Hi, I am using the “user_connect” callback of a Pritunl plugin, as described here (Plugins), to check the client “mac_addr”.
Pritunl server version: v1.30.3333.72 18395a
Pritunl client version: v1.3.3477.58
Establishing the connection works fine. Also the “user_connect” callback of my plugin is called as expected.
However, the “mac_addr” passed as a parameter to the “user_connect” callback appears to be the first MAC address found in the client’s list of network interfaces.
Pritunl client runs on an M1 MacBook. These are the network interfaces with MAC addresses
The user_connect plugin currently only sends one MAC address. The next release will include all the MAC addresses. The Pritunl server will check all MAC addresses for the MAC address verification. Only connections using HTTP authentication include the MAC address list. This would include all WireGuard connections and OpenVPN connections with either single sign-on connection authentication or dynamic firewall.
Thanks for the swift reply and the great news Zach!
I noticed there are actually two user_connect event callbacks: one with the first MAC address (in my case, of the interface anpi1) and another one for interface en0.
I did not notice this because my plugin was returning False in user_connect on the first callback. Looking at the parameters passed to user_connect, the arguments only differ in the mac_addr and the password (which is empty for anpi1 and not empty for en0).
(I am using Google Workspace SSO for authentication.)
Do you know the reason for the two calls to user_connect? I am wondering whether I could use the presence of the password argument to get to the right MAC address until the Pritunl client and server pass all MAC addresses.
There is more information in the plugin documentation. The server will wait for a response from user_connect to determine if the user will have access. The server does not wait for a response from user_connection.
For some configurations, the authentication will be called multiple times. For an OpenVPN connection with connection single sign-on, the client will authenticate with the Pritunl web server to obtain an authentication token. The token is then used when connecting with OpenVPN, which will go through the authentication process again, substituting the password with a token.
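
An added example, not code from this thread or from Pritunl: a `user_connect` plugin that checks the single reported `mac_addr` against a per-user allowlist and gives the same answer on every call for a connection. It assumes the callback is invoked with keyword arguments and returns an `(allow, reason)` tuple; `ALLOWED_MACS`, `normalize_mac` and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample data: every interface MAC of each enrolled device, keyed
# by user name, so the decision does not depend on which interface the client
# happens to report.
ALLOWED_MACS = {
    "alice": {"02:00:00:00:00:01", "02:00:00:00:00:02"},
}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff, or None if value is not a 48-bit MAC."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[:\-.]", "", value.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def user_connect(user_name=None, mac_addr=None, **kwargs):
    """Synchronous callback: the server waits for this result.

    Assumed contract: return (allow, reason). The decision uses only
    user_name and mac_addr, never the password, so the repeated call in
    which a token replaces the password is evaluated the same way.
    """
    mac = normalize_mac(mac_addr)
    if mac is None:
        # Fail closed: no usable address was reported for this attempt.
        return False, "No valid MAC address reported"
    if mac not in ALLOWED_MACS.get(user_name, set()):
        return False, "MAC address not enrolled for this user"
    return True, None
```

The reported address is supplied by the client, so this check narrows which enrolled devices may connect but does not replace the user's authentication.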