在OpenVPN上,我安装了脚本“ post_auth_mac_address_checking.py”,以在VPN连接期间检查客户端的MAC地址。 https://openvpn.net/vpn-server-resources/access-server-post-auth-script-host-checking/ 工作正常。我修改了脚本(见下文),以将MAC地址放在本地MySQL数据库中,而不是在脚本中。 它也可以工作,但是我的问题是当我在mysql数据库中进行一些更改(添加或删除mac地址)时,OpenVPN看不到更改。
如何“强制” openvpn为每个连接执行脚本? 我需要刷新脚本的缓存吗?
谢谢您的帮助!
脚本:
#!/usr/bin/env python
import uuid
import re
import MySQLdb
import sys
from pyovpn.plugin import *
# f this is set to "NONE" or "DISABLED" then the server administrator must
# always manually register each MAC/UUID address by hand on the command line.
first_login_ip_addr="NONE"
# If False or undefined, AS will call us asynchronously in a worker thread.
# If True, AS will call us synchronously (server will block during call),
# however we can assume asynchronous behavior by returning a Twisted
# Deferred object.
SYNCHRONOUS=False
# Get authorized MAC addresses in the mysql database
conn = MySQLdb.connect(host='127.0.0.1',user='xxx',passwd='xxx',db='xxx')
with conn as cur:
cur = conn.cursor()
cur.execute("SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED")
result_iso = cur.fetchall()[0]
cur.execute("SELECT mac_address FROM whitelist_mac;")
results = cur.fetchall()
whitelistmac = [row[0] for row in results]
# this function is called by the Access Server after normal VPN or web authentication
def post_auth(authcred, attributes, authret, info):
print "********** POST_AUTH", authcred, attributes, authret, info
#get the phone's MAC address
from uuid import getnode
MAC_phone = (':'.join(re.findall('..', '%012x' % uuid.getnode())))
# get user's property list, or create it if absent
proplist = authret.setdefault('proplist', {})
# user properties to save - we will use this to pass the hw_addr_save property to be
# saved in the user property database.
proplist_save = {}
error = ""
# The 'error' text goes to the VPN client and is shown to the user.
# The 'print' lines go to the log file at /var/log/openvpnas.log (by default).
if attributes.get('vpn_auth'): # only do this for VPN authentication
hw_addr = authcred.get('client_hw_addr') # MAC address reported by the VPN client
username = authcred.get('username') # User name of the VPN client login attempt
clientip = authcred.get('client_ip_addr') # IP address of VPN client login attempt
if hw_addr or MAC_phone:
if (hw_addr or MAC_phone) in whitelistmac:
print "***** POST_AUTH MAC CHECK: account user name : %s" % username
print "***** POST_AUTH MAC CHECK: client IP address : %s" % clientip
if hw_addr:
print "***** POST_AUTH MAC CHECK: PC MAC address : %s" % hw_addr
else:
print "***** POST_AUTH MAC CHECK: Phone MAC address : %s" % MAC_phone
print "***** POST_AUTH MAC CHECK: connection attempt : SUCCESS"
else:
error = "Le client n'est pas autorisé à se connecter."
print "***** POST_AUTH MAC CHECK: account user name : %s" % username
print "***** POST_AUTH MAC CHECK: client IP address : %s" % clientip
if hw_addr:
print "***** POST_AUTH MAC CHECK: PC MAC address : %s" % hw_addr
else:
print "***** POST_AUTH MAC CHECK: Phone MAC address : %s" % MAC_phone
print "***** POST_AUTH MAC CHECK: connection attempt : FAILED"
else:
error = "L'adresse MAC du client n'a pas été diffusé."
print "***** POST_AUTH MAC CHECK: account user name : %s" % username
print "***** POST_AUTH MAC CHECK: client IP address : %s" % clientip
print "***** POST_AUTH MAC CHECK: Phone MAC address : %s" % MAC_phone
print "***** POST_AUTH MAC CHECK: PC MAC address : NONE REPORTED"
print "***** POST_AUTH MAC CHECK: action taken : VPN connection denied with a suitable error message."
print "***** POST_AUTH MAC CHECK: connection attempt : FAILED"
# process error, if one occurred
if error:
authret['status'] = FAIL
authret['reason'] = error # this error string is written to the server log file
authret['client_reason'] = error # this error string is reported to the client user
return authret, proplist_save
if conn:
conn.close()
答案 0 :(得分:0)
”如果您对mac.py文件进行了更改,则将需要再次使用上述命令将脚本的新版本加载到配置数据库中,并再次重新加载Access Server的配置。 。”
您需要删除旧脚本:
cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post_auth_script ConfigDel
./sacli start
然后,添加新脚本:
cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post_auth_script --value_file=/root/mac.py ConfigPut
./sacli start
(假设您的脚本位于/root/mac.py中)