
Solved: Is there an option to disable VPN access for the "Admin" user?


data303

When you create a VPN server (OVPN), there is always an "admin" user already preconfigured which cannot be deleted or disabled. Is there a way I can disable this "admin" user so he cannot connect through the VPN?
 
Thank you, but it does not seem to work. When I enter a "Custom Configuration" in the Advanced Settings tab of the VPN server configuration, I get the error "OpenVPN server daemon failed to start. Please check your device environment or contents on the Advanced Setting page."

Code:
client-connect /jffs/scripts/ovpn-client-connect.sh

This is what I did:
  1. Ensure the option "Enable JFFS custom scripts and configs" is activated in the "Administration" section
  2. Log in via SSH and create the file, e.g. "vi /jffs/scripts/ovpn-client-connect.sh"
  3. Make the file executable: "chmod +x /jffs/scripts/ovpn-client-connect.sh"
  4. Go to the VPN Server settings and switch to "Advanced Settings"
  5. Enter the line "client-connect /jffs/scripts/ovpn-client-connect.sh" in "Custom Configuration" at the bottom.
(attached screenshot: Screenshot from 2023-12-29 15-49-42.png)


Here is the content of "/jffs/scripts/ovpn-client-connect.sh":

Code:
#!/bin/sh
[ $username == "admin" ]  && exit 1

I tried with "$username" and with just "username"; also, even when the file is empty, I always get the error "OpenVPN server daemon failed to start".

Do I need to restart the router when I make modifications in "/jffs/scripts/"?
 
If the server is failing to start it should tell you what the problem is in the router's System Log.
 
Thank you. Yes, I see "Dec 29 15:52:47 ovpn-server1[13611]: Options error: --client-connect script fails with '/jffs/scripts/ovpn-client-connect.sh': Permission denied (errno=13)".

But I don't understand why, since I have applied "chmod +x /jffs/scripts/ovpn-client-connect.sh" and can also see that the executable flag has been set on the file.

(attached screenshot: Screenshot from 2023-12-29 16-01-03.png)
 
I've just tried exactly the same thing as you did on my router and the server started up without any errors. What firmware are you using?
 
I restarted the router and the VPN server now starts with the "client-connect" script. However, I always get the error "Dec 29 16:21:25 ovpn-server1[19616]: client WARNING: Failed running command (--client-connect): external program exited with error status: 1", although I log in with a different username (not "admin").

What is the content of your script "/jffs/scripts/ovpn-client-connect.sh"? I see different suggestions here in the forum.

My firmware is "3004.388.4_0-gnuton1"
 
However I always get the error "Dec 29 16:21:25 ovpn-server1[19616]: client WARNING: Failed running command (--client-connect): external program exited with error status: 1"
So it looks like the script is matching the username test and exiting with code 1. I can't say whether that's right or wrong for your setup because I don't use Username/Password Authentication so $username doesn't exist for me.

P.S. Put $username in quotes, e.g. "$username" just to be safe.
 
...
Here is the content of "/jffs/scripts/ovpn-client-connect.sh":

Code:
#!/bin/sh
[ $username == "admin" ]  && exit 1
AFAIK, the specification for the "client-connect" option says that the cmd or script must return a success code for clients to connect, so something like this should work:
Bash:
[ $username = "admin" ] && exit 1 || exit 0

I don't know whether the current OpenVPN version in your router is enforcing this rule.
 
AFAIK, the specification for the "client-connect" option says that the cmd or script must return a success code for clients to connect, so something like this should work:
Bash:
[ $username = "admin" ] && exit 1 || exit 0

I don't know whether the current OpenVPN version in your router is enforcing this rule.
Unless set otherwise (e.g. a syntax error) the exit code is 0, so there shouldn't be any need to explicitly set it.
See post #14.
 
Last edited:
Thank you, it works now.

Here is the final content I ended up with:

Code:
#!/bin/sh
[ $username == "admin" ] && exit 1 || exit 0
 
Unless set otherwise (e.g. a syntax error) the exit code is 0, so there shouldn't be any need to explicitly set it.
Yes, that's technically correct. But based on the OP's results here:
I restarted the router and the VPN server now starts with the "client-connect" script. However, I always get the error "Dec 29 16:21:25 ovpn-server1[19616]: client WARNING: Failed running command (--client-connect): external program exited with error status: 1", although I log in with a different username (not "admin").
I thought: "Well, just make the success status explicit and see how the server reacts."
 
Yes, that's technically correct. But based on the OP's results here:

I thought: "Well, just make the success status explicit and see how the server reacts."
Ah yes, I see my mistake now. He edited his post after I replied.

When username="admin" it exits, setting rc=1. However, if username<>"admin" the test fails (rc=1) and the script also exits with rc=1 (as the test was the last command executed). So you are correct: the exit code needs to be set to 0 when the test fails.
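A fuller version of the client-connect script the thread converges on, added here as an example (it is not the thread's or the firmware's own code). It sets the exit status explicitly on every path, so the "last command decides" pitfall discussed above cannot recur, and it quotes the variable as suggested. It assumes OpenVPN's standard hook environment: $username is exported when username/password authentication is on, $common_name (the client certificate's CN) for certificate-authenticated clients, and $trusted_ip for the peer address; falling back to $common_name for certificate-only setups is this example's assumption, not something the thread tested. The name "admin" is matched exactly, as in the thread.

```shell
#!/bin/sh
# Added example (not the thread's own script): a client-connect hook for the
# router's OpenVPN server that denies the "admin" account and accepts everyone
# else. OpenVPN disconnects the client whenever this script exits non-zero, so
# the status is set explicitly on every path instead of being left to whatever
# the last command happened to return.
#
# Environment assumed from OpenVPN's script hooks: $username (set when
# username/password auth is enabled), $common_name (client certificate CN,
# always exported to client-connect), $trusted_ip (peer address). Using
# $common_name as the fallback identity is an assumption of this example.

# check_client IDENT: return 0 to allow the connection, 1 to deny it.
# Kept as a function so it can be exercised by hand, outside OpenVPN.
check_client() {
    case "$1" in
        "")    return 1 ;;   # no identity at all: fail closed
        admin) return 1 ;;   # the router's built-in login must not use the VPN
        *)     return 0 ;;   # every other account is allowed through
    esac
}

# OpenVPN always exports common_name to this hook, so inside the real hook the
# branch below is always taken. Run by hand with neither variable set, the
# script only defines check_client and finishes with status 0.
if [ -n "${username:-}${common_name:-}" ]; then
    ident="${username:-$common_name}"
    if check_client "$ident"; then
        logger -t ovpn-client-connect "allow '$ident' from ${trusted_ip:-unknown}"
        exit 0
    fi
    logger -t ovpn-client-connect "deny '$ident' from ${trusted_ip:-unknown}"
    exit 1
fi
```

The case statement copes with an empty or unset variable, which is the situation the unquoted `[ $username == "admin" ]` form breaks on (with no username the test is left with too few arguments and fails for the wrong reason). The decision is logged with logger so a denied attempt shows up in the router's System Log next to OpenVPN's own "Failed running command" warning, which is what you will otherwise see for any non-zero exit.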
 
