Skip to main content

Tutorial: Restrict by IP address with the Post-auth IP Restrict Script

Abstract

How to use Access Server's post-auth programming hook to restrict users by IP addresses with a Python script.

Overview

Access Server's post-auth programming hook allows you to extend Access Server's possibilities for authenticating against a source of credentials. This document provides examples for creating a post-auth script that restricts users based on their IP addresses.

Authentication and the post-auth script role

Access Server's authentication system

Access Server supports several robust authentication systems without using a post-auth script — whether you manage it from the Admin Web UI or authenticate against a third-party system. These are the systems already supported:

  1. Local: Access Server's authentication system, which uses a SQLite3 database to store user properties and credentials with management handled in the Admin Web UI.

  2. PAM: Linux system that requires console management or an SSH session on the OS.

  3. LDAP: Once you set up the connection in the Admin Web UI, Access Server can authenticate against an LDAP server.

  4. RADIUS: Once you set up the connection in the Admin Web UI, the Access Server can authenticate against a RADIUS server.

  5. SAML: Once you set up the connection in the Admin Web UI, Access Server can use SAML single sign-on (SSO) by authenticating through an identity provider (IdP).

For more information about these authentication methods, refer to this detailed topic: Authentication System.

The post-auth script process

  1. The user signs in with a VPN client or on the Client Web UI.

  2. They successfully authenticate with their credentials.

  3. The post-auth script runs (hence, post-auth — after authentication).

The post-auth script is a text file in the programming language Python. It can do all sorts of interesting things, like automating assigning users to groups based on specific criteria, implementing a custom authentication system, adding an extra filter to the login process, or checking the user device’s hardware address.

Prerequisites

Step 1: Understand how the IP restrict script works

You can create an IP restriction script to enhance the security of your authentication by registering an IP address to a user and restricting that user's access to the registered IP address.

Our sample script automatically registers an IP address for a user when they first authenticate and restricts their access to the registered IP address. They're denied access if they sign in from a new IP address. The post-auth script learns and locks the IP address for a user who doesn't already have one registered.

Note

Optionally, you can register IP addresses manually. We provide the steps for that in the optional section below.

From a user perspective

When a new user signs in and you're using the default settings for this post-auth script, here's the process:

  1. The new user signs in with valid credentials.

    • Their IP address isn't in your Access Server's user properties database.

  2. Access Server learns and locks the user's IP address.

  3. The next time the user signs in, their IP address must match the value stored in the user properties database.

Step 2: Install/update the script

  1. Sign in through SSH or your Access Server server console.

  2. Obtain root privileges.

  3. Retrieve the example Python script from our website (https://swupdate.openvpn.net/scripts/post_auth_ip_address_checking.py):

    wget https://swupdate.openvpn.net/scripts/post_auth_ip_address_checking.py -O /root/ip.py1

    1

    This saves the script to the /root/ directory with the name ip.py.

    Tip

    If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.

  4. (Optional) Edit the script for your specific needs:

    nano /root/ip.py

    • Make your changes to the script, then save and exit.

  5. Load the script into the Access Server configuration and reload Access Server:

    cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/ip.py ConfigPut
./sacli start

Important

When you change the ip.py file, you must use the above commands to load the script again and reload Access Server.

Optional: Uninstall the script

After you’ve loaded the script into the configuration database, you can remove it, if needed, using the following commands.

cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post_auth_script ConfigDel
./sacli start

Note

This action doesn't remove the IP addresses already saved in the database, but Access Server will ignore these. You can clean those up manually if you wish with the sacli command, and we provide instructions for that in the next section.

Optional: Unregister or reset an IP address

If the user account is being used from another IP address or the IP address has changed, you need to remove the IP address stored and locked for that particular user. You can use the following commands to remove the saved value for the user "exampleuser" and reload the server.

Remove saved IP address for exampleuser:

cd /usr/local/openvpn_as/scripts
./sacli -u "exampleuser" -k "pvt_clientip" UserPropDel
./sacli start

Optional: Manually register IP addresses

If you want to register IP addresses manually, you can turn off the automatic IP address registration and then manually register them from the command-line interface.

  1. Open the script for editing:

    nano /root/ip.py

  2. Edit the first_login_ip_address parameter and set it to NONE or DISABLED (either works fine):

    first_login_ip_addr = "NONE"

    or

    first_login_ip_addr = "DISABLED"

  3. Save and exit the script.

  4. Reload the script and restart the Access Server service:

    cd /usr/local/openvpn_as/scripts
./sacli --key "auth.module.post_auth_script" --value_file=/root/ip.py ConfigPut
./sacli start

    • When users sign in, they will be denied access until you register their IP address.

  5. Manually register a user's IP address. For our command, "exampleuser" is the user account name, and 192.0.2.13 is the client's IP address:

    cd /usr/local/openvpn_as/scripts
./sacli -u "exampleuser" -k "pvt_clientip" -v "192.0.2.13" UserPropPut
./sacli start

    Tip

    Depending on your authentication system, you may need to pay attention to lowercase/uppercase with the username.

Troubleshoot with log files

The post-auth script outputs information to the log file, /var/log/openvpnas.log , on most Access Server setups. You can review the log to help you troubleshoot if you encounter issues.

Filter for specific log messages from post-auth:

egrep "POST_AUTH" /var/log/openvpnas.log

Note

You can also edit the ip.py file on your server and add print lines to it to dump more information into the log file.

In this section:
See also: