client-connect /etc/openvpn/onconnect.sh

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
irvinyip
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 24, 2017 3:18 am

client-connect /etc/openvpn/onconnect.sh

Postby irvinyip » Tue Jan 24, 2017 3:51 am

Tried to run the script with iptables command but failed with exit status: 3

script-security 2 has been set, permission of onconnect.sh has been set to 777.

onconnect.sh:
----------------------------------------------
#!/bin/bash

echo $ifconfig_pool_remote_ip>>/etc/openvpn/configfirewall.log
echo $X509_0_CN>>/etc/openvpn/configfirewall.log
echo "$ifconfig_pool_remote_ip Connected">>/etc/openvpn/configfirewall.log

iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT
----------------------------------------------

The first 3 lines are running properly and I can see the log, but if I include the last line, it comes with error on syslog:

WARNING: Failed running command (--learn-address): external program exited with error status: 3

I also created openvpn user, user openvpn in server.conf, put in visudo:
openvpn ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
openvpn ALL=(ALL:ALL) NOPASSWD: /etc/openvpn/onconnect.sh

Still get the error status: 3, which is not found on the internet...

If I run with server config: user root / group root, it could run but I don't want openvpn run as root mode...

Please help... definitely is about the right of openvpn to run iptables.

Thanks.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2240
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect /etc/openvpn/onconnect.sh

Postby TinCanTech » Tue Jan 24, 2017 1:12 pm

irvinyip wrote:

Code: Select all

iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT
Must be:

    Code: Select all

    /sbin/iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT
    Openvpn does not search $PATH

irvinyip
OpenVpn Newbie
Posts: 2
Joined: Tue Jan 24, 2017 3:18 am

Re: client-connect /etc/openvpn/onconnect.sh

Postby irvinyip » Wed Jan 25, 2017 7:13 am

I'm sorry that /sbin/iptables does not help. Same error.

If I change server.conf to:
user root
group root

The script can run iptables, even without full path...

I believe there must be something missing to make openvpn account able to run iptables

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2240
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect /etc/openvpn/onconnect.sh

Postby TinCanTech » Wed Jan 25, 2017 10:01 am

sudo in the script ..


Return to “Routing and Firewall Scripts”

Who is online

Users browsing this forum: No registered users and 1 guest