On Sat, 20 Jan 2024 22:17:10 +0100, Gert Doering <g...@greenie.muc.de> wrote:
>Hi,
>
>On Sat, Jan 20, 2024 at 07:57:17PM +0100, Bo Berglund wrote:
>> >Anything can be done via --client-connect / --client-disconnect scripts.
>>
>> Very interesting, I did not know about this....
>>
>> It makes it possible to actually create a separate logfile for client activity
>> without the overhead of the regular logs.
>>
>> And it seems like a client reject could also be put into the --client-connect
>> script since it gets the client's Common Name as a parameter.
>>
>> So having a list of disallowed clients read by the --client-connect script makes
>> it as simple as matching the provided CN value to the list and exit non-zero if
>> a match is found would disconnect the connecting client, right?
>
>Correct :-)
>
>> And one could do so much more with this type of script!
>
>Indeed... like "look up in DNS or LDAP which IP address the client should
>get, and return that to the openvpn process".
>
>There is one catch: OpenVPN blocks while --client-connect executes, so
>if you do something that takes more than "few milliseconds", you need
>to return 2 right away ("deferred operation") and progress the parts
>that take longer in the background, writing the final result to
>$auth_control_file (look for "deferred" in man openvpn).

Well, looking up a name in a "forbiddenusers" file which just contains a list of the CN of blocked users should qualify for "quick".

OTOH using the ccd dir as I have proposed earlier is probably as good, but needs a lot of files if the blocked clients are numerous, so a single file with the list of these users is probably more efficient/easier to maintain.

Other use:
----------
I had been looking for a way to log user access easily (not trying to extract stuff from the openvpn own logs), and this seems to be a viable way to do it.

The openvpn own logs do not contain timestamps, which I find disturbing.
Now I can start my own logging and get access logs with connect and disconnect including timestamps. :)

Thanks for your post about this.

>gert

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
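The two uses discussed in this message (rejecting a client whose CN is listed in a "forbiddenusers" file by exiting non-zero from --client-connect, and keeping a separate timestamped connect/disconnect log) can be served by one script used for both hooks. The following is an added example written for this thread, not code posted by either participant or shipped with OpenVPN. The environment variables it reads (common_name, trusted_ip, script_type) are the ones OpenVPN exports to these scripts; the file locations, the log line format and the function names (is_forbidden, log_event, handle) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): one handler for both
# --client-connect and --client-disconnect that
#   1. rejects a client whose CN is listed in a "forbiddenusers" file
#      (one CN per line, exact match) by exiting non-zero, and
#   2. appends a timestamped line per connect/disconnect to a separate
#      access log instead of mining OpenVPN's own log.
# OpenVPN exports the client's CN as $common_name, its public address as
# $trusted_ip and the hook name as $script_type; on client-connect it also
# passes a temporary client-config file path as $1 (unused here).
# File locations and log format are assumptions for this example.

FORBIDDEN_FILE="${FORBIDDEN_FILE:-/etc/openvpn/forbiddenusers}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/openvpn-access.log}"

# is_forbidden CN FILE: return 0 if CN appears as a whole line in FILE.
# -F (fixed string) and -x (whole line) stop a CN like "bob" matching
# "bobby" and stop regex metacharacters in a CN from being interpreted.
is_forbidden() {
    cn=$1
    file=$2
    [ -r "$file" ] || return 1      # no readable list -> nobody is blocked
    grep -Fxq -- "$cn" "$file"
}

# log_event EVENT CN IP LOGFILE: append one timestamped (UTC) line.
log_event() {
    printf '%s %s cn=%s ip=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$2" "$3" >> "$4"
}

# handle HOOK CN IP FORBIDDEN_FILE LOGFILE: the decision logic, kept as a
# function with explicit arguments so it can be exercised without OpenVPN.
# Returns 0 to let the connection proceed, 1 to make OpenVPN drop it.
handle() {
    hook=$1; cn=$2; ip=$3; list=$4; logfile=$5
    case "$hook" in
        client-connect)
            if is_forbidden "$cn" "$list"; then
                log_event REJECT "$cn" "$ip" "$logfile"
                return 1
            fi
            log_event CONNECT "$cn" "$ip" "$logfile"
            ;;
        client-disconnect)
            log_event DISCONNECT "$cn" "$ip" "$logfile"
            ;;
        *)
            log_event UNKNOWN-HOOK "$cn" "$ip" "$logfile"
            ;;
    esac
    return 0
}

# Only dispatch when OpenVPN actually invoked us (it sets $script_type);
# running the file by hand just defines the functions.
# The file lookup is fast, so the script answers synchronously; a slow
# backend (LDAP, DNS) would instead need the deferred mechanism Gert
# describes above.
if [ -n "${script_type:-}" ]; then
    handle "$script_type" "${common_name:-unknown}" "${trusted_ip:-unknown}" \
        "$FORBIDDEN_FILE" "$ACCESS_LOG"
    exit $?
fi
```

To wire it in, point both hooks at the same file in the server config (`client-connect /etc/openvpn/access.sh` and `client-disconnect /etc/openvpn/access.sh`, with `script-security 2` so OpenVPN is allowed to run it), make the script executable, and keep the forbiddenusers file readable only by the user OpenVPN drops to. Because a missing or unreadable list means "nobody blocked", check the file's permissions after any change to the user OpenVPN runs as; a blocked CN silently becoming allowed is the failure mode to watch for here.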