[Clug-tech] OpenVPN scripting

John Jardine john_e_jardine at spamcop.net
Thu Mar 12 06:01:02 PDT 2009 

Hi Shawn,

What are the permissions and ownership of
route-up /home/sgrover/Documents/vpn/setup
down /home/sgrover/Documents/vpn/teardown?

I'm guessing you're running your OpenVPN server as root.  If those
scripts are writable by other than root that may be triggering the
problem.

Cheers,
J.J.


On Thu, 2009-03-12 at 05:15 -0600, Shawn Grover wrote:
> Hi All.
> 
> I've searched Google for quite a while on this and am not finding the 
> magic bullet.  I'm trying to execute a script after the VPN connection 
> is up, and another when the connection ends.
> 
> I'm connecting manually with "openvpn --config myconfig.opvn".  My 
> config file looks like this:
> 
> #OpenVPN Server conf
> tls-client
> client
> dev tun
> proto udp
> tun-mtu 1400
> remote 111.222.111.222 1194
> pkcs12 /home/sgrover/Documents/vpn/mykeyfile.p12
> cipher BF-CBC
> verb 3
> ns-cert-type server
> route-up /home/sgrover/Documents/vpn/setup
> down /home/sgrover/Documents/vpn/teardown
> 
> The last two lines seem like the *should* work.  The setup script works 
> fine if I run it manually.  But putting it into the config file fails. 
> I've tried "up" and "route-up" here with similar results.  I'm seeing 
> the following in the output:
> 
> openvpn_execve: external program may not be called due to setting of 
> --script-security level
> Route script failed: external program fork failed
> 
> I see this for both the up and down scripts.
> 
> I found a reference that suggested I had to "return control to openvpn 
> immediately after calling my script", and this hinted that the 
> setup/teardown scripts should call a second script then exit.  I revised 
>   my setup script to be something like this:
> 
> #!/bin/bash
> /home/sgrover/Documents/vpn/doSetup &
> 
> But that made no difference.
> 
> The idea here is to mount remote directories when the VPN connection is 
> made, and unmount them when the VPN goes away.
> 
> Any tips/suggestions?  Thanks.
> 
> Shawn
> 
> _______________________________________________
> clug-tech mailing list
> clug-tech at clug.ca
> http://clug.ca/mailman/listinfo/clug-tech_clug.ca

More information about the clug-tech mailing list