This recipe will demonstrate how to set up a learn-address
script that is executed on the server side when there is a change in the address of a connecting client. Learn-address scripts can be used to dynamically set up firewalling rules for specific clients or to adjust routing tables.
In this recipe, we will use a learn-address
script to open up a firewall and to set up masquerading for a client. When the client disconnects, the firewall is closed again and the iptables
masquerading rule is removed.
Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running Fedora 22 Linux and OpenVPN 2.3.10, and the client was running Windows 7 64 bit and OpenVPN 2.3.10. For the client, keep the client configuration file, basic-udp-client.ovpn
, from the Using an ifconfig-pool block recipe, from Chapter 2, Client-server IP-only Networks.
proto udp port 1194 dev tun server 10.200.0.0 255.255.255.0 ca /etc/openvpn/cookbook/ca.crt cert /etc/openvpn/cookbook/server.crt key /etc/openvpn/cookbook/server.key dh /etc/openvpn/cookbook/dh2048.pem tls-auth /etc/openvpn/cookbook/ta.key 0 persist-key persist-tun keepalive 10 60 topology subnet daemon log-append /var/log/openvpn.log script-security 2 learn-address /etc/openvpn/cookbook/example5-3-learn-address.sh push "redirect-gateway def1"
example5-3-server.conf
. Note that this server configuration file does not have the lines user nobody
and group nobody
(nor group nogroup
).learn-address
script:#!/bin/bash # $1 = action (add, update, delete) # $2 = IP or MAC # $3 = client_common name if [ "$1" = "add" ] then /sbin/iptables -I FORWARD -i tun0 -s $2 -j ACCEPT /sbin/iptables -I FORWARD -o tun0 -d $2 -j ACCEPT /sbin/iptables -t nat -I POSTROUTING -s $2 -o wlan0 -j MASQUERADE elif [ "$1" = "delete" ] then /sbin/iptables -D FORWARD -i tun0 -s $2 -j ACCEPT /sbin/iptables -D FORWARD -o tun0 -d $2 -j ACCEPT /sbin/iptables -t nat -D POSTROUTING -s $2 -o wlan0 -j MASQUERADE fi
example5-3-learn-address.sh
.[root@server]# chmod 755 example5-3-learn-address.sh [root@server]# openvpn --config example5-3-server.conf
iptables
firewall rules on the server:[root@server]# iptables -L FORWARD -n -v Chain FORWARD (policy ACCEPT 4612K packets, 1761M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * tun0 0.0.0.0/0 10.200.0.2 0 0 ACCEPT all -- tun0 * 10.200.0.2 0.0.0.0/0 [root@server]# iptables -t nat -L POSTROUTING -n -v Chain POSTROUTING (policy ACCEPT 336K packets, 20M bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * wlan0 10.200.0.2 0.0.0.0/0
iptables
rules have been removed.When a client connects to the OpenVPN server or disconnects from it, the OpenVPN server executes the learn-address
script with several command-line arguments:
$1
: Action (add, update, delete).$2
: IP or MAC. For tun-based networks, this is the client IP address. For tap-based networks, this is the client (virtual) MAC address.$3
: client_common
name.In this recipe, the learn-address
script is used to open up the firewall for the connecting client and to set up the masquerading rules for the client so that the clients can reach the other machines on the server-side LAN.
In the following section, some details of the use of the user nobody
directive and the update
action of the learn-address
script are given.
As stated earlier, this server configuration does not include the following lines:
user nobody group nobody
Or, on some Linux distributions, it can be as follows:
group nogroup
If we had added these lines, then the OpenVPN server process would be running as user nobody
. This user does not have the required rights to open and close firewall ports using iptables
, hence they were removed in this example.
The learn-address
script is also called when the OpenVPN server detects an address change on the client side. This can happen most often in a TAP-based network when an external DHCP server is used. The learn-address
script can then adjust routing tables or firewalling rules based on the new client IP address, using the update
action.
Another method to generate a learn-address update
action is by triggering a soft-reset of the server; for example, by sending a USR1 signal to the server process. This will cause all clients to reconnect, this time triggering an update
action.
18.117.229.33