How to use Deferred client-connect

How to customize and extend your OpenVPN installation.
Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

How to use Deferred client-connect

Post by Marc05 » Sun Sep 26, 2021 2:43 pm

New in OpenVPN 2.5 is "Deferred client-connect":
https://github.com/OpenVPN/openvpn/blob ... hanges.rst
The --client-connect option and the connect plugin API allow asynchronous/deferred return of the configuration file in the same way as the auth-plugin.
It sounded as if current implementations of client-connect would be able to take advantage of this async functionality, but that is not the case. I'm wondering if there are any examples or documentation on this. From what I can tell, it seems as if a new plugin has to be built and used:
https://github.com/OpenVPN/openvpn/tree ... le-plugins

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sun Sep 26, 2021 4:13 pm


Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sun Sep 26, 2021 6:05 pm

Thank you!

If I understand correctly, then it would look something like this:

Code:

if client-connect
   run $script in background
   echo 2 >> ${client_connect_deferred_file} # deferred
   exit 0

within $script:
   # do async stuff
   echo 1 >> ${client_connect_deferred_file} #success; client connects
   exit

Is that right?

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sun Sep 26, 2021 6:57 pm

Read it again, a bit more carefully.

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sun Sep 26, 2021 7:52 pm

I've read it a handful of times.

Is it that I'm missing something with "client_connect_config_file"? My reasons for not using it are it says "(optional, if per-session configuration is desired)" and I'm not entirely sure what configuration I would write to it.

Or perhaps you're referring to an issue with this line "echo 1 >> ${client_connect_deferred_file} #success; client connects", which I included because it said "when finished, write the a 1 to this file".

Or maybe it's none of those!

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sun Sep 26, 2021 8:07 pm

Your first script above would probably work. Have you tested it yet?

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sun Sep 26, 2021 8:40 pm

Yeah it works. Granted there's a lot of error handling that needs to be done with the pseudocode, but that's why it's not actual code lol.
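
The deferral handshake from the posts above, with the fail-closed handling the pseudocode leaves out, as an added example that is not part of the original thread or of OpenVPN's own sample scripts. `ALLOW_LIST`, `check_client` and the other function names are hypothetical; the status file is overwritten with `>` rather than appended to because the OpenVPN manual says only its first character is relevant.

```shell
#!/bin/sh
# Added example: deferred --client-connect handler for OpenVPN 2.5+.
# ALLOW_LIST and check_client are hypothetical stand-ins for the slow lookup.
ALLOW_LIST=${ALLOW_LIST:-/etc/openvpn/allowed-users.txt}

# Replace the file content with one status character:
# 2 = deferred, 1 = success, 0 = failure. Only the first character counts.
write_status() {
    printf '%s\n' "$1" > "$2"
}

# Hypothetical check: exact, fixed-string match of the username in a list.
check_client() {
    [ -n "$1" ] && grep -qxF -- "$1" "$ALLOW_LIST" 2>/dev/null
}

# Background half. The verdict starts at 0, so any failure rejects the client.
deferred_worker() {
    verdict=0
    if check_client "$1"; then
        verdict=1
    fi
    write_status "$verdict" "$2"
}

# Foreground half, called by OpenVPN. Must return quickly.
client_connect() {
    deferred=${client_connect_deferred_file:-}
    if [ -z "$deferred" ]; then
        # Server without deferred support: give the verdict synchronously.
        check_client "${username:-}" || return 1
        return 0
    fi
    # Announce the deferral before starting the worker, so the worker's
    # verdict can never be overwritten by a late "2".
    write_status 2 "$deferred" || return 1
    deferred_worker "${username:-}" "$deferred" </dev/null >/dev/null 2>&1 &
    return 0
}

# script_type is set by OpenVPN; nothing runs when the file is sourced.
if [ "${script_type:-}" = "client-connect" ]; then
    client_connect
    exit $?
fi
```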

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sun Sep 26, 2021 10:54 pm

If you are in the mood for experimenting then try this:
https://github.com/TinCanTech/easy-tls

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sat Oct 09, 2021 6:30 pm

Thanks @TinCanTech!

There's something odd I've noticed; note that the server is using duplicate-cn.

Currently, the client-connect script will run some code which client-disconnect is supposed to undo. For the sake of discussion, let's say client-connect does:

Code:

touch /tmp/${username}_${trusted_port}.lock
# code to check for active client connections for this user and remove any lock files that don't match up.

and client-disconnect does:

Code:

rm -f /tmp/${username}_${trusted_port}.lock

The issue is that sometimes the .lock file isn't removed, meaning the client-disconnect script was not called. The extra code in client-connect to remove the lock files helps, but it doesn't solve the scenario in which old user sessions have yet to time out (hence considered active and file not removed); this scenario is supposed to be dealt with by client-disconnect, which presumably gets run after the timeout.

This happens rarely (a few weeks have passed before it happened), but it's happened more than a handful of times now. Any thoughts on this?

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sat Oct 09, 2021 7:31 pm


Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sat Oct 09, 2021 8:17 pm

I must admit, I had lost hope of figuring it out. Nice job with the troubleshooting there.

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Sat Oct 09, 2021 10:01 pm

I have been preparing a work around, which I intend to release soon:
https://github.com/TinCanTech/easy-tls

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Sun Oct 10, 2021 5:56 pm

Trying to understand the issue to have a workaround myself. It seems the issue isn't that the client-disconnect script doesn't get called, but rather with environment variables. From what I can tell, there is no issue with the username variable - correct? If so, I'm not clear on why the client-disconnect script doesn't work.

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Tue Oct 12, 2021 12:11 am

Hmm, not able to edit the post.

I saw the commit there and it looks like you are falling back to using username if common_name fails. So if client-disconnect is indeed being called fine (but with sometimes incorrect env variables), then I'm not sure how I could be hitting that bug.

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Tue Oct 12, 2021 12:18 am

Your script is triggering a known variant.

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Tue Oct 12, 2021 1:23 am

Would you mind expanding on how? I read through the reports and I don't see the username variable being affected. The script I'm using only relies on $username, e.g.:
if [ -n "${username}" ]; then
# etc

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Tue Oct 12, 2021 2:18 am

Marc05 wrote:
Tue Oct 12, 2021 1:23 am
The script I'm using only relies on $username, e.g.:
if [ -n "${username}" ]; then
# etc

Marc05 wrote:
Sat Oct 09, 2021 6:30 pm
touch /tmp/${username}_${trusted_port}.lock
# code to check for active client connections for this user and remove any lock files that don't match up.

TinCanTech wrote:
Tue Oct 12, 2021 12:18 am
Your script is triggering a known variant

Marc05 wrote:
Tue Oct 12, 2021 1:23 am
Would you mind expanding on how?

It's complicated ..

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Tue Oct 12, 2021 2:26 pm

You probably understand the issue better than anyone in the world right now. If that's the best answer then I'm screwed lol.

TinCanTech
Forum Team
Posts: 9752
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to use Deferred client-connect

Post by TinCanTech » Tue Oct 12, 2021 2:29 pm

Simply use Easy-TLS

Marc05
OpenVpn Newbie
Posts: 11
Joined: Sun Sep 26, 2021 2:19 pm

Re: How to use Deferred client-connect

Post by Marc05 » Wed Oct 13, 2021 1:34 am

Unfortunately things are indeed more complicated for me. I do appreciate the work though, thank you!
