In this recipe, we will use very simple up and down scripts on the client side to show how OpenVPN calls these scripts. By logging messages to a file, as well as the environment variables, we can easily see which information OpenVPN provides to the up and down scripts.
Set up the client and server certificates using the Setting up the public and private keys recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running Fedora 22 Linux and OpenVPN 2.3.10. The client was running Windows 7 64 bit and OpenVPN 2.3.10. Keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.
[root@server]# openvpn --config basic-udp-server.conf
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca   "c:/program files/openvpn/config/ca.crt"
cert "c:/program files/openvpn/config/client2.crt"
key  "c:/program files/openvpn/config/client2.key"
tls-auth "c:/program files/openvpn/config/ta.key" 1
remote-cert-tls server
script-security 2
up   "c:\\program files\\openvpn\\scripts\\updown.bat"
down "c:\\program files\\openvpn\\scripts\\updown.bat"
Save the file as example5-1.ovpn. Note the backslashes: when specifying the ca, cert, key, and tls-auth directives, forward slashes can be used, but not for the up and down scripts!
Then create the updown.bat batch file in the C:\Program Files\OpenVPN\scripts directory:
@echo off
echo === BEGIN '%script_type%' script === >> c:\temp\openvpn.log
echo Script name: [%0] >> c:\temp\openvpn.log
echo Command line argument 1: [%1] >> c:\temp\openvpn.log
echo Command line argument 2: [%2] >> c:\temp\openvpn.log
echo Command line argument 3: [%3] >> c:\temp\openvpn.log
echo Command line argument 4: [%4] >> c:\temp\openvpn.log
echo Command line argument 5: [%5] >> c:\temp\openvpn.log
echo Command line argument 6: [%6] >> c:\temp\openvpn.log
echo Command line argument 7: [%7] >> c:\temp\openvpn.log
echo Command line argument 8: [%8] >> c:\temp\openvpn.log
echo Command line argument 9: [%9] >> c:\temp\openvpn.log
set >> c:\temp\openvpn.log
echo === END '%script_type%' script === >> c:\temp\openvpn.log
After the client successfully connects to the OpenVPN server, the c:\temp\openvpn.log log file will contain output similar to the following:
=== BEGIN 'up' script ===
Script name: ["c:\program files\openvpn\scripts\updown.bat"]
Command line argument 1: [Local Area Connection 2]
Command line argument 2: [1500]
Command line argument 3: [1541]
Command line argument 4: [10.200.0.2]
Command line argument 5: [255.255.255.0]
Command line argument 6: [init]
Command line argument 7: []
Command line argument 8: []
Command line argument 9: []
...
script_type=up
[dump of environment variables]
...
=== END 'up' script ===
When the client disconnects from the server, the script is called again with the exact same command-line parameters, but now script_type is set to down.
Note that the first command-line argument contains the name of the TUN device. On Linux and Mac OS systems, this will generally be tun0 or tun1, but on Windows platforms, it is the actual name of the TAP-Win32 adapter.
After the initial connection is made with the OpenVPN server, but before the VPN is fully established, the OpenVPN client calls the up script. If the up script returns with a non-zero exit code, the connection sequence is aborted.
Similarly, when the connection is shut down, the down script is executed after the VPN connection has been stopped.
Note the use of the double backslashes (\\) in the up and down directives: OpenVPN translates the backslash character internally and hence it needs to be specified twice. The backslash between c:\\program and files is required, as otherwise OpenVPN cannot find the up and down scripts.
In this section, we will see some more advanced tricks when using the up and down scripts, including a sample script to verify the remote hostname of a VPN server.
The script used in this recipe merely writes out all the environment variables to a file. These environment variables contain useful information about the remote server, such as the common_name of the server certificate. An extension to this script would be to check whether the certificate's common_name matches the remote hostname. The IP address of the remote host is available as trusted_ip.
The down script is executed after the actual connection to the OpenVPN server has been stopped. It is also possible to execute the script during the disconnect phase, before the connection to the server is dropped. To do this, add the following directive to the client configuration file:
down-pre
A more advanced usage of an up script would be to verify that the remote hostname matches the remote IP address, similar to the way that a web browser verifies the address of secure websites. On Linux systems, this can easily be done using a shell script as an up script:
#!/bin/bash
# reverse DNS lookup of the server address; strip the trailing dot from the PTR name
server_name=$(host "$untrusted_ip" | sed -n 's/.*name pointer \(.*\)\./\1/p')
# abort the connection (non-zero exit) if the certificate CN does not match
if [ "$server_name" != "$common_name" ]
then
  echo "Server certificate does not match hostname."
  echo "Aborting"
  exit 1
fi
But on Windows, this is trickier to achieve without resorting to tools such as PowerShell or Cygwin.
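The following script is an added example, not code from the OpenVPN Cookbook. It combines the two ideas of this recipe for a Linux client: one script serves as both up and down handler by dispatching on script_type (logging the positional arguments OpenVPN passes, as updown.bat does), and in the up case it checks the certificate common_name against the PTR record of trusted_ip. Unlike the short bash version, it parses the host(1) output in a separate function so the NXDOMAIN case and mixed-case DNS names are handled explicitly, and it uses trusted_ip (the authenticated peer address) rather than untrusted_ip. The log file path, the script location in the assumed up/down directives, and the function names are assumptions; the host output lines used for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the OpenVPN Cookbook). Assumed client directives:
#   script-security 2
#   up   /etc/openvpn/scripts/updown-check.sh
#   down /etc/openvpn/scripts/updown-check.sh
#   down-pre   (optional: run the down handler before the tunnel is torn down)
# Hypothetical log file location:
LOGFILE="${OPENVPN_UPDOWN_LOG:-/tmp/openvpn-updown.log}"

# ptr_name RAW_HOST_OUTPUT
# Extract the first PTR target from the stdout of `host <ip>`, drop the
# trailing dot and lower-case it (DNS names are case-insensitive).
# Prints nothing when there is no "domain name pointer" line (e.g. NXDOMAIN).
ptr_name() {
    printf '%s\n' "$1" \
        | sed -n 's/.*domain name pointer \(.*\)\.$/\1/p' \
        | head -n 1 \
        | tr 'A-Z' 'a-z'
}

# server_name_matches COMMON_NAME RAW_HOST_OUTPUT
# Returns 0 when the certificate CN equals the reverse-DNS name of the peer
# (case-insensitively), 1 when they differ or no PTR record exists.
server_name_matches() {
    _cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _name=$(ptr_name "$2")
    [ -n "$_name" ] && [ "$_name" = "$_cn" ]
}

# log MESSAGE...  (timestamped, tagged with the current script_type)
log() {
    printf '%s [%s] %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "${script_type:-none}" "$*" >> "$LOGFILE"
}

# OpenVPN passes: $1 dev, $2 tun_mtu, $3 link_mtu, $4 local IP, $5 netmask,
# $6 init|restart (the same values updown.bat prints as arguments 1-6).
case "${script_type:-}" in
    up)
        log "dev=$1 tun_mtu=$2 link_mtu=$3 ip=$4 mask=$5 state=$6 peer=${trusted_ip:-?} cn=${common_name:-?}"
        # Reverse lookup of the authenticated peer; a failed lookup must not
        # kill the script before we have logged the reason for aborting.
        reverse=$(host "$trusted_ip" 2>&1) || true
        if ! server_name_matches "$common_name" "$reverse"; then
            log "ABORT: common_name '$common_name' does not match PTR of $trusted_ip ('$(ptr_name "$reverse")')"
            exit 1   # non-zero exit aborts the connection sequence
        fi
        log "server name verified against reverse DNS"
        ;;
    down)
        log "dev=$1 state=$6 tunnel going down"
        ;;
    "")
        : # not invoked by OpenVPN (script_type unset): define functions only
        ;;
esac
```

With down-pre in the client configuration, the down branch runs while the tunnel interface still exists, which is what you want if the handler needs to reach anything through the VPN; without it, the branch runs after the interface is gone. The check deliberately treats "no PTR record" as a mismatch rather than a pass, so a server whose address has no reverse entry is rejected instead of silently accepted.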