With all the possible scripts that can be configured on the OpenVPN server, it becomes important to determine the order in which these scripts are executed. In this recipe, we will find out what the order is, as well as the command-line parameters for each of these scripts.
Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10, and the client was running Fedora 22 and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks. For the client, keep the client configuration file from the previous recipe at hand.
Add the following lines to the server configuration file basic-udp-server.conf:

script-security 2
cd /etc/openvpn/cookbook
up example5-6-script.sh
route-up example5-6-script.sh
down example5-6-script.sh
client-connect example5-6-script.sh
client-disconnect example5-6-script.sh
learn-address example5-6-script.sh
tls-verify example5-6-script.sh
auth-user-pass-verify example5-6-script.sh via-env

Save it as example5-6-server.conf. Next, create the single script that every one of these hooks points to:

#!/bin/bash
# Append everything this script prints (stdout and stderr) to one log file
exec >> /tmp/example5-6.log 2>&1
# OpenVPN sets $script_type to the name of the hook that is being run
date +"%H:%M:%S: START $script_type script ==="
# Record the command-line parameters and the user the hook runs as
echo "argv = $0 $@"
echo "user = `id -un`/`id -gn`"
date +"%H:%M:%S: END $script_type script ==="

Save it as example5-6-script.sh, make it executable, and start the server:

[root@server]# chmod 755 example5-6-script.sh
[root@server]# openvpn --config example5-6-server.conf

Then connect the client:

[root@client]# openvpn --config example5-5-client.conf
The Auth username and password can be chosen arbitrarily, as they are not used.
A log file will be created in /tmp/example5-6.log, parts of which are shown here:

13:34:45: START up script ===
13:34:45: START route-up script ===
13:36:26: START tls-verify script ===
18:36:26: START tls-verify script ===
18:36:27: START user-pass-verify script ===
18:36:27: START client-connect script ===
18:36:27: START learn-address script ===
argv = example5-6-script.sh add 10.200.0.2 client1
18:37:14: START client-disconnect script ===
18:37:20: START learn-address script ===
argv = example5-6-script.sh delete 10.200.0.2
18:37:20: START down script ===
There are many script hooks built into OpenVPN. When the OpenVPN server starts up and when a client connects and then disconnects, these scripts are executed one by one. The order (for OpenVPN 2.3) is as follows:
1. up script as user root.
2. route-up script as user root; afterwards, root privileges are dropped and OpenVPN switches to the user nobody as specified in the server configuration.
3. tls-verify script. The CA certificate that was used to sign the client certificate is passed for verification.
4. tls-verify script. The client certificate itself is passed.
5. user-pass-verify script.
6. client-connect script.
7. learn-address script with the action add.

At this point, the client has successfully established a VPN connection. Now, when the client disconnects:

1. client-disconnect script.
2. learn-address script with the action delete.

And when the server shuts down:

1. down command; note that this is run as the user nobody!

When writing scripts, it is very important to keep the script execution time in mind. The design of OpenVPN 2 is very monolithic: everything (except plugins, which we will come to later in this chapter) is run under a single thread. This means that while a script is executing, the whole OpenVPN server is temporarily unavailable for all other clients: the routing of packets stops, other clients cannot connect or disconnect, and even the management interface will not respond. So, it is very important to ensure that all the server-side scripts execute very quickly.
This design flaw has been recognized, but it is not expected that there will be a major change until the arrival of OpenVPN 3.
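To make that execution-time caveat measurable, here is an added example (not from the book) that reports how long each hook ran, in execution order, from the START/END lines that example5-6-script.sh writes; the log it analyzes is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-hook timing from an example5-6.log style file.
# Every second a hook runs is a second during which the single-threaded
# OpenVPN 2 server serves nobody else, so slow hooks are worth flagging.

# Constructed sample log (not real server output) in the format written
# by example5-6-script.sh; the client-connect hook is deliberately slow.
write_sample_log() {
    cat > "$1" <<'EOF'
13:34:45: START up script ===
user = root/root
13:34:45: END up script ===
13:34:45: START route-up script ===
13:34:45: END route-up script ===
13:36:26: START tls-verify script ===
13:36:26: END tls-verify script ===
13:36:26: START tls-verify script ===
13:36:26: END tls-verify script ===
13:36:27: START user-pass-verify script ===
13:36:27: END user-pass-verify script ===
13:36:27: START client-connect script ===
13:36:31: END client-connect script ===
13:36:31: START learn-address script ===
argv = example5-6-script.sh add 10.200.0.2 client1
user = nobody/nobody
13:36:31: END learn-address script ===
EOF
}

# hook_durations LOGFILE [LIMIT]
# Prints one "hook seconds" line per START/END pair, in execution order,
# and appends SLOW when the hook ran longer than LIMIT seconds (default 1).
hook_durations() {
    awk -v limit="${2:-1}" '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        $2 == "START" { start[$3] = secs($1) }
        $2 == "END" && ($3 in start) {
            d = secs($1) - start[$3]
            if (d < 0) d += 86400            # hook ran across midnight
            printf "%s %d%s\n", $3, d, (d > limit ? " SLOW" : "")
            delete start[$3]
        }' "$1"
}

# Stand-alone run: ./hooktime.sh --demo writes the sample log and reports on it
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && hook_durations "$tmp"; rm -f "$tmp"
fi
```

Point hook_durations at the real /tmp/example5-6.log to see which hooks are blocking the server in your own setup.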