Help with client-disconnect script

Post by xauen » Sat May 28, 2011 5:46 pm

Hello

Scenario:
1. I have a multi server VPN with a central authentication system using pam_mysql.
2. Every time a user logs in on a specific server he can also log in on the other servers at the same time using the same central authentication servers that I have.
3. To avoid this issue I set up a client-connect / client-disconnect script which is down below.
4. During client-connect, using pam_mysql, it triggers the "session" data to become 1 (default is 0 session) meaning the username is in use.
5. Therefore on the other servers during authentication, it will not pass because of the where=0 clause. It will not meet the desired condition of the server.

Problem:
1. client-connect script can trigger the "session=1" upon client connection but client-disconnect script won't trigger the "session=0" which is the default.

My client.conf:

Code:

client
dev tun
remote xxx.xxx.xxx.xxx
proto udp
port 9200
resolv-retry infinite
persist-key
persist-tun
comp-lzo
ca ca.crt
verb 1
mute 3
cipher BF-CBC
reneg-sec 0
route-method exe
route-delay 2
auth-user-pass sonic.txt
script-security 2
keepalive 5 60
redirect-gateway def1
float
lport 53

My server.conf:

Code:

dev tun
proto udp
port 9200 

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
 
# record in database
script-security 2
client-connect ./connect.sh
client-disconnect ./disconnect.sh

user nobody
group nogroup
server 10.8.0.0 255.255.255.0
 
reneg-sec 0
keepalive 20 120
persist-key
persist-tun
 
# user/pass auth from mysql
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
 
client-to-client
 
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
 
comp-lzo
 
max-clients 90

status status/udp.log
log-append /var/log/openvpn/udp.log
verb 3
mute 5

My pam_mysql script (openvpn):

Code:

auth            sufficient      pam_mysql.so \
user=MyUser passwd=MyPass host=localhost db=MyDB \
table=panelusers usercolumn=panelusername passwdcolumn=password \
where=session=0 sqllog=0 crypt=0
 
account         required        pam_mysql.so \
user=MyUser passwd=MyPass host=localhost db=MyDB \
table=panelusers usercolumn=panelusername passwdcolumn=password \
where=session=0 sqllog=0 crypt=0


My client-connect script (connect.sh)

Code:

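#!/bin/bash
# client-connect hook: mark the account as in use (session=1).
# OpenVPN passes the authenticated username in $common_name.

HOST='MyIP'
DB='MyDB'
DBADMIN='MyName'
DBPASSWD='MyPass'

# Refuse names outside a conservative character set (an assumed policy) so the
# value cannot break out of the quoted SQL string.
[[ "$common_name" =~ ^[A-Za-z0-9._@-]+$ ]] || exit 1

mysql -h"$HOST" -u"$DBADMIN" -p"$DBPASSWD" -e "UPDATE panelusers SET session=1 WHERE panelusername='$common_name';" "$DB"

My client-disconnect script (disconnect.sh)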

Code:

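#!/bin/bash
# client-disconnect hook: mark the account as free again (session=0).
# OpenVPN passes the authenticated username in $common_name.

HOST='MyIP'
DB='MyDB'
DBADMIN='MyName'
DBPASSWD='MyPass'

# Refuse names outside a conservative character set (an assumed policy) so the
# value cannot break out of the quoted SQL string.
[[ "$common_name" =~ ^[A-Za-z0-9._@-]+$ ]] || exit 1

mysql -h"$HOST" -u"$DBADMIN" -p"$DBPASSWD" -e "UPDATE panelusers SET session=0 WHERE panelusername='$common_name';" "$DB"

Where might be the problem sirs?
Is there anything I should add on the .conf to safely execute the disconnect.sh upon client-disconnect?
I think it's not being executed once the client has been disconnected.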
Nothing much has changed on my connect.sh and disconnect.sh aside from session=1 to session=0

note:
already made those files (connect.sh & disconnect.sh) as executables before running them.

Code:

chmod +x /etc/openvpn/connect.sh
chmod +x /etc/openvpn/disconnect.sh

OS is Ubuntu 10.04 32bit VPS

Edit: added error log:

Code:

Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 NOTE: --mute triggered...
Sat May 28 23:49:59 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:02 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:05 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:07 2011 NOTE: --mute triggered...

Sat May 28 23:51:16 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 12 2009
Sat May 28 23:51:16 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat May 28 23:51:16 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 28 23:51:16 2011 LZO compression initialized
Sat May 28 23:51:16 2011 UDPv4 link local: [undef]:53
Sat May 28 23:51:16 2011 UDPv4 link remote: 173.224.216.203:9200
Sat May 28 23:51:17 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:51:18 2011 SIGTERM[hard,] received, process exiting

"Never be bullied into silence. Never allow yourself to be made a victim. Accept no ones definition of you"
-IDK


Re: Help with client-disconnect script

Post by xauen » Sat May 28, 2011 6:00 pm

Ok.

During my Google search I've found some interesting articles.
I think the main problem with my configuration is that the client shuts down the connection without informing the server it will go down. Thus, client-disconnect script is not called. Am I right? Well... possibly.

I will have to try adding --explicit-exit-notify on client script but what [n] should I use?

Anyone can help me here?

edit:
Found out and I will try to use explicit-exit-notify 2 on client.opvn


Re: Help with client-disconnect script

Post by janjust » Sat May 28, 2011 9:12 pm

'explicit-exit-notify' is indeed the way to go.
Can I close this thread and the thread topic8230.html? It seems to be a double post.


Re: Help with client-disconnect script

Post by taybinakh » Fri Jun 28, 2019 1:49 pm

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1 only works with UDP!!


Re: Help with client-disconnect script

Post by rgaufman » Sun Jul 10, 2022 12:38 pm

I believe the problem is this:

1. Client 1 connects (--client-connect)
2. For some reason Client 1 has to reconnect (maybe it crashed or switched external IP, who knows) (--client-connect)
3. Client could not notify of exit and original connection times out after 120 seconds (--client-disconnect)

So what you have there is 2 connections with 2 separate sessions and then 1 of them disconnects. But because there is no session ID of any kind for each connection, it's not clear if it's the first or second connection that disconnected.

Any solution to this?
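
One way to handle the overlap described in the last post, as an added example that is not code from any poster in this thread or from the OpenVPN project: tag each connection with its own key, so a late client-disconnect from an old connection cannot clear the flag of a newer one. The session_key column and the /etc/openvpn/session-db.cnf credentials file are hypothetical, and it is assumed that OpenVPN exports the same time_unix and ifconfig_pool_remote_ip values to both hooks of one connection.

```bash
#!/bin/bash
# Added example, not from the thread: one hook for client-connect and
# client-disconnect. panelusers.session_key and DB_CNF are hypothetical.

DB='MyDB'
DB_CNF='/etc/openvpn/session-db.cnf'  # [client] host/user/password, mode 0600,
                                      # readable by the user OpenVPN drops to

# Accept only a conservative character set (assumed policy) before a value
# is placed inside the quoted SQL text.
valid_cn() {
  case "$1" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
  [ "${#1}" -le 64 ]
}
valid_key() {
  case "$1" in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
  [ "${#1}" -le 64 ]
}

# Per-connection token built from variables OpenVPN exports to the hooks.
session_key() { printf '%s:%s' "$time_unix" "$ifconfig_pool_remote_ip"; }

connect_sql() {     # $1 = common name, $2 = session key
  valid_cn "$1" && valid_key "$2" || return 1
  printf "UPDATE panelusers SET session=1, session_key='%s' WHERE panelusername='%s';" "$2" "$1"
}

disconnect_sql() {  # resets the flag only if this connection still owns it
  valid_cn "$1" && valid_key "$2" || return 1
  printf "UPDATE panelusers SET session=0, session_key=NULL WHERE panelusername='%s' AND session_key='%s';" "$1" "$2"
}

run_hook() {
  case "$script_type" in
    client-connect)    sql=$(connect_sql "$common_name" "$(session_key)") || return 1 ;;
    client-disconnect) sql=$(disconnect_sql "$common_name" "$(session_key)") || return 1 ;;
    *) return 0 ;;
  esac
  # --defaults-extra-file has to be the first option; it keeps the password
  # off the mysql command line.
  mysql --defaults-extra-file="$DB_CNF" -e "$sql" "$DB"
}

# OpenVPN sets script_type for each hook; when it is unset nothing runs.
if [ -n "$script_type" ]; then run_hook; exit $?; fi
```

In server.conf both client-connect and client-disconnect would point at this one file.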