What keepalive settings does your enterprise's VPN use?

On the server side, I suppose

Is it “keepalive 10 60” or is it less or more than that?

This would be a question but there’s no such tag

Most enterprises use proprietary software that doesn’t allow for configs like that. They all have built-in settings that are specific to themselves.

Actually, with OpenVPN, there is one reason you might want to adjust these: OpenVPN runs on-connect/disconnect scripts blocking, in the main loop, preventing the server from handling keepalives. If your scripts run longer than the keepalive period, this will mean that all your clients disconnect…

So they don’t use keepalives?

I don’t understand this. Maybe you made some grammar mistakes or my English sucks, but I don’t get it.

I do have keepalive 10 60 in the server.conf. What scripts are you talking about?

Yes, but not like that. That looks like a line configuration for OpenVPN. Enterprise software has the necessary configurations built into it; some software doesn’t let you change stuff at that level because it’s tuned to work properly from the manufacturer.

OpenVPN has the possibility to run a script whenever certain events happen (a client connects, disconnects or times out, for instance). This is useful for custom logging or firewalling, for instance.

Configuring these scripts is done via on-* directives in the configuration file. For instance, if you add ‘on-connect /usr/local/bin/blah.sh’ to the config and restart openvpn, the script ‘blah.sh’ will be called every time a client connects.

Ah, those scripts! Yeah, my bad, sorry, now I understand.

What would be a useful timeout script typically used on the OpenVPN server? I’m not asking for the code, just the concept.

The scripts need to run as quickly as possible, since the OpenVPN process runs these in a blocking way (the server cannot process packets while the script is running).

So leave the keepalive settings as is, and focus on the runtime of your scripts.

No, I’m saying what it should do.

Whatever is needed to be done with that info:

  • custom logging, metrics and/or alerting
  • custom firewall rules
  • custom hardening / security
  • custom ip / routing requirements

Can the killing of stale connections be done via a timeout script, do you think? I’m trying to get as close to the way OpenVPN Access Server works as possible. The rep said they use a specialized service exactly for this purpose, so there never would be a case where, e.g., the client reboots without disconnecting from the VPN session first and then, because only 1 active VPN session / user is allowed, the client wouldn’t be able to reconnect to the VPN post-reboot for 1-2 minutes, give or take?

Yes, that is possible. If you are looking into replicating AS functionality, have a look at the management interface and use your creativity:

In one setup I manage I use both techniques (on-* scripts and mgmt interface) to perform exactly what you are trying to achieve.

Does the mgmt script need to be run on the VPN server?

Can you tell me what the difference between setting an aggressive keepalive vs. using a script to always interact with the management interface is, from the perspective of immediately cleaning up stale connections?

It can be on both sides of the tunnel, but it makes sense to do it on the server side, since that is a natural choke point.

Missing keepalives will kill the tunnel, but it does not close the connections running over the tunnel. So if you reconnect to the VPN server before the TCP timeout occurs, your sessions will stay established. Depending on how your setup is done, this can lead to session hijacking for tunneled traffic. There is nothing that OpenVPN itself can do to prevent this.

In order to fix this, you need to configure your VPN server with some mechanism that allows you to control the tunneled traffic. One option for that is a firewall.

So conceptually, whenever a client disconnects, you instruct OpenVPN to call a script that will kill all connections belonging to that client.

Edit: note that the mgmt interface is not used for that. I pointed out this interface because it allows you to rebuild AS functionality if you feel like it. Also note that quite some stuff that AS does is handled by software outside of the OpenVPN process.

Most likely what software are we talking? Namely?

Under Linux that would be iptables/nftables with connection tracking. Under the BSDs it would be PF.

I don’t do other OSs, so YMMV on other platforms.
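The disconnect-hook idea described above (kill the tunneled flows of a client whose session just ended, using Linux connection tracking), as an added example that is not code from anyone in this thread. It assumes a Linux server with conntrack-tools, `script-security 2` and `client-disconnect /usr/local/bin/ovpn-disconnect.sh` in server.conf (the actual OpenVPN directive names), and the environment variables OpenVPN exports to that hook (`common_name`, `ifconfig_pool_remote_ip`, `trusted_ip`, `trusted_port`, `time_duration`, `bytes_received`, `bytes_sent`); the script path is hypothetical.

```shell
#!/bin/sh
# Hypothetical OpenVPN client-disconnect hook (added example).
# The hook blocks OpenVPN's main loop, so it only builds two conntrack
# commands, writes one audit line, and exits.

# Print the conntrack delete commands for the client's tunnel address.
# Both directions are flushed: flows the client originated (--src) and
# flows addressed back to it (--dst), so a reconnecting peer that is
# handed the same pool address cannot pick up the old TCP sessions.
cleanup_cmds() {
    vpn_ip="$1"
    # Only digits and dots are accepted; this keeps shell metacharacters
    # out of the command line, it is not a full IPv4 validator.
    case "$vpn_ip" in
        ''|*[!0-9.]*) echo "cleanup_cmds: bad vpn ip '$vpn_ip'" >&2; return 1 ;;
    esac
    printf 'conntrack -D --src %s\n' "$vpn_ip"
    printf 'conntrack -D --dst %s\n' "$vpn_ip"
}

# One-line audit record built from the variables OpenVPN sets for
# client-disconnect; missing values are rendered as '?' or 0.
log_line() {
    printf 'disconnect cn=%s vpn_ip=%s peer=%s:%s dur=%ss rx=%s tx=%s\n' \
        "${common_name:-?}" "${ifconfig_pool_remote_ip:-?}" \
        "${trusted_ip:-?}" "${trusted_port:-?}" \
        "${time_duration:-0}" "${bytes_received:-0}" "${bytes_sent:-0}"
}

# Entry point: act only when OpenVPN invoked us (pool address is set).
if [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    logger -t ovpn-disconnect "$(log_line)"
    # Run the delete commands; a "0 flow entries deleted" result is fine.
    cleanup_cmds "$ifconfig_pool_remote_ip" | sh 2>/dev/null || true
fi
```

The keepalive setting still decides how quickly OpenVPN notices a dead peer and fires this hook; the hook only closes what the tunnel teardown leaves behind.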