Signed-off-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V5: Fix typos, clarify man page section about deferred client-connect
script. Add section to Changes.rst
Patch V6: Convert manpage to rst
It also incorporates suggested changes from Richard Bonhomme
<tincanteksup@gmail.com> [0]
[0] Message-ID: <
82c2d70f-e2f9-f810-2c55-
788358a0cb08@gmail.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20331.h
tml
Patch V7: Re-include the changes of Changes.rst and openvpn-plugin.h
Clarify some parts of the documentation.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20200720142703.3324-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Asynchronous (deferred) authentication support for auth-pam plugin.
See src/plugins/auth-pam/README.auth-pam for details.
+Deferred client-connect
+ The ``--client-connect`` option and the connect plugin API allow
+ asynchronous/deferred return of the configuration file in the same way
+ as the auth-plugin.
+
Faster connection setup
A client will signal in the ``IV_PROTO`` variable that it is in pull
mode. This allows the server to push the configuration options to
This directory will be used by in the following cases:
- * ``--client-connect`` scripts to dynamically generate client-specific
- configuration files.
+ * ``--client-connect`` scripts and :code:`OPENVPN_PLUGIN_CLIENT_CONNECT`
+ plug-in hook to dynamically generate client-specific configuration
+ :code:`client_connect_config_file` and return success/failure via
+ :code:`client_connect_deferred_file` when using deferred client connect
+ method
- * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plugin hook to return
- success/failure via ``auth_control_file`` when using deferred auth
+ * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns
+ success/failure via :code:`auth_control_file` when using deferred auth
method
* :code:`OPENVPN_PLUGIN_ENABLE_PF` plugin hook to pass filtering rules
returns a non-zero error status, it will cause the client to be
disconnected.
+ If a ``--client-connect`` wants to defer the generating of the
+ configuration then the script needs to use the
+ :code:`client_connect_deferred_file` and
+ :code:`client_connect_config_file` environment variables, and write
+ status accordingly into these files. See the `Environmental Variables`_
+ section for more details.
+
--client-disconnect cmd
Like ``--client-connect`` but called on client instance shutdown. Will
not be called unless the ``--client-connect`` script and plugins (if
Total number of bytes sent to client during VPN session. Set prior to
execution of the ``--client-disconnect`` script.
+:code:`client_connect_config_file`
+ The path to the configuration file that should be written to by the
+ ``--client-connect`` script (optional, if per-session configuration
+ is desired). This is the same file name as passed via command line
+ argument on the call to the ``--client-connect`` script.
+
+:code:`client_connect_deferred_file`
+ This file can be optionally written to in order to to communicate a
+ status code of the ``--client-connect`` script or plgin. Only the
+ first character in the file is relevant. It must be either :code:`1`
+ to indicate normal script execution, :code:`0` indicates an error (in
+ the same way that a non zero exit status does) or :code:`2` to indicate
+ that the script deferred returning the config file.
+
+ For deferred (background) handling, the script or plugin MUST write
+ :code:`2` to the file to indicate the deferral and then return with
+ exit code :code:`0` to signal ``deferred handler started OK``.
+
+ A background process or similar must then take care of writing the
+ configuration to the file indicated by the
+ :code:`client_connect_config_file` environment variable and when
+ finished, write the a :code:`1` to this file (or :code:`0` in case of
+ an error).
+
+ The absence of any character in the file when the script finishes
+ executing is interpreted the same as :code:`1`. This allows scripts
+ that are not written to support the defer mechanism to be used
+ unmodified.
+
:code:`common_name`
The X509 common name of an authenticated client. Set prior to execution
of ``--client-connect``, ``--client-disconnect`` and
* OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure
*
* In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by
- * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous
- * authentication where the plugin (or one of its agents) may indicate
- * authentication success/failure some number of seconds after the return
- * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single
- * char to the file named by auth_control_file in the environmental variable
- * list (envp).
+ * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_CLIENT_CONNECT and
+ * OPENVPN_PLUGIN_CLIENT_CONNECT_V2. This enables asynchronous
+ * authentication or client connect where the plugin (or one of its agents)
+ * may indicate authentication success/failure or client configuration some
+ * number of seconds after the return of the function handler.
+ * For OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY and OPENVPN_PLUGIN_CLIENT_CONNECT
+ * this is done by writing a single char to the file named by
+ * auth_control_file/client_connect_deferred_file
+ * in the environmental variable list (envp).
+ *
+ * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and
+ * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to
+ * get the deferred result. For a V2 call implementing this function is
+ * required as information is not passed by files. For the normal version
+ * the call is optional.
*
* first char of auth_control_file:
* '0' -- indicates auth failure
projects / thirdparty / openvpn.git / commitdiff
