Block older client versions

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
dsekely_brs
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 04, 2017 6:35 pm

Block older client versions

Post by dsekely_brs » Wed Oct 07, 2020 8:11 pm

Is it possible to block clients from connecting if they are using an older client? Latest version is 3.2.1.1180 but we have some users still using 2.1.3.110. We are currently on OpenVPN Access Server 2.7.5
Top
dsekely_brs
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 04, 2017 6:35 pm

Re: Block older client versions

Post by dsekely_brs » Mon Feb 24, 2025 6:53 pm

I've circled back on this and am trying to do this with a post_auth script but I'm having trouble parsing the users client version

Here is the script that I'm using

Code: Select all

from pyovpn.plugin import *
from packaging.version import parse  # Import version parsing utility

def post_auth(authcred, attributes, authret, info):

    # get user's property list, or create it if absent
    proplist = authret.setdefault('proplist', {})

    # get ASCLI version, default to 0.0.0 if missing
    uv_ascli_ver = proplist.get('UV_ASCLI_VER', '0.0.0')

    # Compare UV_ASCLI_VER with 3.7.0
    if parse(uv_ascli_ver) > parse(3.7.0):
        authret['status'] = SUCCEED
    else:
        authret['status'] = FAIL  # Fail authentication
        authret['reason'] = 'ASCLI version too low'
        authret['client_reason'] = 'Client version is too old. Need to have greater than 3.7.0.  You have ${uv_ascli_ver}'
    return authret
Top
dsekely_brs
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 04, 2017 6:35 pm

Re: Block older client versions

Post by dsekely_brs » Mon Feb 24, 2025 9:29 pm

For anyone else I was able to get this working

Code: Select all

from pyovpn.plugin import *
from packaging.version import parse  # Import version parsing utilitya


def post_auth(authcred, attributes, authret, info):

        # define minimum version
        min_client_ver='3.8.0'

        # Get user's property list, or create it if absent
        proplist = authret.setdefault('proplist', {})

        # Only apply version check for VPN authentication
        if attributes.get('vpn_auth'):
            # Get ASCLI version, default to 0.0.0 if missing
            uv_ascli_ver = attributes.get('client_info', {}).get('UV_ASCLI_VER', '0.0.0')

            # Compare UV_ASCLI_VER with min_client_ver
            if parse(uv_ascli_ver) > parse(min_client_ver):
                authret['status'] = SUCCEED
            else:
                authret['status'] = FAIL  # Fail authentication
                authret['reason'] = 'ASCLI version too low'
                authret['client_reason'] = f'Your client is too old.  Minimum client version is {min_client_ver} and you have {uv_ascli_ver}'
    
        return authret
Top
Post Reply

Return to “The OpenVPN Access Server”