Every time I add a "client-connect" attribute, I can't connect

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Every time I add a "client-connect" attribute, I can't connect

Post by iautran » Thu Dec 25, 2014 10:54 pm

Hi,

Based on this topic, topic10024.html, I wanted to have an email sent each time I connect through OpenVPN.
I have edited the server.conf file and added two lines:
script-security 3 system
client-connect /etc/openvpn/scripts/clientconnect.sh
But since I made this modification, I always get an authentication failure on my client (which was working before).
If I comment out the "client-connect" line, the authentication works again.

The authentication is based on certificates and my "test" client is an iPhone with the OpenVPN app.

Does someone have an idea why, when I uncomment the "client-connect" line, I always get an authentication failure?

Thank you

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Every time I add a "client-connect" attribute,I cant con

Post by maikcat » Fri Dec 26, 2014 2:45 pm

For a start, post the complete configs used and the server log.
Also:
--client-connect cmd
Run command cmd on client connection.

cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.

The command is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The command is also passed the pathname of a freshly created temporary file as the last argument (after any arguments specified in cmd ), to be used by the command to pass dynamically generated config file directives back to OpenVPN.

If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by the last argument.

See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.

Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.

Michael.
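
A client-connect script written around the contract maikcat quotes above, as an added example (not code from the thread or from OpenVPN). It reads the variables OpenVPN exports (common_name, trusted_ip, trusted_port, tun_mtu), writes per-client directives into the temporary file passed as the last argument, keeps the notification best-effort so a broken mailer cannot turn into a disconnected client, and returns non-zero only for a deliberate policy decision. The mail addresses, the deny list and the pushed DNS server are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a client-connect script written
# around the contract in the man page quoted above. OpenVPN exports the
# client's common_name, trusted_ip, trusted_port and tun_mtu, passes the path
# of a fresh temporary file as the LAST argument, applies whatever the script
# writes into that file as per-client config, and disconnects the client on
# any non-zero exit. Mail addresses, the deny list and the pushed DNS server
# are assumptions for the example.

MAIL_FROM=${MAIL_FROM:-alerts@example.com}
MAIL_TO=${MAIL_TO:-admin@example.com}
MAIL_CMD=${MAIL_CMD:-"sendmail -t"}      # -t takes the recipient from the To: header
DENY_LIST=${DENY_LIST:-"blocked-laptop"} # assumed policy: common names to refuse
CLIENT_DNS=${CLIENT_DNS:-10.8.0.1}       # assumed per-client push

# Build an RFC 822 message from OpenVPN's environment. The blank line after
# the headers is mandatory; without it the first body line is parsed as a
# broken header. Variables are defaulted so the script also runs by hand.
build_message() {
    now=$(date +"%H:%M:%S - %Y-%m-%d")
    printf 'From: %s\nTo: %s\nSubject: OpenVPN - CONNECTED: %s - %s\n\n' \
        "$MAIL_FROM" "$MAIL_TO" "${common_name:-unknown}" "$now"
    printf 'At %s, %s connected to the OpenVPN server.\n\n' "$now" "${common_name:-unknown}"
    printf 'IP: %s\nPORT: %s\nMTU: %s\n' \
        "${trusted_ip:-?}" "${trusted_port:-?}" "${tun_mtu:-?}"
}

# Best-effort notification: a missing or failing mailer is logged, never
# returned, because a mail outage must not turn into a VPN outage.
notify() {
    if command -v "${MAIL_CMD%% *}" >/dev/null 2>&1; then
        build_message | $MAIL_CMD \
            || logger -t openvpn-connect "mail failed for ${common_name:-unknown}" \
            || true
    else
        logger -t openvpn-connect "mailer not found; no mail for ${common_name:-unknown}" \
            2>/dev/null || true
    fi
    return 0
}

# Write the directives OpenVPN should apply to this client into the temp file.
write_dynamic_config() {
    [ -n "$1" ] || return 1
    printf 'push "dhcp-option DNS %s"\n' "$CLIENT_DNS" > "$1"
}

# Entry point. The only deliberate non-zero exit is the policy decision,
# the one case where disconnecting the client is the intended outcome.
client_connect() {
    [ "$#" -ge 1 ] || return 1              # OpenVPN always passes the temp file
    eval "dynamic_cfg=\${$#}"               # last positional argument (POSIX)
    [ -n "${common_name:-}" ] || return 1   # no identity, no session
    case " $DENY_LIST " in
        *" $common_name "*) return 1 ;;     # assumed policy: refuse listed names
    esac
    write_dynamic_config "$dynamic_cfg" || return 1
    notify
}

# OpenVPN always supplies at least one argument, so with none (sourced or
# run for a test) the functions are only defined.
if [ "$#" -gt 0 ]; then
    client_connect "$@"
    exit $?
fi
```

This script needs no secrets from OpenVPN, so `script-security 2` is enough for it; level 3 only adds passing passwords to scripts through the environment, and the `system` method is the deprecated one (the default, `execve`, does not go through a shell).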

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Re: Every time I add a "client-connect" attribute,I cant con

Post by iautran » Sat Dec 27, 2014 11:41 pm

Thank you for your answer.
Here are my configuration files:

server.conf
# in /etc/openvpn
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.100 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 8.8.8.8" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
script-security 3 system
# --script-security 2
client-connect /etc/openvpn/scripts/clientconnect.sh

client.ovpn
client
dev tun
proto udp
remote 78.193.xx.xx 1223
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
script-security 3 system
<ca>
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAg[]....TYK7MbbTIeAAiJu5Tg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIE8DCCA9igAwIBAg[...]vTdRFgChfY=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BF3C5EA8B52BC2B1

Mez2V20p[...]drGf2j1rI7+1Q==
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
be697a3fbac[...]ed00a945f4f
-----END OpenVPN Static key V1-----
</tls-auth>
Maybe I am missing something?
Thank you

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Re: Every time I add a "client-connect" attribute,I cant con

Post by iautran » Sat Dec 27, 2014 11:50 pm

Thank you!

Here are my conf files:

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Every time I add a "client-connect" attribute,I cant con

Post by maikcat » Sun Dec 28, 2014 2:29 pm

the most important bit is the script itself...

as the man page says "If script returns a non-zero error status, it will cause the client to be disconnected".

you must check what status your script returns and configure it accordingly.

Michael.

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Re: Every time I add a "client-connect" attribute,I cant con

Post by iautran » Sun Dec 28, 2014 4:20 pm

The "clientconnect.sh" script is the one provided in the original topic quoted in my first post.

It's this one :
#!/bin/bash
# Send an email when a client connects, with today's time and date.
# OpenVPN exports common_name, trusted_ip, trusted_port and tun_mtu
# into the script's environment.
NOW="$(date +"%H:%M:%S - %Y-%m-%d")"

# The blank line after the headers is required: it separates the
# header block from the message body.
sendmail alerts@company.com <<EOF
FROM: alerts@company.com
TO: me@company.com
SUBJECT: OpenVPN - CONNECTED: $common_name - $NOW

At $NOW, $common_name connected to the OpenVPN server.

IP: $trusted_ip
PORT: $trusted_port
MTU: $tun_mtu
.
EOF
exit 0
If I launch it manually, I correctly receive an email.
Can you tell me how I can verify that exit code 0 is correctly returned by the script?

Thanks

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Every time I add a "client-connect" attribute,I cant con

Post by Traffic » Sun Dec 28, 2014 7:28 pm

Your openvpn server process drops privileges:
iautran wrote:
user nobody
group nogroup

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Re: Every time I add a "client-connect" attribute,I cant con

Post by iautran » Sun Dec 28, 2014 9:15 pm

You're the man :mrgreen:

Thank you for your help; that did the trick.

Is there any way to keep my OpenVPN secure with "user nobody" and "group nobody" configured?

Thank you

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Every time I add a "client-connect" attribute,I cant con

Post by Traffic » Sun Dec 28, 2014 11:29 pm

The way I do it is to create a user:group = openvpn:openvpn with the necessary rights.

BTW: maikcat is the man .. not me ;)
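
The two pieces behind Traffic's answer, as an added example (not code from the thread): provisioning the dedicated openvpn:openvpn account with rights limited to reading and executing the connect script, and a way to run the script exactly as the privilege-dropped daemon will, which is also how to answer iautran's earlier question about checking the exit status before restarting the server. The account name, the script path, the mode policy and the simulated client values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two things the fix above needs:
# a dedicated unprivileged account (Traffic's openvpn:openvpn) that can read
# and execute the connect script but not modify it, and a way to run the
# script exactly as the daemon will, so its exit status can be checked
# before the server is restarted (the question iautran asked earlier).
# Account name, script path and the simulated client values are assumptions.

SCRIPT=${SCRIPT:-/etc/openvpn/scripts/clientconnect.sh}
RUN_USER=${RUN_USER:-openvpn}
RUN_GROUP=${RUN_GROUP:-openvpn}

# One-time setup (root). Then replace "user nobody" / "group nogroup" in
# server.conf with "user openvpn" / "group openvpn". Owner root with mode 0750
# means the process running as openvpn can execute the script, but a
# compromise of that process cannot rewrite what runs on every connection.
provision() {
    getent group "$RUN_GROUP" >/dev/null || groupadd --system "$RUN_GROUP"
    id "$RUN_USER" >/dev/null 2>&1 || useradd --system --gid "$RUN_GROUP" \
        --shell /usr/sbin/nologin --no-create-home "$RUN_USER"
    chown root:"$RUN_GROUP" /etc/openvpn/scripts "$SCRIPT"
    chmod 0750 /etc/openvpn/scripts "$SCRIPT"
}

# Static check, no root needed: parse the mode column of `ls -l` (portable,
# unlike stat's GNU/BSD-specific flags) and require a regular file that the
# group can read and execute and that nobody else can write.
script_mode_ok() {
    file=$1
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")
    mode=$1
    case "$mode" in
        -r??r?x*) ;;             # owner r, group r and x
        *) return 1 ;;
    esac
    case "$mode" in
        ????????w*) return 1 ;;  # world-writable: anyone can change the script
    esac
    return 0
}

# Dynamic check: invoke the script as OpenVPN does after dropping privileges,
# with a clean environment carrying the variables OpenVPN sets and a temp
# file as the last argument, then show the status OpenVPN will act on.
simulate_connect() {
    cfg=$(mktemp) || return 1
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        common_name="${1:-testclient}" trusted_ip="${2:-203.0.113.7}" \
        trusted_port=51000 tun_mtu=1500 \
        runuser -u "$RUN_USER" -g "$RUN_GROUP" -- "$SCRIPT" "$cfg"
    rc=$?
    echo "exit status $rc (non-zero: OpenVPN would disconnect the client)"
    echo "dynamic config the script wrote:"
    cat "$cfg"
    rm -f "$cfg"
    return "$rc"
}

# Usage: ./openvpn-script-check.sh provision   (as root, once)
#        ./openvpn-script-check.sh check [common_name]
case "${1:-}" in
    provision) provision ;;
    check)     script_mode_ok "$SCRIPT" || { echo "bad mode on $SCRIPT"; exit 1; }
               simulate_connect "${2:-testclient}" ;;
esac
```

Run `check` after every edit to the script or to `user`/`group` in server.conf: a non-zero status here is exactly what OpenVPN sees, and it shows up before any client is turned away. The `env -i` keeps the test honest, since a script that only works thanks to the admin's PATH or shell variables will fail the same way under the daemon.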

iautran
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 25, 2014 10:39 pm

Re: Every time I add a "client-connect" attribute,I cant con

Post by iautran » Tue Feb 17, 2015 9:02 pm

Question for an admin or a moderator

Please, can you edit one of my posts? It shows an IP address I don't want to publish, in the "client.ovpn" quote.

I can't do it myself.

Thank you

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Every time I add a "client-connect" attribute,I cant con

Post by maikcat » Wed Feb 18, 2015 6:57 am

done

Regards,

Michael.
