The client-disconnect script is executed but the client is still connected

How to customize and extend your OpenVPN installation.
ali.bize
OpenVpn Newbie
Posts: 2
Joined: Thu May 11, 2017 3:08 am

The client-disconnect script is executed but the client is still connected

Postby ali.bize » Thu May 11, 2017 3:35 am

Hi everyone,

I've set up an OpenVPN server using UDP and added client-connect and client-disconnect scripts to store the connected users with their assigned ips in a database. The problem is that in the server log, sometimes I see that the client-disconnect script is called because of an inactivity timeout (I'm using keepalive option on the server) but if I check the status in the management interface, I can see that the client is still connected and I can even reach the client through the VPN.
Is it possible that the client is disconnected and reconnected and only the client-disconnect script is called instead of calling also the client-connect script?

I don't have the conf files right now. I can post them later.
I've increased the verbosity level and see this in the server log:

Code: Select all

Wed May 10 20:03:50 2017 us=156879 F4:4D:30:61:F2:6D/172.16.11.85:56991 RECEIVED PING PACKET
Wed May 10 20:03:50 2017 us=156890 F4:4D:30:61:F2:6D/172.16.11.85:56991 TLS: tls_pre_encrypt: key_id=0
Wed May 10 20:03:50 2017 us=156907 F4:4D:30:61:F2:6D/172.16.11.85:56991 SENT PING
Wed May 10 20:03:50 2017 us=156926 F4:4D:30:61:F2:6D/172.16.11.85:56991 UDPv4 WRITE [53] to [AF_INET]172.16.11.85:56991: P_DATA_V1 kid=0 DATA len=52
Wed May 10 20:03:50 2017 us=276194 F4:4D:30:61:F2:6D/172.16.11.85:54164 [F4:4D:30:61:F2:6D] Inactivity timeout (--ping-restart), restarting
Wed May 10 20:03:50 2017 us=276247 F4:4D:30:61:F2:6D/172.16.11.85:54164 SIGUSR1[soft,ping-restart] received, client-instance restarting
Wed May 10 20:03:50 2017 us=276256 MULTI: multi_close_instance called
Wed May 10 20:03:50 UTC 2017: Probe F4:4D:30:61:F2:6D disconnecting    (this is printed by my client-disconnect script)
Wed May 10 20:03:50 2017 us=452321 PID packet_id_free
Wed May 10 20:03:50 2017 us=452469 PID packet_id_free
Wed May 10 20:03:50 2017 us=452484 PID packet_id_free
Wed May 10 20:03:50 2017 us=452494 PID packet_id_free
Wed May 10 20:03:50 2017 us=452525 PID packet_id_free
Wed May 10 20:03:50 2017 us=452535 PID packet_id_free
Wed May 10 20:03:50 2017 us=452545 PID packet_id_free
Wed May 10 20:03:50 2017 us=452555 PID packet_id_free
Wed May 10 20:03:50 2017 us=452568 PID packet_id_free
Wed May 10 20:03:54 2017 us=525763 MULTI: REAP range 144 -> 160
Wed May 10 20:03:55 2017 us=221680 MULTI: REAP range 160 -> 176
Wed May 10 20:03:55 2017 us=221751 GET INST BY REAL: 172.16.11.85:56991 [succeeded]
Wed May 10 20:03:55 2017 us=221770 F4:4D:30:61:F2:6D/172.16.11.85:56991 UDPv4 READ [53] from [AF_INET]172.16.11.85:56991: P_DATA_V1 kid=0 DATA len=52
Wed May 10 20:03:55 2017 us=221787 F4:4D:30:61:F2:6D/172.16.11.85:56991 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]172.16.11.85:56991
Wed May 10 20:03:55 2017 us=221840 F4:4D:30:61:F2:6D/172.16.11.85:56991 PID_TEST [0] [SSL-0] [5>>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:76 0:77 t=1494446635[0] r=[0,64,15,0,1] sl=[52,64,64,528]
Wed May 10 20:03:55 2017 us=221848 F4:4D:30:61:F2:6D/172.16.11.85:56991 RECEIVED PING PACKET


However, nothing changes in the client log file when this happens. It seems that the client doesn't even realize about this.

Thanks!

ali.bize
OpenVpn Newbie
Posts: 2
Joined: Thu May 11, 2017 3:08 am

Re: The client-disconnect script is executed but the client is still connected

Postby ali.bize » Thu May 11, 2017 12:40 pm

Here is my server conf:

Code: Select all

server 10.123.0.0 255.255.0.0
verb 7
key /etc/openvpn/pki/private/VPN.SERVERNAME.COM.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.SERVERNAME.COM.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
duplicate-cn
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

### Route Configurations Below
route 10.123.0.0 255.255.0.0
push "route 10.1.0.0 255.255.0.0"

### Extra Configurations Below
client-cert-not-required
username-as-common-name
auth-user-pass-verify authenticate.sh via-env
log-append /var/log/openvpn/openvpn.log
script-security 3

client-connect connect.sh
client-disconnect disconnect.sh


And my client conf:

Code: Select all

client
nobind
dev tun
key-direction 1
remote-cert-tls server

remote [IP] [PORT] udp

<ca>
</ca>

<tls-auth>
</tls-auth>

auth-user-pass pass.txt


Return to “Scripting and Customizations”

Who is online

Users browsing this forum: No registered users and 1 guest