script-security 1

How to customize and extend your OpenVPN installation.


zorxd
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 03, 2019 4:40 pm

script-security 1

Post by zorxd » Tue Dec 03, 2019 4:45 pm

Hello

I need to run the following command after my client connects:
/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn

So I added the following to the client config:
route-up '/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn'
script-security 2
Somehow, it doesn't work with script-security 1, even though the reference manual says that "built-in" executables such as ifconfig, ip and route can be called with script-security 1.

The error message is
WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Am I doing something wrong? What can script-security 1 be used for if it's not calling the ip executable? Is there another way to add a route to a secondary table in openvpn?

thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: script-security 1

Post by TinCanTech » Tue Dec 03, 2019 5:02 pm

zorxd wrote:
Tue Dec 03, 2019 4:45 pm
What can script-security 1 be used for if it's not calling the ip executable?
You are calling a script which requires --script-security 2

The script is called: --route-up "no matter what you put in the parameters"

zorxd
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 03, 2019 4:40 pm

Re: script-security 1

Post by zorxd » Wed Dec 04, 2019 2:19 pm

So is there a way to call the built-in executable "ip" as defined by the manual:
--script-security level
This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
0 -- Strictly no calling of external programs.
1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: script-security 1

Post by TinCanTech » Wed Dec 04, 2019 2:21 pm

You are misunderstanding the manual.

Level 1 means, openvpn binary can call built-in binaries but not external scripts.

You must use level 2 ..

zorxd
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 03, 2019 4:40 pm

Re: script-security 1

Post by zorxd » Wed Dec 04, 2019 2:23 pm

Yes, I (finally) understood that. But how do I configure what gets passed to the built-in binary "ip" when called?
Any way to alter a secondary routing table without using script-security 2?
thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: script-security 1

Post by TinCanTech » Wed Dec 04, 2019 2:25 pm

zorxd wrote:
Wed Dec 04, 2019 2:23 pm
how do I configure what gets passed to the built-in binary "ip" when called?
The config file, without using any scripts.
zorxd wrote:
Wed Dec 04, 2019 2:23 pm
Any way to alter a secondary routing table without using script-security 2?
Probably not.
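Putting the thread's conclusion into a working hook, as an added example that is not code from either poster: with script-security 2, route-up points at a script file, and OpenVPN hands the pushed gateway and the tunnel device to that script in the environment variables route_vpn_gateway and dev (it also sets script_type=route-up while the hook runs). The table name vpn, the path /etc/openvpn/route-up.sh and the VPN_TABLE override are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a --route-up hook that installs the
# VPN default route into a secondary routing table (assumed to be named
# "vpn" and present in /etc/iproute2/rt_tables, as in the original post).
#
# Client config lines this assumes:
#   script-security 2
#   route-up /etc/openvpn/route-up.sh
#
# OpenVPN exports the tunnel device as $dev and the pushed gateway as
# $route_vpn_gateway, and sets $script_type=route-up when calling this hook.

set -eu

TABLE="${VPN_TABLE:-vpn}"   # secondary table; assumption, override via env

# Accept only a plain dotted-quad IPv4 address. Both values below come from
# options the server pushed, so nothing unexpected may reach the ip(8)
# command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet; do
            [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Interface names: letters, digits, '-' and '_' only (tun0, tap_vpn, ...).
is_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build (but do not run) the route command from OpenVPN's environment.
# Prints the command on success, returns non-zero on bad input.
build_route_cmd() {
    gw="${route_vpn_gateway:-}"
    ifname="${dev:-}"
    is_ipv4 "$gw"       || { echo "route-up: bad gateway '$gw'" >&2; return 1; }
    is_ifname "$ifname" || { echo "route-up: bad device '$ifname'" >&2; return 1; }
    # 'replace' instead of 'add' keeps reconnects idempotent.
    printf '%s\n' "/sbin/ip route replace default via $gw dev $ifname table $TABLE"
}

# Only act when OpenVPN is really invoking us as the route-up hook; sourcing
# or running the file by hand just defines the functions above.
if [ "${script_type:-}" = "route-up" ]; then
    cmd=$(build_route_cmd)
    $cmd
fi
```

Because OpenVPN executes the hook with its own privileges, keep the file root-owned and not writable by other users, and check it with sh -n before enabling it; a syntax error surfaces only as a failed connection. The validation step is deliberate: the gateway and device are values the server pushed, so they are treated as untrusted input rather than pasted straight into the command.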
