Opened 9 months ago

Closed 6 months ago

Last modified 6 months ago

#1330 closed User question (notabug)

Client-connect & client-disconnect deferred

Reported by: nanohayder Owned by:
Priority: major Milestone: release 2.5
Component: plug-ins / plug-in API Version: OpenVPN 2.5.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: tincantech



How do I configure the client-connect, disconnect and auth-user-pass-verify scripts to be deferred to the background?

I'm unable to find an ENV that enables those. I have used ENV "deferred_auth_pam" for the PAM auth plugin and it works, but I can't find what is needed to accomplish the same for client-connect, disconnect and auth-user-pass-verify.

Can you please help me?

Change History (4)

comment:1 Changed 9 months ago by tincantech

Cc: tincantech added

comment:2 Changed 7 months ago by Gert Döring

Here's my --client-connect script I use to test this on the server:

    #!/bin/sh
    # where to send config commands?
    # (OpenVPN passes the temporary config file as the last argument;
    # $1 assumes no extra arguments in --client-connect)
    CONF=$1

    # deferred handling?
    if [ -n "$client_connect_deferred_file" ]
    then
        # tell server we want deferred handling (= it should regularly
        # check that file for updates)
        echo 2 >"$client_connect_deferred_file"

        # child process - try simple shell backgrounding
        (
            sleep 10
            echo 'push "setenv CCS_RET meow"' >>"$CONF"
            echo 'push "route-ipv6 fd00:dead:beef::1/128"' >>"$CONF"
            echo 1 >"$client_connect_deferred_file"   # 0 = fail, 1 = success
        ) &

        # parent process
        exit 0
    fi

so the magic is in

  • script writes "2" to $client_connect_deferred_file (this is set up by the openvpn server process), initiates a "background worker", and exits 0 on the foreground process
  • when the background process is done, it writes 0/1 to the file, telling openvpn "I am finished and this is the result"

I am sure this is documented somewhere... oh yes it is, it's right in the manpage :-) - search for "client_connect_deferred_file" (multiple appearances).

I'm not sure we ever added deferred operation to --auth-user-pass-verify scripts - if needed, this can be simulated by a plugin that backgrounds and then runs the shell script, see here:

For --client-disconnect there is no explicit deferred handling in OpenVPN, since the server does not care about anything the script might return. So, just background your script and return in the foreground process.

I hope I could clarify this a bit - took me a while to figure out in the pre-2.5 test phase, so I can relate.
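
An added example, not part of the ticket or of the test script above: the same deferred pattern with a worker that fails closed, so a failed lookup writes 0 instead of leaving the status file at 2. `lookup_routes`, the client name `alice` and its route entry are constructed for illustration, and the script assumes `--client-connect` passes no extra arguments, so `$1` is the temporary config file.

```shell
#!/bin/sh
# Added example: deferred --client-connect handler that fails closed.
# Assumption: no extra arguments in --client-connect, so $1 is the temp config file.

# Hypothetical stand-in for a slow backend lookup (database, LDAP, ...).
# Prints the push lines for a known client, returns non-zero otherwise.
lookup_routes() {
    case "$1" in
        alice) echo 'push "route-ipv6 fd00:dead:beef::1/128"' ;;  # constructed entry
        *)     return 1 ;;
    esac
}

# Background worker: append config, then report 1 (success) or 0 (fail).
# Every path through the worker ends by writing 0 or 1 to the status file.
deferred_worker() {
    w_conf=$1; w_status=$2; w_cn=$3
    result=0
    if routes=$(lookup_routes "$w_cn") && printf '%s\n' "$routes" >>"$w_conf"; then
        result=1
    fi
    printf '%s\n' "$result" >"$w_status"
    [ "$result" -eq 1 ]
}

handle_client_connect() {
    conf=$1
    status=${client_connect_deferred_file:-}
    if [ -z "$status" ]; then
        # Server offers no deferred file: decide synchronously.
        # A non-zero exit rejects the client.
        routes=$(lookup_routes "${common_name:-}") || return 1
        printf '%s\n' "$routes" >>"$conf"
        return
    fi
    echo 2 >"$status"    # 2 = deferred, server keeps checking the file
    ( deferred_worker "$conf" "$status" "${common_name:-}" ) >/dev/null 2>&1 &
    return 0
}

# Entry point when OpenVPN runs the script with the temp config file as $1.
if [ -n "${1:-}" ]; then
    handle_client_connect "$1"
    exit $?
fi
```
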

comment:3 Changed 6 months ago by Gert Döring

Resolution: notabug
Status: new → closed

Since I've never heard anything more, I assume that the question was answered.

Closing the ticket.

comment:4 Changed 6 months ago by tincantech

The OP probably never returned because no notification email.
