I want a script with firewall rules to be run when a client connects/disconnects. If the server is not running as root, the rules are not executed and fail with a Permission denied error.
OS
Linux mk103-LNX-VM3 4.8.13-1-ARCH #1 SMP PREEMPT Fri Dec 9 07:24:34 CET 2016 x86_64 GNU/Linux
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ATestSrv.crt
key /etc/openvpn/ATestSrv.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user testuser
group testuser
persist-key
persist-tun
status openvpn-status.log
verb 3
script-security 2 system
client-connect "test.sh"
;client-disconnect "down.sh"
management localhost 7777
duplicate-cn
-rwxr-xr-x 1 testuser testuser 167 Mar 13 11:30 test.sh
-rw------- 1 root root 4403 Mar 9 10:05 alex1.crt
-rw------- 1 root root 4428 Mar 9 09:52 ATestSrv.crt
-rw------- 1 root root 1708 Mar 9 09:52 ATestSrv.key
-rw------- 1 root root 1212 Mar 9 08:51 ca.crt
-rw------- 1 root root 424 Mar 9 08:56 dh.pem
-rw-r--r-- 1 root root 20038 Mar 13 09:05 error
-rw------- 1 root root 0 Mar 13 11:37 ipp.txt
-rw------- 1 root root 432 Mar 13 11:36 openvpn-status.log
-rw-r--r-- 1 root root 1238 Mar 13 11:37 server.conf
-rw------- 1 root root 636 Mar 9 09:58 ta.key
#!/bin/bash
# client-connect script: allow forwarding from the connecting client's pool address to 10.100.150.1
sudo iptables -I FORWARD -p tcp -s "$ifconfig_pool_remote_ip" -d 10.100.150.1 -j ACCEPT
echo "$? - status test iptables" >> /etc/openvpn/error
testuser ALL=(ALL) NOPASSWD: ALL
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 TLS: Initial packet from [AF_INET]192.168.110.54:59593, sid=96b473d5 0642dcc4
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 VERIFY OK: depth=1, CN=EasyRSA-TEST AlexServ
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 VERIFY OK: depth=0, CN=alex1
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: 192.168.110.54:59593 [alex1] Peer Connection Initiated with [AF_INET]192.168.110.54:59593
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_3513f118b1bcf879490fb4bf2da43676.tmp
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI: Learn: 10.8.0.6 -> alex1/192.168.110.54:59593
Mar 13 11:49:14 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 MULTI: primary virtual IP for alex1/192.168.110.54:59593: 10.8.0.6
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 PUSH: Received control message: 'PUSH_REQUEST'
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 send_push_reply(): safe_cap=940
Mar 13 11:49:16 mk103-LNX-VM3 openvpn@server[11486]: alex1/192.168.110.54:59593 SENT CONTROL [alex1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
echo $? after the iptables command in test.sh returned code 1.
When you run the script test.sh manually as user testuser, everything works!
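A hardened form of the connect/disconnect script above, as an added example that is not the poster's code: it validates the pool address before handing it to sudo, uses absolute paths, and is paired (in the header comment) with a sudoers entry narrowed from the NOPASSWD: ALL line to the two iptables invocations it needs. The /usr/bin/iptables path and the sudoers entry are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's test.sh): one script serving both
# client-connect and client-disconnect. Assumed sudoers entry, narrowed from
# "testuser ALL=(ALL) NOPASSWD: ALL" to the two iptables invocations used here
# (the /usr/bin/iptables path is an assumption; adjust to your distribution):
#   testuser ALL=(root) NOPASSWD: /usr/bin/iptables -I FORWARD -p tcp -s * -d 10.100.150.1 -j ACCEPT, \
#       /usr/bin/iptables -D FORWARD -p tcp -s * -d 10.100.150.1 -j ACCEPT
# The "*" still accepts any -s value, so the address is validated below first.
IPTABLES=/usr/bin/iptables   # absolute path; scripts started by OpenVPN may get a minimal PATH
LOG=/etc/openvpn/error       # the log file the poster's script already appends to
PROTECTED_HOST=10.100.150.1

# Accept only a dotted quad with four octets in 0-255; rejects empty strings,
# IPv6 literals and anything carrying shell metacharacters.
validate_ipv4() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables arguments for the event OpenVPN reports in $script_type:
# insert the rule on connect, delete the same rule on disconnect.
fw_rule_args() {
    case $1 in
        client-connect)    op=-I ;;
        client-disconnect) op=-D ;;
        *) return 2 ;;
    esac
    printf '%s' "$op FORWARD -p tcp -s $2 -d $PROTECTED_HOST -j ACCEPT"
}

# Only act when invoked by OpenVPN, which exports script_type and
# ifconfig_pool_remote_ip into the script's environment.
if [ -n "${script_type:-}" ]; then
    if ! validate_ipv4 "${ifconfig_pool_remote_ip:-}"; then
        echo "rejected client address '${ifconfig_pool_remote_ip:-}'" >> "$LOG"
        exit 1
    fi
    args=$(fw_rule_args "$script_type" "$ifconfig_pool_remote_ip") || exit 2
    sudo -n "$IPTABLES" $args     # -n: never prompt; fails loudly if the sudoers entry is missing
    echo "$? - $script_type iptables for $ifconfig_pool_remote_ip" >> "$LOG"
fi
```

Point both client-connect and client-disconnect in server.conf at this one file; the status line it appends to the log names the event and the address, so a failing sudo call is visible per client.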