Problem with client-connect script
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jan 06, 2011 12:28 pm
Problem with client-connect script
Hi there to all of you.
I'm new here (in the forum), and I've been struggling a bit with the openvpn (openvpn-2.1.1-2) client-connect option.
Some info:
- I have configured an openvpn server with the option client-connect "connect.php" (for example), and I use this script to dynamically assign some settings (routes, iptables and so on). When the script fails, the exit value of 1 is correctly returned to openvpn (and openvpn is seeing that).
The problem:
The problem is that when the script connect.php returns an exit value of 1, the client is not disconnected, but hangs on doing PUSH_REQUESTs to the server.
Do you have any suggestions on how I can force the client to disconnect completely after a client-connect script failure?
Regards
Thanks in advance!
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: Problem with client-connect script
Hello,
You can include some business in your client-connect script to connect to the openvpn management socket (see "management" directive in the docs) and then use either the 'kill cn' or 'kill IP:port' commands to disconnect the client right before returning your error code.
-Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jan 06, 2011 12:28 pm
Re: Problem with client-connect script
gladiatr72 wrote:
Hello,
You can include some business in your client-connect script to connect to the openvpn management socket (see "management" directive in the docs) and then use either the 'kill cn' or 'kill IP:port' commands to disconnect the client right before returning your error code.
-Stephen
Hi Stephen,
Yes, I know that I can do it through the management console, but I don't think that's the way it should be (things will get more complicated than necessary).
The reason I wrote about that problem here is that, as far as I see from the openvpn manual, if the client-connect script returns an exit code of 1, the client must be disconnected (as it should be on auth_failed).
If that behaviour is as it should be, is there any easier way I can disconnect the client more cleanly than going through the management interface?
Thanks again
Regards
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: Problem with client-connect script
Hey there,
I just ran a few tests on a utility vpn setup that utilizes some client-connect goodness for firewall manipulation. Are you sure your non-zero code is actually making it out? What happens when you preload your script's variables and run it from the shell? My test netted the following from the logs:
Thu Jan 6 11:43:02 2011 us=911918 stephen.spencer_util/10.10.2.2:49751 client-connect command failed: shell command exited with error status: 1
Thu Jan 6 11:43:04 2011 us=934373 stephen.spencer_util/10.10.2.2:49751 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan 6 11:43:04 2011 us=934470 stephen.spencer_util/10.10.2.2:49751 SENT CONTROL [stephen.spencer_util]: 'AUTH_FAILED' (status=1)
Thu Jan 6 11:43:04 2011 us=934484 stephen.spencer_util/10.10.2.2:49751 Delayed exit in 5 seconds
Thu Jan 6 11:43:07 2011 us=47099 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This was just a few little bash bits to do an 'exit 1' when the identifying bits of the CN on my phone's certificate show up.
So, anyway, the hook does work as documented.
-S
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jan 06, 2011 12:28 pm
Re: Problem with client-connect script
Hi again,
gladiatr72 wrote:
Hey there,
I just ran a few tests on a utility vpn setup that utilizes some client-connect goodness for firewall manipulation. Are you sure your non-zero code is actually making it out? What happens when you preload your script's variables and run it from the shell? My test netted the following from the logs:
Thu Jan 6 11:43:02 2011 us=911918 stephen.spencer_util/10.10.2.2:49751 client-connect command failed: shell command exited with error status: 1
Thu Jan 6 11:43:04 2011 us=934373 stephen.spencer_util/10.10.2.2:49751 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan 6 11:43:04 2011 us=934470 stephen.spencer_util/10.10.2.2:49751 SENT CONTROL [stephen.spencer_util]: 'AUTH_FAILED' (status=1)
Thu Jan 6 11:43:04 2011 us=934484 stephen.spencer_util/10.10.2.2:49751 Delayed exit in 5 seconds
Thu Jan 6 11:43:07 2011 us=47099 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This was just a few little bash bits to do an 'exit 1' when the identifying bits of the CN on my phone's certificate show up.
So, anyway, the hook does work as documented.
-S
First of all, I want to note that in my case I don't use a bash script, but an external program ("/usr/bin/php phpscript"). I'm not sure if that matters, but in my logs there is a message "external program exited", not "shell script exited".
So, I'm going to be more precise in my examples; here are the logs from the client/server:
Server Logs:
Thu Jan 6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
RThu Jan 6 20:08:59 2011 us=41041 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan 6 20:09:04 2011 us=282193 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
WRThu Jan 6 20:09:09 2011 us=523075 test-user/my.test.ip.addr:33545 PUSH: Received control message: 'PUSH_REQUEST'
....
....
Client Logs:
Thu Jan 6 20:08:58 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:09 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:14 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:24 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jan 6 20:09:29 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
..... infinite.....
Server config:
dev tun
fast-io
client-cert-not-required
user vpn
group vpn
persist-tun
persist-key
server x.x.x.x 255.255.0.0
username-as-common-name
client-connect "/usr/local/bin/php My_script.php"
client-disconnect "/usr/local/bin/php My_script.php"
duplicate-cn
tmp-dir /tmp
client-config-dir ccd
script-security 2
keepalive 1 5
comp-lzo
tls-server
dh ssl/dh1024.pem
cert ssl/server.crt
key ssl/server.key
ca ssl/ca.crt
plugin /etc/openvpn/mysql-auth/libopenvpn-mysql-auth.so -c /etc/openvpn/mysql-auth.cnf -d
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: Problem with client-connect script
Right. This error message indicates that your client-connect script is not being executed.
Thu Jan 6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
-S
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jan 06, 2011 12:28 pm
Re: Problem with client-connect script
gladiatr72 wrote:
Right. This error message indicates that your client-connect script is not being executed.
Thu Jan 6 20:08:56 2011 us=687123 test-user/my.test.ip.addr:33545 client-connect command failed: external program exited with error status: 1
-S
This error is forced by me, so I manually return "exit(1)" in my php script (I mean, the script is executing, and then throws the exit(1)).
So after receiving the exit 1 status, openvpn has to disconnect the client (that's what the man page says), but that's not happening. The client is going into a PUSH_REQUEST loop, until I press "CTRL + C" on the client's vpn, or restart the server.
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: Problem with client-connect script
Hrm. Well, I don't know what to tell you then. It's a pretty simple process, really. Whether you use bash, perl, php or lisp, to indicate a 'not authorized' message requires a non-zero error code to be returned on your program's stderr pipe. What is not in your error log is any indication of an AUTH_FAILED event which would preclude the client knowing that the proper thing to do is to disconnect. This indicates to me that whatever mechanism you're using to try to relay an error state for authentication is failing to do its job.
-Stephen
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jan 06, 2011 12:28 pm
Re: Problem with client-connect script
gladiatr72 wrote:
Hrm. Well, I don't know what to tell you then. It's a pretty simple process, really. Whether you use bash, perl, php or lisp, to indicate a 'not authorized' message requires a non-zero error code to be returned on your program's stderr pipe. What is not in your error log is any indication of an AUTH_FAILED event which would preclude the client knowing that the proper thing to do is to disconnect. This indicates to me that whatever mechanism you're using to try to relay an error state for authentication is failing to do its job.
-Stephen
I tried to use a simple bash script, instead of the php one. The bash script contains:
#!/bin/bash
exit 1
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Feb 01, 2021 12:55 am
Re: Possible solution - Problem with client-connect script
I know this is extremely old but I had the same issue and tracked it for some time, so I thought I would share:
It was a permissions issue on the python script being called and the library it required.
I used the openvpn group for file ownership with read access.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Feb 01, 2021 12:55 am
Re: Problem with client-connect script
I should have added: it is easily diagnosed by starting the server at the command line and watching for errors:
/etc/init.d/openvpn stop
/usr/sbin/openvpn /etc/openvpn/server.conf
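The dry run Stephen suggests earlier in the thread (preload the script's variables and run the hook from the shell) and the permissions check behind the last reply, as an added example that is not from this thread or from OpenVPN itself. The hook, the refused CN "phone-cert" and the addresses are constructed; it assumes the daemon drops to an unprivileged account, as the config's "user vpn" / "group vpn" does.

```shell
#!/bin/sh
# Added example: dry-run an OpenVPN client-connect hook the way the server would,
# with the script environment preloaded, and check that an unprivileged daemon
# user can execute it at all. All paths, CNs and addresses are constructed.

# Build a throwaway hook that refuses one constructed CN and accepts the rest,
# writing a per-client push into the temp file OpenVPN passes as $1.
make_sample_hook() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/connect.sh" <<'EOF'
#!/bin/sh
case "$common_name" in
    phone-cert) echo "refusing $common_name from $trusted_ip" >&2; exit 1 ;;
esac
echo 'push "route 10.20.0.0 255.255.255.0"' > "$1"
exit 0
EOF
    chmod 0755 "$dir/connect.sh"
    echo "$dir/connect.sh"
}

# Is the hook executable by "other"? That is the cheapest guarantee that the
# unprivileged daemon user can run it; a hook it cannot run is also logged as
# "exited with error status", which is what the thread's last reply ran into.
hook_world_executable() {
    [ -x "$1" ] && [ "$(ls -ld "$1" | cut -c10)" = "x" ]
}

# Run the hook with the variables OpenVPN exports to client-connect preloaded
# and a temp file as $1; returns the hook's own exit status, so you can see
# whether the non-zero code really makes it out of the script.
run_hook_dry() {
    hook=$1
    cn=$2
    tmp=$(mktemp) || return 1
    env common_name="$cn" trusted_ip=10.10.2.2 trusted_port=49751 \
        ifconfig_pool_remote_ip=10.8.0.6 script_type=client-connect \
        "$hook" "$tmp"
    rc=$?
    rm -f "$tmp"
    case $rc in
        126|127) echo "hook could not be executed (rc=$rc): check owner, mode and interpreter" >&2 ;;
    esac
    return $rc
}

# Stand-alone demo: one accepted CN, one refused CN.
if [ "$#" -eq 0 ]; then
    h=$(make_sample_hook)
    for cn in alice phone-cert; do
        run_hook_dry "$h" "$cn"; echo "$cn -> exit $?"
    done
fi
```

An exit status of 126 from the dry run means the file exists but the caller may not execute it, which is the permissions symptom rather than a deliberate refusal by the hook.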