Using a learn-address script

This recipe will demonstrate how to set up a learn-address script that is executed on the server side when there is a change in the address of a connecting client. Learn-address scripts can be used to dynamically set up firewalling rules for specific clients or to adjust routing tables.

In this recipe, we will use a learn-address script to open up a firewall and to set up masquerading for a client. When the client disconnects, the firewall is closed again and the iptables masquerading rule is removed.

Getting ready

Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running Fedora 22 Linux and OpenVPN 2.3.10, and the client was running Windows 7 64 bit and OpenVPN 2.3.10. For the client, keep the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe, from Chapter 2Client-server IP-only Networks.

How to do it...

  1. Create the server configuration file:
            proto udp 
            port 1194 
            dev tun 
     
            server 10.200.0.0 255.255.255.0 
     
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/server.crt 
            key      /etc/openvpn/cookbook/server.key 
            dh       /etc/openvpn/cookbook/dh2048.pem 
            tls-auth /etc/openvpn/cookbook/ta.key 0 
     
            persist-key 
            persist-tun 
            keepalive 10 60 
     
            topology subnet 
     
            daemon 
            log-append /var/log/openvpn.log 
            script-security 2 
            learn-address /etc/openvpn/cookbook/example5-3-learn-address.sh 
            push "redirect-gateway def1" 
    
  2. Save it as example5-3-server.conf. Note that this server configuration file does not have the lines user nobody and group nobody (nor group nogroup).
  3. Next, create the learn-address script:
            #!/bin/bash 
     
            # $1 = action (add, update, delete) 
            # $2 = IP or MAC 
            # $3 = client_common name 
     
            if [ "$1" = "add" ] 
            then 
                /sbin/iptables -I FORWARD -i tun0 -s $2 -j ACCEPT 
                /sbin/iptables -I FORWARD -o tun0 -d $2 -j ACCEPT 
                /sbin/iptables -t nat -I POSTROUTING -s $2 -o wlan0 -j 
                MASQUERADE 
            elif [ "$1" = "delete" ] 
            then 
                /sbin/iptables -D FORWARD -i tun0 -s $2 -j ACCEPT 
                /sbin/iptables -D FORWARD -o tun0 -d $2 -j ACCEPT 
                /sbin/iptables -t nat -D POSTROUTING -s $2 -o wlan0 -j 
                MASQUERADE 
            fi 
    
  4. Save this file as example5-3-learn-address.sh.
  5. Make sure that the script is executable and start the OpenVPN server:
    [root@server]# chmod 755 example5-3-learn-address.sh
    [root@server]# openvpn --config example5-3-server.conf
    
  6. Start the client using the Windows GUI using the basic configuration file:
    How to do it...
  7. After the client connects to the server, check the iptables firewall rules on the server:
            [root@server]# iptables -L FORWARD -n -v 
            Chain FORWARD (policy ACCEPT 4612K packets, 1761M bytes) 
             pkts bytes target     prot opt in     out     source                       destination 
                0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0                    10.200.0.2 
                0     0 ACCEPT     all  --  tun0   *       10.200.0.2                0.0.0.0/0 
     
            [root@server]# iptables -t nat -L POSTROUTING -n -v 
            Chain POSTROUTING (policy ACCEPT 336K packets, 20M bytes) 
             pkts bytes target     prot opt in     out     source                       destination 
                0     0 MASQUERADE  all  --  *      wlan0   10.200.0.2                0.0.0.0/0 
    
  8. Disconnect the client, wait for a few minutes, and then verify that the iptables rules have been removed.

How it works...

When a client connects to the OpenVPN server or disconnects from it, the OpenVPN server executes the learn-address script with several command-line arguments:

  • $1: Action (add, update, delete).
  • $2: IP or MAC. For tun-based networks, this is the client IP address. For tap-based networks, this is the client (virtual) MAC address.
  • $3client_common name.

In this recipe, the learn-address script is used to open up the firewall for the connecting client and to set up the masquerading rules for the client so that the clients can reach the other machines on the server-side LAN.

There's more...

In the following section, some details of the use of the user nobody directive and the update action of the learn-address script are given.

User nobody

As stated earlier, this server configuration does not include the following lines:

user nobody 
group nobody 

Or, on some Linux distributions, it can be as follows:

group 
nogroup 

If we had added these lines, then the OpenVPN server process would be running as user nobody. This user does not have the required rights to open and close firewall ports using iptables, hence they were removed in this example.

The update action

The learn-address script is also called when the OpenVPN server detects an address change on the client side. This can happen most often in a TAP-based network when an external DHCP server is used. The learn-address script can then adjust routing tables or firewalling rules based on the new client IP address, using the update action.

Another method to generate a learn-address update action is by triggering a soft-reset of the server; for example, by sending a USR1 signal to the server process. This will cause all clients to reconnect, this time triggering an update action.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.229.33