Re: [Radiusplugin-users] Framed-IP-Address problem

[Ralf Lübben]

Which script configures the randomized IPs? I thought the script which sets the 
iptables rules also configures the IPs.

If the randomized IPs are configured before CLIENT-CONNECT I'm wondering why 
the plugin and the script see different IPs. (this would be problem of OpenVPN 
)

Your idea to modify parseStatusFile is right, but the accounting START packet 
would have the wrong IP, but also the packet contains a unique identifier, 
which you can use to identify your connections.



Am Mittwoch, 15. Juni 2011, um 12:59:12 schrieb Stuart Stevenson:
> Yes, the environmental variable that client-connect script sees is the
> correct (randomized) IP address, so there is no problem setting iptables
> rules.
> 
> Like I was saying, the problem I have is that the RADIUS plugin doesn't get
> updated with the new (randomized) IP address, and thus, doesn't pass it
> along to my RADIUS server to update the database with.
> 
> Surely number 2 (the suggestion I made) would be the easiest? From what I
> understand from the source, the sendUpdatePacket and sendStopPacket methods
> pull the Framed-IP-Address by:
> 
>       ra2(ATTRIB_Framed_IP_Address,this->getFramedIp()),
> 
> So the simplest thing to do would be edit the parseStatusFile method, or
> add a new method to pull the correct (randomized) IP address from the
> status file, which would then be used in AcctScheduler::doAccounting and
> AcctScheduler::delUser by calling setFramedIP? This would remove your
> specified problem of the IP not existing in the first account packet,
> because the randomized IP address is added/updated after client-connect has
> been run (or so I hope!).
> 
> Thanks,
> Stuart.
> 
> -----Original Message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 15 June 2011 08:04
> To: Stuart Stevenson
> Cc: address@hidden
> Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> 
> Hi,
> 
> the accounting happens in a parallel proccess (AccountingProcess.cpp) based
> on the Interim-Update value. The values are send to the process during
> CLIENT_CONNECT.
> 
> Possible implementations (plugin):
> 1) Update the IP when a renegotiation occurs (event AUTH_USER_PASS_VERIFY)
> based on the OpenVPN option "reneg-sec". Problem: The the first accounting
> packets would contain the wrong IP.
> 
> 2) Read the ip from the status file. Problem: Does is already exists for
> the first ACCOUNTING packet?
> 
> 3) Implement the IPCHANGE event in the plugin. But I don't know if it is
> triggered when the IP is changed during CLIENT_CONNECT.
> 
> 
> Can't you use the ENVP variables in your script? They contain the IP
> addresses, so you could still set the iptables rules.
> 
> Ralf
> 
> Am Mittwoch, 15. Juni 2011, um 00:38:05 schrieben Sie:
> > Correct, it appears that the plugin is called before client-connect
> 
> script.
> 
> > I'm a little lost in the source code, but where do you specify the data
> > that goes into each accounting call (CLIENT_CONNECT / CLIENT_DISCONNECT)?
> > Would it not be possible to update the Framed-IP-Address that gets sent
> > as part of the CLIENT_DISCONNECT call from the value defined in ENVP, or
> > even modifying the parseStatusFile method to include pulling the
> > Framed-IP-Address, similar to how it pulls the in/out bytes.
> > 
> > Don't get me wrong, I'm not asking you to code me a hack to get this
> > working! I'm just curious if that is how it could be done. As randomized
> > IPs in the client-connect script isn't essential for me (I can implement
> > dynamic iptables commands in the client-connect script, rather than
> > persistent SNAT and DNAT entries tied to each client's VPN IP address).
> > 
> > Cheers,
> > Stuart.
> > 
> > -----Original Message-----
> > From: Ralf Lübben [mailto:address@hidden
> > Sent: 14 June 2011 21:23
> > To: Stuart Stevenson
> > Cc: address@hidden
> > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > 
> > Ok, now I see the problem. The script is called after the plugin
> > CLIENT_CONNECT, so the plugin is not aware of the randomized IP-address.
> > 
> > The plugin does not track the IP-address after CLIENT-CONNECT, and it is
> > difficult to implement.
> > 
> > My suggestions are:
> > 1) Let the RADIUS server set the IP address (Framed IP option)
> > 2) Create the client config file with a "--auth-user-pass-verify" script,
