Time Based VPN Access

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
nomykhan
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 05, 2017 10:52 am

Time Based VPN Access

Post by nomykhan » Thu Jul 06, 2017 6:45 am

Hi

I am currenly using local user database.
I have a scenario where i need to give access to my users for a particular time e.g
User 1: fomr 1st July 2017 to 1st Aug 2017 ( 12 am to 11:59 pm)
User 2: from 1st July 2017 to 8th July 2017 ( 12 am to 11:59 pm)

etc

How can i achieve this scenario?

if not possible in openvpn any thrid party radius/ldap solution that can achieve it?

rsenio
OpenVPN Power User
Posts: 91
Joined: Tue Nov 29, 2011 9:34 pm

Re: Time Based VPN Access

Post by rsenio » Fri Jul 07, 2017 1:48 pm

If you have a Windows server, setup Network Policy Server and use the time of day restrictions. Configure OpenVPN AS to Authenticate via radius to your server.

User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Time Based VPN Access

Post by novaflash » Sat Jul 08, 2017 11:54 am

Or you could set up an iptables rule that blocks access, and run a cronjob to lift this rule whenever you want to allow access. Crude. But effective. Or do the same thing to the openvpn access server service itself, just stop the whole thing when you don't want it on, then start it again when you do want it on. Or if you want to do it per user, use post-auth script to evaluate what time it is and based on that deny access.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

nomykhan
OpenVpn Newbie
Posts: 3
Joined: Wed Jul 05, 2017 10:52 am

Re: Time Based VPN Access

Post by nomykhan » Thu Jul 13, 2017 5:38 am

rsenio wrote:If you have a Windows server, setup Network Policy Server and use the time of day restrictions. Configure OpenVPN AS to Authenticate via radius to your server.
thanks.
I deployed and it worked . thanks for the suggestion.
I used AD account restrictions to expire the account at a certain date.

I could not find any option of activating an account at a particular time. How can you do it via NPS?

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Time Based VPN Access

Post by chilinux » Fri Jul 14, 2017 11:21 pm

In the NPS application, select the NPS server and expand Policies and the right click on Connection Request Policy and select New. Then choose a policy name and click next, you can then specify multiple conditions for the policy including which User Name and Day/Time Restrictions apply.

It should be noted that NPS will only enforce when authentication is permitted, already authenticated sessions will not end during the restricted time window using this method.

It might be better to set up a pair of cron jobs where the first one uses sacli to set the user's prop_deny to true and also uses sacli to issue a DisconnectUser. The second cron job could then turn the prop_deny back to false.

So if user "consultant" is only allowed to work 9 to 5 on Monday through Friday, setup the following:

--- /usr/local/bin/consultantdeny.bash ---
#!/bin/bash
/usr/local/openvpn_as/scripts/sacli --user consultant --key prop_deny --value true UserPropPut
/usr/local/openvpn_as/scripts/sacli -u consultant DisconnectUser

--- /usr/local/bin/consultantallow.bash ---
#!/bin/bash
/usr/local/openvpn_as/scripts/sacli --user consultant --key prop_deny --value false

Then run crontab -e and set:
0 9 * * 1-5 /usr/local/bin/consultantallow.bash
0 17 * * 1-5 /usr/local/bin/consultantdeny.bash

More information on the format of the crontab can be found by running: man 5 crontab

Post Reply