client-connect /etc/openvpn/onconnect.sh
Posted: Tue Jan 24, 2017 3:51 am
Tried to run the script with an iptables command, but it failed with exit status 3.
script-security 2 has been set, permission of onconnect.sh has been set to 777.
onconnect.sh:
----------------------------------------------
#!/bin/bash
# OpenVPN exports these to a client-connect script: the client's assigned
# tunnel address and the CN of the client certificate.
echo "$ifconfig_pool_remote_ip" >>/etc/openvpn/configfirewall.log
echo "$X509_0_CN" >>/etc/openvpn/configfirewall.log
echo "$ifconfig_pool_remote_ip Connected" >>/etc/openvpn/configfirewall.log
# This is the line that fails unless OpenVPN runs as root: iptables is
# invoked directly, not through sudo.
iptables -I FORWARD 1 -i tun0 -s 192.168.168.6 -d 10.184.1.28/32 -j ACCEPT
----------------------------------------------
The first 3 lines run properly and I can see the log, but if I include the last line, this error shows up in syslog:
WARNING: Failed running command (--learn-address): external program exited with error status: 3
I also created an openvpn user, set user openvpn in server.conf, and put this in visudo:
openvpn ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
openvpn ALL=(ALL:ALL) NOPASSWD: /etc/openvpn/onconnect.sh
Still get error status 3, which I can't find anywhere on the internet...
If I run with server config user root / group root, it works, but I don't want to run OpenVPN as root...
Please help... it is definitely about the rights of the openvpn user to run iptables.
Thanks.
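The following is an added example, not the poster's script or anything shipped by OpenVPN. It shows the hook the way I would write it for a server that drops to the unprivileged openvpn user: the post's own sudoers line allows the openvpn user to run /sbin/iptables through sudo, so the script has to call sudo explicitly, which the posted script does not. It goes a bit beyond the post: the rule uses the client's assigned pool address instead of the hard-coded 192.168.168.6, the address is validated before it is handed to sudo, and the same file serves as client-disconnect so the rule is deleted again. Assumptions not in the post: iptables lives at /sbin/iptables (matching the sudoers entry), server.conf also carries a client-disconnect line pointing at this script, the log path and the 10.184.1.28/32 destination are taken from the post, and the script_type variable is the one OpenVPN sets to client-connect or client-disconnect.

```shell
#!/bin/bash
# Added example (not the original poster's script): a client-connect /
# client-disconnect hook that adds and removes a per-client FORWARD rule
# through sudo. OpenVPN runs the hook as the unprivileged "openvpn" user,
# and the sudoers entry for /sbin/iptables only applies when iptables is
# invoked via sudo.
# Assumptions: /sbin/iptables matches the sudoers path, server.conf has
# both client-connect and client-disconnect pointing at this file, and
# every client may reach the single host 10.184.1.28/32 from the post.

LOG=/etc/openvpn/configfirewall.log
IPTABLES=/sbin/iptables
DEST=10.184.1.28/32

ts() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise. OpenVPN sets
# ifconfig_pool_remote_ip itself, but checking it keeps anything odd from
# reaching the argument list handed to sudo.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  local IFS=.
  set -- $1
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Print the iptables arguments for operation $1 (client-connect or
# client-disconnect) and client address $2: "-I FORWARD 1" on connect,
# "-D FORWARD" with the identical rule spec on disconnect, so rules do
# not pile up as clients come and go. The rule body is the one from the
# post, with the client's pool address in place of 192.168.168.6.
rule_args() {
  local op=$1 ip=$2 action
  case "$op" in
    client-connect)    action="-I FORWARD 1" ;;
    client-disconnect) action="-D FORWARD" ;;
    *) return 1 ;;
  esac
  echo "$action -i tun0 -s $ip/32 -d $DEST -j ACCEPT"
}

main() {
  ip=$ifconfig_pool_remote_ip
  cn=$X509_0_CN      # CN of the client certificate, as in the post
  op=$script_type    # OpenVPN sets this to the hook type being run

  if ! is_ipv4 "$ip"; then
    echo "$(ts) $op: refusing, bad ifconfig_pool_remote_ip '$ip' (CN '$cn')" >>"$LOG"
    exit 1   # non-zero from client-connect makes OpenVPN reject the client
  fi

  args=$(rule_args "$op" "$ip") || { echo "$(ts) unexpected script_type '$op'" >>"$LOG"; exit 1; }

  # $args is built only from validated pieces, so word-splitting it is safe.
  # -n: never prompt for a password; if sudoers does not permit the command,
  # fail immediately and visibly instead of hanging the OpenVPN daemon.
  sudo -n "$IPTABLES" $args >>"$LOG" 2>&1
  rc=$?
  echo "$(ts) $op $ip ($cn): $IPTABLES $args -> exit $rc" >>"$LOG"
  exit $rc
}

# Only act when invoked by OpenVPN, which exports ifconfig_pool_remote_ip;
# sourcing the file elsewhere just defines the functions and never touches
# iptables.
if [ -n "$ifconfig_pool_remote_ip" ]; then
  main
fi
```

Two things to change alongside this. First, the file mode: a script that is both world-writable (777) and listed in sudoers as NOPASSWD for the openvpn user lets any local account edit it and then run it as root; root:openvpn with mode 0750 is enough for OpenVPN to execute it, and the sudoers line for the script itself is not needed at all, since only the iptables call runs under sudo. Second, if the distribution's sudoers has Defaults requiretty, sudo -n from a daemon with no terminal will fail; add Defaults:openvpn !requiretty for that user.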