I have been asked by some friends, (not very Linux proficient friends) to share this. I thought I would create a blog post and share with all. We all had to start somewhere and sometimes we forget that not everyone is an avid Linux user. Just like I’m not an avid beer maker….. (yet!)
I was hanging out with a couple of my old Admin friends about a month ago and the question of VPNs came up. Everyone commented on what VPN they use at work and at home. OpenVPN was mentioned as it is a great software solution and found to be rather easy to implement. One of them mentioned that they wish they would implement a scheduling solution so that they could limit access during updates and also have the flexibility to allow interns only access during certain hours. We all got a good laugh out of that but then realized he was serious. This led to a deep discussion about the companies that everyone works or had worked for and the red tape that seems to run along with them. Did I mention that I love BHIS! I think that if there was red tape it got handed out at a conference somewhere with one of our awesome T-shirts.
Keep fighting my friends, keep fighting!
After I got home I thought about the comment of limiting access and the ability to have a schedule in place for the OpenVPN solution. For some reason I have this curse which causes my mind to run crazy with small trivial things that I somehow twist into a challenge. I believe that my friends do this to me on purpose sometimes because they are just evil like that. I have to admit that a lot of the stuff that they come up with is really trivial but sometimes it poses as a challenge far more than just solving a solution, in which it could include solutions for other problems.
The next day I decided to look further into the scheduling solution since I have an OpenVPN server installed in my lab at home. With a little research on the OpenVPN website I found command line syntax to disable user access as well as suspend their account. The following commands were found on the OpenVPN website https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html#session-management
Ban a User Command Line Syntax for OpenVPN Server
Disconnect a User Command Line Syntax for OpenVPN Server
Now that I know the command line syntax it was time to create a bash script so that it could be called later to disconnect and ban a user. Notice there is a nice addition to the disconnect user command which lets you give them a reason for the disconnect.
In my past life I used to work for a contract manufacturer of printed circuit boards which consisted of computer motherboards, telephone equipment, SCSI controllers, medical devices and so on. Most of the functional bench testing was done with cron jobs because almost always the first part of the test was to set the time to the default (again with a script) so that times it took to test could be caught and utilized to determine if there were propagation delay issues, especially in CPU and RAM timing. Therefore, we would run bash scripts to launch various tests at specific points in time. This was very effective in finding timing issues with the bus speeds of the devices and seemed to be the easiest way to implement them at that time. Now I am sure there are far better ways to do this.
Creating a bash script is really easy. Log in via SSH, escalate to root (sudo su), then create a directory to hold your bash scripts. Then cd into that directory. Root access is needed since it is required to run the OpenVPN scripts.
medic@openvpnas:~# mkdir ~/scripts
medic@openvpnas:~# cd scripts
medic@openvpnas:~/scripts#
Then use VI or Nano to create the name of the bash script (e.g. vi discbanuser.sh or nano discbanuser.sh). This will open a blank file called discbanuser.sh in the current directory.
medic@openvpnas:~/scripts# nano discbanuser.sh
Then enter the information below. In order to run the commands, you have to be in the scripts directory shown below, which is a different directory than the one you just created.
Bash Script to Disconnect and Ban the User
Now that we have our Bash script for disconnecting and banning a user from our OpenVPN, let's create another Bash script to unban them, or allow them to connect again to the VPN server. This will be created in the same ~/scripts directory as discbanuser.sh and we will call it unbanuser.sh.
Bash Script to Allow User to Connect to VPN
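The two scripts above, combined into one wrapper, as an added example that is not the original post's code. It assumes the sacli tool lives in /usr/local/openvpn_as/scripts and accepts the UserPropPut (prop_deny) and DisconnectUser (--reason, --client_reason) calls from the OpenVPN Access Server documentation linked earlier, so check them against that page; the SACLI variable, the function names and the file name vpn_access.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not the original post's scripts): ban/unban wrapper for cron.
# Assumption: sacli path and the UserPropPut / DisconnectUser calls as given in
# the OpenVPN Access Server documentation linked above.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Accept only plain account names, so a value such as "--key" can never be
# parsed by sacli as an option while the script runs as root.
valid_user() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
  esac
  return 0
}

# prop_deny=true blocks new logins for the account; false allows them again.
set_deny() {
  "$SACLI" --user "$1" --key "prop_deny" --value "$2" UserPropPut
}

# Deny first, then drop the live session, so a client that reconnects
# automatically is refused instead of slipping back in before the ban lands.
ban_user() (
  user=$1
  reason=${2:-Scheduled maintenance window}
  valid_user "$user" || { echo "refusing user name: $user" >&2; exit 2; }
  set_deny "$user" true || exit 1
  "$SACLI" --user "$user" --reason "$reason" --client_reason "$reason" DisconnectUser
)

unban_user() (
  valid_user "$1" || { echo "refusing user name: $1" >&2; exit 2; }
  set_deny "$1" false
)

# Command-line entry point: vpn_access.sh ban|unban USER [REASON]
case "${1:-}" in
  ban)   ban_user "${2:-}" "${3:-}" ;;
  unban) unban_user "${2:-}" ;;
esac
```

Cron runs jobs with a minimal environment, so call the script by absolute path from root's crontab, for example `0 22 * * 1 /root/scripts/vpn_access.sh ban ricktest` (22:00 every Monday).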
We now have our bash scripts created; therefore, it is time to make sure the permissions are correct for these files to be executed. Note that it is: ls -(lowercase L).
medic@openvpnas:~/scripts# ls -l
Total 8
-rw-r--r-- 1 root root 1010 Aug 8 15:30 discbanuser.sh
-rw-r--r-- 1 root root 428 Aug 8 15:33 unbanuser.sh
medic@openvpnas:~/scripts#
Note that the files are not allowed to be executed so we need to change that.
medic@openvpnas:~/scripts# chmod 755 discbanuser.sh
medic@openvpnas:~/scripts# chmod 755 unbanuser.sh
medic@openvpnas:~/scripts# ls -l
Total 8
-rwxr-xr-x 1 root root 1010 Aug 8 15:30 discbanuser.sh
-rwxr-xr-x 1 root root 428 Aug 8 15:33 unbanuser.sh
medic@openvpnas:~/scripts#
Now that the bash scripts are executable, we can work to schedule them with crontab.
Crontab, which you may have heard of as a cron job or cron, is a scheduler for Linux. All Linux users have used them for one task or another as it may be used for scheduling reboots, updating and various other tasks. There is a short funny read about an individual who created different scripts to automate his most mundane tasks which can be found here: https://what.thedailywtf.com/topic/17997/now-that-s-what-i-call-hacker. In fact I am still waiting for BHIS to get us a coffee maker that hooks up to the network…….
I have an OpenVPN virtual machine running, so to schedule a task just type the following command:
medic@openvpnas:~/scripts# crontab -e
This will open the current user's crontab file for editing, which is what the -e means.
The crontab file gives you information about what syntax to use, as you can see below:
Crontab File with Calls to Bash Scripts
As you can see by the file I have already placed calls to my discbanuser.sh and unbanuser.sh scripts. These tasks will run at 10:00pm and 10:30pm respectively on the first day of the week. Now we can save the file and then check to see if it works.
I logged into the VPN as ricktest, a user I created earlier. I waited for the message to arrive that I had been disconnected from the server.
I got the message that I was disconnected as well as the message that I included in the command within the bash script. That worked well.
Now to try and connect to the VPN Server again:
Just what was expected!
I then tested again after the script had unbanned the account and I was again able to login.
Even though this is a simple example, hopefully it will give those newbies to Linux and my friends a foothold into the world of crontab. As you can see, the sky is the limit as to what scheduled tasks and bash scripting can be used for.
Make sure you check out the link mentioned previously in this blog for some more fun and advanced examples.