> > probably the new IP address is known before CLIENT_CONNECT event is
> 
> called.
> 
> > 3) Use OpenVPN option "--topology subnet"
> > 
> > Am Dienstag, 14. Juni 2011, um 21:01:58 schrieb Stuart Stevenson:
> > > The client-connect script adds the ifconfig-push command into the
> > > client config file location sent to the client-connect script as
> > > variable $1.
> > 
> > This
> > 
> > > pushes a random IP between 10.8.0.2 and 10.8.0.254 to the client.
> > > 
> > > The RADIUS server sets nothing but the interim acct interval (60
> > > seconds).
> > > 
> > > The problem is, according to the ENVP list on CLIENT_CONNECT, the
> > > ifconfig_pool_remote_ip is 10.8.0.2 (the first available IP in the pool
> > > specified in the OpenVPN config file). But this is wrong, as the
> > > correct
> > 
> > IP
> > 
> > > is a randomized IP which is set through the client-connect script as it
> > > pushes the randomized IP as an ifconfig-push command.
> > > 
> > > On CLIENT_DISCONNECT, ENVP reports the ifconfig_pool_remote_ip as the
> > > correct (randomized) IP address of the client. But, when RADIUS runs
> > > the SQL query to stop the accounting, the Framed-IP-Address sent to
> > > the RADIUS server is 10.8.0.2 -- not the ENVP value of
> > > ifconfig_pool_remote_ip. As I am sure the SQL side is working
> > > correctly, I can only assume something in the radius plugin is sending
> > > the old ifconfig_pool_remote_ip value.
> > > 
> > > Not that it is a bug in the radius plugin, but perhaps my setup is just
> > > unique (or wrong)?
> > > 
> > > -----Original Message-----
> > > From: Ralf Lübben [mailto:address@hidden
> > > Sent: 14 June 2011 19:49
> > > To: Stuart Stevenson
> > > Cc: address@hidden
> > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > > 
> > > Hi,
> > > 
> > > which is the IP address (10.8.0.2 or 10.8.0.209) of the tun interface
> > > of the client?
> > > 
> > > Which address is configured by your script? I gues 10.8.0.209 .
> > > 
> > > Does your RADIUS server set a Framed-IP option? (If not, there is no
> > > conflict.)
> > > 
> > > The address of the interface should be the address the plugin returns
> > > to the server ((see RFC2866, chapter 4.1 for more information)).
> > > 
> > > The code snippet is not repeated in CLIENT_DISCONNECT because in
> > > CLIENT_CONNECT the internal database of the plugin is updated.
> > > 
> > > Also I assume the "ifconfig_pool_remote_ip" should not change between
> > > CLIENT_CONNECT and CLIENT_DISCONNECT, maybe this is wrong .
> > > 
> > > What entries are in your client config file?
> > > Does any value of the ENVP list contains the correct IP?
> > > 
> > > It is strange that "ifconfig_pool_remote_ip" changes.
> > > 
> > > Am Dienstag, 14. Juni 2011, um 20:18:41 schrieb Stuart Stevenson:
> > > > Not quite sure what you mean by this.
> > > > 
> > > > What I would like to happen is for the accounting update packets, or
> > > > the accounting stop packets to contain the correct Framed-IP-Address.
> > > > 
> > > > On a CLIENT_CONNECT, the ENVP output shows:
> > > >         Tue Jun 14 19:01:45 2011 us=737790 bob/192.168.10.8:49121 
> > > > ENVP[3] =
> > > > 
> > > > 'ifconfig_pool_remote_ip=10.8.0.2'
> > > > 
> > > > Which is actually incorrect, but from what you are saying, this is a
> > > > conflict between my client-connect script and the client configs file
> > > > the radius plugin creates?
> > > > 
> > > > However, on a CLIENT_DISCONNECT, ENVP shows the correct
> > > > ifconfig_pool_remote_ip, which I would like to be entered into my
> > > 
> > > database.
> > > 
> > > > But the problem I have is that the radius plugin must still be
> > > > sending the old ifconfig_pool_remote_ip from the initial
> > > > CLIENT_CONNECT.
> > > > 
> > > >         Tue Jun 14 19:02:10 2011 us=362334 ENVP[6] =
> > > > 
> > > > 'ifconfig_pool_remote_ip=10.8.0.209'
> > > > 
> > > > I assume this is because of radiusplugin.cpp, Line 465:
> > > >         if (get_env ( "ifconfig_pool_remote_ip", envp ) !=NULL)
> > > >         {
> > > >         
> > > >                 newuser->setFramedIp ( string ( get_env (
> > > 
> > > "ifconfig_pool_remote_ip",
> > > 
> > > > envp ) ) );
> > > > 
> > > >         }
> > > > 
> > > > The setFramedIp method is never called again during the
> > > > CLIENT_DISCONNECT stage, so I assume this is why the
