Hi,

On Sat, Jan 20, 2024 at 07:57:17PM +0100, Bo Berglund wrote:
> >Anything can be done via --client-connect / --client-disconnect scripts.
> 
> Very interesting, I did not know about this....
> 
> It makes it possible to actually create a separate logfile for client activity
> without the overhead of the regular logs.
> 
> And it seems like a client reject could also be put into the --client-connect
> script since it gets the client's Common Name as a parameter.
> 
> So having a list of disallowed clients read by the --client-connect script makes
> it as simple as matching the provided CN value to the list and exiting non-zero if
> a match is found would disconnect the connecting client, right?

Correct :-)

> And one could do so much more with this type of script!

Indeed... like "look up in DNS or LDAP which IP address the client should
get, and return that to the openvpn process".

There is one catch: OpenVPN blocks while --client-connect executes, so
if you do something that takes more than "few milliseconds", you need
to return 2 right away ("deferred operation") and progress the parts
that take longer in the background, writing the final result to
$auth_control_file (look for "deferred" in man openvpn).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
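Added example (mine, not code from Bo's or Gert's mail and not OpenVPN project code): a POSIX sh --client-connect script that does what the exchange above describes, i.e. rejects a client whose certificate CN is on a deny list, writes its own per-client log line, and hands anything slow to a background job using the deferred-result pattern Gert mentions. Assumptions: the deny list lives at /etc/openvpn/denied-cns.txt with one CN per line and the log at /var/log/openvpn/clients.log (both placeholders); common_name, trusted_ip and ifconfig_pool_remote_ip are environment variables OpenVPN exports to the script; client_connect_deferred_file and client_connect_config_file are the variable names the --client-connect section of the OpenVPN 2.5 man page gives for deferred mode (check them against your installed version); the DNS zone vpn.example and the /24 netmask are made up for the illustration.

```shell
#!/bin/sh
# Added example: OpenVPN --client-connect script with a CN deny list, per-client
# logging and the exit-2 "deferred" pattern. Paths, the DNS zone and the netmask
# below are assumptions for the illustration, not OpenVPN defaults.

DENYLIST="${DENYLIST:-/etc/openvpn/denied-cns.txt}"      # assumed: one CN per line
CLIENT_LOG="${CLIENT_LOG:-/var/log/openvpn/clients.log}" # assumed log location

# cn_denied LISTFILE CN -> returns 0 if CN is listed, 1 otherwise.
# grep -F treats the CN as a fixed string (a CN containing '.' or '*' is not a
# regex), -x matches whole lines only (so "alice" does not match "alice2").
cn_denied() {
    list="$1"; cn="$2"
    [ -n "$cn" ] || return 1            # empty CN never matches blank lines
    [ -r "$list" ] || return 1          # missing list: nobody is denied
    grep -Fxq -- "$cn" "$list"
}

# log_client EVENT CN REAL_ADDR [VPN_IP] -> append one line to the client log.
# Shared format so a --client-disconnect script can reuse it unchanged.
log_client() {
    printf '%s %s cn=%s from=%s vpn_ip=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "${4:-}" >> "$CLIENT_LOG"
}

# defer_result FILE 0|1 -> deliver the verdict of a deferred check (1 accept,
# 0 reject). Written to a temp file and renamed so OpenVPN never sees a
# half-written file.
defer_result() {
    printf '%s' "$2" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Entry point: runs only when OpenVPN invokes the script (common_name is set
# by the daemon; it is unset when the functions above are sourced for testing).
if [ -n "${common_name:-}" ]; then
    if cn_denied "$DENYLIST" "$common_name"; then
        log_client DENIED "$common_name" "${trusted_ip:-?}"
        exit 1                          # non-zero exit: OpenVPN drops the client
    fi
    log_client CONNECT "$common_name" "${trusted_ip:-?}" "${ifconfig_pool_remote_ip:-}"

    # The daemon blocks while we run, so the DNS lookup for a per-client address
    # goes to a background job; exit 2 tells OpenVPN to wait for the result file.
    if [ -n "${client_connect_deferred_file:-}" ]; then
        cfg="${client_connect_config_file:-$1}"
        (
            # Assumed scheme: the client's fixed VPN address is the A record of
            # <CN>.vpn.example; /24 netmask is a placeholder for the pool's mask.
            ip=$(getent hosts "$common_name.vpn.example" | awk '{print $1; exit}')
            if [ -n "$ip" ] && [ -n "$cfg" ]; then
                printf 'ifconfig-push %s 255.255.255.0\n' "$ip" >> "$cfg"
            fi
            defer_result "$client_connect_deferred_file" 1
        ) &
        exit 2
    fi
    exit 0
fi
```

Hook it in with `script-security 2` and `client-connect /etc/openvpn/client-connect.sh` in the server config. One caveat for the deny-list idea: it is only evaluated at connect time, so a client that is already up stays up until it reconnects; if the goal is to lock a certificate out for good, a CRL (--crl-verify) is the mechanism that also covers the TLS handshake itself.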
