Limit OS X Server VPN connections to one per user
Authored by: Cerberus on Oct 30, '09 12:02:16PM
Thank you for this! I was wandering around the interwebs wondering if there was any way to easily watch who was in and out of my VPN service and I found this. This is an AWESOME start!

What I ran into was that once applied, any client would immediately be disconnected saying they were already logged in. And this is true if you count the CURRENT connection...

So I started down a path that took me all the way to possibly finding a bug. I have submitted it to bugtracker. The gist is that pppd does not pass the ttydevice to auth-up nor to ip-up. So I had to write a few lines to get this info.

I am the type of admin that does NOT like processes doing things in the 'dark', so I captured some pertinent info into /var/log/auth-up and /var/log/ip-up and it now notifies syslog when it force kills a connection. I may sort the data better once I am comfortable it all works consistently (it has been fine for the past 6 hours but I want longer before blessing it completely).

Next code change will be some way to allow a group or something to have more than one (don't know why I want that but I hate being pigeon-holed).

#!/usr/bin/perl
use strict;
use warnings;
use Fcntl; # The Module

# Version 1.0
# made june 25. by Simen S. .ya, simen@mac.com
# please don't remove my name from the credits if you modify the source
# from http://www.macosxhints.com/article.php?story=20080625145536473

# Modified 30 Oct 2009 - Peter J Scordamaglia
# send notification of forcibly denied VPN Connections to authpriv.notice

# Every connected VPN user, one 'vpn:ConnectedUsers:_array_index:N:name = "user"' line each
my $in = `/usr/sbin/serveradmin command vpn:command = getConnectedUsers | /usr/bin/grep -G "vpn:ConnectedUsers:_array_index:[[:xdigit:]]*:name"`;

# Arguments as pppd hands them to /etc/ppp/auth-up; missing ones become '' so
# the log lines below never trip "uninitialized value" warnings
my @args = map { defined $_ ? $_ : '' } @ARGV[0..4];
my ($interface, $peername, $username, $ttydevice, $speed) = @args;

my $filepath = "/private/var/log/auth-up";
my ($sec,$min,$hour,$mday,$mon,$year) = localtime(time);

my @list = split(/\n/, $in);
my $s;
my $u;
my $i;
my $checktty;

# Append (>>) so earlier entries are not wiped from the log on every connection
open ( TEXT, ">>", $filepath ) or die "$filepath cannot be opened: $!";
printf TEXT "%4d-%02d-%02d %02d:%02d:%02d ",$year+1900,$mon+1,$mday,$hour,$min,$sec;

# plain print for interpolated text: a '%' inside a username would break printf
print TEXT "full list of VPN Users-------\n\n$in\n";

foreach my $l (@list) {
   # $l looks like: vpn:ConnectedUsers:_array_index:0:name = "user"
   $s = index($l, "=");
   my $line = substr($l, $s+3);          # skip '= "'
   my @array_index = split(/:/, $l);     # element 3 is the _array_index number
   chop($u = $line);                     # drop the closing quote
   print TEXT "\nlist split = '$l'\n";
   print TEXT "index_array= $array_index[3]\n";
   print TEXT "userfound  = '$u'\n";
   print TEXT "interface  = '$interface'\n";
   print TEXT "peername   = '$peername'\n";
   print TEXT "username   = '$username'\n";
   print TEXT "ttydevice  = '$ttydevice'\n";
   print TEXT "TTY speed  = '$speed'\n";
   # look up the interface (pppN) this array entry is connected on
   my $ttyarray = `/usr/sbin/serveradmin command vpn:command = getConnectedUsers | /usr/bin/grep -G "vpn:ConnectedUsers:_array_index:$array_index[3]:InterfaceName"`;
   $i = index($ttyarray, "=");
   $checktty = substr($ttyarray, $i+3);
   chomp($checktty);                     # newline from the backticks
   chop($checktty);                      # closing quote
   print TEXT "Checktty   = '$checktty' (Array_Index'$array_index[3]')\n";
   if ($u eq $peername) {
      print TEXT "Username did match peername. Checking interface.\n";
      if ($checktty eq $interface) {
         # this entry is the connection that just came up, leave it alone
         print TEXT "Checktty Equals Interface!\n";
         print TEXT "Checktty   = '$checktty'\n";
         print TEXT "Interface  = '$interface'\n";
      } else {
         # same user on another pppN: kill that pppd via its pid file and tell syslog
         print TEXT "\n ***** Forcibly killing $peername\@$interface\n\n";
         system("/bin/kill `/bin/cat /private/var/run/$interface.pid`");
         system("/usr/bin/logger -p authpriv.notice -t auth-up \"Multiple VPN Connections Denied for $peername\"");
      }
   } else {
      print TEXT "Username did not match peername\n";
   }
}
close (TEXT);

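The same decision the script above makes (which other sessions of the connecting user should be dropped), written here as an added example in Python rather than the post's Perl and not part of the original comment. It parses one getConnectedUsers dump instead of re-running serveradmin per user, and only computes the pid files to act on; the line shape and the constructed sample output are assumptions based on the grep patterns and quote handling in the script.

```python
import re
from collections import defaultdict

# Line shape assumed from the script's grep patterns and substr/chop handling:
#   vpn:ConnectedUsers:_array_index:<n>:<key> = "<value>"
_LINE = re.compile(
    r'^vpn:ConnectedUsers:_array_index:(?P<idx>\d+):(?P<key>\w+)\s*=\s*"(?P<val>.*)"\s*$'
)

def parse_connected_users(text):
    """Group a getConnectedUsers dump into {array_index: {key: value}}."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            sessions[int(m.group("idx"))][m.group("key")] = m.group("val")
    return dict(sessions)

def duplicate_sessions(text, username, interface):
    """Interfaces carrying other sessions of `username`, excluding the one
    that just came up on `interface` (the case that bit the original hint)."""
    return sorted(
        s["InterfaceName"]
        for s in parse_connected_users(text).values()
        if s.get("name") == username
        and "InterfaceName" in s
        and s["InterfaceName"] != interface
    )

def pid_files(interfaces, run_dir="/private/var/run"):
    """pppd pid files for the interfaces to terminate (path as in the script)."""
    return [f"{run_dir}/{ifname}.pid" for ifname in interfaces]

# Constructed sample output, not captured from a real server:
SAMPLE = """\
vpn:ConnectedUsers:_array_index:0:name = "alice"
vpn:ConnectedUsers:_array_index:0:InterfaceName = "ppp0"
vpn:ConnectedUsers:_array_index:1:name = "bob"
vpn:ConnectedUsers:_array_index:1:InterfaceName = "ppp1"
vpn:ConnectedUsers:_array_index:2:name = "alice"
vpn:ConnectedUsers:_array_index:2:InterfaceName = "ppp2"
vpn:command = "getConnectedUsers"
"""

if __name__ == "__main__":
    # alice just connected on ppp2; only her older ppp0 session is a duplicate
    print(pid_files(duplicate_sessions(SAMPLE, "alice", "ppp2")))
```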