Discussion:
[Openvpn-users] Disconnect messages in the management interface?
Joe Patterson
2017-03-10 16:47:01 UTC
I'm pretty sure that the answer to this is probably "no", but I'm gonna ask
anyhow...

For clients connecting without auth-user-pass, I get a CLIENT notification
for ESTABLISHED, but none for DISCONNECT. Is there a way to make openvpn
send DISCONNECT messages on the management interface even if the client
didn't authenticate with a username/password?

The management app I'm writing is managing multiple openvpn instances and
it's fine for the ones that use username/password (because I get a CLIENT
notification for CONNECT, ESTABLISHED, DISCONNECT, and others), but when
it's managing one that doesn't use usernames/passwords, it only gets
ESTABLISHED and never knows when a client disconnects.

So far, the only solutions that I can think of are:
A) have a separate client-connect script that uses some sort of messaging
to inform my main app that something's disconnected. That seems really
ugly, but might work.
B) periodically poll for 'status' and note which clients aren't there
anymore. That means I have to balance how long I'm OK with stale clients
versus how often I poll status.
C) configure my password-less clients with a static username/password (via
the [up] file argument to --auth-user-pass) that I then ignore. This is
probably the best option, I just don't like it, and wanted to find out if
there was something simple I was overlooking. :)

Thanks!

-Joe
Jan Just Keijser
2017-03-13 14:25:10 UTC
Hi Joe,
Post by Joe Patterson
I'm pretty sure that the answer to this is probably "no", but I'm
gonna ask anyhow...
For clients connecting without auth-user-pass, I get a CLIENT
notification for ESTABLISHED, but none for DISCONNECT. Is there a way
to make openvpn send DISCONNECT messages on the management interface
even if the client didn't authenticate with a username/password?
The management app I'm writing is managing multiple openvpn instances
and it's fine for the ones that use username/password (because I get a
CLIENT notification for CONNECT, ESTABLISHED, DISCONNECT, and others),
but when it's managing one that doesn't use usernames/passwords, it
only gets ESTABLISHED and never knows when a client disconnects.
A) have a separate client-connect script that uses some sort of
messaging to inform my main app that something's disconnected. That
seems really ugly, but might work.
B) periodically poll for 'status' and note which clients aren't there
anymore. That means I have to balance how long I'm OK with stale
clients versus how often I poll status.
C) configure my password-less clients with a static username/password
(via the [up] file argument to --auth-user-pass) that I then ignore.
This is probably the best option, I just don't like it, and wanted to
find out if there was something simple I was overlooking. :)
most likely you are using "proto udp": when a client disconnects, no
message is sent to the server by default. In order to have a client
explicitly send a 'log off' message, add
explicit-exit-notify 3
to the client config and reconnect. When a client now disconnects, the
"client-disconnect" script is triggered. It is not related to the
auth-user-pass option.
Does that work for you?

HTH,

JJK
Joe Patterson
2017-03-13 15:00:11 UTC
Nope, I'm using proto tcp. Also ping 10 and ping-exit 120 so, iirc, even
if a udp client crashes without being able to send an exit-notify, the lack
of keepalive pings will eventually lead to a disconnect. Also, the output
of "status" immediately reflects the disconnected client. There are just
no disconnect messages.

Actually, I just realized that this is more problematic than I had first
thought... Without a "CONNECT" that waits for client_auth CID KID, I don't
have a way to pass client config directives like ifconfig-push (unless I
put them in a client-config directory, but I'm trying to avoid that.)

This is a pure testing environment, so there may be some weird values here,
but this is my server config:

ifconfig 192.168.1.1 192.168.1.2
ifconfig-pool 192.168.1.8 192.168.1.254
route 192.168.1.0 255.255.255.0
dev tun2
proto tcp-server
port 1195
management 127.0.0.1 5552
duplicate-cn
ca ca.crt
cert server.crt
comp-lzo
dh dh1024.pem
ping 10
ping-exit 120
key server.key
mode server
persist-key
persist-tun
ping-timer-rem
tls-server
verb 4
reneg-sec 120
INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
{I connect with my client}
CLIENT:ESTABLISHED,0
CLIENT:ENV,n_clients=1
{normal ENV info}
CLIENT:ENV,redirect_gateway=0
CLIENT:ENV,END
status 2
TITLE,OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
TIME,Mon Mar 13 10:44:07 2017,1489416247
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,jpatterson,127.0.0.1:54140,192.168.1.10,,2907,2847,Mon Mar 13 10:43:57 2017,1489416237,UNDEF,0,0
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,192.168.1.10,jpatterson,127.0.0.1:54140,Mon Mar 13 10:43:57 2017,1489416237
GLOBAL_STATS,Max bcast/mcast queue length,0
END
{I disconnect my client}
status 2
TITLE,OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
TIME,Mon Mar 13 10:44:19 2017,1489416259
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END

So the server definitely knows the client is disconnected.

The more I look at this, the more convinced I am that I need to configure
clients to send a bogus username/password, not for any authentication
purposes, but just so that the server can have 'management-client-auth' and
not shut down a client because it isn't passing user/pass info.

Thanks,

-Joe
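Option B from the first post (poll `status` and diff the client list), written out as an added example that is not from the thread: it parses the `status 2` reply format shown above and synthesises the DISCONNECT events the management interface does not emit for this server. The two snapshots are constructed from the status replies quoted above; a real manager would read them off the management socket.

```python
import csv

# Constructed from the two 'status 2' replies quoted in the thread.
STATUS_BEFORE = """\
TITLE,OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
TIME,Mon Mar 13 10:44:07 2017,1489416247
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,jpatterson,127.0.0.1:54140,192.168.1.10,,2907,2847,Mon Mar 13 10:43:57 2017,1489416237,UNDEF,0,0
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,192.168.1.10,jpatterson,127.0.0.1:54140,Mon Mar 13 10:43:57 2017,1489416237
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""
STATUS_AFTER = """\
TITLE,OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
TIME,Mon Mar 13 10:44:19 2017,1489416259
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_client_list(status_text):
    """Map Client ID -> field dict for the CLIENT_LIST rows of a 'status 2' reply.
    Keyed on Client ID, not Common Name: duplicate-cn allows several sessions per
    CN, and the CID is the value CLIENT:ESTABLISHED,<CID> reported earlier."""
    header, clients = None, {}
    for row in csv.reader(status_text.splitlines()):
        if not row:
            continue
        if row[0] == "HEADER":
            header = row[2:] if len(row) > 1 and row[1] == "CLIENT_LIST" else None
        elif row[0] == "CLIENT_LIST" and header is not None:
            rec = dict(zip(header, row[1:]))
            clients[rec["Client ID"]] = rec
        elif row[0] == "END":
            break
    return clients

def diff_snapshots(previous, current):
    """Return (connected, disconnected) Client IDs between two polls; the second
    list stands in for the DISCONNECT notifications the server never sent."""
    return (sorted(set(current) - set(previous)),
            sorted(set(previous) - set(current)))

if __name__ == "__main__":
    before = parse_client_list(STATUS_BEFORE)
    _, gone = diff_snapshots(before, parse_client_list(STATUS_AFTER))
    for cid in gone:
        r = before[cid]
        print(f"DISCONNECT cid={cid} cn={r['Common Name']} real={r['Real Address']}")
```

A client that drops and reconnects between two polls gets a new CID, so the diff still reports one disconnect and one connect rather than silently carrying the old session forward.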