Tutorial: Restrict by IP address with the Post-auth IP Restrict Script
How to use Access Server's post-auth programming hook to restrict users by IP addresses with a Python script.
Overview
Access Server's post-auth programming hook allows you to extend Access Server's possibilities for authenticating against a source of credentials. This document provides examples for creating a post-auth script that restricts users based on their IP addresses.
Authentication and the post-auth script role
Access Server's authentication system
Access Server supports several robust authentication systems without using a post-auth script — whether you manage it from the Admin Web UI or authenticate against a third-party system. These are the systems already supported:
Local: Access Server's built-in authentication system storing user credential hashes in the user properties database, with management handled in the Admin Web UI.
PAM: Linux system that requires console management or an SSH session on the OS.
LDAP: Once you set up the connection in the Admin Web UI, Access Server can authenticate against an LDAP server.
RADIUS: Once you set up the connection in the Admin Web UI, the Access Server can authenticate against a RADIUS server.
SAML: Once you set up the connection in the Admin Web UI, Access Server can use SAML single sign-on (SSO) by authenticating through an identity provider (IdP).
For more information about these authentication methods, refer to this detailed topic: Authentication System.
The post-auth script process
The user signs in with a VPN client or on the Client Web UI.
They successfully authenticate with their credentials.
The post-auth script runs (hence, post-auth — after authentication).
The post-auth script is a text file in the programming language Python. It can do all sorts of interesting things, like automating assigning users to groups based on specific criteria, implementing a custom authentication system, adding an extra filter to the login process, or checking the user device’s hardware address.
Python script knowledge.
Root access on the server.
You can create an IP restriction script to enhance the security of your authentication by registering an IP address to a user and restricting that user's access to the registered IP address.
Our sample script automatically registers an IP address for a user when they first authenticate and restricts their access to the registered IP address. They're denied access if they sign in from a new IP address. The post-auth script learns and locks the IP address for a user who doesn't already have one registered.
Note
Optionally, you can register IP addresses manually. We provide the steps for that in the optional section below.
From a user perspective
When a new user signs in and you're using the default settings for this post-auth script, here's the process:
The new user signs in with valid credentials.
Their IP address isn't in your Access Server's user properties database.
Access Server learns and locks the user's IP address.
The next time the user signs in, their IP address must match the value stored in the user properties database.
Sign in through SSH or your Access Server server console.
Obtain root privileges.
Retrieve the example Python script from our website (https://packages.openvpn.net/as/scripts/post_auth_ip_address_checking.py):
wget https://packages.openvpn.net/as/scripts/post_auth_ip_address_checking.py -O /root/ip.py1
This saves the script to the /root/ directory with the name ip.py.
Tip
If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.
(Optional) Edit the script for your specific needs:
nano /root/ip.py
Make your changes to the script, then save and exit.
Load the script into the Access Server configuration and reload Access Server:
cd /usr/local/openvpn_as/scripts ./sacli --key "auth.module.post_auth_script" --value_file=/root/ip.py ConfigPut ./sacli start
Important
When you change the ip.py file, you must use the above commands to load the script again and reload Access Server.
After you’ve loaded the script into the configuration database, you can remove it, if needed, using the following commands.
cd /usr/local/openvpn_as/scripts ./sacli -k auth.module.post_auth_script ConfigDel ./sacli start
Note
This action doesn't remove the IP addresses already saved in the database, but Access Server will ignore these. You can clean those up manually if you wish with the sacli command, and we provide instructions for that in the next section.
If the user account is being used from another IP address or the IP address has changed, you need to remove the IP address stored and locked for that particular user. You can use the following commands to remove the saved value for the user "exampleuser" and reload the server.
Remove saved IP address for exampleuser:
cd /usr/local/openvpn_as/scripts ./sacli -u "exampleuser" -k "pvt_clientip" UserPropDel ./sacli start
If you want to register IP addresses manually, you can turn off the automatic IP address registration and then manually register them from the command-line interface.
Open the script for editing:
nano /root/ip.py
Edit the
first_login_ip_address
parameter and set it to NONE or DISABLED (either works fine):first_login_ip_addr = "NONE"
or
first_login_ip_addr = "DISABLED"
Save and exit the script.
Reload the script and restart the Access Server service:
cd /usr/local/openvpn_as/scripts ./sacli --key "auth.module.post_auth_script" --value_file=/root/ip.py ConfigPut ./sacli start
When users sign in, they will be denied access until you register their IP address.
Manually register a user's IP address. For our command, "exampleuser" is the user account name, and
192.0.2.13
is the client's IP address:cd /usr/local/openvpn_as/scripts ./sacli -u "exampleuser" -k "pvt_clientip" -v "192.0.2.13" UserPropPut ./sacli start
Tip
Depending on your authentication system, you may need to pay attention to lowercase/uppercase with the username.
The post-auth script outputs information to the log file, /var/log/openvpnas.log , on most Access Server setups. You can review the log to help you troubleshoot if you encounter issues.
Filter for specific log messages from post-auth:
egrep "POST_AUTH" /var/log/openvpnas.log
Note
You can also edit the ip.py file on your server and add print
lines to it to dump more information into the log file.