client-connect /etc/openvpn/onconnect.sh

Posted: Tue Jan 24, 2017 3:51 am
by irvinyip
Tried to run the script with an iptables command, but it failed with exit status 3.

script-security 2 has been set, permission of onconnect.sh has been set to 777.

onconnect.sh:
----------------------------------------------
#!/bin/bash

# OpenVPN exports these values as environment variables to the client-connect hook
echo $ifconfig_pool_remote_ip>>/etc/openvpn/configfirewall.log
echo $X509_0_CN>>/etc/openvpn/configfirewall.log
echo "$ifconfig_pool_remote_ip Connected">>/etc/openvpn/configfirewall.log

# Per-client forwarding rule; this is the line that fails with exit status 3
iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT
----------------------------------------------

The first 3 lines run properly and I can see the log, but if I include the last line, it produces an error in syslog:

WARNING: Failed running command (--learn-address): external program exited with error status: 3

I also created an openvpn user, set user openvpn in server.conf, and put this in visudo:
openvpn ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
openvpn ALL=(ALL:ALL) NOPASSWD: /etc/openvpn/onconnect.sh

Still get error status 3, which is not found on the internet...

If I run with user root / group root in the server config, it can run, but I don't want openvpn running as root...

Please help... it is definitely about the rights of the openvpn user to run iptables.

Thanks.

Re: client-connect /etc/openvpn/onconnect.sh

Posted: Tue Jan 24, 2017 1:12 pm
by TinCanTech
irvinyip wrote:

    iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT

Must be:

    /sbin/iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT

Openvpn does not search $PATH

Re: client-connect /etc/openvpn/onconnect.sh

Posted: Wed Jan 25, 2017 7:13 am
by irvinyip
I'm sorry that /sbin/iptables does not help. Same error.

If I change server.conf to:
user root
group root

The script can run iptables, even without full path...

I believe there must be something missing to make the openvpn account able to run iptables.

Re: client-connect /etc/openvpn/onconnect.sh

Posted: Wed Jan 25, 2017 10:01 am
by TinCanTech
sudo in the script ..
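Putting TinCanTech's answer together with the sudoers entry irvinyip already added, as an added example that is not part of the thread: a client-connect hook that runs as the unprivileged openvpn user and calls iptables through sudo by absolute path. The sudo path and the validation helpers are my assumptions; the log file, interface, and destination address are the thread's.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: a client-connect hook that
# runs as the unprivileged "openvpn" user and adds the per-client rule via sudo.
# It relies on the sudoers line from the thread:
#   openvpn ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
# (pinning the exact arguments in sudoers is tighter when the rule is fixed).
set -u

LOG=/etc/openvpn/configfirewall.log
SUDO=/usr/bin/sudo          # assumed path; OpenVPN does not search $PATH
IPTABLES=/sbin/iptables
DEST=10.184.1.28/32         # protected host, taken from the thread

# Accept only a plain dotted quad with every octet in 0..255.
is_ipv4() {
  case $1 in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# The CN is taken from the client certificate; allow a conservative charset only.
is_safe_cn() {
  case $1 in ""|*[!A-Za-z0-9._@-]*) return 1 ;; esac
  [ ${#1} -le 64 ]
}

# The rule as one string, for the log and for review.
rule_for() {
  printf '%s -I FORWARD 1 -i tun0 -s %s -d %s -j ACCEPT' "$IPTABLES" "$1" "$DEST"
}

main() {
  ip=${ifconfig_pool_remote_ip:-}
  cn=${X509_0_CN:-}
  if ! is_ipv4 "$ip" || ! is_safe_cn "$cn"; then
    printf '%s rejected ip=%s cn=%s\n' "$(date '+%F %T')" "$ip" "$cn" >>"$LOG"
    exit 1                  # non-zero exit makes OpenVPN refuse the client
  fi
  "$SUDO" "$IPTABLES" -I FORWARD 1 -i tun0 -s "$ip" -d "$DEST" -j ACCEPT; rc=$?
  printf '%s %s (%s) %s rc=%s\n' "$(date '+%F %T')" "$ip" "$cn" "$(rule_for "$ip")" "$rc" >>"$LOG"
  [ "$rc" -eq 0 ] || exit 1
}

# Only act when OpenVPN supplies the client address; loading the file for tests does nothing.
if [ -n "${ifconfig_pool_remote_ip:-}" ]; then main; fi
```

Keep the script owned by root and not world-writable (rather than mode 777), since whatever it runs reaches iptables as root through sudo.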