Problem with client-connect script

gryzli
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 06, 2011 12:28 pm

Problem with client-connect script

Post by gryzli » Thu Jan 06, 2011 12:44 pm

Hi there to all of you.

I'm new here (in the forum), and I've been struggling with the OpenVPN (openvpn-2.1.1-2) client-connect option.

Some info:
- I have configured an OpenVPN server with the option client-connect "connect.php" (for example), and I use this script to dynamically assign some settings (routes, iptables and so on). When the script fails, the exit value of 1 is correctly returned to OpenVPN (and OpenVPN is seeing that).

The problem:

The problem is that when the script connect.php returns an exit value of 1, the client is not disconnected but hangs, doing PUSH_REQUESTs to the server.

Do you have any suggestions on how I can force the client to disconnect completely after a client-connect script failure?

Regards
Thanks in advance!

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Problem with client-connect script

Post by gladiatr72 » Thu Jan 06, 2011 2:33 pm

Hello,

You can include some business in your client-connect script to connect to the openvpn management socket (see "management" directive in the docs) and then use either the 'kill cn' or 'kill IP:port' commands to disconnect the client right before returning your error code.

-Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole

gryzli
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 06, 2011 12:28 pm

Re: Problem with client-connect script

Post by gryzli » Thu Jan 06, 2011 4:52 pm

gladiatr72 wrote:
Hello,

You can include some business in your client-connect script to connect to the openvpn management socket (see "management" directive in the docs) and then use either the 'kill cn' or 'kill IP:port' commands to disconnect the client right before returning your error code.

-Stephen

Hi Stephen,

Yes, I know that I can do it through the management console, but I don't think it's the way it should be (things will get more complicated than necessary).

The reason I wrote about that problem here is that, as far as I see from the OpenVPN manual, if the client-connect script returns an exit code of 1, the client must be disconnected (as it should be on auth_failed).

If that behaviour is as it should be, is there any easier way I can disconnect the client more cleanly than going through the management interface?

Thanks again
Regards

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Problem with client-connect script

Post by gladiatr72 » Thu Jan 06, 2011 5:32 pm

Hey there,

I just ran a few tests on a utility vpn setup that utilizes some client-connect goodness for firewall manipulation. Are you sure your non-zero code is actually making it out? What happens when you preload your script's variables and run it from the shell? My test netted the following from the logs:

Thu Jan  6 11:43:02 2011 us=911918 stephen.spencer_util/10.10.2.2:49751 client-connect command failed: shell command exited with error status: 1
Thu Jan  6 11:43:04 2011 us=934373 stephen.spencer_util/10.10.2.2:49751 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan  6 11:43:04 2011 us=934470 stephen.spencer_util/10.10.2.2:49751 SENT CONTROL [stephen.spencer_util]: 'AUTH_FAILED' (status=1)
Thu Jan  6 11:43:04 2011 us=934484 stephen.spencer_util/10.10.2.2:49751 Delayed exit in 5 seconds
Thu Jan  6 11:43:07 2011 us=47099 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This was just a few little bash bits to do an 'exit 1' when the identifying bits of the CN on my phone's certificate show up.

So, anyway, the hook does work as documented.

-S

gryzli
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 06, 2011 12:28 pm

Re: Problem with client-connect script

Post by gryzli » Thu Jan 06, 2011 6:03 pm

gladiatr72 wrote:
Hey there,

I just ran a few tests on a utility vpn setup that utilizes some client-connect goodness for firewall manipulation. Are you sure your non-zero code is actually making it out? What happens when you preload your script's variables and run it from the shell? My test netted the following from the logs:

Thu Jan  6 11:43:02 2011 us=911918 stephen.spencer_util/10.10.2.2:49751 client-connect command failed: shell command exited with error status: 1
Thu Jan  6 11:43:04 2011 us=934373 stephen.spencer_util/10.10.2.2:49751 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan  6 11:43:04 2011 us=934470 stephen.spencer_util/10.10.2.2:49751 SENT CONTROL [stephen.spencer_util]: 'AUTH_FAILED' (status=1)
Thu Jan  6 11:43:04 2011 us=934484 stephen.spencer_util/10.10.2.2:49751 Delayed exit in 5 seconds
Thu Jan  6 11:43:07 2011 us=47099 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This was just a few little bash bits to do an 'exit 1' when the identifying bits of the CN on my phone's certificate shows up.

So, anyway, the hook does work as documented.

-S
Hi again,

First of all, I want you to know that in my case I don't use a bash script but an external program ("/usr/bin/php phpscript"). I'm not sure if that matters, but in my logs there is a message "external program exited", not "shell script exited".

So, I'm going to be more precise in my examples; here are the logs from the client/server:
Server Logs:

Thu Jan  6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
RThu Jan  6 20:08:59 2011 us=41041 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan  6 20:09:04 2011 us=282193 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan  6 20:09:09 2011 us=523075 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
....
....
As you see below, the exit code is identified as "1".

Client Logs:

Thu Jan  6 20:08:58 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:09 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:14 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:24 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan  6 20:09:29 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
..... infinite.....
Here is a part of my server config:

dev tun
fast-io
client-cert-not-required
user vpn
group vpn
persist-tun
persist-key
server x.x.x.x 255.255.0.0
username-as-common-name
client-connect "/usr/local/bin/php My_script.php"
client-disconnect "/usr/local/bin/php My_script.php"
duplicate-cn
tmp-dir /tmp
client-config-dir ccd
script-security 2
keepalive 1 5
comp-lzo
tls-server
dh ssl/dh1024.pem
cert ssl/server.crt
key ssl/server.key
ca ssl/ca.crt
plugin /etc/openvpn/mysql-auth/libopenvpn-mysql-auth.so -c /etc/openvpn/mysql-auth.cnf -d
Regards
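As an added example (not part of the thread), here is a small Python check that walks OpenVPN server log lines shaped like the ones above and flags clients whose client-connect hook failed but who were never sent AUTH_FAILED and keep sending PUSH_REQUEST. The sample lines are constructed from the two server logs in this thread; the threshold name min_push is my own.

```python
import re
from collections import defaultdict

# Server log line shape seen in this thread:
#   [RW markers]<timestamp> us=<usec> <cn>/<ip>:<port> <message>
# Leading R/W characters are the verb>=5 read/write markers and are skipped.
LINE_RE = re.compile(
    r"^[RW]*(?P<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) us=\d+ "
    r"(?P<client>\S+/\S+:\d+) (?P<msg>.*)$"
)

FAILED = "client-connect command failed"
PUSH_REQ = "Received control message: 'PUSH_REQUEST'"
AUTH_FAILED = "'AUTH_FAILED'"

def find_stuck_clients(lines, min_push=2):
    """Return clients whose client-connect hook failed, who were never sent
    AUTH_FAILED, and who then sent PUSH_REQUEST at least min_push times."""
    state = defaultdict(lambda: {"failed": False, "auth_failed": False, "push": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # client-side lines and other noise are ignored
        st, msg = state[m.group("client")], m.group("msg")
        if FAILED in msg:
            st["failed"] = True
        elif st["failed"] and PUSH_REQ in msg:
            st["push"] += 1  # only count requests after the hook failure
        elif AUTH_FAILED in msg:
            st["auth_failed"] = True  # healthy path: server told the client to go away
    return sorted(c for c, st in state.items()
                  if st["failed"] and not st["auth_failed"] and st["push"] >= min_push)

# Constructed sample, modelled on the two server logs in this thread.
SAMPLE_LOG = """\
Thu Jan  6 11:43:02 2011 us=911918 stephen.spencer_util/10.10.2.2:49751 client-connect command failed: shell command exited with error status: 1
Thu Jan  6 11:43:04 2011 us=934373 stephen.spencer_util/10.10.2.2:49751 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan  6 11:43:04 2011 us=934470 stephen.spencer_util/10.10.2.2:49751 SENT CONTROL [stephen.spencer_util]: 'AUTH_FAILED' (status=1)
Thu Jan  6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
RThu Jan  6 20:08:59 2011 us=41041 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan  6 20:09:04 2011 us=282193 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan  6 20:09:09 2011 us=523075 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
""".splitlines()

if __name__ == "__main__":
    print(find_stuck_clients(SAMPLE_LOG))  # ['test-user/my.test.ip.addr:33545']
```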

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Problem with client-connect script

Post by gladiatr72 » Thu Jan 06, 2011 7:10 pm

Thu Jan 6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
Right. This error message indicates that your client-connect script is not being executed.

-S

gryzli
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 06, 2011 12:28 pm

Re: Problem with client-connect script

Post by gryzli » Thu Jan 06, 2011 7:13 pm

gladiatr72 wrote:
Thu Jan 6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
Right. This error message indicates that your client-connect script is not being executed.

-S
This error is forced by me: I manually return "exit(1)" in my PHP script (I mean, the script is executing, and then throws the exit(1)).

So after receiving the exit 1 status, OpenVPN has to disconnect the client (that's what the man page says), but that's not happening. The client goes into a PUSH_REQUEST loop until I press CTRL + C on the client's VPN or restart the server.

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Problem with client-connect script

Post by gladiatr72 » Thu Jan 06, 2011 7:27 pm

Hrm. Well, I don't know what to tell you then. It's a pretty simple process, really. Whether you use bash, perl, php or lisp, to indicate a 'not authorized' message requires a non-zero error code to be returned on your program's stderr pipe. What is not in your error log is any indication of an AUTH_FAILED event which would preclude the client knowing that the proper thing to do is to disconnect. This indicates to me that whatever mechanism you're using to try to relay an error state for authentication is failing to do its job.

-Stephen

gryzli
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 06, 2011 12:28 pm

Re: Problem with client-connect script

Post by gryzli » Thu Jan 06, 2011 7:49 pm

gladiatr72 wrote:Hrm. Well, I don't know what to tell you then. It's a pretty simple process, really. Whether you use bash, perl, php or lisp, to indicate a 'not authorized' message requires a non-zero error code to be returned on your program's stderr pipe. What is not in your error log is any indication of an AUTH_FAILED event which would preclude the client knowing that the proper thing to do is to disconnect. This indicates to me that whatever mechanism you're using to try to relay an error state for authentication is failing to do its job.

-Stephen
I tried to use a simple bash script instead of the PHP one. The bash script contains:

#!/bin/bash
exit 1
The situation is the same: OpenVPN indicates error 1 from the script execution, but the client is still sending PUSH_REQUESTs ... that's weird.

SquareJ
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 01, 2021 12:55 am

Re: Possible solution - Problem with client-connect script

Post by SquareJ » Mon Feb 01, 2021 12:57 am

I know this is extremely old, but I had the same issue and tracked it for some time, so I thought I would share:

It was a permissions issue on the Python script being called and the library it required.

I used the openvpn group for file ownership with read access.

SquareJ
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 01, 2021 12:55 am

Re: Problem with client-connect script

Post by SquareJ » Sun Feb 07, 2021 10:34 pm

I should have added: it's easily diagnosed by starting the server at the command line and watching for errors:

/etc/init.d/openvpn stop
/usr/sbin/openvpn /etc/openvpn/server.conf
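As an added example (not from the thread), a Python preflight that mirrors the diagnosis in this post: it checks whether the interpreter and script named in a client-connect line would still be executable/readable once OpenVPN has dropped to the uid/gid from the "user"/"group" directives. The temporary "php" stand-in, the script, the fake uid/gid and the function names are all constructed for the demo.

```python
import os
import shlex
import tempfile

def can_access(path, uid, gid, want):
    """Classic DAC check for one uid/gid: owner, group or other bits apply,
    as the kernel decides once OpenVPN runs as 'user vpn' / 'group vpn'.
    (Directory search permission and root's DAC bypass are not modelled.)"""
    st = os.stat(path)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return bool(((st.st_mode >> shift) & 0o7) & want)  # want: os.R_OK / os.X_OK

def check_hook(command, uid, gid, cwd="."):
    """Problems that would make a client-connect/-disconnect command fail under
    uid/gid: argv[0] must be executable, other tokens that exist as files must
    be readable; flags and non-file values are skipped. Relative paths resolve
    against cwd, as OpenVPN does for its own working directory."""
    problems = []
    for i, tok in enumerate(shlex.split(command)):
        path = tok if os.path.isabs(tok) else os.path.join(cwd, tok)
        if not os.path.exists(path):
            if i == 0:
                problems.append(f"{tok}: not found")
            continue
        need, word = (os.X_OK, "executable") if i == 0 else (os.R_OK, "readable")
        if not can_access(path, uid, gid, need):
            problems.append(f"{tok}: not {word} by uid {uid}/gid {gid}")
    return problems

def demo():
    """Constructed scenario: the hook script is mode 0600 and owned by us, while
    the hook runs as some other uid/gid (our own ids + 1 stand in for 'vpn')."""
    fake_uid, fake_gid = os.getuid() + 1, os.getgid() + 1
    with tempfile.TemporaryDirectory() as d:
        interp = os.path.join(d, "php")            # stand-in for /usr/local/bin/php
        script = os.path.join(d, "My_script.php")
        for p, mode in ((interp, 0o755), (script, 0o600)):
            with open(p, "w") as f:
                f.write("<?php exit(1);\n")
            os.chmod(p, mode)
        cmd = f"{interp} My_script.php"
        before = check_hook(cmd, fake_uid, fake_gid, cwd=d)
        # The fix from this post: give the file to the group OpenVPN runs as, with
        # read access. chown needs root, so here the hook's gid is set to the
        # file's existing group instead, which exercises the same group bits.
        os.chmod(script, 0o640)
        after = check_hook(cmd, fake_uid, os.stat(script).st_gid, cwd=d)
        return before, after

if __name__ == "__main__":
    print(demo())
```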
