Send Email on Client Connection

[kcsupport2020]

I am trying to get an email to send when a client makes a connection to my OpenVPN server.

I have an OpenVPN Access Server v2.9.2 that was originally deployed from the OVA file they offer. It has been updated to the current version periodically. When searching this option most articles talk about editing a conf file (/etc/openvpn/server.conf) and utilizing a client-connect hook that can be used to fire off a script. I have the script working but I am not sure if the Access Server supports this. I have not been able to locate the conf file on this one. Various articles refer to the as.conf and the json being what AS uses to build its conf.

Does the OpenVPN Access Server v2.9.2 use the client-connect hook still and if so where can I leverage it?

Thanks for reading!

client-connect /etc/openvpn/server/connect-disconnect.sh
client-disconnect /etc/openvpn/server/connect-disconnect.sh

[chilinux]

I believe the prefer way to do something list this is through a post_auth python script as explained here:
https://openvpn.net/vpn-server-resource ... -examples/

OpenVPN AS also has an option to try to use OpenVPN Community Edition directives.

You can find that option by logging into the admin web portal and going to Configuration -> Advanced VPN -> Server Config Directives

Make sure you can still access the admin web portal via port 943 instead of 443. The web page provides the warning that "Minimal checking is performed on the supplied directives." What it does not warn the user of is if the directive is invalid then when restarting with the new configuration the OpenVPN service may not start resulting in port 443 being unavailable. At that point, the admin web portal will only be available via port 943.

It may also be possible that some server config directive changes may interfere with functionality/features of OpenVPN AS. If you want to confirm that client-connect and client-disconnect is not already used by OpenVPN AS or won't negatively impact it, it is probably best to open an official support ticket.

I am not able to find any OpenVPN AS knowledge base article that explains which OpenVPN CE directives are already used or which are available for customer reuse. So, just keep that in mind when using the "Server Config Directives" option.

[openvpn_inc]

Hello kcsupport2020,

I am sorry but certain functions are not possible with Access Server.

What you can do is load a post_auth script that, when a user authenticates successfully with the Access Server, fires off some email task. The post_auth scripting can be done in Python3 language, and therefore it wouldn't be too hard to send out emails with that. For examples of post_auth scripting see this page:
https://openvpn.net/vpn-server-resource ... -examples/

Kind regards,
Johan

[kcsupport2020]

Thank you for this information! I did make a support ticket and the last message they sent was that it wasn't possible.

I'll check out the linked pages and see what I can get working. If it supports using python3 then it should be pretty straight forward. I'll report back with what I end up trying.

Thanks again

[openvpn_inc]

Hi kcsupport2020,

Yes I know - the ticket you posted on Zendesk I just reviewed and updated with this information as well. Technically the answer there was correct - Access Server can't send out emails.

But with work and a post_auth script, this functionality can be added.

Kind regards,
Johan

[kcsupport2020]

Thank you for the information. With this viewtopic.php?t=15927 as a start I was able to get exactly what I needed. I had to change a few things for Python3 and this was my first python script so I am sure there are things that are in there that probably aren't needed. I installed postfix as a simple send only mail server on the machine in order to send the mail as described here. I did not do the SSL config portion as messages will be sent internally.

I created my script file on the Access Server and saved it as auth_script.py:

Code: Select all

import time
import datetime

import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import COMMASPACE, formatdate
from datetime import datetime

# mail server information
mailsubject = "OpenVPN Connection"
mailsender = "OVPN Notification <from@email.com>"
mailserver = "localhost"
time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')

def sendMail(to, fro, subject, text,server="localhost"):
    assert type(to)==list
    #assert type(files)==list
 
    msg = MIMEMultipart()
    msg['From'] = fro
    msg['To'] = COMMASPACE.join(to)
    msg['Date'] = formatdate(localtime=True)
    msg['Subject'] = subject
 
    msg.attach( MIMEText(text) )
 
    smtp = smtplib.SMTP(server)
    smtp.sendmail(fro, to, msg.as_string() )
    smtp.close()

def post_auth(authcred, attributes, authret, info):
    print("********** POST_AUTH %s %s %s %s" % (authcred, attributes, authret, info) + "\r\n************   POST_AUTH END")
    
    body = ''
    body = "Successful OpenVPN Connection at " + time + '\r\n'

    if authcred.get('username'):
        username = authcred.get('username')
    else:
        username = 'missing'
    
    if authcred.get('client_ip_addr'):
        client_ip = authcred.get('client_ip_addr')
    else:
        client_ip = 'noip'
    
    body = body + "Username: " + username + '\r\n'
    body = body + "Client IP: " + client_ip + '\r\n\n'
    body = body + "Please note this connection.  If the user should not be a member of OpenVPN group let IT know."

    sendMail(['To Name <to@email.com>,To2 Name2 <to2@email.com>'],mailsender,mailsubject,body)
    return authret

I then navigated to the scripts folder (on my openvpn_as it is /usr/local/openvpn_as/scripts) and ran this command:

./sacli --key "auth.module.post_auth_script" --value_file="<POST_AUTH_SCRIPT_PATH_AND_FILENAME>" ConfigPut

Then I restarted the server to apply this config:

./sacli start

Now when a successful OpenVPN connection is established, our admins receive an email with the username,time,client_ip of the connection for logging purposes. authcred, attributes, authret, info definitely have other variables that may be valuable to you. You can see in the /var/log/openvpn_as log that print command shows you the variables that may be useful.

[openvpn_inc]

Hello kcsupport2020,

Nice work, this will help others that want to implement this.

Kind regards,
Johan