[Question title]: Openvpn don't see changes in Mysql database
[Posted]: 2019-12-28 16:29:35
[Question description]:

On OpenVPN I installed the script "post_auth_mac_address_checking.py" to check the client's MAC address during the VPN connection. https://openvpn.net/vpn-server-resources/access-server-post-auth-script-host-checking/ It works with a local MySQL database of MAC addresses.

My problem is that when I make some changes in the MySQL database (adding or removing MAC addresses), OpenVPN (sacli?) does not see the changes.

How can I "force" OpenVPN to execute the script for every connection? Is there a script cache that I need to refresh?

Thanks for your help!

Script:

#!/usr/bin/env python

import uuid
import re
import MySQLdb
import sys

from pyovpn.plugin import *

# If this is set to "NONE" or "DISABLED" then the server administrator must
# always manually register each MAC/UUID address by hand on the command line.
first_login_ip_addr="NONE"

# If False or undefined, AS will call us asynchronously in a worker thread.
# If True, AS will call us synchronously (server will block during call),
# however we can assume asynchronous behavior by returning a Twisted
# Deferred object.
SYNCHRONOUS=False

# Get the authorized MAC addresses from the MySQL database.
# This block is at module level, so it runs when the Access Server imports the script.
conn = MySQLdb.connect(host='127.0.0.1',user='xxx',passwd='xxx',db='xxx')

with conn as cur:
    cur = conn.cursor()
    # SET returns no result set, so there is nothing to fetch after it
    cur.execute("SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED")
    cur.execute("SELECT mac_address FROM whitelist_mac;")
    results = cur.fetchall()
    whitelistmac = [row[0] for row in results]

# this function is called by the Access Server after normal VPN or web authentication
def post_auth(authcred, attributes, authret, info):
    print "********** POST_AUTH", authcred, attributes, authret, info

    # fallback "phone" MAC address; note that uuid.getnode() returns the MAC
    # of the host running this script (the Access Server), not of the client
    MAC_phone = (':'.join(re.findall('..', '%012x' % uuid.getnode())))

    # get user's property list, or create it if absent
    proplist = authret.setdefault('proplist', {})

    # user properties to save - we will use this to pass the hw_addr_save property to be
    # saved in the user property database.
    proplist_save = {}

    error = ""

    # The 'error' text goes to the VPN client and is shown to the user.
    # The 'print' lines go to the log file at /var/log/openvpnas.log (by default).

    if attributes.get('vpn_auth'):                  # only do this for VPN authentication
        hw_addr = authcred.get('client_hw_addr')    # MAC address reported by the VPN client
        username = authcred.get('username')         # User name of the VPN client login attempt
        clientip = authcred.get('client_ip_addr')   # IP address of VPN client login attempt

        if hw_addr or MAC_phone:
            # use the client-reported MAC if present, otherwise the fallback
            if (hw_addr or MAC_phone) in whitelistmac:
                print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
                print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
                if hw_addr:
                    print "***** POST_AUTH MAC CHECK: PC MAC address            : %s" % hw_addr
                else:
                    print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
                print "***** POST_AUTH MAC CHECK: connection attempt        : SUCCESS"
            else:
                error = "Le client n'est pas autorisé à se connecter."
                print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
                print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
                if hw_addr:
                    print "***** POST_AUTH MAC CHECK: PC MAC address            : %s" % hw_addr
                else:
                    print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
                print "***** POST_AUTH MAC CHECK: connection attempt        : FAILED"
        else:
            error = "L'adresse MAC du client n'a pas été diffusé."
            print "***** POST_AUTH MAC CHECK: account user name         : %s" % username
            print "***** POST_AUTH MAC CHECK: client IP address         : %s" % clientip
            print "***** POST_AUTH MAC CHECK: Phone MAC address         : %s" % MAC_phone
            print "***** POST_AUTH MAC CHECK: PC MAC address            : NONE REPORTED"
            print "***** POST_AUTH MAC CHECK: action taken              : VPN connection denied with a suitable error message."
            print "***** POST_AUTH MAC CHECK: connection attempt        : FAILED"

    # process error, if one occurred
    if error:
        authret['status'] = FAIL
        authret['reason'] = error          # this error string is written to the server log file
        authret['client_reason'] = error   # this error string is reported to the client user

    return authret, proplist_save

if conn:
    conn.close()

[Question discussion]:

  • Does nobody know? ...
  • Maybe my question is not clear enough? :(

Tags: python mysql openvpn


[Solution 1]:

From the OpenVPN Documentation:

"If you make changes to the mac.py file, you will need to load the new version of the script into the configuration database again using the command above and reload the Access Server configuration."

You need to remove the old script:

cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post_auth_script ConfigDel
./sacli start

Then add the new script:

cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post_auth_script --value_file=/root/mac.py ConfigPut
./sacli start

(assuming your script is at /root/mac.py)

[Discussion]:

  • Thank you very much for your reply, but I have not made any changes to this script (I modified the original script once). I only made some MySQL data changes, and this script sees nothing.
[Solution 2]:

You need to move

with conn as cur:
    cur = conn.cursor()
    cur.execute("SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED")
    result_iso = cur.fetchall()[0]
    cur.execute("SELECT mac_address FROM whitelist_mac;")
    results = cur.fetchall()
    whitelistmac = [row[0] for row in results]

into the post_auth function, otherwise it is only executed the first time the script is loaded.

[Discussion]:
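A rewritten post_auth that does what the answer suggests: the whitelist is queried inside the hook on every VPN login instead of once at import, with the MAC compared in a canonical form and a database error treated as a denial (fail closed). This is an added example, not the question's script or an OpenVPN-supplied one; the database credentials are placeholders, pyovpn's FAIL constant is replaced by a placeholder when that module is absent, and the extra `query` keyword on post_auth is an assumption added so the logic can be run with a stand-in for MySQLdb.

```python
import re
try:
    from pyovpn.plugin import FAIL      # the real constant on the Access Server
except ImportError:
    FAIL = False                        # placeholder for a stand-alone run (assumption)

def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form, or None if not a MAC."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac or '')
    if len(digits) != 12:
        return None
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def db_query(sql, params=()):
    """Fresh connection per call, so each login sees the table as it is now (placeholder credentials)."""
    import MySQLdb
    conn = MySQLdb.connect(host='127.0.0.1', user='xxx', passwd='xxx', db='xxx')
    try:
        cur = conn.cursor()
        cur.execute(sql, params)
        return cur.fetchall()
    finally:
        conn.close()

def mac_is_whitelisted(hw_addr, query):
    """True only if the canonical client MAC is in the table right now; any DB error denies."""
    wanted = normalize_mac(hw_addr)
    if wanted is None:
        return False
    try:
        rows = query("SELECT mac_address FROM whitelist_mac")
    except Exception:
        return False                    # fail closed rather than let everyone in
    return wanted in {normalize_mac(row[0]) for row in rows}

def post_auth(authcred, attributes, authret, info, query=db_query):
    proplist_save = {}
    if not attributes.get('vpn_auth'):  # web logins carry no client MAC
        return authret, proplist_save
    hw_addr = authcred.get('client_hw_addr')
    if not hw_addr:
        error = "Client did not report a MAC address."
    elif mac_is_whitelisted(hw_addr, query):
        error = ""
    else:
        error = "Client is not authorized to connect."
    if error:
        authret['status'] = FAIL
        authret['reason'] = error       # goes to the server log
        authret['client_reason'] = error  # shown to the VPN user
    return authret, proplist_save
```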
