Pritunl client sends first MAC address instead of all active ones

Hi! I am using the “user_connect” callback of a Pritunl plugin, as described in the Plugins documentation, to check the client “mac_addr”.

Pritunl server version: v1.30.3333.72 18395a
Pritunl client version: v1.3.3477.58

Establishing the connection works fine. Also the “user_connect” callback of my plugin is called as expected.

However, the “mac_addr” passed as a parameter to the “user_connect” callback appears to be the first MAC address found in the client’s list of network interfaces.

The Pritunl client runs on an M1 MacBook. These are the network interfaces with MAC addresses:

anpi1 # inactive, virtual USB-C DRD device
anpi0 # inactive, virtual USB-C DRD device
en9 # inactive
en10 # inactive
en1 # inactive
en2 # inactive
bridge0 # inactive
ap1 # inactive
en0 # ACTIVE, wifi connection
awdl0 # ACTIVE, airdrop
llw0 # inactive

The Pritunl client sends the MAC address of anpi1 to the Pritunl server. I believe this is because of this assignment here: pritunl-client-electron/profile.go at master · pritunl/pritunl-client-electron · GitHub

I was wondering why the Pritunl client does not send the MAC addresses of all active network interfaces instead?

This would make it possible to verify the mac address of a connecting client on the current active network interfaces in use.

Thank you, BR
Stefan

The user_connect plugin currently only sends one MAC address. The next release will include all the MAC addresses. The Pritunl server will check all MAC addresses for the MAC address verification. Only connections using HTTP authentication include the MAC address list. This would include all WireGuard connections and OpenVPN connections with either single sign-on connection authentication or dynamic firewall.

Thanks for the swift reply and the great news Zach!

I noticed there are actually two user_connect event callbacks. One with the first mac address (in my case of the interface anpi1) and another one for interface en0.

I did not notice this as my plugin was returning False in user_connect on the first callback. Looking at the parameters passed to user_connect, the arguments only differ in

  • the mac_addr and
  • the password (which is empty for anpi1 and not empty for en0)

(I am using Google Workspace SSO for authentication.)

Do you know the reason for the two calls to user_connect? I am wondering whether I could use the presence of the password argument to get to the right mac address until pritunl client and server pass all mac addresses.

There is more information in the plugin documentation. The server will wait for a response from user_connect to determine if the user will have access. The server does not wait for a response from user_connection.
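The thread establishes two things a plugin author needs: the server waits for user_connect's return value to grant or deny access, and the client will move from sending a single mac_addr to sending all MAC addresses. The sketch below is an added example, not Pritunl's own code or plugin API; the allowlist is constructed sample data, the `user_name` keyword and the `mac_addrs` list keyword are assumptions (the real callback carries more parameters, and the name of the future list parameter is not given in the thread).

```python
import re

# Constructed sample allowlist: user name -> permitted MAC addresses.
# A real plugin would load this from a file or directory service.
ALLOWED_MACS = {
    "stefan": {"aa:bb:cc:dd:ee:01"},
}


def normalize_mac(mac):
    """Return a MAC as lower-case, colon-separated hex, or None if malformed.

    Clients and tools disagree on separators ("-", ".", ":") and case, so the
    allowlist comparison must happen on a canonical form."""
    if not mac:
        return None
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(cleaned) != 12:
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_allowed(user_name, mac_addrs, allowlist=ALLOWED_MACS):
    """True if any supplied MAC address is on the user's allowlist.

    Accepts either one MAC string (current client behaviour: the first
    interface's address) or an iterable of MACs (the announced behaviour:
    all interfaces), so the same check works across both releases."""
    if isinstance(mac_addrs, str):
        mac_addrs = [mac_addrs]
    permitted = allowlist.get(user_name, set())
    for mac in mac_addrs or []:
        norm = normalize_mac(mac)
        if norm is not None and norm in permitted:
            return True
    return False


def user_connect(**kwargs):
    """Plugin callback sketch; the server denies the connection when this
    returns False. Parameter names other than mac_addr are assumptions."""
    user_name = kwargs.get("user_name")
    # "mac_addrs" is an assumed name for the future list; fall back to mac_addr.
    macs = kwargs.get("mac_addrs") or kwargs.get("mac_addr")
    return mac_allowed(user_name, macs)
```

Note that an unknown user or a malformed MAC falls through to False, so a missing allowlist entry fails closed rather than open.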

This is what I’d expect, yes. But why does the user_connect method get called twice, once without and once with password set?

For some configurations the authentication will be called multiple times. For an OpenVPN connection with connection single sign-on the client will authenticate with the Pritunl web server to obtain an authentication token. The token is then used when connecting with OpenVPN which will go through the authentication process again substituting the password with a token.

Thank you!