OpenVPN client notification (connected/disconnected)

This is a revised version of the Turris documentation here, translated into English and with Maxmilian_Picmaus’s up/down scripts.

This example uses the feature create_notification to send a message according to the settings in the Foris administration section of the Maintenance section.

1. In the file /etc/config/openvpn add:

If you are using the Foris OpenVPN plugin, add it to the section
config openvpn 'server_turris'

option script_security '2'
option client_connect '/etc/openvpn/up.sh'
option client_disconnect '/etc/openvpn/down.sh'

2. Create a file /etc/openvpn/up.sh

#!/bin/bash
message="$(echo -e "${common_name} connected      to: ${HOSTNAME} \\nRemote:  ${untrusted_ip} \\nVirtual: ${ifconfig_pool_remote_ip}")"
/usr/bin/create_notification -s news "${message}"
/usr/bin/notifier
exit 0

3. Create a file /etc/openvpn/down.sh

#!/bin/bash
message="$(echo -e "${common_name} disconnected from: ${HOSTNAME} \\nRemote:  ${untrusted_ip} \\nVirtual: ${ifconfig_pool_remote_ip}")"
/usr/bin/create_notification -s news "${message}"
/usr/bin/notifier
exit 0

4. Set the scripts to 0755

chmod 0755 /etc/openvpn/up.sh
chmod 0755 /etc/openvpn/down.sh

5. Make sure scripts are backed-up

If you want to include these extra scripts in the backups of the router, add /etc/openvpn directory to the /etc/config/backups. Something like:

config generate generate
    list dirs "/etc/openvpn"

6. Restart OpenVPN

/etc/init.d/openvpn restart

7 Likes
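
A hardened variant of the up/down scripts above, as an added example that is not part of the original thread or the Turris documentation. It filters the OpenVPN-supplied values through an allowlist, builds the text with printf instead of "echo -e" (which interprets backslash escapes in the expanded values), and never returns non-zero, because OpenVPN disconnects a client whose client_connect script fails. The function names, the allowlist, the 64-character cap and the "router" fallback are assumptions; script_type is the variable OpenVPN sets to the name of the hook being run.

```shell
#!/bin/sh
# Added example: one script for both client_connect and client_disconnect.
# OpenVPN exports common_name, untrusted_ip and ifconfig_pool_remote_ip
# into the environment of these hooks.

# Keep only characters expected in a certificate CN or an IP address, so a
# value can never add lines or escape sequences to the notification.
# (Assumed allowlist; widen it if your CNs use other characters.)
clean() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9_.:@-' | cut -c1-64
}

# Build the three-line message. $1 is "connected to" or "disconnected from".
# printf never interprets backslashes inside its %s arguments.
build_message() {
    printf '%s %s: %s\nRemote:  %s\nVirtual: %s' \
        "$(clean "${common_name:-unknown}")" "$1" \
        "$(clean "${HOSTNAME:-router}")" \
        "$(clean "${untrusted_ip:-unknown}")" \
        "$(clean "${ifconfig_pool_remote_ip:-unknown}")"
}

# Send the notification if the Turris tools are installed. A failure here
# must not become the exit status of the hook, or the client is rejected.
notify() {
    [ -x /usr/bin/create_notification ] || return 0
    /usr/bin/create_notification -s news "$(build_message "$1")" || true
    /usr/bin/notifier || true
    return 0
}

# Act only when OpenVPN invoked the file as one of the two hooks.
case "${script_type:-}" in
    client-connect)    notify "connected to" ;;
    client-disconnect) notify "disconnected from" ;;
esac
```

Point both client_connect and client_disconnect in /etc/config/openvpn at this one file and keep its mode at 0755.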

I would recommend replacing the “\n\n” with “\\n”.

The difference is visible in the Foris interface, where the “\n\n” is not visualised as a line break.

Both options are working fine for the e-mail notification.

1 Like

Thank you … good job! :slight_smile:


Great :slight_smile:

Here are my scripts with different formatting, with “echo -e”, "\n" instead of “\n”

up

#!/bin/bash
message="$(echo -e "${common_name} connected      to: ${HOSTNAME} \\nRemote:  ${untrusted_ip} \\nVirtual: ${ifconfig_pool_remote_ip}")"
/usr/bin/create_notification -s news "${message}"
/usr/bin/notifier

down

#!/bin/bash
message="$(echo -e "${common_name} disconnected from: ${HOSTNAME} \\nRemote:  ${untrusted_ip} \\nVirtual: ${ifconfig_pool_remote_ip}")"
/usr/bin/create_notification -s news "${message}"
/usr/bin/notifier

2 Likes

I like your scripts. I’ll include them in the original post and give you credit.

3 Likes

Hi, it looks good. I have some notes here:

  1. "$( echo -e ...)" is useless. You can define multiline variable in shell like this:

    message="${common_name} connected from…
    Remote: …"

  2. chmod 777 OMG :scream: Never set anything to 777 please. (0)755 is all you need

Would you update the documentation in the public wiki?

1 Like

Happy to update the documentation in the public wiki - what’s the location/URL of the entry on OpenVPN client notification?

The link to the public (community) wiki is here.

1 Like

Where do the options get added? In my so-far untouched /etc/config/openvpn, I have four config openvpn '<vpn_name>' entries. Three are examples and not enabled, but I can imagine having more than one active one set up.

Do all the options listed above go outside these individual vpn configs at the top or will they need to go inside each individual vpn config that I would want this reporting?

Yes, I meant the one described in the first message of this topic. I can provide the Czech translation once the English version is ready. Thanks.

PS: if you want to include these extra scripts in the backups of the router, add /etc/openvpn directory to the /etc/config/backups. Something like:

config generate generate
    list dirs "/etc/openvpn"

If you are using the Foris OpenVPN plugin, add it to the section

config openvpn 'server_turris'
    ....

@rguerra you should add this note to the docs as well IMO ;]

I have updated the initial post with the comments shared so far. I’ve also updated the Turris Wiki accordingly.

Please let me know if there’s any additional changes that might improve things. Thanks!

2 Likes

Thanks for the hint, I did not know that it can be defined like that.

2 Likes

@vojtech.myslivec, do you know which “program” uses this config file? Is it only ssbackups (cloud backups), or also the “save configuration” button in Foris? Where is this config file documented? Can I also specify files, not just dirs? Thank you

Both “save configuration” and “ssbackups” use maintain-config-backup CLI tool and this tool reads the /etc/config/backups config.

So both tools use the same config :wink:

Some documentation is in the Cloud backups docs and source code for this tool is in turris-os-packages. As I look in the code, “dirs” stands for “any file”, so it should work well like this:

    list dirs "/etc/whatever/my_file.conf"

Please note the Cloud backups have limited size to 2 MB each.

PS: it would be better to open a new topic next time as this config has nothing in common with “OpenVPN client notification”. thanks

2 Likes

Thank you, your info really helped.

Normally I don’t misuse threads for non-relevant discussions, this one was an exception… If you can, would you move it to a new thread?

It’s ok, no problem. I think it cannot be moved in a simple way.

Hi @rguerra, I am using your scripts on my Omnia and I am very happy with them.

Recently I got an idea to indicate visually when someone is connected over the VPN. This might be useful in case you are about to unplug your Omnia from network/power.

First I wanted to retrieve the information from the /tmp/openvpn-status.log file. Unfortunately, this file is updated every minute and I wanted to visualise the change immediately.

So I went for the following solution:

  • Add the client’s IP to a file in /tmp/ when connected and enable LED usr1
  • Remove the client’s IP from the file in /tmp/ when disconnecting
  • Disable LED usr1 in case the file in /tmp/ is empty

The following lines will do the job when added to the appropriate scripts:

up.sh

# Add the client's IP to the file /tmp/openvpn-connectedclients.log
echo "${ifconfig_pool_remote_ip}" >> /tmp/openvpn-connectedclients.log
# Enable usr1 LED
rainbow usr1 enable

down.sh

# Remove the client's IP from the file /tmp/openvpn-connectedclients.log
sed -i "/^${ifconfig_pool_remote_ip}$/d" /tmp/openvpn-connectedclients.log
# Disable the LED usr1 in case the file is empty => no other OpenVPN client is connected
[ -s /tmp/openvpn-connectedclients.log ] || rainbow usr1 disable

I hope that someone might find this useful.

3 Likes

Once I add
option client_connect '/etc/openvpn/up.sh'
to the openvpn config file, I cannot connect to my VPN, I am getting an AUTH_FAILED error. Does anyone know how to resolve this?