[SOLVED] OpenVPN allowed hours

mad_ady

Regular Contributor
I'm using OpenVPN with my Asus (RMerlin firmware) and I'm quite happy with it.
However, I recently got a new request - to enable an account only during certain hours. E.g. the VPN account can connect only during 8:00 - 16:00, and must be disconnected after 16 (if it is connected).

I could script my way through this and use bash + cutter + mangle the router configuration to add and remove the account based on cron events, but before I start in my journey to madness, I'd like to ask if there is already an elegant way to implement this that I might not know of?

Thanks
 
Based on the number of replies, I'm guessing there isn't...
Ok, fine... I'll do it the hard way. Will try to post a guide when it's done... :)
 
Ok, I've built something along these lines:
* when disabling access, delete the user from nvram vpn_serverx_clientlist, nvram commit and restart openvpn
* when enabling access, add the user + password back to nvram vpn_serverx_clientlist, nvram commit and restart openvpn

This works beautifully, except for the part where openvpn still connects with a user that is no longer in the nvram (at least not in nvram get). Most likely the users are cached someplace else and I need to edit/restart something else.

Any idea what that could be?

Here is my current script, for reference: https://pastebin.com/ZfYF9dmp (if you run this, remember to delete temporary-user when you're done!).
 
Ok, I've dug a little through the filesystem and it looks like openvpn authenticates using libpam - with users defined in
Code:
/tmp/etc/group.openvpn
/tmp/etc/passwd.openvpn
/tmp/etc/shadow.openvpn
I can change my script to change the user there, but I wanted to ask first:
1. What is the mechanism by which a user from nvram gets configured in /tmp/etc/*.openvpn?
2. Is there a built-in command-line way to do openvpn user-management?
 
Well, apart from the *.openvpn files, I've noticed that the accounts are merged into /etc/passwd, /etc/shadow and /etc/group.
So - this would mean I could use standard usermod to enable/disable a user.

Is there a problem if I do this - apart from the lack of useradd/usermod/userdel?

Is there a better way?
 
Well, I've made it work at an acceptable level. The new script (https://pastebin.com/nLdtpaER) will enable or disable the user directly in /etc/shadow by adding a '!' to, or removing it from, the password hash string.

You will need to edit the file and set USER to the vpn user you want enabled/disabled and SERVER to server1 or server2 depending on what the user connects to.

Next, run the script from cron with either the enable or the disable parameter.

When the user is disabled, the vpn process is restarted if that user is connected, to force its disconnection. So all connected users may feel a slight disconnection.

Bugs: if the client to be disconnected uses "OpenVPN Connect", and you disable the account and the client tries to connect and fails, the client forgets the saved password :(. "OpenVPN for Android", however, doesn't have this problem.
 

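The lock/unlock approach from the last post, written out as an added example (it is not the pastebin script and not Asuswrt-Merlin code): a POSIX shell script that toggles the '!' prefix on the password-hash field of a shadow file, which is the same convention `passwd -l` / `usermod -L` use and is what a busybox router lacks, checks an OpenVPN status file (version-1 format) to see whether the user has a live session, and only then restarts the server. The shadow path, the status-file path and the restart command (`service restart_vpnserver1`) are assumptions set through SHADOW, STATUS_FILE and RESTART_CMD; point them at your router's real locations before use.

```shell
#!/bin/sh
# Added example (not the thread's pastebin script): lock or unlock an OpenVPN
# PAM user by toggling the '!' prefix on the hash field of a shadow file, and
# kick a connected session by restarting the server. SHADOW, STATUS_FILE and
# RESTART_CMD are assumptions for this example, not values from the firmware.
SHADOW="${SHADOW:-/etc/shadow}"
STATUS_FILE="${STATUS_FILE:-/tmp/openvpn_server1.status}"   # assumed path
RESTART_CMD="${RESTART_CMD:-service restart_vpnserver1}"     # assumed command

# Print the hash field of USER's entry in shadow file FILE (empty if absent).
shadow_hash() {   # $1 = user, $2 = shadow file
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Exit 0 if USER's hash starts with '!', i.e. the account is locked.
is_locked() {   # $1 = user, $2 = shadow file
    case "$(shadow_hash "$1" "$2")" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Add (lock) or strip (unlock) the leading '!' on USER's hash. Idempotent:
# locking twice never yields '!!'. Other entries are copied unchanged, and the
# file is rewritten in place via cat so its owner and mode are preserved.
set_lock() {   # $1 = user, $2 = lock|unlock, $3 = shadow file
    tmp="$3.tmp.$$"
    awk -F: -v OFS=: -v u="$1" -v mode="$2" '
        $1 == u {
            if (mode == "lock"   && substr($2, 1, 1) != "!") $2 = "!" $2
            if (mode == "unlock" && substr($2, 1, 1) == "!") $2 = substr($2, 2)
        }
        { print }
    ' "$3" > "$tmp" && cat "$tmp" > "$3"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Exit 0 if USER appears in the CLIENT LIST section of an OpenVPN status file
# ("Common Name,Real Address,..." rows, which end at the ROUTING TABLE line).
is_connected() {   # $1 = user, $2 = status file
    [ -r "$2" ] && awk -F, -v u="$1" '
        /^ROUTING TABLE/ { exit }
        $1 == u          { found = 1; exit }
        END              { exit !found }
    ' "$2"
}

# enable USER  -> unlock the account
# disable USER -> lock it and, only if USER has a live session, restart the
#                 server to tear the session down (a locked hash only blocks
#                 new logins; it does not end an established tunnel).
vpn_user_ctl() {   # $1 = enable|disable, $2 = user
    case "$1" in
        enable)  set_lock "$2" unlock "$SHADOW" ;;
        disable)
            set_lock "$2" lock "$SHADOW" || return 1
            if is_connected "$2" "$STATUS_FILE"; then
                sh -c "$RESTART_CMD"
            fi
            ;;
        *) echo "usage: $0 enable|disable USER" >&2; return 2 ;;
    esac
}

# Cron entry points (assumed script location), e.g.
#   0 8  * * * /jffs/scripts/vpn-hours.sh enable alice
#   0 16 * * * /jffs/scripts/vpn-hours.sh disable alice
[ $# -eq 0 ] || vpn_user_ctl "$@"
```

Because the lock only refuses new PAM logins, the restart is what actually enforces the 16:00 cut-off for a user who is already connected; skipping it when the status file shows no session for that user avoids dropping everyone else for nothing.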