> > > > Framed-IP-Address that is updated in to my database is incorrect? I
> > > > haven't tested this myself yet, but I would hazard a guess that the
> > > > addition of the above code snippet into radiusplugin.cpp above Line
> > > > 563 would solve this for me?
> > > > 
> > > > Thanks,
> > > > Stuart.
> > > > 
> > > > -----Original Message-----
> > > > From: Ralf Lübben [mailto:address@hidden
> > > > Sent: 14 June 2011 18:00
> > > > To: address@hidden
> > > > Cc: Stuart Stevenson
> > > > Subject: Re: [Radiusplugin-users] Framed-IP-Address problem
> > > > 
> > > > Hi,
> > > > 
> > > > the plugin just writes the Framed-IP address to the client config
> > > > file (maybe as your client config script does) if it gets one from
> > > > the radius server.
> > > > 
> > > > One option could be not to send to the Framed IP option another
> > > > option could be to do the address selection at the radius.
> > > > 
> > > > Overall, I think the behavior of a script and a plugin a very
> > > > similar.
> > > > 
> > > > If you have further question please let me know.
> > > > 
> > > > Ralf
> > > > 
> > > > Am Dienstag, 14. Juni 2011, um 18:38:35 schrieb Stuart Stevenson:
> > > > > Hi,
> > > > > 
> > > > > 
> > > > > 
> > > > > I'm trying to get the correct Framed-IP-Address stored into the
> > > > > database, but it won't update with the new value.
> > > > > 
> > > > > 
> > > > > 
> > > > > First, I connect to OpenVPN, and by default, it tries to assign an
> > > > > IP from the range 10.8.0.0/24 (hence the 10.8.0.2) the
> > > > > RADIUS-PLUGIN sees
> > > > 
> > > > below:
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND:
> > > > > OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> > > > > 
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> > > > > 192.168.10.8:47386.
> > > > > 
> > > > > Tue Jun 14 17:23:09 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
> > > > > the IP
> > > > > (10.8.0.2) OpenVPN assigned to the user bob
> > > > > 
> > > > > 
> > > > > 
> > > > > However, I have a client-connect script which pulls a random IP
> > > > > from the
> > > > > 10.8.0.0/24 range and puts the random Framed-IP-Address into this
> > > > > dynamic config file. As can be seen below, OpenVPN recognises this
> > > > > and updates according (including in the status file):
> > > > > 
> > > > > 
> > > > > 
> > > > > Tue Jun 14 17:23:09 2011 us=553408 bob/192.168.10.8:47386 OPTIONS
> > > 
> > > IMPORT:
> > > > > reading client specific options from:
> > > > > /tmp/openvpn/ifconfig/openvpn_cc_3745795b4223cfddef61f0260b52ec84.t
> > > > > m p
> > > > > 
> > > > > Tue Jun 14 17:23:09 2011 us=742109 bob/192.168.10.8:47386 OPTIONS
> > > 
> > > IMPORT:
> > > > > reading client specific options from:
> > > > > /tmp/openvpn/ifconfig/openvpn_cc_eb3789928b91000666b54c31ecbcc26b.t
> > > > > m p
> > 
> > > > > Tue Jun 14 17:23:09 2011 us=742409 bob/192.168.10.8:47386 MULTI:
> > Learn:
> > > > > 10.8.0.211 -> bob/192.168.10.8:47386
> > > > > 
> > > > > Tue Jun 14 17:23:09 2011 us=742449 bob/192.168.10.8:47386 MULTI:
> > > > > primary virtual IP for bob/192.168.10.8:47386: 10.8.0.211
> > > > > 
> > > > > 
> > > > > 
> > > > > My problem is that the RADIUS-PLUGIN does not pick up on the fact
> > > > > that there is an updated Framed-IP-Address, and still updates the
> > > > > database with the old Framed-IP-Address. Even with accounting
> > > > > updates like below, (not knowing C/C++ well enough to make sense of
> > > > > the source code), I would assume that when the plugin reads the
> > > > > status file, it would update any new information, including the
> > > > > updated Framed-IP-Address, but it still updated the database with
> > > 
> > > 10.8.0.2.
> > > 
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler:
> > > > > Read Statusfile.
> > > > > 
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> > > > > ACCOUNTING_RESPONSE-Packet.
> > > > > 
> > > > > Tue Jun 14 17:27:09 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> > > > > Update packet for User bob was send.
> > > > > 
> > > > > 
> > > > > 
> > > > > Perhaps I am just doing something wrong, or maybe the plugin just
> > > > > isn't written to pull and update the Framed-IP-Address from the
> > > > > status file on every accounting update?
> > > > > 
> > > > > 
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Stuart.