Using a client-connect script

This recipe will demonstrate how to set up a client-connect script that gets executed on the server side when a new client connects. Similarly, we can specify a client-disconnect script that is executed when a client disconnects from the server. Client-connect and client-disconnect scripts can be used for several purposes:

  • Extra authentication
  • Opening and closing firewall ports
  • Assigning specific IP address to special clients
  • Writing out connection-specific configuration lines for a client

In this recipe, we will use a client-connect script to refuse access to the client that uses the client2 certificate between 10 p.m. (22:00 hours) and 6 a.m. During other hours, a static IP address is assigned to this client.

Getting ready

Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running Fedora 22 Linux and OpenVPN 2.3.10. The client was running Windows 7 64 bit and OpenVPN 2.3.10. Keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand. For the client, keep the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks, at hand.

How to do it...

  1. Append the following lines to the basic-udp-server.conf server configuration file:
            script-security 2 
            client-connect    /etc/openvpn/cookbook/example5-2-connect.sh 
    
  2. Save it as example5-2-server.conf.
  3. Next, create the connect script:
            #!/bin/bash

            # $1 is the client-specific configuration file that OpenVPN
            # passes to the client-connect script; common_name is set by
            # the server from the certificate of the connecting client.
            if [ "x$common_name" = "xclient2" ]
            then
              hour=$(/bin/date +"%H")
              # refuse access from 22:00 up to (but not including) 06:00
              if [ "$hour" -lt 6 -o "$hour" -ge 22 ]
              then
                echo "disable" > "$1"
              else
                echo "ifconfig-push 10.200.0.200 255.255.255.0" > "$1"
              fi
            fi
    
  4. Save this file as example5-2-connect.sh.
  5. Make sure that the script is executable:
    [root@server]# chmod 755 example5-2-connect.sh
    
  6. Start the server:
    [root@server]# openvpn --config example5-2-server.conf
    
  7. Start the OpenVPN client using the basic-udp-client.ovpn configuration file.
  8. If the client is started after 6 am and before 10 p.m., the connection will be established successfully. Otherwise, the client log file will show lines similar to the following:
            us=70083 SENT CONTROL [openvpnserver]: 'PUSH_REQUEST' 
            (status=1) 
    

    Also, the server log will more clearly state the reason for the connection refusal:

             client2/192.168.3.22:57870 MULTI: client has been rejected due to 'disable' directive
    

How it works...

When a client connects, the OpenVPN server executes the client-connect script with several environment variables set that describe the connecting client. The script writes a line to the connection-specific configuration file, which is passed as the first and only parameter to the client-connect script. This configuration file is then processed by the OpenVPN server as if it were a normal configuration file. The two possible lines that we use are disable and ifconfig-push 10.200.0.200 255.255.255.0.

The first option disables a client from connecting. The second option pushes a pre-defined IP to the client.

There's more...

In this section, we focus on client-disconnect and the many environment variables that are available to all OpenVPN scripts.

Pitfall in using ifconfig-push

The client-connect script used here did not check whether the IP address assigned with the ifconfig-push 10.200.0.200 255.255.255.0 line was actually available. If many clients connect to the server, this IP address can also be handed out from the pool of IP addresses that is formed by the server 10.200.0.0 255.255.255.0 statement, so two clients may end up with the same address.

When assigning static IP addresses to a client, it is best to assign them from a special subnet.

The client-disconnect scripts

A client-disconnect script can be specified using the following:

client-disconnect /etc/openvpn/cookbook/disconnect.sh 

This script is executed when the client disconnects from the server. Be aware that when a client disconnects and explicit-exit-notify is not specified on the client side, the OpenVPN server will first try to reach the client several times. Only if the client does not respond after several attempts is the client-disconnect script executed. Depending on the server configuration, this might be several minutes after the client has actually disconnected. When using TCP connections, there is no need to specify explicit-exit-notify, as the client is disconnected immediately when the TCP connection closes.

Environment variables

There is a multitude of environment variables available inside a client-connect and client-disconnect script. It is very instructive to write a client-connect script that does little more than the following:

#!/bin/bash
# dump every environment variable the server sets for this script
env >> /tmp/log

Also, as with the up and down scripts, the script_type environment variable contains the type of script as configured in the server configuration file. This gives the server administrator the option to write a single script for both client-connect and client-disconnect.
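As an added example that is not part of the original recipe, the following single script serves as both the client-connect and the client-disconnect handler by dispatching on script_type, applies the same time window as the recipe for client2, and appends a connect/disconnect record to a log file. It relies on the OpenVPN variables common_name, script_type, trusted_ip, time_duration, bytes_received and bytes_sent; the log file location LOGFILE and the optional second argument to on_connect (an hour override) are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the recipe: one script registered with both
# "client-connect" and "client-disconnect", dispatching on $script_type.
# Assumes OpenVPN's documented variables common_name, script_type,
# trusted_ip, time_duration, bytes_received, bytes_sent, and that
# client-connect passes the per-client config file as $1.
LOGFILE="${LOGFILE:-/tmp/openvpn-cc.log}"   # assumed log location

# Returns 0 (true) if the hour "HH" lies in the blocked window 22:00-05:59.
in_blocked_window() {
    hour="${1#0}"; hour="${hour:-0}"        # "08" -> 8, "00" -> 0, no octal trap
    [ "$hour" -lt 6 ] || [ "$hour" -ge 22 ]
}

# Prints the config line for a given common name and hour; prints nothing
# for clients that need no special handling.
client_config_for() {
    if [ "$1" = "client2" ]; then
        if in_blocked_window "$2"; then
            echo "disable"
        else
            echo "ifconfig-push 10.200.0.200 255.255.255.0"
        fi
    fi
}

# client-connect: $1 is the per-client config file written for OpenVPN,
# $2 optionally overrides the current hour (assumed, used for testing).
on_connect() {
    client_config_for "$common_name" "${2:-$(date +%H)}" > "$1"
    printf '%s connect cn=%s from=%s\n' "$(date +%FT%T)" \
        "$common_name" "$trusted_ip" >> "$LOGFILE"
}

# client-disconnect: record the session accounting OpenVPN exports.
on_disconnect() {
    printf '%s disconnect cn=%s duration=%ss rx=%s tx=%s\n' "$(date +%FT%T)" \
        "$common_name" "$time_duration" "$bytes_received" "$bytes_sent" >> "$LOGFILE"
}

case "${script_type:-}" in
    client-connect)    on_connect "$1" ;;
    client-disconnect) on_disconnect ;;
esac
```

The server configuration would then point both client-connect and client-disconnect at this one file (with script-security 2 set, as in the recipe).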

Absolute paths

Note that an absolute path is used for the script. Relative paths are allowed, but especially for the OpenVPN server, it is more secure to use absolute paths. Assuming that the OpenVPN server is always started in the same directory is a bad security practice. An alternative is to use the following:

cd /etc/openvpn/cookbook
client-connect example5-2-connect.sh 