From patchwork Thu Oct 6 09:37:31 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2804
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Dmitry Zelenkovsky
Date: Thu, 6 Oct 2022 22:37:31 +0200
Message-Id: <20221006203731.13529-1-a@unstable.cc>
In-Reply-To: <20220919134108.31316-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH v3] implement --session-timeout

From: Dmitry Zelenkovsky

Disconnect clients after session-timeout expires.
session-timeout can be defined in ccd files in order to limit
per-user connection time.

Signed-off-by: Dmitry Zelenkovsky
Acked-by: Gert Doering
---
Changes from v2:
* improve manpage wording
* improve session_timeout comment

Changes from v1:
* added documentation to manpage
* added entry in Changes.rst
---
 Changes.rst                         |  6 ++++++
 doc/man-sections/link-options.rst   | 16 ++++++++++++++++
 doc/man-sections/server-options.rst |  2 +-
 src/openvpn/forward.c               | 22 ++++++++++++++++++++++
 src/openvpn/init.c                  |  7 +++++++
 src/openvpn/openvpn.h               |  2 ++
 src/openvpn/options.c               |  7 +++++++
 src/openvpn/options.h               |  2 ++
 8 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst index 2daa97fb..7c45a042 100644
--- a/Changes.rst +++ b/Changes.rst @@ -93,6 +93,12 @@ Inline auth username and password missing OpenVPN will prompt for input via stdin. This applies to inline'd http-proxy-user-pass too. +Session timeout + It is now possible to terminate a session (or all) after a specified amount + of seconds has passed session commencement. This behaviour can be configured + using ``--session-timeout``. This option can be configured on the server, on + the client or can also be pushed. + Deprecated features ------------------- diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 373193aa..fe7760d7 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -427,6 +427,22 @@ the local and the remote host. default) and you are using either ``--secret`` (shared-secret key mode) or TLS mode with ``--tls-auth``. +--session-timeout n + Raises :code:`SIGTERM` for the client instance after ``n`` seconds since + the beginning of the session, forcing OpenVPN to disconnect. + In client mode, OpenVPN will disconnect and exit, while in server mode + all client sessions are terminated. + + This option can also be specified in a client instance config file + using ``--client-config-dir`` or dynamically generated using a + ``--client-connect`` script. In these cases, only the related client + session is terminated. + + If this option is used on the server (main config or per-client), + this works better if ``--explicit-exit-notify`` is also specified + in the server config, so clients are not just silently disconnected + but they are also informed about it. + --socket-flags flags Apply the given flags to the OpenVPN transport socket. Currently, only :code:`TCP_NODELAY` is supported. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 54ea8b66..9d0c73b6 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -426,7 +426,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, - ``--rcvbuf`` + ``--rcvbuf``, ``--session-timeout`` --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index e5cee665..810cb8a7 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -630,6 +630,21 @@ encrypt_sign(struct context *c, bool comp_frag) buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); } +/* + * Should we exit due to session timeout? + */ +static void +check_session_timeout(struct context *c) +{ + if (c->options.session_timeout + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, + ETT_DEFAULT)) + { + msg(M_INFO, "Session timeout, exiting"); + register_signal(c, SIGTERM, "session-timeout"); + } +} + /* * Coarse timers work to 1 second resolution. */ @@ -681,6 +696,13 @@ process_coarse_timers(struct context *c) return; } + /* kill session if time is over */ + check_session_timeout(c); + if (c->sig->signal_received) + { + return; + } + /* restart if ping not received */ check_ping_restart(c); if (c->sig->signal_received) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 22a0e9c6..439ea010 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1324,6 +1324,13 @@ do_init_timers(struct context *c, bool deferred) event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); } + /* initialize inactivity timeout */ + if (c->options.session_timeout) + { + event_timeout_init(&c->c2.session_interval, c->options.session_timeout, + now); + } + /* initialize pings */ if (dco_enabled(&c->options)) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 00cd652f..f74125aa 100644 
--- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -288,6 +288,8 @@ struct context_2 struct event_timeout inactivity_interval; int64_t inactivity_bytes; + struct event_timeout session_interval; + /* the option strings must match across peers */ char *options_string_local; char *options_string_remote; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 93db0865..4566172b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -261,6 +261,7 @@ static const char usage_message[] = " for m seconds.\n" "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n" " produces a combined in/out byte count < bytes.\n" + "--session-timeout n: Limit connection time to n seconds.\n" "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n" "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n" "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n" @@ -1823,6 +1824,7 @@ show_settings(const struct options *o) SHOW_INT(keepalive_ping); SHOW_INT(keepalive_timeout); SHOW_INT(inactivity_timeout); + SHOW_INT(session_timeout); SHOW_INT64(inactivity_minimum_bytes); SHOW_INT(ping_send_timeout); SHOW_INT(ping_rec_timeout); @@ -6598,6 +6600,11 @@ add_option(struct options *options, } } } + else if (streq(p[0], "session-timeout") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_TIMER); + options->session_timeout = positive_atoi(p[1]); + } else if (streq(p[0], "proto") && p[1] && !p[2]) { int proto; diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 6449dcdf..3d1d37d0 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -324,6 +324,8 @@ struct options int inactivity_timeout; /* --inactive */ int64_t inactivity_minimum_bytes; + int session_timeout; /* Force-kill session after n seconds */ + int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ bool ping_timer_remote; /* Run ping timer only if we have a remote address */
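Review bot: The wording in the Changes.rst hunk, "after a specified amount of seconds has passed session commencement", is ungrammatical and "terminate a session (or all)" does not say what "all" refers to; suggest "after a specified number of seconds have passed since session commencement" and "terminate a single client session (or, in server mode, all of them)", which matches the description given in the link-options.rst hunk.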
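Review bot: The manpage text in the link-options.rst hunk opens with "Raises SIGTERM for the client instance" but then describes server mode, where the main server context is not a client instance; it should state explicitly what happens to the server process itself when the option is in the main server config (SIGTERM on the main context, as opposed to a ccd or client-connect generated instance config), so that an administrator does not read "all client sessions are terminated" as the server staying up and only dropping its clients. The same paragraph should also point out that --session-timeout pushed to a client makes that client exit, since the option is added to the pushable list in the server-options.rst hunk.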
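Review bot: The log line in the forward.c hunk, msg(M_INFO, "Session timeout, exiting"), does not record the configured limit; including c->options.session_timeout in the message (for example "Session timeout (%d seconds), exiting") makes it possible to tell a deliberate per-user limit from an unexpected disconnect when reading server logs. The guard "if (c->options.session_timeout && event_timeout_trigger(...))" is correct only because session_interval is armed exclusively in do_init_timers when session_timeout is non-zero; a one-line comment saying so would help the next reader, since the timer struct is otherwise uninitialized.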
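Review bot: The comment above the new block in the init.c hunk reads "/* initialize inactivity timeout */", copied from the preceding inactivity block; it should read "/* initialize session timeout */". Also worth confirming, since the diff does not show it: the Changes.rst hunk says the option can be pushed, so do_init_timers must be reached again with the pulled value after the push reply is processed, otherwise a pushed --session-timeout would set options.session_timeout without ever arming session_interval.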
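Review bot: In the add_option hunk in options.c, positive_atoi(p[1]) maps a negative or non-numeric argument to 0, which silently disables the feature instead of rejecting the configuration; "--session-timeout -5" or "--session-timeout abc" would be accepted without complaint, and for a per-user limit set in a ccd file that means the limit quietly does not apply. Suggest rejecting a value of 0 or less with an explicit parse error. The usage string "--session-timeout n: Limit connection time to n seconds." could also mention that the timer counts from the start of the session, to distinguish it from the adjacent --inactive, which counts idle time.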