Script order

With all the possible scripts that can be configured on the OpenVPN server, it becomes important to determine the order in which these scripts are executed. In this recipe, we will find out what the order is, as well as the command-line parameters for each of these scripts.

Getting ready

Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10, and the client was running Fedora 22 and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks. For the client, keep the client configuration file from the previous recipe at hand.

How to do it...

  1. Append the following lines to the server configuration file, basic-udp-server.conf (every hook points at the same script, which is created in step 3):
            script-security 2
            cd /etc/openvpn/cookbook
            up                      example5-6-script.sh
            route-up                example5-6-script.sh
            down                    example5-6-script.sh
            client-connect          example5-6-script.sh
            client-disconnect       example5-6-script.sh
            learn-address           example5-6-script.sh
            tls-verify              example5-6-script.sh
            auth-user-pass-verify   example5-6-script.sh via-env

  2. Save it as example5-6-server.conf.
  3. Create the following script:
            #!/bin/bash

            # Append everything this script prints to one shared log file
            exec >> /tmp/example5-6.log 2>&1
            # $script_type is exported by OpenVPN and names the hook being run
            date +"%H:%M:%S: START $script_type script ==="
            echo "argv = $0 $@"
            echo "user = $(id -un)/$(id -gn)"
            date +"%H:%M:%S: END $script_type script ==="

  4. Save it as example5-6-script.sh.
  5. Make sure that the script is executable and then start the server:
    [root@server]# chmod 755 example5-6-script.sh
    [root@server]# openvpn --config example5-6-server.conf
    
  6. Next, start the client:
    [root@client]# openvpn --config example5-5-client.conf
    

    The auth username and password can be chosen arbitrarily, as the script does not check them.

  7. After successfully connecting to the server, disconnect the client and wait for a few minutes until the server recognizes that the client has disconnected. Now, stop the OpenVPN server as well.

    A log file will be created in /tmp/example5-6.log, parts of which are shown here:

            13:34:45: START up script === 
            13:34:45: START route-up script === 
            13:36:26: START tls-verify script === 
            18:36:26: START tls-verify script === 
            18:36:27: START user-pass-verify script === 
            18:36:27: START client-connect script === 
            18:36:27: START learn-address script === 
            argv = example5-6-script.sh add 10.200.0.2 client1 
            18:37:14: START client-disconnect script === 
            18:37:20: START learn-address script === 
            argv = example5-6-script.sh delete 10.200.0.2 
            18:37:20: START down script === 
    

How it works...

There are many script hooks built into OpenVPN. When the OpenVPN server starts up and when a client connects and then disconnects, these scripts are executed one by one. The order (for OpenVPN 2.3) is as follows:

  • The up script as user root.
  • The route-up script as user root; afterwards, root privileges are dropped and OpenVPN switches to the user nobody as specified in the server configuration.
  • The tls-verify script. The CA certificate that was used to sign the client certificate is passed for verification.
  • The tls-verify script. The client certificate itself is passed.
  • The user-pass-verify script.
  • The client-connect script.
  • The learn-address script with the action add, followed by the client's VPN address and common name.

At this point, the client has successfully established a VPN connection. Now, when the client disconnects:

  • The client-disconnect script
  • The learn-address script with the action delete, followed by the client's VPN address

And when the server shuts down:

  • The down script; note that this is run as the user nobody, because root privileges were dropped right after the route-up script, so it cannot undo anything that up or route-up did as root!

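As an added example (not the cookbook's own script), the hooks listed above can all be served by one dispatcher that branches on the script_type variable OpenVPN exports; the depth argument of tls-verify, the add/update/delete arguments of learn-address and the $username variable supplied by via-env are OpenVPN conventions, while the allow-list path is this example's assumption.

```shell
#!/bin/bash
# Added dispatcher example (not the cookbook's own script): one file handles
# every hook in example5-6-server.conf, branching on the script_type variable
# that OpenVPN exports. Assumed argument conventions: tls-verify receives
# "depth subject" (depth 1 = CA, 0 = client cert), learn-address receives
# "add|update addr cn" or "delete addr"; with via-env the username arrives in
# $username. The allow-list path is this example's own choice.

LOG=${LOG:-/tmp/example5-6.log}
ALLOWED=${ALLOWED:-/etc/openvpn/cookbook/allowed-cns}   # one common name per line

log() { printf '%s: %-18s %s\n' "$(date +%H:%M:%S)" "${script_type:-none}" "$*" >> "$LOG"; }

# tls-verify is called once per certificate in the chain, CA first. Only the
# leaf (depth 0) is matched against the allow-list; a non-zero exit denies it.
tls_verify() {
  local depth=$1 subject=$2 cn
  if [ "$depth" -ne 0 ]; then echo "chain depth $depth ok"; return 0; fi
  cn=${subject##*CN=}; cn=${cn%%,*}; cn=${cn%%/*}     # handles "C=.., CN=x" and "/C=../CN=x"
  if [ -r "$ALLOWED" ] && grep -qxF -- "$cn" "$ALLOWED"; then
    echo "leaf $cn allowed"; return 0
  fi
  echo "leaf $cn not in allow-list"; return 1
}

# learn-address: a non-zero exit on add/update tells OpenVPN not to route that address.
learn_address() {
  case $1 in
    add|update) echo "$1 $2 -> ${3:?missing common name}" ;;
    delete)     echo "delete $2" ;;
    *)          echo "unknown operation: $1"; return 1 ;;
  esac
}

dispatch() {
  local msg rc=0
  case $script_type in
    tls-verify)       msg=$(tls_verify "$@") || rc=$? ;;
    learn-address)    msg=$(learn_address "$@") || rc=$? ;;
    user-pass-verify) msg="auth request for user ${username:-?}" ;;  # accepts anyone, as in the recipe; never log $password
    *)                msg="argv = $*" ;;   # up, route-up, down, client-connect, client-disconnect
  esac
  log "$msg (user=$(id -un) rc=$rc)"
  return "$rc"
}

# Only dispatch when invoked by OpenVPN, which always exports script_type.
if [ -n "${script_type:-}" ]; then dispatch "$@"; fi
```

Pointing every hook line in example5-6-server.conf at this file makes it a drop-in replacement for example5-6-script.sh, with the difference that a client certificate whose common name is missing from the allow-list is rejected at the tls-verify step.
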
There's more...

When writing scripts, it is very important to keep the script execution time in mind. The design of OpenVPN 2 is very monolithic: everything (except plugins, which we will come to later in this chapter) runs in a single thread. This means that while a script is executing, the whole OpenVPN server is temporarily unavailable to all other clients: the routing of packets stops, other clients cannot connect or disconnect, and even the management interface will not respond. So, it is very important to ensure that all the server-side scripts execute very quickly.

This design flaw has been recognized, but it is not expected that there will be a major change until the arrival of OpenVPN 3.
