One of the major differences between OpenVPN 2.0 and later versions concerns the security of running scripts. With OpenVPN 2.0, all scripts were executed using a system() call, and the entire set of server environment variables was passed to each script. Starting with OpenVPN 2.1, the script-security configuration directive was introduced, and scripts are now executed by default using the execv() call, which is more secure because the command line is no longer passed through a shell and is therefore not subject to shell expansion. It is also advisable to log the output of your scripts for security reasons: with the script output logged, including timestamps, it becomes much easier to track down problems and possible security incidents. Starting with OpenVPN 2.3, it is no longer possible to add the system option to the script-security configuration directive.

In this recipe, we will focus on the different options for the script-security configuration directive and on methods to ease the logging of script output.
Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10, and the client was running Fedora 22 and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks.
1. Start the server:

       [root@server]# openvpn --config basic-udp-server.conf

2. Create the client configuration file:

       client
       proto udp
       remote openvpnserver.example.com
       port 1194
       dev tun
       nobind
       ca /etc/openvpn/cookbook/ca.crt
       cert /etc/openvpn/cookbook/client1.crt
       key /etc/openvpn/cookbook/client1.key
       tls-auth /etc/openvpn/cookbook/ta.key 1
       remote-cert-tls server
       up "/etc/openvpn/cookbook/example5-7-up.sh arg1 arg2"

   Save it as example5-7-client.conf. Notice the lack of the script-security directive.

3. Next, create the up script:

       #!/bin/bash
       exec >> /etc/openvpn/cookbook/example5-7.log 2>&1
       date +"%H:%M:%S: START $script_type script ==="
       echo "argv = [$0] [$1] [$2] [$3] [$4]"
       pstree $PPID
       date +"%H:%M:%S: END $script_type script ==="

   Save it as example5-7-up.sh and make sure that it is executable.

4. Start the client:

       [client]$ openvpn --config example5-7-client.conf

   The client fails to connect with the following warning as soon as the up script needs to be executed:

       ... /etc/openvpn/cookbook/example5-7-up.sh [arguments]
       ... WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
       ... WARNING: Failed running command (--up/--down): external program fork failed
       ... Exiting due to fatal error

5. When we add --script-security 2, the client can connect successfully:

       [client]$ openvpn --config example5-7-client.conf --script-security 2

   The /etc/openvpn/cookbook/example5-7.log log file now shows the following:

       05:25:33: START up script ===
       argv = [/etc/openvpn/cookbook/example5-7-up.sh] [arg1] [arg2] [tun0] [1500]
       openvpn---example5-7-up.s---pstree
       05:25:33: END up script ===

   The two arguments from the up directive come first; OpenVPN then appends its own arguments (here the tunnel device tun0 and the tunnel MTU 1500).

6. If we repeat this exercise using --script-security 3, we get similar output.
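The recipe's up script logs everything it is given, which is exactly what you want for troubleshooting but becomes a liability once script-security 3 is in use, because at that level OpenVPN also places credentials in the script's environment. The following script is an added example, not the book's own code: a hardened replacement for example5-7-up.sh that keeps the timestamped logging, renders the argument vector the same way, reports the OpenVPN environment variables of interest while redacting the credential variables, and only runs its body when OpenVPN actually invoked it. The OVPN_SCRIPT_LOG override is an assumption of this example; the variable names script_type, dev, dev_type, tun_mtu, link_mtu, ifconfig_local, ifconfig_remote, trusted_ip, common_name, username and password are the ones OpenVPN exports to scripts (the last two only at level 3).

```shell
#!/bin/sh
# Added example, not the book's script: a hardened replacement for example5-7-up.sh.
# Assumption (not from the page): OVPN_SCRIPT_LOG may override the log path; the
# default is the recipe's log file.
LOGFILE="${OVPN_SCRIPT_LOG:-/etc/openvpn/cookbook/example5-7.log}"

# log MSG...: one timestamped line, tagged with the script type OpenVPN set.
log() {
    printf '%s %s: %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "${script_type:-unknown}" "$*"
}

# is_secret_var NAME: true for the variables OpenVPN uses to carry credentials.
# They reach scripts only at script-security 3 and must never be logged verbatim.
is_secret_var() {
    case "$1" in
        password|username) return 0 ;;
        *) return 1 ;;
    esac
}

# format_argv ARGS...: render the argument vector like the recipe's script does,
# "argv = [$0] [$1] ...", for any number of arguments. OpenVPN appends dev,
# tun_mtu, link_mtu, local IP, remote IP and init|restart after the arguments
# given on the up line, so the count is not fixed.
format_argv() {
    out="argv ="
    for arg in "$@"; do
        out="$out [$arg]"
    done
    printf '%s\n' "$out"
}

# report_env: print the OpenVPN variables of interest, one per line, skipping
# unset ones and redacting credentials so a level-3 log never stores a password.
report_env() {
    for name in script_type dev dev_type tun_mtu link_mtu ifconfig_local \
                ifconfig_remote trusted_ip common_name username password; do
        eval "value=\${$name:-}"            # portable indirect expansion
        [ -n "$value" ] || continue          # not set for this script/level
        if is_secret_var "$name"; then
            value="<redacted, ${#value} chars>"
        fi
        printf '%s=%s\n' "$name" "$value"
    done
}

# up_main ARGS...: the body OpenVPN runs. All output goes to the log file, as in
# the recipe. Return 0 so the tunnel comes up; a non-zero exit from --up is fatal.
up_main() {
    exec >> "$LOGFILE" 2>&1
    log "START (pid $$, parent pid $PPID)"
    format_argv "$0" "$@"
    report_env
    log "END"
    return 0
}

# Run the body only when OpenVPN invoked us: it always sets script_type.
# Sourcing the file or running it by hand without that variable just defines
# the functions, which also makes them testable.
if [ -n "${script_type:-}" ]; then
    up_main "$@"
fi
```

Drop this in place of example5-7-up.sh (keeping the same up line and making it executable) and the log gains the device, MTU and peer information without ever containing a password, even when the client or server runs with --script-security 3.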
In order to execute scripts on either the client or the server, the directive script-security 2 (or 3) must be specified; otherwise, OpenVPN 2.1 or higher refuses to run them and, as shown above for the up script, exits with a fatal error. The following parameters can be specified for the script-security directive:

0: No external programs can be called. This means that OpenVPN cannot start up successfully, except on Microsoft Windows under certain circumstances.
1: Only built-in external programs (such as /sbin/ifconfig and /sbin/ip on Linux, and netsh.exe and route.exe on Windows) can be called. This is the default.
2: Built-ins and user-defined scripts can be called.
3: The same as 2, but passwords can also be passed to scripts via environment variables.

There are subtle differences between running scripts on Linux/NetBSD/Mac OS and on Windows. On Windows, the system call CreateProcess is used by default. This makes it impossible to pass extra parameters to some scripts, such as the up script, as the entire text enclosed in quotes after the up directive is taken to be the name of the executable or script.
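The difference between levels 2 and 3 only matters for directives that hand a password to a script. The server-side fragments below are an added example (not from the book): auth-user-pass-verify with via-file gives the script a temporary file holding the credentials and therefore needs only level 2, while via-env exports them as the environment variables username and password, which OpenVPN permits only at level 3. The script path /etc/openvpn/cookbook/auth-verify.sh is hypothetical.

```conf
# Pick one of the two variants; both assume the same verification script.

# Variant A: credentials arrive in a temporary file, so level 2 is sufficient
# and nothing sensitive is ever in the script's environment.
script-security 2
auth-user-pass-verify /etc/openvpn/cookbook/auth-verify.sh via-file

# Variant B: credentials are exported as 'username' and 'password'; this is
# only allowed at level 3, and any script that logs its environment (or
# anything a child of it can read via /proc) will leak them.
;script-security 3
;auth-user-pass-verify /etc/openvpn/cookbook/auth-verify.sh via-env
```

Variant B is commented out with the ';' OpenVPN accepts as a comment marker; prefer variant A unless the verification script cannot read a file.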