How to disconnect a specific client, instead of the user?

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

How to disconnect a specific client, instead of the user?

Post by stephan.budach » Fri Jun 04, 2021 6:30 am

I know how to disconnect a user using sacli:

    sacli -u <user name> consultant DisconnectUser

However, I want to disconnect a specific client and I thought that the verb DisconnectClient would do that, but I cannot seem to find what arguments this verb needs. Does anybody know this and could share it?

Thanks

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Sun Jun 06, 2021 8:47 am

You should be able to bring up the commands provided by sacli with the following:

    sacli --help

Depending on the version of OpenVPN AS, it should list DisconnectClient in addition to DisconnectUser as commands.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Sun Jun 06, 2021 12:45 pm

Yeah, I know that, but sacli --help doesn't expose any more context as to what arguments are to be passed to what verb. It just spits out a general help. It even won't hint at the -u parameter for DisconnectUser, although you can guess that easily enough from the list of options. Well… there's nothing there that catches my eye regarding DisconnectUser. I am even unsure what would identify a specific client session. Looks like it would have to be a combination of peerID and clientID, but you don't seem to be able to specify either of those as an argument.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Sun Jun 06, 2021 1:34 pm

My best guess is that instead of -u or --user, it appears DisconnectClient expects -c or --cn

As a side note, my favorite part of sacli is this line:

      --active               Only show active clients in ListClients

There are also three other references to ListClients in the --help.

So, it would make perfect sense from this help that there exists a ListClients command that accepts the option --active, right?

And yet attempting to do that gives me this:

    ERROR: totally unknown command 'ListClients': util/options:79,sagent/sacli:1268,<string>:1,sagent/sagent_entry:49,sagent/sacli:1274,util/options:79,sagent/sacli:1268,util/error:74,util/error:55

So not only is the --help a little hard to follow but some of the options/commands seem to be "totally unknown" like the developers of sacli are like "totally" Cheech & Chong. :P

I'm kind of hoping OpenVPN AS 2.9.0 will include the errors "ListClients not here, man." Maybe also include an easter egg of "Dave's Not Here" if run at 4:20 pm.

On a more serious note, I share your frustration with the lack of full documentation and examples for everything sacli is supposed to do/offer.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Sun Jun 06, 2021 8:15 pm

Yeah… I noticed that as well. However, DisconnectClient at least does not bail out with some error message, it simply returns 0. I couldn't say what would distinguish -u DisconnectUser from -u DisconnectClient, since this attribute is always the same for every client connection a user initiates. The same applies to -c.

I have raised a support request and the first thing support replied with was a reference to DisconnectUser. Let's see if they can shed some light on this. If not, I will stick with DisconnectUser - it's just a little bit more aggressive and "omnidirectional". 😉

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Mon Jun 07, 2021 9:05 am

I get the feeling OpenVPN AS Tier 1 support only has access to the same documentation that we do. My experience has been that it will eventually need to be escalated to the product developers at which point the ticket will just sit in limbo with no updates.

The level of support provided is frustrating when the price increases are taken into consideration. I understand that if I want enterprise grade support that I need to pay enterprise prices. But we are getting two rate hikes one year immediately after the other with the sales pitch that the first rate hike is "discounted" (sorry, but my definition of "discount" is the price going down from what you already pay, not up).

The justification being they are now competitors to Fortinet, Cisco, Barracuda, SonicWall and Array Networks would make sense for the amount of price increase, if they are really competitors. But at least one or more of those five are probably doing a better job at support. A simple question like how do you use DisconnectClient shouldn't result in an unrelated "answer" at that price.

The other key frustration is if the price is going up but the quality of support is remaining the same, are they just simply cooking the books to show higher profitability to encourage someone to buy-out the company? If they are, will the product even continue to be offered after the buy-out in the long term?

Let me know if you ever get details/examples of using DisconnectClient. I kind of wish I could just go back to OpenVPN Community Edition so I could have direct access to the server's management interface again. What you want to do was trivial with an expect script.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Mon Jun 07, 2021 12:39 pm

I totally understand your concern and this is something, that is worrying me as well. If I may ask, what was your reason to go with AS in the first place?

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Mon Jun 07, 2021 1:45 pm

Soo… this is what sacli expects when you issue the verbs DisconnectUser or DisconnectClient:

    elif cmd == 'disconnectclient':
        d = proxy.callRemote('DisconnectClients', [cn], bool(opt['restart']), opt['reason'], opt['client_reason'], bool(opt['psid']))
        if d:
            d.addCallback(general_post).addErrback(Passthru.errback)
    elif cmd == 'disconnectuser':
        d = proxy.callRemote('DisconnectUsers', [opt['user']], bool(opt['restart']), opt['reason'], opt['client_reason'], bool(opt['psid']))
        if d:
            d.addCallback(general_post).addErrback(Passthru.errback)

Seems that you were right about the cn, but I don't know how to obtain it. My guess is that it somewhat resembles the commonName which is returned by VPNStatus, but since this one is always the same for each client session, it still doesn't enable me to disconnect a specific client, right?

Oh… and btw, also notice "disconnectclient" vs "DisconnectClients"… now that would at least fit… and it looks like DisconnectUser --user is the same as DisconnectClient [cn] and DisconnectUser is the way to disconnect all users… if used without --user/-u.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Mon Jun 07, 2021 5:40 pm

The reason for going with AS in the first place was to improve density of VPN servers in a multi-tenant environment. Each customer could have their own VM instance of OpenVPN AS combined on the same physical server. Most other solutions did not lend themselves to use in a multi-tenant setting.

I was assuming ListClients would provide information on what the cn should be. But since it is "totally" unknown, it doesn't help much. You might be able to find something in the OpenVPN AS logs which might provide a clue as to the cn values expected.

As to "disconnectclient" vs "DisconnectClients", it is my assumption that earlier on in the code the cmd is passed through lower() such that none of the commands are actually case sensitive.

Since sacli is just an XML-RPC client, it should stand to reason that even if the sacli documentation is lacking, the XML-RPC documentation must provide details for the DisconnectClients XML-RPC call. But things don't work out well attacking the problem from that front either.

They promote that "AS has a full XML-RPC API with hundreds of methods that can control and monitor every aspect of the AS" on this page:
https://openvpn.net/advantages/

But where is this list and description of hundreds of methods?

Here is a 3 page REST API document:
https://openvpn.net/images/pdf/REST_API.pdf

It shows how to use the single method of GetUserlogin which is hundreds of methods short of being hundreds of methods.

This page explains how to use the OPENVPN_AS_DEBUG environment variable with sacli to better see the XML-RPC session:
https://openvpn.net/vpn-server-resource ... mand-line/

And this page appears to talk about making XML-RPC API logging more verbose:
https://openvpn.net/vpn-server-resource ... I_VERBOSE1

But nothing I have found documents the hundreds of methods that is part of the AS advantages. :(

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Tue Jun 08, 2021 4:26 am

Yeah, I also tried the OPENVPN_AS_DEBUG with DisconnectClient, but as I didn't know what to put in as an argument, the returned result was kinda useless… ☹️

Maybe I will turn my attention to the OpenVPN Connect client, because it should return this information, but I am kinda wary about that.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: How to disconnect a specific client, instead of the user?

Post by openvpn_inc » Tue Jun 08, 2021 10:01 am

Hello,

Sorry, at the moment it is not possible to disconnect only 1 of the VPN tunnels started under the same user account. The cn is the same for all tunnels established under the same account name. If you have different user account names, then you can disconnect them separately.

Regarding ListClients and --active, that's indeed a known issue. In Access Server 2.9.0 (not yet released at the time I'm writing this) we have resolved this and updated sacli quite a bit.

To see which connections are currently active you can use:
./sacli VPNStatus

The CN or Common Name is usually just the username, or username+_AUTOLOGIN if it's an autologin profile. If you want to see a list of CNs used in Access Server you can use for example sa dump which will list all the certificates and their CNs.

Regarding the request for documentation for XML-RPC, that is part of our ongoing efforts to update and reorganize the documentation for our Access Server product. At the moment you can use the information already posted here to use sacli to do an XML-RPC call and see what it does. It can then easily be reproduced with any XML-RPC type client you wish to use.

Regarding the request to disconnect only 1 VPN connection even though it is connected multiple times under the same identity, that is something we will put in a future release of Access Server.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Tue Jun 08, 2021 6:41 pm

Hi Johan,

thanks for clarifying. At least I can stop snooping around for the (yet) still non-existent documentation. I will then use DisconnectClient for the time being, at least this doesn't come with the risk of kicking everyone out of the VPN.

Kind regards,
Stephan

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Wed Jun 09, 2021 4:38 pm

You might be able to play tricks with iptables to kill a specific session instead of disconnecting all sessions of a user. It could be used to issue a tcp-reset or ICMP port-unreachable using the --reject-with option and configure the rule to impact only a specific source IP and source port.

You could also try outbound rules specific to the destination IP and port to cause a tcp reset or port-unreachable to be returned back to the server as well.

The server side session should then eventually timeout with the client no longer able to reach it or act accordingly to the RST/unreachable packets.
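Putting the pieces of this thread together as an added example (this is not code from the thread or from OpenVPN Inc.): it reads the JSON that `./sacli VPNStatus` prints, groups the active tunnels by Common Name, builds the confirmed `sacli --user USER DisconnectUser` command (refusing by default when that would drop more than one tunnel, since all of a user's tunnels share one CN), and builds the per-session iptables REJECT rule suggested above, scoped to one tunnel's real source address and port. The VPNStatus layout and column names are a constructed approximation and should be compared with your own server's output; the sample status is made up.

```python
"""Added example, not posted in the thread and not OpenVPN Inc. code.

Reads `sacli VPNStatus` JSON, groups tunnels by Common Name, and shows the
two ways of dropping a connection discussed in the thread: DisconnectUser
(every tunnel of that identity goes down) and an iptables REJECT rule that
targets a single tunnel by its real source address and port.

Assumption: the VPNStatus layout (one object per daemon instance holding
`client_list_header` and `client_list`) is a constructed approximation.
"""
import json
import shlex
import subprocess
from collections import defaultdict

# Constructed sample modelled on VPNStatus output, not captured from a real server.
SAMPLE_VPNSTATUS = json.dumps({
    "openvpn_0": {
        "client_list_header": ["Common Name", "Real Address", "Virtual Address",
                               "Connected Since", "Username", "Client ID", "Peer ID"],
        "client_list": [
            ["stephan", "203.0.113.5:51234", "172.27.232.2",
             "2021-06-08 06:00:00", "stephan", "7", "0"],
            ["stephan", "198.51.100.9:40022", "172.27.232.3",
             "2021-06-08 06:05:00", "stephan", "8", "1"],
            ["alice_AUTOLOGIN", "[2001:db8::77]:1194", "172.27.232.4",
             "2021-06-08 06:10:00", "alice", "9", "2"],
        ],
    }
})


def parse_vpnstatus(raw):
    """Flatten VPNStatus JSON into one dict per active tunnel."""
    sessions = []
    for daemon, status in json.loads(raw).items():
        header = status.get("client_list_header", [])
        for row in status.get("client_list", []):
            rec = dict(zip(header, row))
            rec["daemon"] = daemon
            sessions.append(rec)
    return sessions


def sessions_by_cn(sessions):
    """Group tunnels by CN. More than one entry per CN is exactly the case
    that DisconnectUser / DisconnectClient cannot tell apart."""
    by_cn = defaultdict(list)
    for s in sessions:
        by_cn[s["Common Name"]].append(s)
    return dict(by_cn)


def disconnect_user_cmd(sessions, user, force=False):
    """argv for the verb the thread confirms: `sacli --user USER DisconnectUser`.
    Refuses by default when the user has several tunnels, because all of them
    go down together."""
    mine = [s for s in sessions if s["Username"] == user]
    if not mine:
        raise ValueError("no active tunnel for user %r" % user)
    if len(mine) > 1 and not force:
        raise RuntimeError("%d tunnels for %r would all be dropped; pass force=True"
                           % (len(mine), user))
    return ["sacli", "--user", user, "DisconnectUser"]


def reject_rule_cmd(session, proto="udp", delete=False):
    """iptables argv rejecting one tunnel by its real source address and port.
    UDP gets a port-unreachable, TCP a tcp-reset (only valid with -p tcp).
    Inserted at position 1 of INPUT so it precedes the ACCEPT for the VPN
    port; delete=True builds the matching cleanup command."""
    ip, port = session["Real Address"].rsplit(":", 1)
    ip = ip.strip("[]")                      # IPv6 peers appear as [addr]:port
    is_v6 = ":" in ip
    tool = "ip6tables" if is_v6 else "iptables"
    if proto == "tcp":
        reject = "tcp-reset"
    else:
        reject = "icmp6-port-unreachable" if is_v6 else "icmp-port-unreachable"
    action = ["-D", "INPUT"] if delete else ["-I", "INPUT", "1"]
    return [tool, *action, "-p", proto, "-s", ip, "--sport", port,
            "-j", "REJECT", "--reject-with", reject]


def run(argv, dry_run=True):
    """Print one command and, unless dry_run, execute it (needs root)."""
    line = shlex.join(argv)
    print(line)
    if not dry_run:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    sessions = parse_vpnstatus(SAMPLE_VPNSTATUS)
    for cn, tunnels in sessions_by_cn(sessions).items():
        print("%s: %d tunnel(s)" % (cn, len(tunnels)))
    run(disconnect_user_cmd(sessions, "alice"))
    # Cut only stephan's second tunnel; the first one stays up.
    run(reject_rule_cmd(sessions[1]))
    run(reject_rule_cmd(sessions[1], delete=True))
```

On a real server replace SAMPLE_VPNSTATUS with the output of `subprocess.check_output(["./sacli", "VPNStatus"])` and pass dry_run=False. The REJECT rule only stops the packets reaching the daemon: the server-side session stays listed until its keepalive timeout expires, and the client is free to reconnect from a new source port, so remove the rule once the session is gone.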

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Thu Jun 10, 2021 7:09 am

Yeah… but this is even more funky than what I am already doing. However, all relevant information is actually provided, that's for sure. I'd rather like to see the OpenVPN Connect client gaining the feature of reporting the HW serial number of the connecting client - at least each OS provides a way to get a hold of them, why not pass that through when connecting and we can tick this problem off for probably some time to come.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Thu Jun 10, 2021 10:59 am

I think the desktop version of OpenVPN Connect already has that feature.

In the web admin panel, go to Configuration -> Advanced VPN -> Client Config Directives

Then in the text box add: push-peer-info

You will then need to download the latest ovpn configuration file in the user web portal.

At that point IV_HWADDR should appear in the log with the MAC address of the network interface.

There are also examples given on how to automatically take action based on the MAC address in a post authentication script:
https://openvpn.net/vpn-server-resource ... -checking/

My understanding of iOS and Android is the latest versions tend to randomize the MAC address given to the apps when requested. You may need to play around a little with the different client platforms you want to support to confirm they all work the way you expect.

It should be noted this doesn't really improve much from a security perspective. Most NIC drivers will allow you to modify the MAC address. Even if the drivers don't, the function call OpenVPN Connect uses to get the MAC address can be hooked to feed it a different value. The feature may be of limited usefulness when there is unintentional misbehaving activity on the client side.

If you want an additional hardware based validation credential then the feature request we should be seeking is for OpenVPN Connect client to support FIDO and Google Titan authentication keys. OpenVPN AS already supports Google Authenticator (TOTP) which was the previous enhanced security model promoted by Google. There might be some hope that with Google adopting/promoting FIDO that also supporting it would be considered.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Thu Jun 10, 2021 1:27 pm

Yes, I know, but afaik the MAC address reported is always the one used by the OpenVPN client. The only reliable MAC address on a portable Mac is its Wifi one, but we also need to support USB-C/Thunderbolt LAN adaptors and those MAC addresses are bound only to the removable dongle. With HW serial address, I was referring to the serial number of the mainboard itself. That seems to be the only reliable way to identify a Mac these days. The same applies to standard PCs, where you can also always get the MB's serial number.

Any other 2FA will also not prevent accounts from logging in to the VPN from a non-company device. Anyway, I just tried push-peer-info and it doesn't send the MB's serial number. I think that would be rather easy to do, especially as the client sends back the complete macOS version with actual release tag.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Thu Jun 10, 2021 3:02 pm

Best way I can think of to force OpenVPN to be tied to a company issued device would be to use hardware with a Trusted Platform Module (TPM) and then leverage the cryptoapicert option in the OpenVPN client.

In this theoretical scenario, you would no longer give employees direct access to the user web portal of OpenVPN AS. Instead, you would manually generate each user's configuration file using sacli with the Get1 command. Then extract the <cert> and <key> sections to be stored on the device's TPM. Next the extracted sections in the configuration would be manually replaced with the cryptoapicert option. This should then make using the OpenVPN AS server difficult for any hardware that wasn't provisioned by the company ahead of time.

This isn't something I have ever done before and is very different from how the product is intended to be used. You may need to go through a lot of work yourself to figure out how to accomplish what I am suggesting.

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Fri Jun 11, 2021 6:40 am

Usually, the TPM won't let you extract anything. Afair, TPM only allows you to validate against a stored cert, but not get the cert itself or the private key. Your suggestion also comes with a looot of work, as you already noticed, so right now, I'd be quite satisfied with the MB's serial number being checked against our internal database. It's just a slight slap on the wrist for the self-proclaimed "power users", who always tend to try this sort of thing anyway.

And I have already a little python app on my AS in place, which does that. I'd rather have it run event-based in the post-auth, or some post-login hook, instead of having it scanning for new connections regularly.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to disconnect a specific client, instead of the user?

Post by chilinux » Fri Jun 11, 2021 11:58 am

If I understand you correctly, what you would like is if a client "up" script could set UV_ variables to then be passed onto the post_auth script.

As far as I know, that functionality doesn't exist yet but might make an interesting feature request. I would suggest poking OpenVPN AS support with it.

OpenVPN Connect v3.3 has been released with new command line options:
https://openvpn.net/vpn-server-resource ... n-connect/

You can write your own application that gets the user's configuration over XML-RPC, adds a "setenv UV_MB=xxxx" to it and then imports the profile into OpenVPN Connect. Then have the post_auth only accept connections that have the UV_MB available and with a correct value.

It may be a little more kludgy to create your own wrapper around OpenVPN Connect for retrieving/importing the configuration, but I think it might do what you are asking for?
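What the two device-binding suggestions in this thread (the push-peer-info / IV_HWADDR check in the post above, and the UV_MB idea here) look like in one post_auth script, as an added example that is not code from the thread or from OpenVPN Inc.: the hook follows the post_auth_cr(authcred, attributes, authret, client_info, crstate) shape that Access Server's post_auth scripting uses, fails closed when neither a registered mainboard serial (UV_MB) nor a registered MAC (IV_HWADDR) is presented, and leaves web-portal logins alone. Assumptions: the client_info keys IV_HWADDR and UV_MB, the attributes['vpn_auth'] flag and authret['user'] follow the AS convention as I read it from the pages linked in this thread; SUCCEED and FAIL stand in for the constants that `from pyovpn.plugin import *` provides on the server; the device inventory is constructed sample data.

```python
"""Added example, not posted in the thread and not OpenVPN Inc. code.

post_auth hook that ties a VPN login to a registered device using the two
values discussed in the thread: IV_HWADDR (reported by the client once
push-peer-info is in the client config directives) and UV_MB (a mainboard
serial that a wrapper adds to the profile with `setenv UV_MB=...`).

Assumptions: the client_info keys, attributes['vpn_auth'] and authret['user']
follow the AS post_auth convention as read from the linked pages; SUCCEED and
FAIL stand in for the pyovpn.plugin constants; the inventory is made up.
"""
import re

SUCCEED, FAIL = True, False   # placeholders for the pyovpn.plugin constants

# Constructed inventory: per username, the MACs of its registered NICs
# (several, since Wi-Fi and a USB-C/Thunderbolt dongle differ, as noted above)
# and the mainboard serials the wrapper is expected to send as UV_MB.
DEVICE_INVENTORY = {
    "stephan": {"macs": {"aabbccddee01", "aabbccddee02"},
                "mb_serials": {"C02ABC123XYZ"}},
    "alice": {"macs": set(), "mb_serials": {"PF1ABCD2"}},
}


def normalize_mac(raw):
    """Canonical 12-hex-digit form, or None when absent or malformed
    (IV_HWADDR arrives with ':' or '-' separators and mixed case)."""
    if not raw:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    return digits.lower() if len(digits) == 12 else None


def device_check(username, client_info, inventory):
    """Return (ok, reason). Policy: the login must present a registered
    mainboard serial or, failing that, a registered MAC; a missing or unknown
    value fails closed. The MAC is the weaker signal: as noted in the thread
    it can be changed in the driver or hooked inside the client."""
    entry = inventory.get(username)
    if entry is None:
        return False, "no device registered for user %r" % username
    serial = (client_info.get("UV_MB") or "").strip()
    if serial and serial in entry["mb_serials"]:
        return True, "mainboard serial matched"
    mac = normalize_mac(client_info.get("IV_HWADDR"))
    if mac and mac in entry["macs"]:
        return True, "MAC matched"
    return False, "device not registered (mac=%s, serial=%s)" % (mac, serial or None)


def post_auth_cr(authcred, attributes, authret, client_info, crstate):
    """Hook entry point. Only successful VPN tunnel logins are gated; web
    portal logins and already-failed authentications pass through untouched."""
    if not attributes.get("vpn_auth") or authret.get("status") != SUCCEED:
        return authret
    username = authret.get("user") or authcred.get("username")
    ok, reason = device_check(username, client_info, DEVICE_INVENTORY)
    if not ok:
        authret["status"] = FAIL
        authret["reason"] = "post_auth device check: " + reason   # server log
        authret["client_reason"] = "This device is not registered for VPN access"
    return authret
```

Loading the script is done the way the linked MAC-address-checking page describes (sacli ConfigPut of the post_auth script key followed by a service restart). The serial check is only as trustworthy as the wrapper that sets UV_MB: a user who edits the profile can set any value, so pair it with the inventory and treat it, as Stephan says, as a slap on the wrist rather than a hardware credential.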

stephan.budach
OpenVpn Newbie
Posts: 15
Joined: Tue May 25, 2021 8:05 am

Re: How to disconnect a specific client, instead of the user?

Post by stephan.budach » Mon Jun 14, 2021 8:32 am

Well, what I really would like to have, would be that the client just pushes the serial number of the client's mainboard along with the other values, it gathers, like OS version etc. There's really no need to go fancy with this. If the platform the client is running on, doesn't support that (although I highly doubt that this could happen nowadays), leave it empty. As you can do with MAC addresses, you could handle this on the AS in the post auth-hook.
I will surely keep nagging support with this, as I truly think that this is a legitimate feature to request. ;)

I also took a (very) brief look at the OVPN Connect 3.3 cli doc, but actually creating a wrapper around the OVPN cli, is really something I would like to avoid, though.
