[Solved] client-connect/disconnect script and sudo iptables

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

aleksander
OpenVpn Newbie
Posts: 3
Joined: Mon Mar 13, 2017 6:54 am

[Solved] client-connect/disconnect script and sudo iptables

Post by aleksander » Mon Mar 13, 2017 8:58 am

Hi, all.
I want a script with firewall rules to run when a client connects/disconnects. If the server is not running as root, the rules are not applied and fail with a Permission denied error.

OS


Linux mk103-LNX-VM3 4.8.13-1-ARCH #1 SMP PREEMPT Fri Dec 9 07:24:34 CET 2016 x86_64 GNU/Linux
server.conf


port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ATestSrv.crt
key /etc/openvpn/ATestSrv.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user testuser
group testuser
persist-key
persist-tun
status openvpn-status.log
verb 3
script-security 2 system
client-connect "test.sh"
;client-disconnect "down.sh"
management localhost 7777
duplicate-cn
ls -il


-rwxr-xr-x 1 testuser testuser   167 Mar 13 11:30 test.sh
-rw------- 1 root     root      4403 Mar  9 10:05 alex1.crt
-rw------- 1 root     root      4428 Mar  9 09:52 ATestSrv.crt
-rw------- 1 root     root      1708 Mar  9 09:52 ATestSrv.key
-rw------- 1 root     root      1212 Mar  9 08:51 ca.crt
-rw------- 1 root     root       424 Mar  9 08:56 dh.pem
-rw-r--r-- 1 root     root     20038 Mar 13 09:05 error
-rw------- 1 root     root         0 Mar 13 11:37 ipp.txt
-rw------- 1 root     root       432 Mar 13 11:36 openvpn-status.log
-rw-r--r-- 1 root     root      1238 Mar 13 11:37 server.conf
-rw------- 1 root     root       636 Mar  9 09:58 ta.key
test.sh

#!/bin/bash
sudo iptables -I FORWARD -p tcp -s "$ifconfig_pool_remote_ip" -d 10.100.150.1 -j ACCEPT
echo "$? - status test iptables" >> /etc/openvpn/error
visudo (temporarily all access)

testuser ALL=(ALL) NOPASSWD: ALL
log on client connect


Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 TLS: Initial packet from [AF_INET]192.168.110.54:59593, sid=96b473d5 0642dcc4
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 VERIFY OK: depth=1, CN=EasyRSA-TEST AlexServ
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 VERIFY OK: depth=0, CN=alex1
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 [alex1] Peer Connection Initiated with [AF_INET]192.168.110.54:59593
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_3513f118b1bcf879490fb4bf2da43676.tmp
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI: Learn: 10.8.0.6 -> alex1/192.168.110.54:59593
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI: primary virtual IP for alex1/192.168.110.54:59593: 10.8.0.6
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 PUSH: Received control message: 'PUSH_REQUEST'
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 send_push_reply(): safe_cap=940
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 SENT CONTROL [alex1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Why can't OpenVPN run a command with sudo? I don't understand. Please help.
echo $? after the iptables command in test.sh returned code 1.
When test.sh is run manually as the user testuser, everything works!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect/disconnect script and sudo iptables

Post by TinCanTech » Mon Mar 13, 2017 1:10 pm

The OpenVPN process does not have a $PATH environment variable.
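The fix this reply points at, written out as an added example that is not from the original thread: a hook script that sets its own PATH and calls sudo and iptables by absolute path, checks the address OpenVPN hands it before that address reaches a privileged command, and serves both client-connect and client-disconnect from one file. The binary locations (/usr/bin/sudo, /usr/bin/iptables), the log path and the protected host 10.100.150.1 (taken from the rule in the original post) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: one hook for both
# --client-connect and --client-disconnect. OpenVPN starts hooks without a
# usable $PATH, so set it explicitly and call every binary by absolute path.
# Binary locations, the log path and the protected host are assumptions.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

SUDO=/usr/bin/sudo
IPTABLES=/usr/bin/iptables          # Arch puts it here; /sbin/iptables on many distros
PROTECTED=10.100.150.1              # destination from the rule in the original post
LOG=/var/log/openvpn/hooks.log      # must be writable by the --user account

# Accept only a dotted-quad IPv4 address. The value comes from OpenVPN's
# ifconfig_pool_remote_ip, but the hook refuses anything else so that no
# extra words can reach sudo or iptables.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables argument list for one client: $1 is -I (on connect)
# or -D (on disconnect), $2 is the client's tunnel address.
rule_args() {
    case "$1" in -I|-D) ;; *) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    printf '%s FORWARD -p tcp -s %s -d %s -j ACCEPT\n' "$1" "$2" "$PROTECTED"
}

# Run iptables through sudo and record the exit status. -n makes sudo fail
# instead of waiting for a password if the sudoers entry is missing; -w makes
# iptables wait for the xtables lock instead of failing when it is busy.
apply_rule() {
    args=$(rule_args "$1" "$2") || {
        printf '%s refused address "%s"\n' "$(date -u +%FT%TZ)" "$2" >> "$LOG"
        return 1
    }
    # shellcheck disable=SC2086  # splitting the validated argument list is intended
    "$SUDO" -n "$IPTABLES" -w $args
    rc=$?
    printf '%s %s %s rc=%s\n' "$(date -u +%FT%TZ)" "${script_type:-manual}" "$2" "$rc" >> "$LOG"
    return "$rc"
}

# OpenVPN sets script_type for every hook it runs. A non-zero exit from a
# client-connect hook makes the server reject the client, so a failed rule
# insertion fails closed rather than leaving the client connected without it.
case "${script_type:-}" in
    client-connect)    apply_rule -I "${ifconfig_pool_remote_ip:-}" ;;
    client-disconnect) apply_rule -D "${ifconfig_pool_remote_ip:-}" ;;
esac
```

Install it root-owned with mode 0755 so the account OpenVPN drops to cannot rewrite it (the test.sh in the post is owned by testuser, so anyone who compromises the VPN process can edit the script that sudo will run as root), and point both `client-connect` and `client-disconnect` at it. Replace the blanket `testuser ALL=(ALL) NOPASSWD: ALL` entry, which hands the unprivileged account full root and defeats `user testuser`, with one limited to the two invocations the hook makes, for example `testuser ALL=(root) NOPASSWD: /usr/bin/iptables -w -I FORWARD -p tcp -s * -d 10.100.150.1 -j ACCEPT, /usr/bin/iptables -w -D FORWARD -p tcp -s * -d 10.100.150.1 -j ACCEPT`. A sudoers wildcard also matches spaces, so that entry alone would still accept extra arguments; the dotted-quad check in the script is what keeps anything but a bare address away from sudo.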

aleksander
OpenVpn Newbie
Posts: 3
Joined: Mon Mar 13, 2017 6:54 am

Re: client-connect/disconnect script and sudo iptables

Post by aleksander » Tue Mar 14, 2017 11:27 am

I have a stupid head. I saw the same in the documentation "Openvpn process does not have $PATH environment variable". Thank you. Everything is working.
Another question: I have

keepalive 10 120

in my server.conf. When the client disconnects, the "client-disconnect" script is only executed after 120 * 2 = 240 seconds, that is, double the second value of keepalive. How do I configure the "client-disconnect" script to run immediately?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect/disconnect script and sudo iptables

Post by TinCanTech » Tue Mar 14, 2017 12:38 pm

See --explicit-exit-notify in The Manual v24x
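The option this reply points at, as an added example that is not from the original thread. It goes in the client configuration, not the server.conf shown above, and it only has an effect over UDP, which that server.conf uses:

```text
# client.conf (added example, not from the thread): send the server an
# exit notification when this client shuts down cleanly. UDP only; the
# option is ignored when the client connects over TCP.
explicit-exit-notify 1
```

The 240 s delay in the question follows from how the server expands its keepalive line: `keepalive 10 120` becomes `ping 10` and `ping-restart 240` on the server and pushes `ping 10` and `ping-restart 120` to clients (visible in the PUSH_REPLY in the log above). Without a notification the server only notices a missing client when its own 240 s timer expires, and that is when client-disconnect runs. With explicit-exit-notify, a clean shutdown on the client runs the hook immediately. A client that crashes or loses connectivity never sends the notification, so any rule added in client-connect still lingers for up to 240 s in that case; the disconnect hook cannot be relied on for prompt revocation.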

aleksander
OpenVpn Newbie
Posts: 3
Joined: Mon Mar 13, 2017 6:54 am

Re: client-connect/disconnect script and sudo iptables

Post by aleksander » Tue Mar 14, 2017 1:58 pm

Excellent support. Thank you

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-connect/disconnect script and sudo iptables

Post by TinCanTech » Tue Mar 14, 2017 5:10 pm

Thank you 8-)
