OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

OpenVPN Access Server Cli Creating a group

https://forums.openvpn.net/viewtopic.php?t=21680

Page 1 of 1

OpenVPN Access Server Cli Creating a group

Posted: Wed May 04, 2016 7:36 am
by steve79
Hi there,

does any one knows how to create a group via CLI? i can't seems to find a way

Thanks

Steve.

Re: OpenVPN Access Server Cli Creating a group

Posted: Wed May 04, 2016 10:13 am
by novaflash
You can go to /usr/local/openvpn_as/scripts/ and look up the scripts there. For example if you run ./confdba --help or ./sacli --help you can see help information on how to use the command line scripts. You should be able to do something like this for example;

cd /usr/local/openvpn_as/scripts/
./sacli -u GROUP -mk type -v group UserPropPut
./confdba -u --prof GROUP -mk "group_declare" -v "true"
./confdba -u --prof GROUP -mk "type" -v "group"

You may need to run ./sacli start to let the Access Server reload settings. But the group should then exist. There are also other settings like c2s_dest_s and c2s_dest_v and such to set things that are configured on that group. You can find more info at https://docs.openvpn.net/access-server/ in the command line section. Should be some samples in there as well.

Re: OpenVPN Access Server Cli Creating a group

Posted: Thu May 05, 2016 1:39 pm
by steve79
Thanks Novaflash - but it does not seems strait forward command to create a group - I am trying to script this but does not seems strait forward.

Re: OpenVPN Access Server Cli Creating a group

Posted: Thu May 05, 2016 1:47 pm
by novaflash
I don't know what you expect. It's a command line script. The sample provided does exactly what you asked for.

Good luck now.

Re: OpenVPN Access Server Cli Creating a group

Posted: Mon Aug 07, 2017 5:45 pm
by astclair
It took me a while to decipher the answer that novaflash provided, but it is correct.

I had to implement this from the CLI in order to achieve some Google Auth implementation we needed. We wanted to restrict google auth to only a certain group. So, my group will be called googleauth.

The first thing I did to understand what's going on here is I added the group via the web interface, using the name googleauth. Then, via some trial and error, I identified the properties I need to pass to confdba. I need --userdb which says to query the Users's config database. I need --show which just means show me general information. I need --prof to identify which profile (think of profile as username or group name) to show.

So, I issued the command:

Code: Select all

cd /usr/local/openvpn_as/scripts
./confdba --userdb --show --prof googleauth
This produced the following result:

Code: Select all

{
  "googleauth": {
    "c2s_dest_s": "false",
    "c2s_dest_v": "false",
    "group_declare": "true",
    "prop_autologin": "false",
    "prop_deny": "false",
    "prop_google_auth": "true",
    "prop_superuser": "false",
    "type": "group"
  }
}
Now I know that I essentially need to emulate this setup, but from the CLI.

-----------------------------

Step 1. Create the group using sacli.

Code: Select all

cd /usr/local/openvpn_as/scripts
./sacli --user googleauth --key type --value group UserPropPut
The original example provided by novaflash includes a -m parameter, however sacli does not have that option. The above command creates group named googleauth.

Step 2. Configure the group options to match the JSON above, that was produced by creating the user from the UI

Code: Select all

cd /usr/local/openvpn_as/scripts
./confdba --userdb --prof googleauth --mod --key c2s_dest_s --value false
./confdba --userdb --prof googleauth --mod --key c2s_dest_v --value false
./confdba --userdb --prof googleauth --mod --key group_declare --value true
./confdba --userdb --prof googleauth --mod --key prop_autologin --value false
./confdba --userdb --prof googleauth --mod --key prop_deny --value false
./confdba --userdb --prof googleauth --mod --key prop_google_auth --value true
./confdba --userdb --prof googleauth --mod --key prop_superuser --value false
./confdba --userdb --prof googleauth --mod --key type --value group
Note that the --mod directive is required above.

Step 3. Start sacli

Code: Select all

cd /usr/local/openvpn_as/scripts
./sacli start
-----------------------------

After doing the above steps, I now have a new group that requires Google Authentication.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/