Is it Possible to limit OpenVPN connect time?

btsucker

Occasional Visitor
Hi,

I am using 386.11 Merlin on an RT-AC66U B1. I enabled VPN server1 on my router.
Is it possible to limit the connection time for security reasons?
For example, it would force the client to disconnect after 5 mins, no matter if it's still in use or not.
I only need to use my home IP in some verification situations, so I don't need to keep the link up very long.
If it is possible, please enlighten me.

I am a newbie and not a native English speaker.
If I need to run any script, please tell me how to do it.
Thank you very much.
 
If you're using the VPN, and then you don't need it on anymore for whatever reason... can't you just turn it off in the Asus Merlin UI?
 
The reason I need to set up a VPN server on my router is that I want to let my family members or friends use the IP for verification purposes. It is usually needed for just a very short period of time, and it's hard to control when they will need it. So I wish I could just auto-disconnect them after a couple of mins, just in case they forget, or for any other security reason. Manually turning it off is not very practical. I hope you understand my situation.
 
But wouldn't you have to manually turn it on as well to let your family member use your IP for verification purposes? I'm just trying to understand the practicality? Is this how it would work?

1.) You manually turn on your VPN server
2.) At some point, perhaps a few hours later, your family member will log into the VPN and verify some IP
3.) 5 minutes after this with no more activity, you want the VPN server to turn itself off.

Correct?
 
Sort of like that. But I don't need the VPN server to turn itself off. Just log out the user after a couple of mins, for example, a 5 min hard limit. If they still need the IP, they could just log in again. I hope I could leave the VPN server on, so they don't need to call me or message me every time they need the VPN.

And if it is possible, I also hope I could limit how many clients could use the VPN at the same time. The best situation would be only one or two users at the same time, and after 5 mins auto-disconnect the user and free the resource.
 
There's probably a way to keep track of who's connected with a script, and kick them 5 minutes after they connect... but unfortunately out of my wheelhouse. I'm not seeing much as far as documentation goes that I have found about this subject. :(
 
Using OVPN custom scripts directives in the OVPN Server GUI

1684951291244.png


allows you to finely control clients when/how they connect.....and even put them on the naughty-step as punishment when they disconnect if you deem that they should endure a lockout for breach of your access rules/conditions etc.

e.g. In syslog you can see what happens when my old Samsung phone connects to OVPN Server 1

1684951358216.png


So I can apply all sorts of criteria to either reject a client user connection i.e. Too many connections, duplicates, wrong time of day etc.

Using a custom CLI script allows me to interrogate info available for a connected Server client as shown below

1684951684549.png



Item 1 shows the time the client initially connected and item 2 shows the USERNAME (followed by CLIENT ID and PEER ID).

So a crude cron job script could easily check every minute to see if any client has been connected for more than 5 minutes and act accordingly (not sure if I ever posted the scripts years ago?)

EDIT: I did rewrite 'VPN_ServerStatus.sh' as 'OpenVPNServerStatus.sh' to apply time and traffic limits; see this post!

Anyway, the only thing I am not sure of is if a KILL command to the USERNAME does still correctly terminate the designated client connection session without further scripting i.e. use of OVPN 'client-disconnect' feature.

However, if you only have 1 inbound client connection (or you don't mind bouncing the server regardless) then sending SIGUSR1 to the server works!
 
Last edited:
Thank you very much for your reply, but I need a little bit more explanation here.
I followed your old post, but I am not sure which code or scripts I should use, and where I should put them.
I know I need to log in to the router over SSH and paste the scripts.
I have already enabled the JFFS custom scripts and SSH service in Merlin, but I really need more help with the following steps.
 
There's probably a way to keep track of who's connected with a script, and kick them 5 minutes after they connect... but unfortunately out of my wheelhouse. I'm not seeing much as far as documentation goes that I have found about this subject.
No matter what, I still want to thank you for responding to my question and taking the time to search for a possible solution for me. I really appreciate it. 🥹
 
EDIT Updated 8th Jun 2023 (version 0.99Alpha2)
  • FIX: Ignore any OVPN Server if it is DOWN
  • FIX: Monitoring of a single username
  • NEW: Optionally revoke/deny/block the offending user for 10 minutes


Copy'n'paste the following crude script to

/jffs/scripts/LimitOVPNSession.sh

Code:
#!/bin/sh
VER="0.99Alpha2"




# FUNCTIONS
# =========
Say(){
   echo -e $$ $@ | /usr/bin/logger -st "($(basename $0))"
}




#########################################################Main#############################################
Main() { true; }            # Syntax that is Atom Shellchecker compatible!


# cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh SGS8 enforce server"


LIMIT_USER=$1            # User (or CSV list of users) to be time limited on ANY server
TIME_LIMIT=300           # Max 5 mins (value is in seconds)


ENFORCE=$2
BOUNCE_SERVER=$3


for VPN_ID in 1 2
    do

          if [ "$(nvram get vpn_server${VPN_ID}_state)" != "2" ];then            # Patch Alpha2
            echo -e $cRESET"\n\tOpenVPN Server ${VPN_ID} not ACTIVE!"
            continue
        fi

        # Request the server to dump current stats to its repository '/etc/openvpn/server${VPN_ID}/status'  - unfortunately also to Syslog
        killall -USR2 vpnserver$VPN_ID

        #sleep 1        # Not necessary but status file contents surely should be refreshed by now!

        # Get ALL connected clients and check connected time
        for LINE in $(grep -E "^CLIENT_LIST" /etc/openvpn/server${VPN_ID}/status | tr ' ' '-')
            do
                Say $LINE
                USERNAME=$(echo $LINE | awk 'BEGIN { FS=","} {print $10}')
                CONNECT_TIME=$(echo $LINE | awk 'BEGIN { FS=","} {print $9}')

                NOW=$(date +%s)
                DURATION=$((NOW-CONNECT_TIME))


                # 'limit [enforce]' syntax is very crude without the Management Interface.
                # Terminating a USERNAME or one of its connections is tricky
                #
                # Revoking a certificate for a misbehaving client together with 'disable' in CCD would have to be in sequence
                LIMIT_USER=$(echo "$LIMIT_USER" | tr ',' ' ')                    # Allow CSV list of users to check
                # Exact whole-name match, so a monitored 'userA' does not also match 'vpnuserA'
                if [ -n "$USERNAME" ] && echo " ${LIMIT_USER} " | grep -qF " ${USERNAME} ";then    # Patch Alpha2
                    if [ $DURATION -gt $TIME_LIMIT ];then
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session duration EXCEEDS $TIME_LIMIT second session threshold limit! - Action=${ENFORCE} $BOUNCE_SERVER"
                        if [ -n "$ENFORCE" ];then
                            if [ -n "$BOUNCE_SERVER" ];then
                                # If the revoke repository exists then add the offending user
                                if [ -f /jffs/configs/BlockedVPN${VPN_ID}_Users ] && ! grep -qxF -e "$USERNAME" /jffs/configs/BlockedVPN${VPN_ID}_Users;then   # Patch Alpha2 (exact whole-line match)
                                    echo -e "$USERNAME" >> /jffs/configs/BlockedVPN${VPN_ID}_Users                                  # Patch Alpha2
                                    # Remove the user from the revoke repository after 10 minutes
                                    [ -f /jffs/scripts/UnRevokeOVPN_User.sh ] && /jffs/scripts/UnRevokeOVPN_User.sh $USERNAME &     # Patch Alpha2
                                fi
                                killall -SIGUSR1 vpnserver${VPN_ID}    # Bounce the server!  - but client could immediately auto reconnect?
                            else
                                killall $USERNAME        # Sadly this doesn't work
                            fi
                        fi
                    else
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session has been ACTIVE for $(date -d @"$DURATION" "+%T")"
                    fi
                fi
            done
    done




exit 0

then make it executable and probably advisable if you also explicitly ensure the script file is UNIX rather than Windoze format
Code:
dos2unix /jffs/scripts/LimitOVPNSession.sh
chmod +x /jffs/scripts/LimitOVPNSession.sh

Then test the crude script.

e.g. retrieve a list of connected clients
Code:
/jffs/scripts/LimitOVPNSession.sh

(LimitOVPNSession.sh): 2021 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,6804,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

I only have one client connected, so you can test if the script can determine how long a matching USERNAME has been connected

e.g.
Code:
/jffs/scripts/LimitOVPNSession.sh SGS8

(LimitOVPNSession.sh): 2074 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 2074 VPN Server 1 Client user 'SGS8' Session has been ACTIVE for 00:00:17

If you check again after 5 mins at least, you should get the exceeded warning
Code:
/jffs/scripts/LimitOVPNSession.sh SGS8

(LimitOVPNSession.sh): 8177 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 8177 VPN Server 1 Client user 'SGS8' Session has been ACTIVE for 00:06:57

(LimitOVPNSession.sh): 8177 VPN Server $VPN_ID Client user 'SGS8' Session duration EXCEEDS 300 second session threshold limit! - Action=

Now you can test if the script can crudely RESTART the server if ANY client is connected for more than 5 mins.

NOTE: If this hack is not useful or too disruptive then do not proceed.

Code:
/jffs/scripts/LimitOVPNSession.sh SGS8 enforce server

(LimitOVPNSession.sh): 2074 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 14455 VPN Server 1 Client user 'SGS8' Session duration EXCEEDS 300 second session threshold limit! - Action=enforce server

You can create a cron job to run every minute to perform the session limit check.

Copy'n'paste the following (where xxxxxx is the USERNAME to be managed) into

/jffs/scripts/init-start

Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh xxxxxx enforce server"
 
Last edited:
And if it is possible, I also hope I could limit how many clients could use the VPN at the same time. The best situation would be only one or two users at the same time, and after 5 mins auto-disconnect the user and free the resource.

To limit the number of concurrent connected clients

EDIT Updated 8th Jun 2023 (version v1.xxAlpha2)
  • NEW: Block user if defined in revoke repository e.g. '/jffs/configs/BlockedVPN1_Users'
EDIT Updated 9th Jun 2023 (version v1.xxAlpha3)
  • FIX: Blocking of revoked users.

Copy'n'paste the following crude script to

/jffs/scripts/VPNClientConnect.sh

Code:
#!/bin/sh
VER="v1.xxAlpha3"

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}
SayT(){
   echo -e $$ $@ | logger -t "($(basename $0))"
}
ListConnectedClients () {

    local SERVERID=$1
    local CNT=0

    shift 1

    for PID in "$@"
        do
            if [ -n "$PID" ];then
                kill -SIGUSR2 $PID
                CNT=$(grep -E "^CLIENT_LIST" /etc/openvpn/server${SERVERID}/status | wc -l)
                echo $CNT
                if [ "$CNT" -gt 0 ];then
                    return 0
                else
                    return 1
                fi
            else
                echo 0
            fi
        done
}
#===============================================MAIN==========================================================================
Main() { true; }            # Syntax that is Atom Shellchecker compatible!

FIRMWARE=$(echo $(nvram get buildno) | awk 'BEGIN { FS = "." } {printf("%03d%02d",$1,$2)}')

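VPN_SERVER_ID=${dev:4:1}
[ -z "$VPN_SERVER_ID" ] && VPN_SERVER_ID=1
# OTHER_VPN_ID is used further down but was never set; point it at the other server instance
[ "$VPN_SERVER_ID" = "1" ] && OTHER_VPN_ID=2 || OTHER_VPN_ID=1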

if [ "$common_name" == "client" ];then
    Say $VER "VPN Server" $VPN_SERVER_ID "Client user '"$username"' CCD configuration starting...." [$@]
else
    Say $VER "VPN Server" $VPN_SERVER_ID "Client CN '"$common_name"' CCD configuration starting...." [$@]
fi


# Configure the VPN Client CCD/file dynamically
STATUS="OK"                    # Let's be positive! ;-)
FAIL_REASON=99                # Default FAIL code

MAX_CLIENTS=999        # Maximum number of clients for Server1 (Load Balance)
# Allow overriding by defining custom NVRAM variable perhaps controlled by cron job for acceptable periods e.g 09:00-17:00/00:00-09:00
[ -n "$(nvram get MyMaximumclientsovpn${VPN_SERVER_ID})" ] && MAX_CLIENTS=$(nvram get MyMaximumclientsovpn${VPN_SERVER_ID})

PID="$(pidof vpnserver${VPN_SERVER_ID})"
CONNECTED=$(ListConnectedClients "$VPN_SERVER_ID" "$PID")
if [ $((CONNECTED+1)) -le $MAX_CLIENTS ];then
    [ "$STATUS"  == "OK" ] && Say "VPN Server" $VPN_SERVER_ID "Clients connected count is "$((CONNECTED))
    PIDOTHER="$(pidof vpnserver${OTHER_VPN_ID})"
    CONNECTEDOTHER=$(ListConnectedClients "$OTHER_VPN_ID" "$PIDOTHER")
    Say "VPN Server" $OTHER_VPN_ID "Clients connected count is "$((CONNECTEDOTHER))
else
    STATUS="FAIL"                # Refuse the connection
    FAIL_REASON=90
    Say "VPN Server" $VPN_SERVER_ID "Clients connected count "$((CONNECTED+1))" exceeds Maximum ALLOWED ($MAX_CLIENTS) rc="$FAIL_REASON
fi

# Is a user revoked?
if [ -n "$username" ] && [ -f /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users ] && grep -qxF -e "$username" /jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users;then   # Patch Alpha3 Patch Alpha2 (exact whole-line match)
    Say "VPN Server" $VPN_SERVER_ID "Client '$username' access revoked (see '/jffs/configs/BlockedVPN${VPN_SERVER_ID}_Users')"
    STATUS="FAIL"                # Refuse the connection
    FAIL_REASON=91
fi


Say "VPN Server" $VPN_SERVER_ID "Client CCD configuration ended."
if [ "$STATUS" == "OK" ];then
    exit 0
else
    exit $FAIL_REASON                # Kill client connection
fi

then add the OpenVPN client-connect /jffs/scripts/VPNClientConnect.sh directive to the OpenVPN Server GUI custom field.
 
Last edited:
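
An added example (not the thread author's code) of the 10-minute lockout idea: each entry carries its own expiry time, so a client that auto-reconnects after the server bounce is refused until the entry lapses, without a separate un-revoke job. It swaps the username-only file used above for a hypothetical "username expiry_epoch" format; lockout_add, lockout_active, connect_decision and that file format are assumptions, and the 0/91 exit codes follow the script above.

```shell
#!/bin/sh
# Added example, not the thread author's code.
# Lockout file format (an assumption of this example): "username expiry_epoch" per line.

# lockout_add FILE USERNAME SECONDS [NOW_EPOCH]
# Refuse USERNAME until NOW+SECONDS; drops expired entries and any
# earlier entry for the same user. Returns 2 on unusable arguments.
lockout_add() {
    la_file=$1; la_user=$2; la_secs=$3; la_now=${4:-$(date +%s)}
    # Store plain usernames only, so a crafted name cannot add lines or fields
    case $la_user in ''|*[!A-Za-z0-9._@-]*) return 2 ;; esac
    case $la_secs in ''|*[!0-9]*) return 2 ;; esac
    case $la_now  in ''|*[!0-9]*) return 2 ;; esac
    [ -f "$la_file" ] || : > "$la_file" || return 1
    la_tmp="$la_file.$$"
    # Keep other users' entries that have not expired yet (string compare on the name)
    awk -v u="$la_user" -v now="$la_now" \
        '($1 "") != u && $2 ~ /^[0-9]+$/ && $2 + 0 > now + 0' \
        "$la_file" > "$la_tmp" || return 1
    printf '%s %s\n' "$la_user" "$((la_now + la_secs))" >> "$la_tmp"
    mv "$la_tmp" "$la_file"
}

# lockout_active FILE USERNAME [NOW_EPOCH]
# Exit status 0 while USERNAME has an unexpired entry, 1 otherwise.
lockout_active() {
    [ -n "$2" ] && [ -f "$1" ] || return 1
    awk -v u="$2" -v now="${3:-$(date +%s)}" '
        ($1 "") == u && $2 ~ /^[0-9]+$/ && $2 + 0 > now + 0 { hit = 1 }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# connect_decision FILE USERNAME [NOW_EPOCH]
# What a client-connect script would exit with: 0 accepts, 91 refuses.
connect_decision() {
    if lockout_active "$1" "$2" "$3"; then
        return 91
    fi
    return 0
}

# Constructed demo with fixed clock values
demo_file=$(mktemp)
lockout_add "$demo_file" vpnuserA 600 1685093403      # locked out until 1685094003
rc=0; connect_decision "$demo_file" vpnuserA 1685093410 || rc=$?
echo "reconnect 7 s after the bounce    -> exit $rc"
rc=0; connect_decision "$demo_file" vpnuserA 1685094003 || rc=$?
echo "reconnect 600 s after the bounce  -> exit $rc"
rm -f "$demo_file"
```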
Copy'n'paste the following crude script to

/jffs/scripts/LimitOVPNSession.sh

Code:
#!/bin/sh
VER="0.99Alpha1"


# FUNCTIONS
# =========
Say(){
   echo -e $$ $@ | /usr/bin/logger -st "($(basename $0))"
}


#########################################################Main#############################################
Main() { true; }            # Syntax that is Atom Shellchecker compatible!

# cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh SGS8 enforce server"

LIMIT_USER=$1            # User to be time limited on ANY server for
TIME_LIMIT=300            # Max 5 mins

ENFORCE=$2
BOUNCE_SERVER=$3

for VPN_ID in 1 2
    do
  
        # Request the server to dump current stats to its repository '/etc/openvpn/server${VPN_ID}/status'  - unfortunately also to Syslog
        killall -USR2 vpnserver$VPN_ID
      
        #sleep 1        # Not necessary but status file contents surely should be refreshed by now!
      
        # Get ALL connected clients and check connected time
        for LINE in $(grep -E "^CLIENT_LIST" /etc/openvpn/server${VPN_ID}/status | tr ' ' '-')
            do
                Say $LINE
                USERNAME=$(echo $LINE | awk 'BEGIN { FS=","} {print $10}')
                CONNECT_TIME=$(echo $LINE | awk 'BEGIN { FS=","} {print $9}')
              
                NOW=$(date +%s)
                DURATION=$((NOW-CONNECT_TIME))

                # 'limit [enforce]' syntax is very crude without the Management Interface.
                # Terminating a USERNAME or one of its connections is tricky
                #
                # Revoking a certificate for a misbehaving client together with 'disable' in CCD would have to be in sequence
                if [ "$USERNAME" == "$LIMIT_USER" ];then           
                    if [ $DURATION -gt $TIME_LIMIT ];then
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session duration EXCEEDS $TIME_LIMIT second session threshold limit! - Action=${ENFORCE} $BOUNCE_SERVER"
                        if [ -n "$ENFORCE" ];then
                            if [ -n "$BOUNCE_SERVER" ];then
                                killall -SIGUSR1 vpnserver${VPN_ID}    # Bounce the server!  - but client will immediately auto reconnect?
                            else
                                killall $USERNAME        # Sadly this doesn't work
                            fi
                        fi
                    else
                        Say "VPN Server $VPN_ID Client user '$USERNAME' Session has been ACTIVE for $(date -d @"$DURATION" "+%T")"
                    fi
                fi
            done
    done


exit 0

then make it executable and probably advisable if you also explicitly ensure the script file is UNIX rather than Windoze format
Code:
dos2unix /jffs/scripts/LimitOVPNSession.sh
chmod +x /jffs/scripts/LimitOVPNSession.sh

Then test the crude script.

e.g. retrieve a list of connected clients
Code:
/jffs/scripts/LimitOVPNSession.sh

(LimitOVPNSession.sh): 2021 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,6804,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

I only have one client connected, so you can test if the script can determine how long a matching USERNAME has been connected

e.g.
Code:
/jffs/scripts/LimitOVPNSession.sh SGS8

(LimitOVPNSession.sh): 2074 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 2074 VPN Server 1 Client user 'SGS8' Session has been ACTIVE for 00:00:17

If you check again after 5 mins, you should get the exceeded warning
Code:
/jffs/scripts/LimitOVPNSession.sh SGS8

(LimitOVPNSession.sh): 8177 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 8177 VPN Server 1 Client user 'SGS8' Session has been ACTIVE for 00:05:17

(LimitOVPNSession.sh): 8177 VPN Server $VPN_ID Client user 'SGS8' Session duration EXCEEDS 300 second session threshold limit! - Action=

Now you can test if the script can crudely RESTART the server if ANY client is connected for more than 5 mins.

NOTE: If this hack is not useful or too disruptive then do not proceed.

Code:
/jffs/scripts/LimitOVPNSession.sh SGS8 enforce server

(LimitOVPNSession.sh): 2074 CLIENT_LIST,client,31.94.64.125:40839,10.8.0.88,,10518,3191,Fri-May-26-10:23:06-2023,1685092986,SGS8,1,0

(LimitOVPNSession.sh): 14455 VPN Server 1 Client user 'SGS8' Session duration EXCEEDS 300 second session threshold limit! - Action=enforce server

You can create a cron job to run every minute to perform the session limit check.

Copy'n'paste the following (where xxxxxx is the USERNAME to be managed) into

/jffs/scripts/init-start

Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh xxxxxx enforce server"
Thank you for your reply. The script file works. But I have some questions.

1. I created the init-start file and rebooted. It doesn't add the cron job. I tried "cru l" and it doesn't show up in the list.
I did try to "cru a" the job over SSH. It works, but it is lost every time the router reboots.

2. I will have 4 user accounts on my VPN server. Do I just add 4 cron job lines with different usernames?

3. If I understand it right, this method does not just kick out the user. It restarts the VPN server. So if 2 users are logged in at the same time and one of them stays over 5 mins, both of them will lose the connection due to the server restart, right? I can accept this, I just want to be sure. And I might need to tell the users that this could happen and that it's not a VPN server problem.

4. If in the future I don't need this anymore, I just rename the script file to maybe "XXX.bak" and rm the init-start file, right?
 
Last edited:
Thank you for your reply. The script file works. But I got some errors and questions.

1. Every time I run the script I get a small notice "line 1: =0.99Alpha1: not found". Should I ignore it?
Did you incorrectly copy'n'paste?

The first line of any router shell script should normally be
Code:
#!/bin/sh
or if written in Bash
Code:
#!/full_path_to/bash
etc.
2. I created the init-start file and rebooted. It doesn't add the cron job. I tried "cru l" and it doesn't show up in the list.
I did try to "cru a" the job over SSH. It works, but it is lost every time the router reboots.
Did you make the init-start script executable?

i.e. check the attributes of all files in the directory
Code:
ls -l /jffs/scripts
3. I will have 4 user accounts on my VPN server. Do I just add 4 cron job lines with different usernames?
It would be better if you have just the single cron job and instead look for a match for the 4 users in the script...

i.e. change line
Code:
if [ "$USERNAME" == "$LIMIT_USER" ];then
to
Code:
if [ "$USERNAME" == "user1" ] || [ "$USERNAME" == "user2" ] || [ "$USERNAME" == "user3" ] || [ "$USERNAME" == "user4" ];then
4. If I understand it right, this method does not just kick out the user. It restarts the VPN server. So if 2 users are logged in at the same time and one of them stays over 5 mins, both of them will lose the connection due to the server restart, right? I can accept this, I just want to be sure. And I might need to tell the users that this could happen and that it's not a VPN server problem.
Correct. If the OpenVPN management console could be used on the router then a simple 'kill username' would work, but I couldn't get it to work etc, so unfortunately the server is restarted.
5. If in the future I don't need this anymore, I just rename the script file to maybe "XXX.bak" and rm the init-start file, right?
Yes, although init-start could be used by other scripts, so simply remove the line containing cru a
 
Last edited:
1. That error was just a copy and paste mistake. My bad, sorry.

2. I edited the LimitOVPNSession.sh file according to your suggestion. I just added 2 users, "vpnuserA" and "vpnuserB", for the test.
I run the script over SSH and it correctly shows which user is connected to the VPN and for how long. It also shows a warning if the user stays over 300 sec.
But how do I use this new script to disconnect (restart server) users? If I use
Code:
/jffs/scripts/LimitOVPNSession.sh username enforce server
I will still need to add 4 cron jobs.

3. I did
Code:
ls -l /jffs/scripts
LimitOVPNSession.sh and init-start are both -rwxrwxrwx


4. I didn't add the VPNClientConnect.sh file to test yet. I'm still trying to get the first script to work. Do I need both files to make it work?
 
Last edited:
1. That error was just a copy and paste mistake. My bad, sorry.
It happens
2. I edited the LimitOVPNSession.sh file according to your suggestion. I just added 2 users, "vpnuserA" and "vpnuserB", for the test.
I run the script over SSH and it correctly shows which user is connected to the VPN and for how long. It also shows a warning if the user stays over 300 sec.
But how do I use this new script to disconnect (restart server) users? If I use
Code:
/jffs/scripts/LimitOVPNSession.sh username enforce server
I will still need to add 4 cron jobs.
No, the script args 'enforce server' will auto restart the server so only one cron job is required for any number of defined users.
3. I did
Code:
ls -l /jffs/scripts
LimitOVPNSession.sh and init-start are both -rwxrwxrwx
If you manually run init-start, does it show any errors?
4. I didn't add the VPNClientConnect.sh file to test yet. I'm still trying to get the first script to work. Do I need both files to make it work?

No
 
OK, some updates.

1.
Do you mean I just use the script like
Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh"

Even when I successfully add it to the job list manually, it doesn't seem to auto-restart the VPN server if a user stays longer than 300 sec. How do I use it properly to manage multiple users in one cron job?

2.
There's no error if I manually run init-start,
and with
Code:
cru l
I can see LimitOVPNSession added to the job list after I run it.
So I guess the file is OK. But Merlin does not use or load it on every reboot??
 
Do you mean I just use the script like
Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh"

Even when I successfully add it to the job list manually, it doesn't seem to auto-restart the VPN server if a user stays longer than 300 sec. How do I use it properly to manage multiple users in one cron job?
As shown in post #10 you need to specify 3 args to the script to tell it to perform the desired action.

Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh xxxxxx enforce server"

You will see a line in syslog if the 300 sec time-limit has been exceeded by a client, together with the action= that will be performed.
Do you have any messages?

2.
There's no error if I manually run init-start,
and with
Code:
cru l
I can see LimitOVPNSession added to the job list after I run it.
So I guess the file is OK. But Merlin does not use or load it on every reboot??

You need to ensure that custom scripts are enabled in the GUI see Administration>System TAB and set Enable JFFS custom scripts and configs=YES
 
Last edited:
Just a quick reply. I am not at home right now.

Yes, I have enabled the custom scripts in Merlin.

I will test the script when I get home. But I am still confused about what you mean.
Can you give me an example of how to set up the cru command with the script?
I have created 2 test accounts on my VPN server now, "vpnuserA" and "vpnuserB".
How should I use one cru command to check both of these accounts?
Do you mean like
Code:
/jffs/scripts/LimitOVPNSession.sh vpnuser1 enforce server /jffs/scripts/LimitOVPNSession.sh vpnuser2 enforce server

just repeat for all users but in one line?
 
Last edited:
Did you alter the script to hardcode the USERNAMEs to monitor as instructed in post #13?

i.e.


Issue the following command to see if you get the same response
Code:
grep -F '"$USERNAME" == "$LIMIT_USER"' /jffs/scripts/LimitOVPNSession.sh

                if [ "$USERNAME" == "$LIMIT_USER" ];then
If the response is returned then you need a new version of the script that allows your cron job to pass the list of USERNAMEs to monitor

i.e. replace line:
Code:
if [ "$USERNAME" == "$LIMIT_USER" ];then
with two lines:
Code:
LIMIT_USER=$(echo "$LIMIT_USER" | tr ',' ' ')                    # Allow CSV list of users to check
if [ -n "$USERNAME" ] && echo " $LIMIT_USER " | grep -qF " $USERNAME ";then    # Exact whole-name match; also matches the last name in the list

then you have one cron job and you pass the list of USERNAMEs you want monitored.

e.g.
Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh 'vpnuserA,vpnuserB' enforce server"
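
An added example, not part of the original posts or the author's scripts: a stand-alone check that parses the CLIENT_LIST status lines shown in this thread and lists the sessions of monitored users that exceed the time limit, matching usernames exactly against a comma-separated list. The names over_limit_sessions and write_sample_status and the sample status file (documentation addresses) are constructed for illustration; the field positions are taken from the status line in the thread.

```shell
#!/bin/sh
# Added example, not the thread author's script.
# Field positions follow the CLIENT_LIST status line shown in the thread:
#   $3 real address (IP:port)  $9 connect time (epoch)  $10 username  $11 client ID

# over_limit_sessions STATUS_FILE USER_CSV LIMIT_SECONDS [NOW_EPOCH]
# Prints "username client_id real_address duration_seconds" for every session
# of a listed user that is older than LIMIT_SECONDS.
# Returns 2 if the file is unreadable or a number is malformed.
over_limit_sessions() {
    ol_file=$1; ol_users=$2; ol_limit=$3; ol_now=${4:-$(date +%s)}
    [ -r "$ol_file" ] || return 2
    case $ol_limit in ''|*[!0-9]*) return 2 ;; esac
    case $ol_now   in ''|*[!0-9]*) return 2 ;; esac

    awk -F',' -v users="$ol_users" -v limit="$ol_limit" -v now="$ol_now" '
        BEGIN {
            # Build an exact-match set, so "userA" never matches "vpnuserA"
            n = split(users, u, ",")
            for (i = 1; i <= n; i++) if (u[i] != "") watch[u[i]] = 1
        }
        $1 != "CLIENT_LIST" || NF < 11 { next }   # headers, routing table, END
        !($10 in watch)                { next }   # not a monitored user
        $9 !~ /^[0-9]+$/               { next }   # malformed connect time
        (now - $9 > limit) { printf "%s %s %s %d\n", $10, $11, $3, now - $9 }
    ' "$ol_file"
}

# Constructed sample status file (not captured from a real server).
# All users share the common name "client", so only the username, client ID
# and real address tell the sessions apart.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN status (constructed sample)
TIME,Fri May 26 10:30:03 2023,1685093403
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,client,192.0.2.10:40839,10.8.0.88,,10518,3191,Fri May 26 10:23:06 2023,1685092986,vpnuserA,1,0
CLIENT_LIST,client,192.0.2.11:51000,10.8.0.89,,2048,1024,Fri May 26 10:28:03 2023,1685093283,vpnuserB,2,1
CLIENT_LIST,client,198.51.100.7:33000,10.8.0.90,,900,800,Fri May 26 10:20:03 2023,1685092803,xvpnuserA,3,2
CLIENT_LIST,client,198.51.100.8:33001,10.8.0.91,,900,800,Fri May 26 10:20:03 2023,1685092803,UNDEF,4,3
END
EOF
}

# Demo with a fixed clock: only vpnuserA (417 s) is over the 300 s limit;
# vpnuserB (120 s), the look-alike xvpnuserA and UNDEF are not reported.
sample=$(mktemp)
write_sample_status "$sample"
over_limit_sessions "$sample" "vpnuserA,vpnuserB" 300 1685093403
# -> vpnuserA 1 192.0.2.10:40839 417
rm -f "$sample"
```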
 
Some updates.

I think I got the script to work right.
I use

Code:
cru a LimitOVPNSession "*/1 * * * * /jffs/scripts/LimitOVPNSession.sh vpnuserA vpnuserB enforce server"

Now it will check the vpnuserA and vpnuserB user accounts; if either of them stays over 5 mins it will auto-restart the VPN server. And it also leaves the other accounts that I didn't add to the script alone.

Sadly, I added this line to the init-start file, but it still didn't load the job after reboot. I rebooted the router and checked with
Code:
cru l
LimitOVPNSession is not on the list.

I noticed that in your script you mentioned the client side might just auto-reconnect after the server restart. Since the script is working, I tried to test it more thoroughly, and I think you are right. I used the OpenVPN app on my phone to test it. After the server restart, it just auto-reconnects to the VPN. If the user's online activities have some buffer (like streaming video), they probably won't even notice the connection was lost.
 
