OpenVPN and client-connect scripts

debian-wheezyopenvpn

I have an OpenVPN server (2.3.2) on Debian Wheezy operating in bridged mode. Everything's working fine in terms of the client connecting and getting access to the network(s) it needs.
Im trying to add a few bells and whistles through use of the client-connect option. This is the pertinent part of the openvpn config file:

script-security 3 system
client-connect /etc/openvpn/scripts/clientconnect.sh

In an attempt to check that the script is actually run, clientconnect.sh
consists of this:

#!/bin/bash
echo "testing">>/etc/openvpn/scripts/test
exit 0

Simple enough.

If I run the script from the command line, as expected "testing" is appended
to /etc/openvpn/scripts/test every time, and 0 returned.

When I connect from my client, then I get a "testing" in
/etc/openvpn/scripts/test. Great!

But when I disconnect, and connect again, I don't get another "testing"

So, to check its actually being run I changed the exit value in clientconnect.sh to 1

sure enough, every attempt to connect from the client then failed because
the script returns a non 0 value.

Why does it look like the script isn't being run?

BTW, if I restart the openvpn service on the server then I get "testing" once
more, but again, nothing is written on subsequent connections.

Any pointers / Help / Mystic Incantations are all gratefully received!
Dylan

Best Answer

OpenVPN is made to be very resilient to network outages (and it really excells at it), so unless you have something like explicit-exit-notify [n] in your client's configuration, disconnecting that client will look like a network outage to the server.

Then, depending on how you did configue timeouts/keepalives etc, it could be a hefly amount of time before the server decides the client is really gone. You might just have not reached this condition in your tests.

A way to verify this is to enable the management interface in your server then do telnet localhost 1194 there and verify the client is really disconnected — after disconnecting on the client side — by executing the "status" command and inspecting its output.

Another, more low-tech, approach to testing this is hooking a script to the client-disconnect event and see whether it runs when the client disconnects.

Related Solutions

OpenVPN: ERROR: could not read Auth username from stdin

Have you tried providing the script-security 3 option to allow openvpn to run external programs?

Although a better solution for requesting a password would probably be to setup OpenVPN to listen on a management port and to be hold. You can write a script/interface that will collect the credentials from the user and then you can make a socket connection and provide the credentials and release the hold.

OpenVPN – Configure Multiple Clients on the Same Host

You would need to elaborate somewhat further what it is you are trying to do. A rough sketch with IP addresses of the hosts involved and a listing of your routing table(s) would help a lot understanding your problem.

my server doesn't seem to configure the tun0 device properly

It is possible for an ifconfig command to fail - maybe you should check the logs for that and post the relevant excerpts.

I want to set up the dual client box such that a computer whose gateway is set to eth0:0 gets all their traffic routed through one OpenVPN tunnel, and a computer whose gateway is set to eth0:1 gets all their traffic routed through a different OpenVPN tunnel

ip rule add from $IP_ETH00 table us_table

That's probably not the best way to achieve what you really want - which seems to be different routes for different clients. While it is possible to add iptables -t mangle rules to mark packets for different criteria, there would be no set of criteria being able to distinguish between eth0:0 and eth0:1 as the input interface (which is due to the way IP aliasing is implemented).

What you can do however is simply set up something like

ip rule add from <ip-of-your-client-for-the-us-table> table us_table

which would eliminate the need for IP aliases in your configuration entirely since the routing decision would be done based on source and destination IP addresses, no matter which interface the packet came in at.

copy_routing_table "us_table"

You've omitted the source of copy_routing_table - if it does what I suspect it does, you would end up with your entire main routing table in us_table. If your main routing table already contains routes potentially conflicting with what you're defining in the script, you might end up using them instead of your newly-added routes. This is especially a concern since you are adding a new default route in your up-script:

 ip route add default via $4 table us_table

As you already have a default route in your "main" table and add another one "via $4" (which is wrong BTW, as $4 would represent a local IP address of the router's own tun interface - you should use "dev $1" instead) without deleting the old route. You should prepend ip route del default table us_table here - and probably something similar for the other routes you add as well.

And this here:

From 192.168.1.133: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.1)

is a message from 192.168.1.133 which is getting the packet for 98.137.149.56 (yahoo.com) and routing it out through 192.168.1.1. Since 192.168.1.133 knows (by evaluation of the interface netmask) that your host is in the same network as 192.168.1.1, you get notified to use 192.168.1.1 directly in the first place.

Best Answer

Related Solutions

OpenVPN: ERROR: could not read Auth username from stdin

OpenVPN – Configure Multiple Clients on the Same Host

Related Topic