Hello, I was wondering whether anyone has found a way to kill clients in such a manner that they are prevented from reconnecting to the server automatically, with either the client being re-prompted for their passphrase to unlock their secret key, or for the server to instruct the client to terminate OpenVPN process on the client side, so that it must be re-executed?
## What we're running

Server and Clients: OpenVPN 2.4.7 x86_64-pc-linux-gnu

## What we want

To kill clients with CN [ client_cn ] by doing the following using the management interface on the server side:

```
telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
kill [ client_cn ]
SUCCESS: common name '[ client_cn ]' found, 1 client(s) killed
```

### Resulting in either of the following on the client side:

```
SIGINT[hard,] received, process exiting
```

or a `SIGHUP`, which would hopefully prompt the client for the password again.

## What happens instead

Client restarts on its own, with no prompt for the password again.

From the server OpenVPN logs after a kill command is issued:

```
Thu Dec 30 11:36:25 2021 us=751622 MANAGEMENT: CMD 'kill [ client_cn ]'
Thu Dec 30 11:36:25 2021 us=751691 [ client_cn ]/[ client_ip ]:[ port ] SIGTERM[soft,] received, client-instance exiting
```

Followed by:

```
Thu Dec 30 11:38:30 2021 us=534107 MULTI: multi_create_instance called
Thu Dec 30 11:38:30 2021 us=534186 [ client_cn ]/[ client_ip ]:[ port ] Re-using SSL/TLS context
...
Thu Dec 30 11:38:31 2021 us=648872 [ client_cn ]/[ client_ip ]:[ port ] Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 30 11:38:31 2021 us=649025 [ client_cn ]/[ client_ip ]:[ port ] Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
```

From the client OpenVPN logs after a kill command is issued:

```
Thu Dec 30 11:38:25 2021 [vpn01] Inactivity timeout (--ping-restart), restarting
...
Thu Dec 30 11:38:25 2021 Closing TUN/TAP interface
...
Thu Dec 30 11:38:25 2021 SIGUSR1[soft,ping-restart] received, process restarting
Thu Dec 30 11:38:25 2021 Restart pause, 5 second(s)
...
Thu Dec 30 11:38:31 2021 Initialization Sequence Completed
```

## What we've tried

### Explicitly disabling persist-key

None of the following options work for explicitly disabling `--persist-key` in the server config file, i.e. the server will not start with no error message:

```
persist-key=false
no persist-key
persist-key false
persist-key no
persist-key=0
persist-key 0
```

Also, removing the `persist-key` option on both the server and client config files altogether has had no effect.

### Remapping SIGUSR1 signals

This was attempted to see if we could force a reset of the existing state between the client and server.

```
remap-usr1 SIGHUP
remap-usr1 SIGTERM
```

However, adding this to our server conf file has had no effect either, with the client similarly, as before where these options were not remapped, restarting automatically after being 'killed' by the server.

Is there anything I may have missed in my attempts thus far, or is there a different way to kill OpenVPN clients from the OpenVPN server host so that they do not restart automatically?

Kind regards,
Paul
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
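The management-interface exchange shown in the post (`kill <common-name>` followed by a `SUCCESS:` reply), as an added example in Python that is not part of the original message or of OpenVPN itself. It automates the same step the telnet session performs: connect to the management socket, skip the `>INFO:` greeting and any other real-time notification lines, send the `kill` command, and parse the reply into a result a script can act on. It assumes the management interface listens on 127.0.0.1:7505 as in the post, that no management password is configured, and that error replies start with `ERROR:` (the `ERROR:` sample in the test is constructed, not taken from the post). The common-name check is a defensive detail: the management protocol is line-oriented, so a name containing a newline would be read by the server as a second command.

```python
# Added example (not from the original post or from OpenVPN): send
# `kill <common-name>` to the OpenVPN management interface and parse the reply.
# Assumptions: management interface on 127.0.0.1:7505 (as in the post), no
# management password, replies prefixed SUCCESS:/ERROR:.
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

MGMT_HOST = "127.0.0.1"
MGMT_PORT = 7505

# Reply format seen in the post:
#   SUCCESS: common name 'client_cn' found, 1 client(s) killed
SUCCESS_RE = re.compile(
    r"^SUCCESS: common name '(?P<cn>[^']*)' found, (?P<n>\d+) client\(s\) killed$"
)
ERROR_RE = re.compile(r"^ERROR: (?P<msg>.*)$")


@dataclass
class KillResult:
    ok: bool          # True when the server answered with SUCCESS:
    common_name: str  # CN echoed back by the server (empty on error)
    killed: int       # number of client instances the server terminated
    message: str      # raw reply line, kept for logging


def is_valid_common_name(cn: str) -> bool:
    """A CN is usable as a single command argument only if it is non-empty
    and contains no control characters (newline would start a new command)."""
    return bool(cn) and not any(ord(c) < 0x20 or ord(c) == 0x7F for c in cn)


def parse_kill_reply(line: str) -> KillResult:
    """Turn one command-reply line from the management interface into a KillResult."""
    line = line.rstrip("\r\n")
    m = SUCCESS_RE.match(line)
    if m:
        return KillResult(True, m.group("cn"), int(m.group("n")), line)
    if ERROR_RE.match(line):
        return KillResult(False, "", 0, line)
    raise ValueError(f"unexpected management reply: {line!r}")


def first_command_reply(lines: Iterable[str]) -> Optional[str]:
    """Return the first line that is a reply to a command, skipping blank lines
    and real-time notifications, which begin with '>' (e.g. the >INFO: greeting)."""
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.startswith(">"):
            continue
        return line
    return None


def kill_client(cn: str, host: str = MGMT_HOST, port: int = MGMT_PORT,
                timeout: float = 5.0) -> KillResult:
    """Connect to the management interface, send `kill <cn>` and parse the reply."""
    if not is_valid_common_name(cn):
        raise ValueError(f"invalid common name: {cn!r}")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="utf-8", newline="\n")
        f.write(f"kill {cn}\n")
        f.flush()
        reply = first_command_reply(f)  # greeting line is skipped here
        f.write("quit\n")
        f.flush()
    if reply is None:
        raise ConnectionError("management interface closed without replying")
    return parse_kill_reply(reply)


if __name__ == "__main__":
    # Constructed transcript of the exchange shown in the post, so the parser
    # can be exercised without a live server.
    transcript = [
        ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
        "SUCCESS: common name 'client_cn' found, 1 client(s) killed",
    ]
    print(parse_kill_reply(first_command_reply(transcript)))
```

Note that this only automates the server-side `kill`; as the logs in the post show, the client still restarts on its own after `--ping-restart`, so the script changes nothing about that behaviour.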