How to customize and extend your OpenVPN installation.
Moderators: TinCanTech
xauen
- Forum Team
- Posts: 80
- Joined: Tue May 10, 2011 7:57 pm
- Location: Manila, Philippines
by xauen » Mon Aug 15, 2011 8:51 pm
Hi,
I want to kill a client session using OpenVPN management. After initiating the script the client disconnects from the server, but after around 5-10 secs it starts connecting again, automatically.
I want to automatically kill a client connection on the other servers after he/she connects to a specific server (using same user credentials) using telnet command.
Server script:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
script-security 2
client-connect /etc/openvpn/server/clientconnect.sh
client-disconnect /etc/openvpn/server/clientdisconnect.sh
server 10.8.0.0 255.255.255.0
reneg-sec 0
keepalive 2 15
persist-key
persist-tun
client-cert-not-required
username-as-common-name
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
max-clients 40
status status/vpn.log
verb 3
bash script:
#!/bin/bash
# Ask the remote OpenVPN management interface to drop this client's session.
telnet remote.ip port <<EOF
kill client.user.name
EOF
BTW:
When I also telnet to a remote OpenVPN management port (not using the script), the result is still the same.
The client gets disconnected but after a few seconds he/she appears in the "status".
Anything wrong with my configuration?
"Never be bullied into silence. Never allow yourself to be made a victim. Accept no one's definition of you"
-IDK
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
by janjust » Mon Aug 15, 2011 9:12 pm
Nothing wrong with your config - the client is killed and automatically reconnects; it's a feature of OpenVPN.
If you want to allow a client to connect to only a single server then you must use something else: I'd go for using a 'client-config-dir' directory and, when a client connects to server A, I'd automatically write out a CCD file on server B (and C, D ...) containing just the word 'disable' - this will disable the client on those servers.
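The client-config-dir mechanism described in this reply, as an added example that is not code from the thread or from the OpenVPN project: OpenVPN reads the file `<ccd_dir>/<common_name>` and refuses the client when that file contains the line `disable`. The peer servers' CCD directories are plain local paths here (an assumption for the demo; on a real multi-server setup the file would be shipped with scp/ssh or a shared mount), and the function names and the `PEER_CCD_DIRS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: single-server enforcement through CCD "disable" files.
# Assumption: every peer server's CCD directory is reachable as a local
# path; in production the write would go over ssh/scp or a shared mount.

# Write the disable entry for client $2 into CCD directory $1.
# The common name becomes a file name, so refuse anything that could
# escape the directory (usernames are the CN under username-as-common-name).
ccd_disable() {
    ccd_dir=$1; cn=$2
    case $cn in ''|*/*|.|..) return 1 ;; esac
    mkdir -p "$ccd_dir" || return 1
    printf 'disable\n' > "$ccd_dir/$cn"
}

# Remove the entry so the client may connect to that server again.
ccd_enable() {
    case $2 in ''|*/*|.|..) return 1 ;; esac
    rm -f "$1/$2"
}

# Exit 0 when the CCD entry for client $2 in directory $1 disables it.
ccd_is_disabled() {
    grep -qx 'disable' "$1/$2" 2>/dev/null
}

# client-connect hook on the server the user just reached: lock the user
# out of every *other* server. $1 is the common name, the remaining
# arguments are the peers' CCD directories. A non-zero return makes
# OpenVPN reject the connection, so a failed write fails closed.
on_client_connect() {
    cn=$1; shift
    for dir in "$@"; do
        ccd_disable "$dir" "$cn" || return 1
    done
}

# client-disconnect hook: open the user up again on the peers.
on_client_disconnect() {
    cn=$1; shift
    for dir in "$@"; do
        ccd_enable "$dir" "$cn"
    done
}

# When OpenVPN runs this file as a hook it exports common_name.
# PEER_CCD_DIRS (assumed) is a space-separated list of the other
# servers' CCD paths; the script name decides which hook this is.
if [ -n "${common_name:-}" ]; then
    case $0 in
        *disconnect*) on_client_disconnect "$common_name" $PEER_CCD_DIRS ;;
        *)            on_client_connect    "$common_name" $PEER_CCD_DIRS ;;
    esac
fi
```

Installed as both the `client-connect` and `client-disconnect` script (with `script-security 2`, as in the posted config), the file is created when the user reaches one server and removed when they leave it; the gap xauen raises next, a server that dies without running its disconnect hook, is not handled by this alone.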
by xauen » Tue Aug 16, 2011 3:56 am
Yes, it's plausible.
1. But the problem with that setup is that if server A goes down it cannot execute a client-disconnect, thereby locking out the user because the CCD file on the other servers didn't get updated.
2. Another thing is that ssh'ing to all 40 servers we have is difficult; although easy to imagine, setting this up would be rigorous.
by janjust » Tue Aug 16, 2011 10:57 am
Setting up multiple servers and allowing a user to connect to a single server is ALWAYS going to be rough; I'd still go for the CCD file, combined with a keepalive check to see if the VPN server which reported the client is still alive - if the server drops out, the CCD file should be removed.
Instead of using a CCD file you could also use a central database; you'd have to use a 'client-connect' and 'client-disconnect' script on all servers to facilitate this.
by xauen » Tue Aug 16, 2011 6:28 pm
Can you please elaborate more on the keepalive check you suggest?
Actually I am already using the client-connect / disconnect scripts, but for client status (to check if he/she is online or not), by writing to a session column on a central MySQL server combined with other variables like $common_name etc.
Before, I was using the central database to determine if a client is online or not by writing active=1 to the "active" column where user=$common_name. But the problem with this is that if the server went down the active column got stuck at =1 (unable to execute the client-disconnect), thereby locking out the user.
Is there a way I can monitor the packets going to the client IP to determine if he/she is online or not?
If packets=0 in a specific time interval then the client should be deemed offline and the remote server will remove the client username from the denial lists?
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens, Greece
by maikcat » Wed Aug 17, 2011 6:49 am
a different approach includes fail2ban..
just my 2 cents..
Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
by janjust » Wed Aug 17, 2011 7:45 am
Nice angle, maikcat; I've heard of fail2ban but never used it.
As for the original question: sounds like you're almost there; I'd include a 'keepalive' check on the database server to see if VPN server X is alive; if VPN server X does not respond for N seconds, then clear all locks for VPN server X. This could be done using a simple cron job on the database server itself, or on any machine which can access both VPN server X via ping and the database using a database client.
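The central-registry design janjust outlines here and in his earlier reply about a central database with client-connect/client-disconnect scripts, as an added example that is not code from the thread or from OpenVPN. Two flat files stand in for xauen's MySQL tables (an assumption made so the script runs offline; a real deployment would issue the same operations as SQL and get proper concurrency from the database): one line per active session, "user server", and one line per server heartbeat, "server epoch-seconds". The function names and the file locations are hypothetical.

```shell
#!/bin/sh
# Added example: session registry plus keepalive sweep for a multi-server
# OpenVPN setup. Assumption: flat files replace the MySQL tables from the
# thread; the heartbeat is written by a cron job that pings each server.
SESS_DB=${SESS_DB:-/tmp/vpn-sessions.db}     # "<user> <server>" per line
BEAT_DB=${BEAT_DB:-/tmp/vpn-heartbeats.db}   # "<server> <epoch>" per line

# Record that server $1 answered a ping at time $2 (run from cron).
heartbeat() {
    server=$1; now=$2
    touch "$BEAT_DB"
    awk -v s="$server" '$1 != s' "$BEAT_DB" > "$BEAT_DB.tmp"
    printf '%s %s\n' "$server" "$now" >> "$BEAT_DB.tmp"
    mv "$BEAT_DB.tmp" "$BEAT_DB"
}

# Print the server currently holding a session for user $1 (empty if none).
session_owner() {
    touch "$SESS_DB"
    awk -v u="$1" '$1 == u { print $2; exit }' "$SESS_DB"
}

# client-connect on server $2 for user $1: return 1 (OpenVPN then rejects
# the client) if the user is already active on a different server,
# otherwise register or refresh the session and return 0.
session_connect() {
    user=$1; server=$2
    owner=$(session_owner "$user")
    if [ -n "$owner" ] && [ "$owner" != "$server" ]; then
        return 1
    fi
    awk -v u="$user" '$1 != u' "$SESS_DB" > "$SESS_DB.tmp"
    printf '%s %s\n' "$user" "$server" >> "$SESS_DB.tmp"
    mv "$SESS_DB.tmp" "$SESS_DB"
}

# client-disconnect: release user $1's session.
session_disconnect() {
    touch "$SESS_DB"
    awk -v u="$1" '$1 != u' "$SESS_DB" > "$SESS_DB.tmp"
    mv "$SESS_DB.tmp" "$SESS_DB"
}

# Keepalive sweep (cron on the database host): at time $1, drop every
# session held by a server whose last heartbeat is older than $2 seconds,
# so a crashed server that never ran its client-disconnect hook cannot
# keep its users locked out. Prints the number of sessions cleared.
clear_stale_sessions() {
    now=$1; max_age=$2
    touch "$SESS_DB" "$BEAT_DB"
    before=$(wc -l < "$SESS_DB")
    awk -v now="$now" -v max="$max_age" -v beats="$BEAT_DB" '
        FILENAME == beats { last[$1] = $2; next }   # load heartbeats first
        ($2 in last) && (now - last[$2]) <= max      # keep only live servers
    ' "$BEAT_DB" "$SESS_DB" > "$SESS_DB.tmp"
    mv "$SESS_DB.tmp" "$SESS_DB"
    after=$(wc -l < "$SESS_DB")
    echo $((before - after))
}
```

The two hooks would be called from the `client-connect` and `client-disconnect` scripts with `$common_name` and the local server's name; `heartbeat` and `clear_stale_sessions` run from cron on the database host with `$(date +%s)`. Choose the staleness threshold larger than the heartbeat interval, or a single missed ping evicts every user of a healthy server.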
by xauen » Wed Aug 17, 2011 12:52 pm
Yeah, you're right, janjust.
I will ping the other remote child servers from remote child server A; if the other remote servers are alive it will copy the status file from remote child server A to the other remote child servers B and C and so on, and I will add an authentication script to check the status file for whether the user is there. If the user is in the file then close the tunnel.
Otherwise, if one of the servers is dead, then overwrite the status file of that specific server so the client will not be locked out.
And I can do it from cron every minute using a script.
Thank you, a great idea!
by xauen » Wed Aug 17, 2011 6:46 pm
Success!!
Script will be posted later for others to see,..
Thanks everyone!