script that is executed when a client disconnects from the server. Client-connect and client-disconnect scripts can be used for several purposes:
In this recipe, we will use a client-connect script to disable client access to the client with a client2
certificate between 10 p.m. (or 22:00 hours) and 6 a.m. During other hours, a static IP is assigned to this client.
Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running Fedora 22 Linux and OpenVPN 2.3.10. The client was running Windows 7 64 bit and OpenVPN 2.3.10. Keep the server configuration file, basic-udp-server.conf
, from the Server-side routing recipe, from Chapter 2, Client-server IP-only Networks, at hand. For the client, keep the client configuration file, basic-udp-client.ovpn
, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks, at hand.
basic-udp-server.conf
server configuration file:script-security 2 client-connect /etc/openvpn/cookbook/example5-2-connect.sh
example5-2-server.conf
.#!/bin/bash if [ "x$common_name" = "xclient2" ] then hour= /bin/date +"%H" if [ $hour -lt 6 -o $hour -gt 22 ] then echo "disable" > $1 else echo "ifconfig-push 10.200.0.200 255.255.255.0" fi fi
example5-2-connect.sh
.[root@server]# chmod 755 example5-2-connect.sh
[root@server]# openvpn --config example5-2-server.conf
us=70083 SENT CONTROL [openvpnserver]: 'PUSH_REQUEST' (status=1)
Also, the server log will more clearly state the reason for the connection refusal:
client2/192.168.3.22:57870 MULTI: client has been rejected due to 'disable' directive
When a client connects, the OpenVPN server executes the client-connect
script with several environment variable sets that are related to the client connecting. The script writes out two lines to the connect-specific configuration file, which is passed as the first and only parameter to the client-connect
script. This configuration file is then processed by the OpenVPN server as if it's a normal configuration file. The two possible lines that we use are disable
and ifconfig-push 10.200.0.200 255.255.255.0
.
The first option disables a client from connecting. The second option pushes a pre-defined IP to the client.
In this section, we focus on client-disconnect
and the many environment variables that are available to all OpenVPN scripts.
The client-connect
script used here did not check whether the IP address that was assigned using the ifconfig-push 10.200.0.200 255.255.255.0
command was actually available. If many clients connect to the server, then this IP address will also be assigned from the pool of IP addresses that is formed as a result of the server 10.200.0.0 255.255.255.0
statement.
When assigning static IP addresses to a client, it is best to assign them from a special subnet.
A client-disconnect
script can be specified using the following:
client-disconnect /etc/openvpn/cookbook/disconnect.sh
This script is executed when the client disconnects from the server. Be aware that when a client first disconnects and explicit-exit-notify
is not specified on the client side, then the OpenVPN server will first try to reconnect several times to the client. If a client does not respond after several attempts, then the client-disconnect
script will be executed. Depending on the server configuration, this might be several minutes after the client has actually disconnected. When using TCP connections, it is not needed to specify explicit-exit-notify
, as the client is disconnected immediately when the TCP connection stops.
There is a multitude of environment variables available inside a client-connect and client-disconnect script. It is very instructive to write a client-connect
script that does a little more than the following:
#!/bin.bash env >> /tmp/log
Also, similar to the up
and down
script, is the script_type
environment variable that contains the type of script as configured in the server configuration file. This gives the server administrator the option to write a single script for both client-connect
and client-disconnect
.
Note that an absolute path is used for the script. Relative paths are allowed, but especially for the OpenVPN server, it is more secure to use absolute paths. Assuming that the OpenVPN server is always started in the same directory is a bad security practice. An alternative is to use the following:
cd /etc/openvpn/cookcook client-connect example5-2-connect.sh
18.218.119.156