route-up script doesn't do anything

How to customize and extend your OpenVPN installation.
Post Reply
EddieA
OpenVPN User
Posts: 20
Joined: Thu Jul 02, 2015 6:52 pm

route-up script doesn't do anything

Post by EddieA » Mon Jan 29, 2018 3:04 am

OK, so I'm trying to modify an existing client configuration, to add a route-up script. But I am not able to get this to work. Notice I said "work" and not "run". The line I added to my config is: route-up /etc/openvpn/routeup.sh

If either that file is not present, or if it isn't executable, then (quite rightly) openvpn fails to start. Then when the script is present and executable, openvpn starts correctly, it appears to do nothing. In trying to narrow this down, this is what my script currently has:

Code: Select all

#!/bin/bash
echo -e "This ran" > /tmp/doflip
I have equivalent echo commands in both an up script and a down script which both produce the required files so I am really at loss as to why openvpn appears to insist that this script is present and executable, but then doesn't appear to execute it.

Any ideas.

Cheers.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: route-up script doesn't do anything

Post by TinCanTech » Mon Jan 29, 2018 1:52 pm

What does your log say ?

EddieA
OpenVPN User
Posts: 20
Joined: Thu Jul 02, 2015 6:52 pm

Re: route-up script doesn't do anything

Post by EddieA » Mon Jan 29, 2018 6:09 pm

Nothing. Here's the full log at verb level 5:

Code: Select all

WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Current Parameter Settings:
  config = 'UK-VPN.conf'
  mode = 0
  persist_config = DISABLED
  persist_mode = 1
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = udp
  local = '[UNDEF]'
  local_port = '[UNDEF]'
  remote = 'uk-berkshire-2-ca-version-2.expressnetw.com'
  remote_port = '1195'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = DISABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 1300
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = ENABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  ifconfig_local = '[UNDEF]'
  ifconfig_remote_netmask = '[UNDEF]'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  ping_send_timeout = 0
  ping_rec_timeout = 0
  ping_rec_timeout_action = 0
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = ENABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = ENABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  selinux_context = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '/etc/openvpn/tunup.sh'
  down_script = '/etc/openvpn/tundown.sh'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = ENABLED
  suppress_timestamps = ENABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 5
  mute = 0
  gremlin = 0
  status_file = '/var/log/openvpn/status-UK-VPN.log'
  status_file_version = 1
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 524288
  sndbuf = 524288
  mark = 0
  sockflags = 0
  fast_io = ENABLED
  comp.alg = 2
  comp.flags = 1
  route_script = '/etc/openvpn/routeup.sh'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = ENABLED
  route_delay = 2
  route_delay_window = 30
  route_delay_defined = ENABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = '[UNDEF]'
  management_port = '[UNDEF]'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = 2
  ciphername = 'AES-256-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'SHA512'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 32
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = DISABLED
  tls_client = ENABLED
  key_method = 2
  ca_file = '[[INLINE]]'
  ca_path = '[UNDEF]'
  dh_file = '[UNDEF]'
  cert_file = '[[INLINE]]'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '[[INLINE]]'
  pkcs12_file = '[UNDEF]'
  cipher_list = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 3
  verify_x509_name = 'Server'
  crl_file = '[UNDEF]'
  ns_cert_type = 1
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = '[UNDEF]'
  ssl_flags = 0
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[[INLINE]]'
  tls_crypt_file = '[UNDEF]'
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = '[UNDEF]'
  pkcs11_id_management = DISABLED
  server_network = 0.0.0.0
  server_netmask = 0.0.0.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  ifconfig_pool_defined = DISABLED
  ifconfig_pool_start = 0.0.0.0
  ifconfig_pool_end = 0.0.0.0
  ifconfig_pool_netmask = 0.0.0.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = '/tmp'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 1024
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  port_share_host = '[UNDEF]'
  port_share_port = '[UNDEF]'
  client = DISABLED
  pull = ENABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
LZO compression initializing
Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1626 D:1450 EF:126 EB:407 ET:0 EL:3 ]
Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]217.147.89.17:1195
Socket Buffers: R=[212992->425984] S=[212992->425984]
UDP link local: (not bound)
UDP link remote: [AF_INET]217.147.89.17:1195
WRTLS: Initial packet from [AF_INET]217.147.89.17:1195, sid=1b9d4c6a 92a9fb71
WWRWRVERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
VERIFY OK: nsCertType=SERVER
VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1222-1a, emailAddress=support@expressvpn.com
VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1222-1a, emailAddress=support@expressvpn.com
WRWWRRWRWControl Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[Server-1222-1a] Peer Connection Initiated with [AF_INET]217.147.89.17:1195
SENT CONTROL [Server-1222-1a]: 'PUSH_REQUEST' (status=1)
WRRPUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.128.0.1,route 10.128.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.128.5.62 10.128.5.61'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:407 ET:0 EL:3 ]
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
ROUTE_GATEWAY 76.91.192.1/255.255.240.0 IFACE=eno1 HWADDR=00:25:90:a6:75:d0
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 250
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.128.5.62 peer 10.128.5.61
/etc/openvpn/tunup.sh tun0 1500 1606 10.128.5.62 10.128.5.61 init
WrWWARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed
rWevent_wait : Interrupted system call (code=4)
TCP/UDP: Closing socket
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.128.5.62 peer 10.128.5.61
/etc/openvpn/tundown.sh tun0 1500 1606 10.128.5.62 10.128.5.61 init
SIGTERM[hard,] received, process exiting
I just copied the config from my CentOS 7 system (OpenVPN 2.4.4) to a Slackware 14.2 (OpenVPN 2.3.17) and here it appeared do work:

