OpenVPN AS ignoring conn_ip returned by post_auth script

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

galser
OpenVpn Newbie
Posts: 1
Joined: Tue Oct 23, 2012 3:11 pm

OpenVPN AS ignoring conn_ip returned by post_auth script

Post by galser » Tue Oct 23, 2012 3:56 pm

Hello all, at the present moment I am trying to create an LDAP-based authorization system for OpenVPN.
Everything works OK, but I need to force the client IP address and I am facing the following problem:

According to the documentation:

For authret there is
proplist (dictionary, optional) -- a list of user properties for the
connecting user.

* conn_ip -- (string: IP address) dynamic IP address that should be
assigned to user -- this IP address MUST exist within
a group subnet; if conn_group is not specified, AS will
try to derive the group by looking at the set of all
groups, and finding the group for which this IP address
is contained within group_subnets (only in Layer 3 mode)
OK, my script returns the correct IP address from the configured range in authret, and I can see two lines in the logs:

2012-10-23 10:40:17-0400 [-] POST_AUTH : authret after group check {'status': 0, 'reason': 'LDAP auth succeeded on ldaps://XXXX/ group : vpn_YYYYY', 'user': 'testuser', 'proplist': {'conn_ip': '172.27.127.41', 'prop_autogenerate': 'true'}}
2012-10-23 10:40:17-0400 [-] AUTH SUCCESS {'status': 0, 'reason': 'LDAP auth succeeded on ldaps://XXXX/ group : vpn_YYYYY', 'serial_list': [], 'user': 'testuser', 'proplist': {'conn_ip': '172.27.127.41', 'prop_autogenerate': 'true'}, 'common_name': 'testuser', 'serial': '18'} cli=/

with IP address 172.27.127.41, and just after that:

2012-10-23 10:40:17-0400 [-] OVPN 0 OUT: 'Tue Oct 23 10:40:17 2012 MANAGEMENT: CMD 'client-auth 4 0''
2012-10-23 10:40:18-0400 [-] OVPN 0 OUT: 'Tue Oct 23 10:40:18 2012 testuser/XX.XX.XX.XX:56811 OPTIONS IMPORT: LZO parms modified'
2012-10-23 10:40:18-0400 [-] OVPN 0 OUT: 'Tue Oct 23 10:40:18 2012 testuser/XX.XX.XX.XX:56811 MULTI: Learn: 172.27.127.3 -> testuser/XX.XX.XX.XX:56811'
2012-10-23 10:40:18-0400 [-] OVPN 0 OUT: 'Tue Oct 23 10:40:18 2012 testuser/XX.XX.XX.XX:56811 MULTI: primary virtual IP for testuser/XX.XX.XX.XX:56811: 172.27.127.3'
where the IP address is 172.27.127.3... Why?

E.g. either I am not understanding the influence of prop_autogenerate, or...? How do I force Access Server to use the address that I returned in the authret proplist? Banging my head for the last week, no luck...
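An added example, not the poster's script and not OpenVPN's own code: a post_auth hook that sets conn_ip and, because the documentation quoted above requires that address to fall inside a group subnet, verifies this itself and sets conn_group explicitly instead of leaving Access Server to derive the group. The post_auth signature, the AUTH_FAIL value, the group subnet table and the per-user IP table are assumptions or constructed sample data, not values from this thread.

```python
import ipaddress

# Constructed sample data: group name -> group_subnets as they would be
# configured in Access Server. A real script would read these from AS.
GROUP_SUBNETS = {
    "vpn_sales": ["172.27.127.0/24"],
    "vpn_ops": ["172.27.128.0/24", "10.9.0.0/16"],
}

# Constructed stand-in for the LDAP attribute lookup the poster's script does.
LDAP_IP_BY_USER = {
    "testuser": "172.27.127.41",
    "stray": "192.168.1.1",   # deliberately outside every group subnet
}

AUTH_SUCCEED = 0  # matches 'status': 0 seen in the AUTH SUCCESS log line
AUTH_FAIL = 1     # assumed value of the AS plugin FAIL constant


def find_group_for_ip(conn_ip, group_subnets=GROUP_SUBNETS):
    """Return the first group whose group_subnets contain conn_ip, else None.
    This is the derivation the docs say AS performs when conn_group is absent."""
    addr = ipaddress.ip_address(conn_ip)
    for group, subnets in group_subnets.items():
        if any(addr in ipaddress.ip_network(net) for net in subnets):
            return group
    return None


def post_auth(authcred, attributes, authret, client_info):
    """Assumed post_auth hook signature; returns the (possibly modified) authret."""
    if authret.get("status") != AUTH_SUCCEED:
        return authret                      # never touch a failed authentication
    conn_ip = LDAP_IP_BY_USER.get(authcred.get("username"))
    if conn_ip is None:
        return authret                      # no static address: let AS use its pool
    group = find_group_for_ip(conn_ip)
    if group is None:
        # Refuse rather than hand back an address that violates the documented
        # "MUST exist within a group subnet" rule and might be silently ignored.
        authret["status"] = AUTH_FAIL
        authret["reason"] = "static IP %s is not inside any group subnet" % conn_ip
        return authret
    props = authret.setdefault("proplist", {})
    props["conn_ip"] = conn_ip
    props["conn_group"] = group             # explicit, so AS need not derive it
    return authret
```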