OpenVPN doesn't see changes in MySQL database

xavierjf
OpenVpn Newbie
Posts: 4
Joined: Fri Dec 27, 2019 12:23 pm

OpenVPN doesn't see changes in MySQL database

Post by xavierjf » Fri Dec 27, 2019 3:19 pm

Hello,

I installed the script "post_auth_mac_address_checking.py" to check the client's MAC address during VPN connection.
https://openvpn.net/vpn-server-resource ... -checking/
It works fine. I modified the script (see below) to put the MAC addresses in a local MySQL database instead of in the script.
It also works, but my problem is that when I make changes in the MySQL database (add or delete MAC addresses), OpenVPN doesn't see the changes.

How can I "force" OpenVPN to execute the script for each connection?
Is there a cache for the script that I need to refresh?

Thank you for your help!

The script:

Code:

#!/usr/bin/env python

import uuid
import re
import MySQLdb
import sys

from pyovpn.plugin import *

# If this is set to "NONE" or "DISABLED" then the server administrator must
# always manually register each MAC/UUID address by hand on the command line.
first_login_ip_addr="NONE"

# If False or undefined, AS will call us asynchronously in a worker thread.
# If True, AS will call us synchronously (server will block during call),
# however we can assume asynchronous behavior by returning a Twisted
# Deferred object.
SYNCHRONOUS=False

# Get authorized MAC addresses in the mysql database
conn = MySQLdb.connect(host='127.0.0.1',user='xxx',passwd='xxx',db='xxx')

with conn as cur:
    cur = conn.cursor()
    cur.execute("SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED")
    result_iso = cur.fetchall()[0]
    cur.execute("SELECT mac_address FROM whitelist_mac;")
    results = cur.fetchall()
    whitelistmac = [row[0] for row in results]

# this function is called by the Access Server after normal VPN or web authentication
def post_auth(authcred, attributes, authret, info):
    print "********** POST_AUTH", authcred, attributes, authret, info

    # get the phone's MAC address
    from uuid import getnode
    MAC_phone = (':'.join(re.findall('..', '%012x' % uuid.getnode())))

    # get user's property list, or create it if absent
    proplist = authret.setdefault('proplist', {})

    # user properties to save - we will use this to pass the hw_addr_save property to be
    # saved in the user property database.
    proplist_save = {}

    error = ""

    # The 'error' text goes to the VPN client and is shown to the user.
    # The 'print' lines go to the log file at /var/log/openvpnas.log (by default).

    if attributes.get('vpn_auth'):                  # only do this for VPN authentication
        hw_addr = authcred.get('client_hw_addr')    # MAC address reported by the VPN client
        username = authcred.get('username')         # User name of the VPN client login attempt
        clientip = authcred.get('client_ip_addr')   # IP address of VPN client login attempt

        if hw_addr or MAC_phone:
            if (hw_addr or MAC_phone) in whitelistmac:
                print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
                print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
                if hw_addr:
                    print "***** POST_AUTH MAC CHECK: PC MAC address            : %s" % hw_addr
                else:
                    print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
                print "****** POST_AUTH MAC CHECK: iso                            %s" % result_iso
                print "****** POST_AUTH MAC CHECK: whitelist                      %s" % whitelistmac
                print "***** POST_AUTH MAC CHECK: connection attempt        : SUCCESS"
            else:
                error = "Le client n'est pas autorisé à se connecter."
                print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
                print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
                if hw_addr:
                    print "***** POST_AUTH MAC CHECK: PC MAC address            : %s" % hw_addr
                else:
                    print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
                print "****** POST_AUTH MAC CHECK: whitelist                      %s" % whitelistmac
                print "****** POST_AUTH MAC CHECK: iso                            %s" % result_iso
                print "***** POST_AUTH MAC CHECK: connection attempt        : FAILED"
        else:
            error = "L'adresse MAC du client n'a pas été diffusé."
            print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
            print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
            print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
            print "***** POST_AUTH MAC CHECK: PC MAC address            : NONE REPORTED"
            print "***** POST_AUTH MAC CHECK: action taken              : VPN connection denied with a suitable error message."
            print "***** POST_AUTH MAC CHECK: connection attempt        : FAILED"

    # process error, if one occurred
    if error:
        authret['status'] = FAIL
        authret['reason'] = error          # this error string is written to the server log file
        authret['client_reason'] = error   # this error string is reported to the client user

    return authret, proplist_save

if conn:
    conn.close()
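
Added example, not part of the original post and not OpenVPN's own script: Python runs module-level statements once, when the module is loaded, so a whitelist read there stays fixed, while a lookup made inside the function that is called per login sees additions and revocations. It assumes sqlite3 as an offline stand-in for MySQL and uses constructed MAC addresses; `normalize_mac`, `mac_allowed_cached`, `mac_allowed_live` and `demo` are hypothetical names.

```python
import re
import sqlite3

# Constructed stand-in for the MySQL table in the post (sqlite3 so it runs offline).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE whitelist_mac (mac_address TEXT PRIMARY KEY)")
db.execute("INSERT INTO whitelist_mac VALUES ('aa:bb:cc:00:00:01')")

# Pattern from the post: the SELECT sits at module level, so it runs once, at load.
WHITELIST_AT_LOAD = [row[0] for row in db.execute("SELECT mac_address FROM whitelist_mac")]

def normalize_mac(value):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None if it is malformed."""
    raw = (value or "").strip().lower().replace(":", "").replace("-", "")
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def mac_allowed_cached(hw_addr):
    """Decision taken from the list built at load time (stale after any DB change)."""
    return normalize_mac(hw_addr) in WHITELIST_AT_LOAD

def mac_allowed_live(hw_addr, conn=db):
    """Query on every call; deny on malformed input or database error (fail closed)."""
    mac = normalize_mac(hw_addr)
    if mac is None:
        return False
    try:
        # Parameterized lookup; MySQLdb uses %s as the placeholder instead of ?.
        row = conn.execute("SELECT 1 FROM whitelist_mac WHERE mac_address = ?", (mac,)).fetchone()
    except sqlite3.Error:
        return False
    return row is not None

def demo():
    """Add one MAC and revoke another after load, then compare both decisions."""
    db.execute("INSERT OR IGNORE INTO whitelist_mac VALUES ('aa:bb:cc:00:00:02')")
    db.execute("DELETE FROM whitelist_mac WHERE mac_address = 'aa:bb:cc:00:00:01'")
    db.commit()
    added, revoked = "AA-BB-CC-00-00-02", "aa:bb:cc:00:00:01"
    return {
        "cached_added": mac_allowed_cached(added),      # new entry is not seen
        "cached_revoked": mac_allowed_cached(revoked),  # revoked entry still passes
        "live_added": mac_allowed_live(added),
        "live_revoked": mac_allowed_live(revoked),
    }

if __name__ == "__main__":
    print(demo())
```

In the posted script the equivalent change is to open the connection and run the SELECT inside `post_auth`. The cached variant keeps accepting a revoked MAC address until the module is loaded again.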

Re: OpenVPN doesn't see changes in MySQL database

Post by xavierjf » Thu Jan 09, 2020 10:06 am

Nobody has an idea?...

Re: OpenVPN doesn't see changes in MySQL database

Post by xavierjf » Wed Feb 19, 2020 4:00 pm

Maybe my question is not clear enough? :(
