client-connect does not run script

[dinosm]

Hi everyone, I am trying to get my OpenVPN server to email me every time a client connects.
This is Ubuntu 18.04.
I have tried several different permutations of online advice, but the script is not being executed.
I have tried client-connect, up and route-up, none of them make the script run.
I have tested the script on its own and it runs successfully, the email is sent fine.

I have removed this from the .service files:

Code: Select all

PrivateTmp=True

The script belongs to 'nobody' (same user as openvpn runs under) and 'nogroup'. Its permissions are 755.
With the client-connect set, it makes my VPN unusable (client can't connect).
I have also tried to include the --script security and --client-connect options in the exec command in the .service file, no luck.

UPDATE: I have added 'exit 0' to my script, and now the client connects to the VPN successfully. But the script still doesn't run (no email).

Also one of the many things I am not very clear on is - options set in server.conf need to be matched in my ovpn file, right? So these should go in both files:

Code: Select all

script-security 2
client-connect /etc/openvpn/server/connect-email-simple.sh

Any ideas will be most welcome!

My server.conf:

Code: Select all

local x.x.x.x
port xx
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
script-security 2
client-connect /etc/openvpn/server/connect-email-simple.sh
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
management localhost 6666
explicit-exit-notify 0
duplicate-cn

My connect-email-simple.sh script:

Code: Select all

#!/bin/bash

echo "VPN is connected" | mail -s "OpenVPN Connected!" my@email.address

[TinCanTech]

Any ideas will be most welcome!

Server log.

[dinosm]

Of course.

(Redacted) log right after daemon-reload:

Code: Select all

OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:6666
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET]x.x.x.x.:xx
UDPv4 link remote: [AF_UNSPEC]
GID set to nogroup
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed

Redacted log after successful connection attempt (script was not run):

Code: Select all

TLS: Initial packet from [AF_INET]x.x.x.x.:xxxxx, sid=ad4bdd3d 743db773
 VERIFY OK: depth=1, CN=ChangeMe
VERIFY OK: depth=0, CN=xxxxx
 peer info: IV_GUI_VER=OC30Android
peer info: IV_VER=3.git::728733ae:Release
 peer info: IV_PLAT=android
peer info: IV_NCP=2
 peer info: IV_TCPNL=1
 peer info: IV_PROTO=2
 peer info: IV_IPv6=0
 peer info: IV_AUTO_SESS=1
 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
 [xxxxx] Peer Connection Initiated with [AF_INET]x.x.x.x.:xxxxx
 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_34511ea3e1dffabb3bb3a127a0356e79.tmp
 MULTI: Learn: 10.8.0.2 -> xxxxx/x.x.x.x.:xxxxx
 MULTI: primary virtual IP for xxxxx/x.x.x.x.:xxxxx: 10.8.0.2
PUSH: Received control message: 'PUSH_REQUEST'
SENT CONTROL [aether]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
 Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
send-mail: account default not found: no configuration file available

[TinCanTech]

You see now right, or do i got to point out your mistake ?

[dinosm]

Yes. It's got to do with mailx/msmtp.
I've spent some more time looking into it.
OpenVPN is owned by root, but runs as nobody. msmtp is owned by me, so when I run it manually, it works, but when openvpn runs it, it doesn't. I assume this has to do with these permissions, but not sure how to fix it.
I tried changing the owner of msmtp and mailx to nobody, but it still doesn't work with the same error message.

[TinCanTech]

OpenVPN is owned by root, but runs as nobody

We know.

when I run it manually, it works

We guessed ..

Openvpn runs in a very restrictive environment and you are restricting it even further, so you need to make sure these restrictions do not conflict with the needs of your script.