Hi. I have set up an OpenVPN 2.4.7 server on Ubuntu 20.04 LTS and got everything working properly. What I can't figure out is how to limit a client to 1 connection and reject any subsequent connection from that common name.
With "duplicate-cn" commented out in the server config, my tests show that a second connection is still successful, although the second connection is assigned the same IP as the first connection, leading to an IP conflict.
Can someone help me apply the setting that will reject the second connection attempt from a client that is already connected to the OpenVPN server?
Thank you.
Limit concurrent connection to 1
Re: Limit concurrent connection to 1
How about --max-clients n
Re: Limit concurrent connection to 1
From what I read, --max-clients n limits the total number of clients simultaneously connected to the server, which would work if the server was built for only 1 client, but since I have multiple clients and only want to limit the number of connections per client, that option won't work.
After many days searching online for other info, i did finally find a post similar to my request here.
https://serverfault.com/questions/85059 ... vpn/850889
Adding the following to the server.conf file
script-security 2
up /etc/openvpn/connectScript.sh
client-connect /etc/openvpn/connectScript.sh
client-disconnect /etc/openvpn/connectScript.sh
and then using the bash script Lacek detailed in the link above (I added a couple of echoes to watch what the script is doing and when).
And now that works perfectly for what I needed! I did allow 3 connections per client because my tests show that a loss of internet connectivity when switching from wifi to cell data did not cause a disconnect notification to be sent to the server, which then continued to use up 1 of the 2 connections allowed until the connection timeout kicked in.
#!/bin/bash
# Per-common-name connection counter for the OpenVPN up / client-connect /
# client-disconnect hooks. OpenVPN sets script_type and common_name in the
# hook's environment; the count for each client lives in $PERSIST_DIR/<common_name>.
PERSIST_DIR=/tmp/pDir

function handle_connect {
    CLIENTFILE="$PERSIST_DIR/$common_name"
    echo "Testing for the existence of the temp folder"
    if [ -d "$PERSIST_DIR" ]; then
        echo "Folder exists"
    else
        echo "Folder doesn't exist, creating folder now"
        mkdir -p "$PERSIST_DIR"
    fi
    if [ -e "$CLIENTFILE" ]; then
        echo "Client file exists"
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN + 1))
        # Limit of 3 concurrent sessions per common name; a non-zero exit
        # makes OpenVPN reject this client-connect.
        if [ "$NEWCONN" -gt 3 ]; then exit 1; fi
        echo "$NEWCONN" > "$CLIENTFILE"
    else
        echo 1 > "$CLIENTFILE"
    fi
}

function handle_disconnect {
    echo "Starting disconnect for $common_name"
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        echo "File found, removing one connection"
        NUMCONN=$(cat "$CLIENTFILE")
        NEWCONN=$((NUMCONN - 1))
        echo "$NEWCONN" > "$CLIENTFILE"
    fi
    echo "Completed disconnect"
}

case "$script_type" in
    up)
        # Server (re)start: forget all counters
        rm -f "$PERSIST_DIR"/*
        ;;
    client-connect)
        handle_connect
        ;;
    client-disconnect)
        handle_disconnect
        ;;
esac
Re: Limit concurrent connection to 1
Sorry, I misunderstood your initial question.
Looks like a decent enough solution
Re: Limit concurrent connection to 1
I have also experimented with a similar task, and the above script does not work properly. Yes, the client whose limit is exceeded will not connect immediately, but on reconnecting it connects successfully. Maybe it depends on the OpenVPN client; I tested it on securepoint.
But I still found a solution, which I settled on. Here is the script below that I use both to limit client sessions per config in general, and to limit the session for a fixed address (in this case, limit = 1).
My script will need the telnet management interface to be enabled.
I will be happy to improve and expand my solution!
#!/bin/bash
# Per-common-name session limit for the OpenVPN up / client-connect /
# client-disconnect hooks. One file per common name lists the real source
# address (trusted_ip:trusted_port) of every live session. A client that
# exceeds its limit is rejected (exit 1) and also killed through the
# management interface, which must be enabled on localhost port 7505 in
# the server config.
PERSIST_DIR=/tmp/openvpn
mkdir -p "$PERSIST_DIR"
#systemd not allowed
#chown nobody:nogroup $PERSIST_DIR

function handle_connect {
    # Dump the hook environment for debugging
    printenv >> "$PERSIST_DIR/$common_name.client-connect.envs"
    echo "**************" >> "$PERSIST_DIR/$common_name.client-connect.envs"
    # Per-client limit: the fixed-address client gets 1 session, all others 2
    case "$common_name" in
        serf-001)
            max_conn=1
            ;;
        *)
            max_conn=2
            ;;
    esac
    client_src="${trusted_ip}:${trusted_port}"
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        NUMCONN=$(wc -l < "$CLIENTFILE")
        NEWCONN=$((NUMCONN + 1))
        if [ "$NEWCONN" -gt "$max_conn" ]; then
            echo "*** Can't connect more than ${max_conn} connection(s) ***"
            # management control port of openvpn
            (sleep 1
             echo "kill ${client_src}"
             sleep 1
             echo "quit") | telnet localhost 7505
            exit 1
        fi
    else
        touch "$CLIENTFILE"
    fi
    # -F -x: match the whole line literally (dots in the IP are not regex wildcards)
    if grep -qFx -- "$client_src" "$CLIENTFILE"; then
        echo "*** exists client ***"
    else
        echo "$client_src" >> "$CLIENTFILE"
    fi
}

function handle_disconnect {
    printenv >> "$PERSIST_DIR/$common_name.client-disconnect.envs"
    echo "**************" >> "$PERSIST_DIR/$common_name.client-disconnect.envs"
    client_src="${trusted_ip}:${trusted_port}"
    CLIENTFILE="$PERSIST_DIR/$common_name"
    if [ -e "$CLIENTFILE" ]; then
        # Remove this session's line by literal match instead of a sed regex
        grep -vFx -- "$client_src" "$CLIENTFILE" > "$CLIENTFILE.tmp"
        mv "$CLIENTFILE.tmp" "$CLIENTFILE"
    fi
}

case "$script_type" in
    up)
        rm -f "$PERSIST_DIR"/*
        ;;
    client-connect)
        handle_connect
        ;;
    client-disconnect)
        handle_disconnect
        ;;
esac