VPN/docs/connection.md


Connection Flow with MAC Validation

Client starts OpenVPN

The user runs their .ovpn config, which includes:

auth-user-pass (username and password, prompted interactively or read from a file).

TLS client certificate and key (cert / key). The server verifies the certificate against its CA during the TLS handshake, before any username/password is exchanged, so the credential check below only ever runs for holders of a valid certificate.

OpenVPN receives login request

The OpenVPN server (server.conf) is configured with:

auth-user-pass-verify /etc/openvpn/access/auth.py via-env

This tells OpenVPN: "When a client logs in, call my Python script and pass the credentials via environment variables." via-env requires script-security 3 and puts the password into the script's environment, which other processes can read on some platforms; the alternative via-file writes username and password to a temporary file whose path is passed as the script's first argument and is the safer choice where available.

Access Server (auth.py) is executed

OpenVPN sets environment variables such as:

username (VPN login username)

password (VPN login password)

untrusted_ip / untrusted_port (the client's source address, not yet authenticated)

common_name (CN of the verified client certificate)

A MAC address is not among them: the server only ever sees packets arriving from untrusted_ip and has no way to observe the client's hardware address.

To enforce MAC binding, the client config must therefore send the MAC itself. OpenVPN forwards client environment variables whose names start with UV_ to the server when the client config also contains push-peer-info. Because the value is asserted by the client, it is a second static secret stored in the .ovpn file rather than hardware attestation: anyone who copies the config copies the MAC with it.

Example in client config:

```conf
push-peer-info
setenv UV_CLIENT_MAC 00:11:22:33:44:55
```

→ This is available to the server-side scripts as the environment variable UV_CLIENT_MAC, alongside the other peer-info variables (IV_VER, IV_PLAT, ...).

Validation logic in auth.py

auth.py looks up the username in MySQL.

It checks:

Password: the supplied password is hashed with the stored salt and compared against the stored hash.

Registered MAC address = UV_CLIENT_MAC (compare in a normalized form so case and separator differences do not cause spurious denials).

If both match → exit code 0 (success).

If either fails → exit code 1 (OpenVPN treats any non-zero exit, including a crash in the script, as deny).
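The validation step above as a complete script. This is an added example, not the project's auth.py: it assumes the client sends its MAC as UV_CLIENT_MAC (setenv UV_CLIENT_MAC plus push-peer-info), uses a constructed in-memory sqlite3 table as a stand-in for the MySQL users table, stores PBKDF2 password hashes, and additionally requires the certificate CN to equal the username so a certificate cannot be reused with another account's credentials.

```python
#!/usr/bin/env python3
"""Added example of the auth.py validation step (not the project's own code).

OpenVPN runs it via `auth-user-pass-verify ... via-env`, so the credentials
arrive as environment variables. The MAC is assumed to arrive as UV_CLIENT_MAC.
The user table is a constructed in-memory sqlite3 stand-in for the MySQL table;
with mysql-connector only the connection and the %s placeholders change.
"""
import hashlib
import hmac
import os
import sqlite3
import sys

PBKDF2_ITERATIONS = 200_000  # kept modest so the demo runs quickly; raise for production


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the table stores salt and this digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return mac.strip().lower().replace("-", ":")


def validate(env, conn: sqlite3.Connection) -> int:
    """Return the exit code OpenVPN expects: 0 = allow, 1 = deny.

    Allows only if the password matches the stored hash AND the client-asserted
    UV_CLIENT_MAC equals the registered MAC AND the certificate CN (when present)
    equals the username, binding the certificate to the account.
    """
    username = env.get("username", "")
    password = env.get("password", "")
    client_mac = normalize_mac(env.get("UV_CLIENT_MAC", ""))
    common_name = env.get("common_name", username)

    row = conn.execute(
        "SELECT salt, pw_hash, mac FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return 1

    salt, stored_hash, registered_mac = row
    # compare_digest: constant-time, and False (not an exception) on length mismatch.
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    mac_ok = hmac.compare_digest(client_mac.encode(), normalize_mac(registered_mac).encode())
    cn_ok = hmac.compare_digest(common_name.encode(), username.encode())
    # All three are evaluated before deciding; no early exit on the first failure.
    return 0 if (password_ok and mac_ok and cn_ok) else 1


def build_demo_db() -> sqlite3.Connection:
    """Constructed user table: one registered user with a known password and MAC."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, mac TEXT)"
    )
    salt = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, fixed for the demo
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice", salt, hash_password("correct horse battery staple", salt), "00:11:22:33:44:55"),
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Production: conn = mysql.connector.connect(...). Here the demo table is used.
    sys.exit(validate(os.environ, build_demo_db()))
```

The script must be executable and readable by the user OpenVPN drops privileges to (user / group in server.conf); it must not print the password, because the script's stdout and stderr end up in the OpenVPN log.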

Session Management (session.py)

When a client connects successfully, OpenVPN can run a second script through the client-connect and client-disconnect directives (the same script can serve both; OpenVPN sets script_type to client-connect or client-disconnect so it can tell which event it is handling):

```conf
client-connect /etc/openvpn/access/session.py
client-disconnect /etc/openvpn/access/session.py
```

This allows you to:

Record the session start in the DB (common_name, trusted_ip, ifconfig_pool_remote_ip are in the environment). A non-zero exit from client-connect rejects the client, so this hook can also enforce limits such as one active session per user.

Enforce a maximum session time. OpenVPN has no directive for this, so a background job must find sessions older than the limit and drop them, for example with the kill command of the management interface; alternatively auth.py can deny the re-authentication that OpenVPN performs at each TLS renegotiation (reneg-sec).

On disconnect, update the DB session table; OpenVPN supplies time_duration, bytes_received and bytes_sent for the finished session.
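The session-management script described above, as an added example rather than the project's session.py. It assumes a management interface at 127.0.0.1:7505 (management 127.0.0.1 7505 in server.conf), a maximum session length of eight hours, and a periodic job (cron, for instance) that calls expired_sessions() and kills each result; the session table is a constructed sqlite3 stand-in for the MySQL one.

```python
#!/usr/bin/env python3
"""Added example of session.py (not the project's own code).

Wired to both client-connect and client-disconnect; OpenVPN sets script_type
so the two events can be told apart. The session table is a sqlite3 stand-in
for MySQL. MAX_SESSION_SECONDS and MGMT_ADDR are assumed values.
"""
import os
import socket
import sqlite3
import sys
import time

MAX_SESSION_SECONDS = 8 * 3600          # assumed policy value
MGMT_ADDR = ("127.0.0.1", 7505)         # assumes `management 127.0.0.1 7505` in server.conf


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS sessions (
               id INTEGER PRIMARY KEY,
               common_name TEXT NOT NULL,
               remote_ip TEXT,             -- trusted_ip: peer address after authentication
               tunnel_ip TEXT,             -- ifconfig_pool_remote_ip
               started_at INTEGER NOT NULL,
               ended_at INTEGER,
               bytes_in INTEGER, bytes_out INTEGER)"""
    )
    return conn


def on_connect(env, conn, now=None) -> int:
    """client-connect: record the session start. A non-zero return would reject the client."""
    now = int(now if now is not None else time.time())
    conn.execute(
        "INSERT INTO sessions (common_name, remote_ip, tunnel_ip, started_at) VALUES (?, ?, ?, ?)",
        (env["common_name"], env.get("trusted_ip"), env.get("ifconfig_pool_remote_ip"), now),
    )
    conn.commit()
    return 0


def on_disconnect(env, conn, now=None) -> int:
    """client-disconnect: close the newest open row for this CN with OpenVPN's byte counters."""
    now = int(now if now is not None else time.time())
    conn.execute(
        """UPDATE sessions SET ended_at = ?, bytes_in = ?, bytes_out = ?
           WHERE id = (SELECT id FROM sessions
                       WHERE common_name = ? AND ended_at IS NULL
                       ORDER BY started_at DESC LIMIT 1)""",
        (now, int(env.get("bytes_received", 0)), int(env.get("bytes_sent", 0)), env["common_name"]),
    )
    conn.commit()
    return 0


def expired_sessions(conn, now, max_seconds=MAX_SESSION_SECONDS):
    """CNs whose open session has reached max_seconds; meant to run from a periodic job."""
    rows = conn.execute(
        "SELECT common_name FROM sessions WHERE ended_at IS NULL AND started_at <= ?",
        (int(now) - max_seconds,),
    ).fetchall()
    return [r[0] for r in rows]


def management_kill_command(common_name: str) -> str:
    """Management-interface command that disconnects a client by certificate CN."""
    return f"kill {common_name}\n"


def kill_via_management(common_name: str, addr=MGMT_ADDR) -> None:
    """Send the kill command; OpenVPN then runs client-disconnect, which closes the row."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(management_kill_command(common_name).encode())
        s.recv(4096)


if __name__ == "__main__":
    db = open_db(os.environ.get("SESSION_DB", "/var/lib/openvpn/sessions.db"))  # path assumed
    handlers = {"client-connect": on_connect, "client-disconnect": on_disconnect}
    sys.exit(handlers[os.environ["script_type"]](os.environ, db))
```

Killing through the management interface rather than deleting the DB row matters: the kill makes OpenVPN run client-disconnect, so the row is closed with real byte counters, and the tunnel is actually torn down. Keep the management interface bound to localhost (or a unix socket) and protected with management-client-auth, since anyone who can reach it can disconnect every user.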

Decision

If validation fails → OpenVPN rejects the connection.

If validation passes → OpenVPN allows the tunnel, assigns IP, and routes traffic.

🔧 Example Interaction Setup in server.conf

```conf
auth-user-pass-verify /etc/openvpn/access/auth.py via-env
client-connect /etc/openvpn/access/session.py
client-disconnect /etc/openvpn/access/session.py
script-security 3
```

📝 Summary

OpenVPN triggers your Python scripts at authentication and session events.

Your scripts validate the user credentials and the client-supplied UV_CLIENT_MAC against MySQL.

Session time control is also handled by your scripts (client-connect + client-disconnect, plus a periodic job that drops sessions over the limit).

OpenVPN itself doesn't know about MAC or time limits → it just calls your scripts, and your logic decides allow or deny.