Script examples for client-connect/disconnect??

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Script examples for client-connect/disconnect??

Post by BobAGI » Wed Feb 14, 2024 3:59 pm

I want to log server side client connect/disconnect events on my Ubuntu server.

And I have tried to read the documentation here:
https://openvpn.net/community-resources ... envpn-2-5/

I can find a lot of entries for the client-connect client-disconnect details, including how it can be configured with call arguments.
But what I don't find is any working example of such a script...

I have also googled for it but that too fails because no-one I have found seems to want to show an actually working setup including:

- What needs to be entered in the server.conf file, like permissions
- Where the script could reside to be usable
- What the script file properties should be
- How the script can get the information to write to the log
- How it can actually reach a log location and write a file there

A working example, which logs client connect and disconnect events with a readable timestamp and some user data into a log file located in say the /etc/openvpn/log directory would be very useful in my opinion.

I definitely do NOT want to send any email or such, just log to the file.
But the file must never be overwritten such that info disappears.

Is there such an example somewhere?

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Re: Script examples for client-connect/disconnect??

Post by BobAGI » Fri Feb 16, 2024 10:44 am

UPDATE WITH WORKING SOLUTION:

/etc/openvpn/server/serverlocal.conf:

#Add logging of client connect/disconnect events:
script-security 2
client-connect /etc/openvpn/scripts/serverlocal-events.sh
client-disconnect /etc/openvpn/scripts/serverlocal-events.sh

/etc/openvpn/scripts/serverlocal-events.sh:

#!/bin/bash
# Executed on the server side for client connect and disconnect events.
# Log file path
LOG_FILE="/etc/openvpn/log/serverlocal-events.log"
# Log timestamp
LOG_TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
# Log client connect or disconnect event with IP address
# (script_type, common_name and trusted_ip are set in the environment by OpenVPN;
# >> appends, so earlier entries are never overwritten)
if [ "$script_type" == "client-connect" ]; then
    echo "$LOG_TIMESTAMP - $common_name connected with IP $trusted_ip" >> "$LOG_FILE"
elif [ "$script_type" == "client-disconnect" ]; then
    echo "$LOG_TIMESTAMP - $common_name disconnected with IP $trusted_ip" >> "$LOG_FILE"
fi

And when I test this with a connect - disconnect cycle this is what I get:

2024-02-16 11:34:26 - BosseUbu connected with IP 217.213.74.168
2024-02-16 11:34:32 - BosseUbu disconnected with IP 217.213.74.168

Case closed. :D

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: Script examples for client-connect/disconnect??

Post by RemoteOne » Wed Mar 06, 2024 9:39 am

You can also use the script to add further security to your server.

We use easy-rsa to generate a unique certificate for each client machine - baked into the .ovpn file. It has the hostname of the client as the "cn" in the certificate. Users need to sign in with AD user/password and Google Authenticator TOTP, and must be members of an AD vpn_users group.

Additionally, on the server we have a text file that lists which users are allowed to connect using each certificate. A simple text file list of

<user1>[,<user2>,...<userN>]<TAB><hostname>

In the script we have

# first, search for the common_name (cn) in the user_certs.txt file, and set the cert_user environment variable to the listed user(s)
# note: multiple users are permitted for a cert to allow for shared laptops, and emergency admin user logins.
# separate multiple users with commas (no spaces)
# ordinary users should not be allowed to use each other's certs
# (common_name and username are set in the environment by OpenVPN; logfile is set earlier in the script, not shown)

# compare the hostname field ($2) exactly, so that e.g. "host1" cannot match "host10"
declare $(/usr/bin/awk -v cn="$common_name" -v tmp="CERT_NOT_FOUND" '$2 == cn {tmp=$1} END {print "cert_user=" tmp}' /etc/openvpn/server/user-certs.txt )
export cert_user

# ${cert_user,,} converts $cert_user to lowercase, ${username,,} converts $username to lowercase
# [[ ]] statement looks for ,username, to not appear in ,cert_user, - effectively - if username is not one of the comma-separated entries
# (wrapping both sides in commas stops "bob" from matching "bobby")

if [[ ",${cert_user,,}," != *",${username,,},"* ]]; then
   echo "$(date '+%Y-%m-%d %H:%M:%S') DENIED  username=$username cert_user=$cert_user cert=$common_name" >> "$logfile"
   exit 1
fi

echo "$(date '+%Y-%m-%d %H:%M:%S') GRANTED username=$username cert_user=$cert_user cert=$common_name" >> "$logfile"
exit 0
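As an added example that is not code from either post, the following puts BobAGI's append-only event log and RemoteOne's per-certificate user allow list into one client-connect/client-disconnect script, with exact hostname and user matching and the per-session byte counters OpenVPN exports on disconnect. The environment variables are the ones OpenVPN sets for these scripts; the two file paths and the log line format are assumptions.

```shell
#!/bin/bash
# Added example, not code from either post: one client-connect/disconnect
# script combining an append-only event log with a per-certificate user
# allow list, using exact matches instead of substring or regex matches.
# script_type, common_name, username, trusted_ip, time_duration,
# bytes_received and bytes_sent are set by OpenVPN; the two file paths
# and the log line format are assumptions.
LOG_FILE="${LOG_FILE:-/etc/openvpn/log/serverlocal-events.log}"
MAP_FILE="${MAP_FILE:-/etc/openvpn/server/user-certs.txt}"   # "user1,user2<TAB>hostname" lines

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the comma-separated user list for certificate CN $1 from map file $2.
# "$2 == cn" compares the hostname field exactly (no regex, no substring).
cert_users() {
    awk -v cn="$1" '$2 == cn { print $1; exit }' "$2"
}

# Return 0 when user $1 is listed for certificate $2 in map file $3, else 1.
user_allowed() {
    allowed=$(cert_users "$2" "$3")
    [ -n "$allowed" ] || return 1
    # Wrap both sides in commas so "bob" cannot match "bobby".
    case ",$(lower "$allowed")," in
        *",$(lower "$1"),"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append one timestamped line; >> only ever appends, nothing truncates the file.
log_event() {
    printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

main() {
    case "$script_type" in
        client-connect)
            if user_allowed "$username" "$common_name" "$MAP_FILE"; then
                log_event "GRANTED cert=$common_name user=$username ip=$trusted_ip"
            else
                log_event "DENIED  cert=$common_name user=$username ip=$trusted_ip"
                return 1   # non-zero status makes OpenVPN refuse the client
            fi ;;
        client-disconnect)
            log_event "DISCONNECT cert=$common_name ip=$trusted_ip duration=${time_duration}s rx=${bytes_received}B tx=${bytes_sent}B" ;;
    esac
}
main   # the script's exit status is main's return status
```

Point both client-connect and client-disconnect at this one file, as in the serverlocal.conf above; the map file needs no spaces inside the user list.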