Code: Select all

root@The-Tardis:~/ExpreessVPN# cat /tmp/doflip
# Tun-up
# Route-up
# Tun-down
root@The-Tardis:~/ExpreessVPN#
Cheers.

EddieA
OpenVPN User
Posts: 20
Joined: Thu Jul 02, 2015 6:52 pm

Re: route-up script doesn't do anything

Post by EddieA » Mon Jan 29, 2018 8:12 pm

OK, this is really strange. At the front of the scripts up, down, and route-up I put echo's to both /tmp and /etc/openvpn:

Code: Select all

echo -e "# tun-up" >> /etc/openvpn/doflip
echo -e "# tun-up" >> /tmp/doflip

echo -e "# route-up" >> /etc/openvpn/doflip
echo -e "# route-up" >> /tmp/doflip

echo -e "# tun-down" >> /etc/openvpn/doflip
echo -e "# tun-down" >> /tmp/doflip
Here's what happened after running:

Code: Select all

[root@Nethserver openvpn]# systemctl start openvpn-client@UK-VPN
[root@Nethserver openvpn]# systemctl stop openvpn-client@UK-VPN
[root@Nethserver openvpn]# ls -l /tmp/doflip
ls: cannot access /tmp/doflip: No such file or directory
[root@Nethserver openvpn]# ls -l /etc/openvpn/doflip
-rw-r--r-- 1 root root 31 Jan 29 12:05 /etc/openvpn/doflip
[root@Nethserver openvpn]# cat /etc/openvpn/doflip
# tun-up
# route-up
# tun-down
[root@Nethserver openvpn]#
Now why the F isn't anything being written to /tmp.

Cheers.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: route-up script doesn't do anything

Post by TinCanTech » Tue Jan 30, 2018 8:57 pm

systemd assigns a private tmp which cannot(tm) be accessed outside the process ..

EddieA
OpenVPN User
Posts: 20
Joined: Thu Jul 02, 2015 6:52 pm

Re: route-up script doesn't do anything

Post by EddieA » Tue Jan 30, 2018 9:22 pm

Grrrrrrrr.

Thank you.

Cheers.

Post Reply