Hi,

On Fri, Jan 08, 2021 at 11:33:38AM +0100, Ralf Hildebrandt wrote:
> We have a flock of openvpn Servers. We're using DNS round robin
> (openvpn.charite.de).
>
> Currently we have
> 421 clients on machine 0
> 465 clients on machine 1
> 598 clients on machine 2
> 246 clients on machine 3
>
> How can I change my auth-user-pass-verify / client-connect or
> learn-address scripts to prevent MORE clients on machine 2?
>
> I could return AUTH_FAILED, but that would irritate the users, since
> their clients would ask for a (new) password.
I actually do not have an answer to your question (not sure there is
anything else to return today, *but* I do not understand that code
part very well).
I do know that explicit-exit-notify is signalled with an extra parameter
that tells the client "reconnect" or "go to the next server"
("RESTART,[N]" vs. "RESTART").
So, depending on your authentication, it might be an idea to "let them
in", and then disconnect them right away (via management interface)
with a "client-kill cid RESTART,[N]" message.
For clients using 2FA auth, this will be very annoying (= won't work),
unless you also have --auth-gen-token + secret active. For clients using
(cached) auth+pass or cert-only, this might work out nicely.
But, you need to talk to the management interface.
(Maybe I'm all wrong and there is a way to send RESTART from plugin
or scripts, and I just don't know it yet)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
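The "let them in, then kick them via the management interface" approach Gert sketches, as an added example that is not code from either poster: it connects to the server's management socket, reads `status 2`, picks the newest clients above a per-server limit, and sends `client-kill <cid> RESTART,[N]` for each. Assumptions: the server runs `--management <path> unix` (the path is made up), OpenVPN 2.4 or newer so that `status 2` carries a "Client ID" column, and the limit of 500 is arbitrary. The `RESTART,[N]` wording is taken from Gert's message; the example does not fix a value for N. The `status 2` output embedded below is constructed, not captured from a real server.

```python
"""Redirect the newest clients off an overloaded OpenVPN server (example, not from the thread).

Assumes --management <unix socket> on the server and OpenVPN >= 2.4, whose `status 2`
CLIENT_LIST rows carry a Client ID column. The client-kill message form "RESTART,[N]"
is as given in Gert's mail; pick N for your setup.
"""
import socket
import sys

MAX_CLIENTS = 500                           # assumed per-server limit
MGMT_SOCKET = "/run/openvpn/server.sock"    # assumed --management unix socket path

# Constructed `status 2` reply (not real data); column set matches the 2.4 CLIENT_LIST header.
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu
TIME,Fri Jan  8 11:30:00 2021,1610101800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,alice,198.51.100.10:1194,10.8.0.2,,1200,3400,Fri Jan  8 09:00:00 2021,1610092800,alice,17,0
CLIENT_LIST,bob,198.51.100.11:1194,10.8.0.3,,800,2100,Fri Jan  8 10:15:00 2021,1610097300,bob,42,1
CLIENT_LIST,carol,198.51.100.12:1194,10.8.0.4,,50,90,Fri Jan  8 11:29:50 2021,1610101790,carol,57,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,alice,198.51.100.10:1194,Fri Jan  8 11:29:00 2021,1610101740
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return one dict per CLIENT_LIST row, keyed by the names in the preceding HEADER line.

    Keying by header name rather than position keeps this working when a newer
    server appends columns (2.5 adds "Data Channel Cipher", for instance).
    """
    columns, clients = None, []
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[0] == "HEADER" and len(fields) > 1 and fields[1] == "CLIENT_LIST":
            columns = fields[2:]
        elif fields[0] == "CLIENT_LIST" and columns is not None:
            clients.append(dict(zip(columns, fields[1:])))
    return clients


def pick_clients_to_redirect(clients, max_clients):
    """Clients beyond the limit, newest first, so long-established sessions are left alone."""
    excess = len(clients) - max_clients
    if excess <= 0:
        return []
    newest_first = sorted(clients, key=lambda c: int(c["Connected Since (time_t)"]), reverse=True)
    return newest_first[:excess]


def client_kill_command(cid, message="RESTART"):
    """Build the management command; pass e.g. "RESTART,2" to use the RESTART,[N] form Gert names."""
    return f"client-kill {cid} {message}"


class Management:
    """Minimal synchronous client for the OpenVPN management interface on a unix socket."""

    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self.buf = b""
        self._readline()  # consume the ">INFO:OpenVPN Management Interface ..." greeting

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("management socket closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("utf-8", "replace").rstrip("\r")

    def command(self, cmd):
        """Send one command and return its reply lines; asynchronous '>' notifications are skipped."""
        self.sock.sendall((cmd + "\r\n").encode())
        lines = []
        while True:
            line = self._readline()
            if line.startswith(">"):
                continue
            lines.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                return lines

    def close(self):
        self.sock.close()


def redirect_excess(mgmt, max_clients, message):
    """Kick every client above the limit with the given message; return (cn, cid, reply) tuples."""
    clients = parse_client_list("\n".join(mgmt.command("status 2")))
    results = []
    for c in pick_clients_to_redirect(clients, max_clients):
        reply = mgmt.command(client_kill_command(c["Client ID"], message))
        results.append((c["Common Name"], c["Client ID"], reply[-1]))
    return results


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else MGMT_SOCKET
    message = sys.argv[2] if len(sys.argv) > 2 else "RESTART"
    mgmt = Management(path)
    try:
        for cn, cid, reply in redirect_excess(mgmt, MAX_CLIENTS, message):
            print(f"{cn} (cid {cid}): {reply}")
    finally:
        mgmt.close()
```

Run it from cron or a loop on the busy machine; it only acts when the count is over the limit, and it kicks the most recently connected sessions, which are the ones that just landed there via round robin. Gert's caveat applies unchanged: a client that has to prompt for a 2FA code on every connect will see the RESTART as an interruption, so this is only painless for cert-only or cached-credential clients, or where --auth-gen-token is in use.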
