Opened 14 months ago

Closed 11 months ago

Last modified 11 months ago

#1330 closed User question (notabug)

Client-connect & client-disconnect deferred

Reported by: nanohayder
Owned by:
Priority: major
Milestone: release 2.5
Component: plug-ins / plug-in API
Version: OpenVPN 2.5.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: tct

Description

Hi,

How can I configure the client-connect, disconnect and auth-user-pass-verify scripts to be deferred to the background?

I'm unable to find an ENV that enables those. I have used ENV "deferred_auth_pam" for the PAM auth plugin and it works, but I can't find what is needed to accomplish the same for client-connect, disconnect and auth-user-pass-verify.

Can you please help me?


Change History (4)

comment:1 Changed 14 months ago by tct

Cc: tct added

comment:2 Changed 12 months ago by Gert Döring

Here's my --client-connect script I use to test this on the server:

    # where to send config commands?
    CONF=$1
    # ...
    # deferred handling?

    # tell server we want deferred handling (= it should regularly
    # check that file for updates)
    echo 2 >"$client_connect_deferred_file"

    # child process - try simple shell backgrounding
    (
        sleep 10
        # ...
        echo 'push "setenv CCS_RET meow"' >>"$CONF"
        echo 'push "route-ipv6 fd00:dead:beef::1/128"' >>"$CONF"
        # ...
        echo 1 >"$client_connect_deferred_file"   # 0 = fail, 1 = success
    ) &

    # parent process
    exit 0

so the magic is in

  • script writes "2" to $client_connect_deferred_file (this is set up by the openvpn server process), initiates a "background worker", and exits 0 on the foreground process
  • when the background process is done, it writes 0/1 to the file, telling openvpn "I am finished and this is the result"

I am sure this is documented somewhere... oh yes it is, it's right in the manpage :-) - search for "client_connect_deferred_file" (multiple appearances).

I'm not sure we ever added deferred operation to --auth-user-pass-verify scripts - if needed, this can be simulated by a plugin that backgrounds and then runs the shell script, see here: https://github.com/fac/auth-script-openvpn

For --client-disconnect there is no explicit deferred handling in OpenVPN, since the server does not care about anything the script might return. So, just background your script and return in the foreground process.

I hope I could clarify this a bit - took me a while to figure out in the pre-2.5 test phase, so I can relate.
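The deferred pattern from the comment above, as an added example that is not part of the ticket or of OpenVPN's own code: the background worker starts from "fail" and an EXIT trap always writes the final 0/1, so an aborted worker reports failure instead of leaving the file at 2. The names `policy_lookup` and `deferred_client_connect` and the "vpn-" rule are hypothetical, constructed for the demo.

```shell
#!/bin/sh
# Added example: deferred --client-connect handler that fails closed.
# policy_lookup is a hypothetical stand-in for a slow backend check.

policy_lookup() {
    # Constructed rule for the demo: only names starting with "vpn-" pass.
    sleep 1
    case "$1" in
        vpn-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# $1 = config file OpenVPN passes to the script, $2 = client name
deferred_client_connect() {
    conf=$1
    cn=$2
    status_file=$client_connect_deferred_file

    # 2 = "deferred": the server keeps checking this file for the result
    echo 2 >"$status_file" || return 1

    (
        result=0   # 0 = fail; stays 0 unless every step succeeds
        # Always write a final result, even if the worker aborts early
        trap 'echo "$result" >"$status_file"' EXIT

        policy_lookup "$cn" || exit 1
        echo 'push "setenv CCS_RET meow"' >>"$conf" || exit 1
        result=1   # 1 = success
    ) </dev/null >/dev/null 2>&1 &   # worker detached from the script's stdio

    # Foreground returns at once; the worker reports through the file
    return 0
}

# When run by OpenVPN as the --client-connect script
# (client_connect_deferred_file and common_name come from the server):
if [ -n "${client_connect_deferred_file:-}" ] && [ -n "${1:-}" ]; then
    deferred_client_connect "$1" "${common_name:-}"
fi
```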

comment:3 Changed 11 months ago by Gert Döring

Resolution: notabug
Status: new → closed

Since I've never heard anything more, I assume that the question was answered.

Closing the ticket.

comment:4 Changed 11 months ago by tct

The OP probably never returned because no notification email.
