stephdl
(Stéphane de Labrusse)
March 28, 2020, 9:27pm
11
maybe you simply have not created your first user, create it in the panel
to disable
db vpn setprop toto@domain.com status disabled
signal-event nethserver-openvpn-save
you could imagine a loop to parse all users in the database and enable/disable it following the time
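The loop suggested in the post above could look like this; it is an added example, not code posted in the thread. It assumes the `status` prop also accepts `enabled`, uses a constructed 08:00-18:00 Monday-to-Friday window, and takes the account list from `db vpn show`.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven enable/disable of OpenVPN
# roadwarrior accounts. Window values and "enabled" are assumptions.
WORK_START=${WORK_START:-8}          # first allowed hour (inclusive)
WORK_END=${WORK_END:-18}             # first blocked hour
WORK_DAYS=${WORK_DAYS:-"1 2 3 4 5"}  # date +%u values, 1 = Monday

# Print the status accounts should have at hour $1 (0-23) on weekday $2 (1-7).
desired_status() {
    case " $WORK_DAYS " in
        *" $2 "*) ;;
        *) echo disabled; return 0 ;;
    esac
    if [ "$1" -ge "$WORK_START" ] && [ "$1" -lt "$WORK_END" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Read `db vpn show` output on stdin; print the keys of type vpn-user.
list_vpn_users() {
    sed -n 's/^\([^ =][^=]*\)=vpn-user[[:space:]]*$/\1/p'
}

# Set every account read from stdin to status $1, then regenerate the config.
# Mode $2: "run" executes the commands, anything else only prints them.
apply_status() {
    run=echo
    if [ "${2:-show}" = run ]; then run=; fi
    while IFS= read -r user; do
        $run db vpn setprop "$user" status "$1" </dev/null
    done
    $run signal-event nethserver-openvpn-save
}

# Entry point for cron: `script run`; `script show` is a dry run.
case "${1:-}" in
    show|run)
        hour=$(date +%H); hour=${hour#0}
        db vpn show | list_vpn_users |
            apply_status "$(desired_status "$hour" "$(date +%u)")" "$1" ;;
esac
```

The thread does not say whether disabling an account ends a session that is already connected, so test that on one user before relying on the schedule.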
stephdl
(Stéphane de Labrusse)
March 28, 2020, 9:30pm
12
click in the last connected
pike
(Michael Kicks)
March 28, 2020, 9:35pm
13
Write a firewall rule for that OpenVPN user or its IP address.
PaulVM
(Paolo)
March 28, 2020, 9:41pm
14
ok, definitely I was blind
Found.
Thanks
PaulVM
(Paolo)
March 28, 2020, 9:48pm
15
Thanks.
Tried to disable a user (of 3 created for test but never used until now). I still have no status:
/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] …
signal-event nethserver-openvpn-save
db vpn show
tess-vpn=vpn
OpenVpnIp=
VPNRemoteNetmask=
VPNRemoteNetwork=
tess00@tess.com=vpn-user
OpenVpnIp=10.20.1.233
VPNRemoteNetmask=
VPNRemoteNetwork=
tess01@tess.com=vpn-user
OpenVpnIp=
VPNRemoteNetmask=
VPNRemoteNetwork=
PaulVM
(Paolo)
March 28, 2020, 9:50pm
16
Is it safe to play with iptables on NethServer?
pike
(Michael Kicks)
March 28, 2020, 9:52pm
17
You have the firewall interface to play with. Anyway… at any update of the rules in the interface, Shorewall and iptables are waved and reconfigured according to the interface.
stephdl
(Stéphane de Labrusse)
March 28, 2020, 9:59pm
18
Simply create the status prop for the user like I wrote
Sometimes do not search to understand, just play
PaulVM
(Paolo)
March 28, 2020, 10:10pm
19
I want to disable a specific rw user outside working hours.
Following your hint I can assign to it a fixed IP (10.20.1.101)
In a cron job insert a line like:
iptables -A INPUT -s 10.20.1.101 -j DROP
and in another cron job I insert:
iptables -D INPUT -s 10.20.1.101 -j DROP
(or shorewall restart)
Is INPUT the right Chain or have I to use another Chain (net2ovpn)?
pike
(Michael Kicks)
March 28, 2020, 10:14pm
20
That was not my suggestion…
Bind an OpenVPN user to an IP address.
Use the firewall rule to define WHEN the user is allowed (use objects), then the following rule that does not allow the user to access the internal LAN.
PaulVM
(Paolo)
March 28, 2020, 10:15pm
21
You are right …
I missed the “status” word in my command …
Thanks.
PaulVM
(Paolo)
March 28, 2020, 10:33pm
22
Tonight I am not very smart … Maybe usually on Saturday I used to do different activities before Corona Time …
This?:
pike
(Michael Kicks)
March 28, 2020, 10:36pm
23
That’s what I’ll do.
Take time to test it
PaulVM
(Paolo)
March 28, 2020, 10:40pm
24
I’ll do it tomorrow or monday
Thanks
PaulVM
(Paolo)
March 29, 2020, 5:39pm
25
Is there a corresponding command line that can be used in a script to export the list and send something human readable via mail?
Thanks.
stephdl
(Stéphane de Labrusse)
March 29, 2020, 6:27pm
26
the api can be queried by the command line in a terminal
echo '{"action":"connectionHistory","account":"stephane@domain.org","timeInterval":"today"}' | /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-vpn-ui/openvpn-rw/read | jq
echo '{"action":"connectionHistory","account":"stephane@domain.org","timeInterval":"last_week"}' | /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-vpn-ui/openvpn-rw/read | jq
echo '{"action":"connectionHistory","account":"stephane@domain.org","timeInterval":"last_month"}' | /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-vpn-ui/openvpn-rw/read | jq
you retrieve a json object that you can parse and email it to who you want
PaulVM
(Paolo)
March 29, 2020, 8:32pm
27
Ok, now I have to convert it in human readable format (like in the windows panel):
Started Ended Duration RemoteIP Received Sent
Today I discovered jq exists and probably if I study it I can achieve this, but if there is already an example that I can use …
Thanks
stephdl
(Stéphane de Labrusse)
March 29, 2020, 10:00pm
28
It is Linux time in seconds since 1970, happy coding
Valeriy
(Valeriy)
April 6, 2020, 5:58am
29
Did you manage to configure VPN user access by time?
pike
(Michael Kicks)
April 6, 2020, 10:24am
30
Did you read this post?
As far as I know, not via custom routes on GUI
On RoadWarrior server page you can push all routes to clients into advanced section, but into user section you cannot customize routes pushed to specific users.
But you can specify the ip that user should receive by the server, therefore on firewall you can setup rules for allow access to subnets or hosts interval (even with time conditions)
Different request (per user route) same solution (firewall rule on the ip assigned to the user)