Problem with client-disconnect script


Post by xauen » Sat May 28, 2011 2:18 pm

Hello

Scenario:
1. I have a multi-server VPN with a central authentication system using pam_mysql.
2. Every time a user logs in on a specific server he can also log in on the other servers at the same time, using the same central authentication servers that I have.
3. To avoid this issue I set up client-connect / client-disconnect scripts, which are shown below.
4. During client-connect, using pam_mysql, it triggers the "session" value to become 1 (the default is session 0), meaning the username is in use.
5. Therefore on the other servers, during authentication, it will not pass because of the where=0 clause. It will not meet the condition the server requires.

Problem:
1. client-connect script can trigger the "session=1" upon client connection but client-disconnect script won't trigger the "session=0" which is the default.

My client.conf:

client
dev tun
remote xxx.xxx.xxx.xxx
proto udp
port 9200
resolv-retry infinite
persist-key
persist-tun
comp-lzo
ca ca.crt
verb 1
mute 3
cipher BF-CBC
reneg-sec 0
route-method exe
route-delay 2
auth-user-pass sonic.txt
script-security 2
keepalive 5 60
redirect-gateway def1
float
lport 53

My server.conf:

dev tun
proto udp
port 9200 

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
 
# record in database
script-security 2
client-connect ./connect.sh
client-disconnect ./disconnect.sh

user nobody
group nogroup
server 10.8.0.0 255.255.255.0
 
reneg-sec 0
keepalive 20 120
persist-key
persist-tun
 
# user/pass auth from mysql
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
 
client-to-client
 
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
 
comp-lzo
 
max-clients 90

status status/udp.log
log-append /var/log/openvpn/udp.log
verb 3
mute 5

My pam_mysql script (openvpn):

auth            sufficient      pam_mysql.so \
user=MyUser passwd=MyPass host=localhost db=MyDB \
table=panelusers usercolumn=panelusername passwdcolumn=password \
where=session=0 sqllog=0 crypt=0
 
account         required        pam_mysql.so \
user=MyUser passwd=MyPass host=localhost db=MyDB \
table=panelusers usercolumn=panelusername passwdcolumn=password \
where=session=0 sqllog=0 crypt=0


My client-connect script (connect.sh):

#!/bin/bash
# client-connect hook: OpenVPN exports the connecting client's common name as
# $common_name (with username-as-common-name this is the PAM login name).

HOST='MyIP'
DB='MyDB'
DBADMIN='MyName'
DBPASSWD='MyPass'

# Mark the account as in use so pam_mysql's where=session=0 rejects a second login.
# Note: $common_name is interpolated into the SQL unescaped, and the DB password is
# passed on the command line, where it is visible in the process list.
mysql -h$HOST -u$DBADMIN -p$DBPASSWD -e "UPDATE panelusers SET session=1 WHERE panelusername='$common_name';" $DB

My client-disconnect script (disconnect.sh):

#!/bin/bash
# client-disconnect hook: same environment as client-connect; $common_name is
# the common name of the client whose session just ended.

HOST='MyIP'
DB='MyDB'
DBADMIN='MyName'
DBPASSWD='MyPass'

# Release the account so the user can authenticate again (where=session=0).
# Same caveats as connect.sh: unescaped $common_name, password on the command line.
mysql -h$HOST -u$DBADMIN -p$DBPASSWD -e "UPDATE panelusers SET session=0 WHERE panelusername='$common_name';" $DB

Where might the problem be, sirs?
Is there anything I should add to the .conf to safely execute disconnect.sh upon client-disconnect?
I think it's not being executed once the client has been disconnected.
Nothing much differs between my connect.sh and disconnect.sh aside from session=1 versus session=0.

Note: I already made those files (connect.sh & disconnect.sh) executable before running them:

chmod +x /etc/openvpn/connect.sh
chmod +x /etc/openvpn/disconnect.sh

The OS is Ubuntu 10.04 32-bit on a VPS.

Edit: added error log:

Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:48:35 2011 NOTE: --mute triggered...
Sat May 28 23:49:59 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:02 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:05 2011 TLS Error: reading acknowledgement record from packet
Sat May 28 23:50:07 2011 NOTE: --mute triggered...

Sat May 28 23:51:16 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 12 2009
Sat May 28 23:51:16 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat May 28 23:51:16 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 28 23:51:16 2011 LZO compression initialized
Sat May 28 23:51:16 2011 UDPv4 link local: [undef]:53
Sat May 28 23:51:16 2011 UDPv4 link remote: 173.224.216.203:9200
Sat May 28 23:51:17 2011 TLS Error: Unroutable control packet received from 173.224.216.203:9200 (si=3 op=P_CONTROL_V1)
Sat May 28 23:51:18 2011 SIGTERM[hard,] received, process exiting
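As an added example (not the poster's scripts and not part of the original thread), here is one hook that can be pointed at by both client-connect and client-disconnect. It logs each invocation so you can see whether OpenVPN runs the disconnect hook at all, escapes common_name before it is placed in SQL, and keeps the DB credentials out of the command line. The OPENVPN_SESSION_LOG / OPENVPN_DB_CREDENTIALS overrides and the credentials-file path are assumptions; table and column names are the ones from the post.

```shell
#!/bin/bash
# Added example, not the poster's script: one handler that serves as both
# client-connect and client-disconnect. It logs every invocation (so you can
# see whether OpenVPN runs it at all), escapes common_name before it reaches
# SQL (with username-as-common-name that is the login name the user typed),
# and reads DB credentials from a file instead of the command line.
# Hypothetical: the two OPENVPN_* overrides and the credentials path; table and
# column names are the post's. OpenVPN runs these scripts after dropping to
# "user nobody", so LOGFILE and CREDENTIALS must be accessible to that user.
set -u

LOGFILE="${OPENVPN_SESSION_LOG:-/var/log/openvpn/session-scripts.log}"
CREDENTIALS="${OPENVPN_DB_CREDENTIALS:-/etc/openvpn/db-credentials.cnf}"
DB='MyDB'

# Escape a value for use inside a single-quoted MySQL string literal:
# backslash first, then single quote (sed so it also works under plain sh).
sql_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Map OpenVPN's script_type to the flag that pam_mysql's where=session=0
# clause tests: connect marks the user in use (1), disconnect frees it (0).
session_state_for() {
    case "$1" in
        client-connect)    echo 1 ;;
        client-disconnect) echo 0 ;;
        *) return 1 ;;
    esac
}

# Build the UPDATE statement; fails (exit 1) for any other script type.
build_update() {
    state="$(session_state_for "$1")" || return 1
    printf "UPDATE panelusers SET session=%s WHERE panelusername='%s';" \
        "$state" "$(sql_escape "$2")"
}

# Only act when OpenVPN invoked us (it sets script_type); sourcing or testing
# this file never touches the database.
if [ -n "${script_type:-}" ]; then
    cn="${common_name:-}"
    printf '%s %s cn=%s ip=%s\n' "$(date +%FT%T)" "$script_type" "$cn" \
        "${trusted_ip:-?}" >>"$LOGFILE"
    [ -n "$cn" ] || exit 1
    sql="$(build_update "$script_type" "$cn")" || exit 1
    mysql --defaults-extra-file="$CREDENTIALS" "$DB" -e "$sql" || exit 1
fi
```

The credentials file is a my.cnf fragment (a [client] section with user=, password= and host=) readable only by the account OpenVPN drops to. A non-zero exit from client-connect makes OpenVPN reject the connection, so the log line, not the exit code, is what tells you whether the disconnect hook fired.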