Context Navigation

← Previous Ticket
Next Ticket →

#1330 closed User question (notabug)

Client-connect & client-disconnect deferred

Reported by:	nanohayder	Owned by:
Priority:	major	Milestone:	release 2.5
Component:	plug-ins / plug-in API	Version:	OpenVPN 2.5.0 (Community Ed)
Severity:	Not set (select this one, unless your'e a OpenVPN developer)	Keywords:
Cc:	tincantech

Description

hi,

how to configure the client-connect, disconnect and auth-user-pass-verify scripts to be deferred to backgrounds.

I'm unable to find an ENV that enables those I have used ENV "deferred_auth_pam" for the pam auth plugin and it works. but I can't find what is needed to accomplish the same for these client-connect, disconnect and auth-user-pass-verify

can you please help me?

Change History (4)

comment:1 Changed 9 months ago by tincantech

Cc:	tincantech added

comment:2 Changed 7 months ago by Gert Döring

Here's my --client-connect script I use to test this on the server:

# where to send config commands?
    CONF=$1
...
    # deferred handling?

    # tell server we want deferred handling (= it should regularily
    # check that file for updates
    echo 2 >$client_connect_deferred_file

    # child process - try simple shell backgrounding
    (
        sleep 10
...
        echo 'push "setenv CCS_RET meow"' >>$CONF
        echo 'push "route-ipv6 fd00:dead:beef::1/128"' >>$CONF
...
        echo 1 >$client_connect_deferred_file   # 0 = fail, 1 = success
    ) &

    # parent process
    exit 0

so the magic is in

script writes "2" to $client_connect_deferred_file (this is set up by the openvpn server process), initiates a "background worker", and exits 0 on the foreground process
when the background process is done, it writes 0/1 to the file, telling openvpn "I am finished and this is the result"

I am sure this is documented somewhere... oh yes it is, it's right in the manpage :-) - search for "client_connect_deferred_file" (multiple appearances).

I'm not sure we ever added deferred operation to --auth-user-pass-verify scripts - if needed, this can be simulated by a plugin that backgrounds and then runs the shell script, see here: https://github.com/fac/auth-script-openvpn

For --client-disconnect there is no explicit deferred handling in OpenVPN, since the server does not care about anything the script might return. So, just background your script and return in the foreground process.

I hope I could clarify this a bit - took me a while to figure out in the pre-2.5 test phase, so I can relate.

comment:3 Changed 6 months ago by Gert Döring

Resolution:	→ notabug
Status:	new → closed

Since I've never heard anything more, I assume that the question was answered.

Closing the ticket.

comment:4 Changed 6 months ago by tincantech

The OP probably never returned because no notification email.

Note: See TracTickets for help on using tickets.

Download in other formats: