add a 'client-connect-complete'-type script event

This is where we can discuss what we would like to see added or changed in OpenVPN.
csrf
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 15, 2019 9:02 pm

add a 'client-connect-complete'-type script event

Post by csrf » Wed Oct 16, 2019 11:48 pm

Based on my (quick&dirty) testing & a brief analysis of the source code, it appears that the 'client-connect' script event is triggered after connection / authentication, yet before the client is actually able to send&receive IP traffic. As far as I can tell, there is no specific event that is triggered when the client's connection is fully established & able to be accessible from the server.

In many cases, it would help to be able to initiate some scripted task when the client is finally accessible via the network/tunnel, such as connecting to the client via SSH and performing automated management. This doesn't appear to be possible using 'client-connect', as the client's network configuration hasn't been completed at the point in time when 'client-connect' is called, and the client remains in a sort of 'connection limbo' until the script returns.

As a test, I created a 'client-connect' script that tries to SSH into the client & pull some configuration information from the client. Yet, the script would hang & fail, as the client is not yet 'online' & able to be contacted via the network.

A simple way to achieve this would be via some type of 'client-connect-complete' script that fires when the client's data connection has been fully completed and the client is accessible via the network. Also, this maybe could be set up with some type of option(s) that stipulate whether this event should be fired only on initial connection with the server (after some long timeout period), and/or if it should be fired after any subsequent re-connection (such as after a brief disconnect from the server).

However, if there's already a way to achieve this goal, please excuse my ignorance & inform me of the solution. I read through the manual, and didn't see anything specific to what I described above.

Thoughts?

TinCanTech
OpenVPN Protagonist
Posts: 7944
Joined: Fri Jun 03, 2016 1:17 pm

Re: add a 'client-connect-complete'-type script event

Post by TinCanTech » Thu Oct 17, 2019 12:04 am

The reason this is not possible is because it is considered to be a non-trivial security risk and will therefore not be implemented. You are not the first to ask ..

csrf
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 15, 2019 9:02 pm

Re: add a 'client-connect-complete'-type script event

Post by csrf » Thu Oct 17, 2019 12:51 am

Non-trivial security risk? How so? What makes a client any less secure over the network if a script runs on the server? There are no extra permissions/authorization being implicitly granted to the client. The OpenVPN server is simply performing an explicit notification that a client has finished connecting.

In fact, the same goal can probably be accomplished via a script that 1) periodically reads&parses the openvpn status and/or server log, 2) detects newly-connected clients, 3) gets their IP address & CN, 4) figures out if they need to be processed, 5) pings them/checks if they are actually online, and 6) proceeds to connect to them if necessary. However, this seems like an unnecessary hack when the server could simply call a script & achieve the same result.
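Steps 1 to 4 of the polling approach listed in the post above, as an added example that is not part of the thread and not OpenVPN code. It assumes the default `status-version 1` file layout; the sample file, the `SAFE_CN` naming policy and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the default (status-version 1) layout; all values are made up.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Oct 17 00:51:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site-a,203.0.113.5:51234,12345,67890,Thu Oct 17 00:50:12 2019
ops@site-b,198.51.100.7:40000,100,200,Thu Oct 17 00:50:40 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,site-a,203.0.113.5:51234,Thu Oct 17 00:50:58 2019
192.168.50.0/24,site-a,203.0.113.5:51234,Thu Oct 17 00:50:58 2019
10.8.0.10,ops@site-b,198.51.100.7:40000,Thu Oct 17 00:50:59 2019
GLOBAL STATS
END
"""

SAFE_CN = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed local naming policy


def parse_status_v1(text):
    """Return {(cn, real_addr, connected_since): virtual_ip} for routed clients."""
    section, since, sessions = None, {}, {}
    for line in text.splitlines():
        fields = line.split(",")
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line
        elif section == "OpenVPN CLIENT LIST" and len(fields) == 5:
            since[(fields[0], fields[1])] = fields[4]
        elif section == "ROUTING TABLE" and len(fields) == 4:
            vaddr, cn, real = fields[:3]
            try:
                ipaddress.ip_address(vaddr)  # skips the header row and iroute subnets
            except ValueError:
                continue
            # The CN comes from the client's certificate: treat it as untrusted input.
            if (cn, real) in since and SAFE_CN.fullmatch(cn):
                sessions[(cn, real, since[(cn, real)])] = vaddr
    return sessions


def newly_connected(seen, text):
    """Return sessions not in `seen`, then record them so each is handled once."""
    fresh = {k: v for k, v in parse_status_v1(text).items() if k not in seen}
    seen.update(fresh)
    return fresh
```

Keying on the "Connected Since" value means a reconnect counts as a new session, and a client only appears once it has a routing-table entry, which is the closest this file gets to "tunnel is up".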

TinCanTech
OpenVPN Protagonist
Posts: 7944
Joined: Fri Jun 03, 2016 1:17 pm

Re: add a 'client-connect-complete'-type script event

Post by TinCanTech » Thu Oct 17, 2019 12:42 pm

The developers have concluded that all scripts must be completed before the VPN will pass any data. If you disagree then you will need to convince them that there is good reason.
