OpenVPN Support Forum

Posted: **Sun Nov 12, 2017 7:51 pm**

Hey everyone,
This is my first post but I have to say that I have been lurking here for sometime. I have found a ton of useful information and my current setup is largely due to the great information in these forums. So thank you already!

NOTE: this post is a little long, I know, but I like to be as thorough as possible in helping to diagnosis the problem.
I am having a slight problem though after examining some system logs. I am running a raspberry pi 3 with the latest raspbian OS. Here is my config file for my .ovpn connection that is called through crontab:

Code: Select all

client
dev tun
proto udp
script-security 2
route-up /etc/openvpn/route-up.sh
down /etc/openvpn/down.sh
remote chi.central.usa.torguardvpnaccess.com 1912
remote ny.east.usa.torguardvpnaccess.com 1912
remote la.west.usa.torguardvpnaccess.com 1912
remote lon.uk.torguardvpnaccess.com 1912
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
auth SHA256
cipher AES-128-CBC
remote-cert-tls server
auth-user-pass user.txt
comp-lzo
verb 1
reneg-sec 0
fast-io
# Uncomment these directives if you have speed issues
;sndbuf 393216
;rcvbuf 393216
;push "sndbuf 393216"
;push "rcvbuf 393216"

Here is my route-up.sh script:

Code: Select all

#!/bin/bash
sleep 5
sudo ip rule add from 192.168.0.134 table 10
sudo ip route add default via 192.168.0.1 table 10
sudo iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A INPUT -d mydns.duckdns.org -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -d mydns.duckdns.org -j DROP
if ! pgrep -x "deluged" > /dev/null
then
        sudo -u pi deluged
        PID=$!
        sleep 3
        kill -2 $PID 2>/dev/null
fi

When I check the logs after a boot-up, I find this:

Code: Select all

Nov 12 18:41:02 raspberrypi openvpn[443]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Nov 12 18:41:02 raspberrypi openvpn[443]: Initialization Sequence Completed

If I check the iptables, it seems to confirm that the route-up.sh script didn't run properly:

Code: Select all

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

When I run the script manually from the CLI, it runs properly with no errors. I then check the iptables again, which seems to confirm that the script did execute properly:

Code: Select all

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             cpe-174-97-56-22.cinci.res.rr.com  tcp dpt:ssh
DROP       all  --  anywhere             cpe-174-97-56-22.cinci.res.rr.com 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Sorry again for all the information, but I like to be thorough and give anyone who is willing to help as much information to go on as possible. If I need to clarify anything, please let me know. Thank you so much for your time and help!

Posted: **Sun Nov 12, 2017 10:52 pm**

You must use absolute paths, eg: /usr/bin/sudo etc ..

Posted: **Mon Nov 13, 2017 12:12 am**

Thanks for the reply! I had initially thought that so that is why I have the full paths within the .ovpn file pointing to the scripts. Where else do I need them?

Posted: **Mon Nov 13, 2017 12:41 am**

nojohnny101 wrote: ↑
Mon Nov 13, 2017 12:12 am
I have the full paths within the .ovpn file pointing to the scripts, Where else do I need them?

In the script .....

Posted: **Mon Nov 13, 2017 12:56 am**

@TinCanTech, I appreciate your help, I really do. I am a bit of a novice as you probably have noticed. Would you mind being a bit more specific?

The iptable rules don't need absolute paths do they or I can't figure out where they would apply.

"deluged" is just a process and therefore I don't know if there requires a full path. Also does this explain why it works if run manually? Does running it manually execute it differently then when it is triggered by openvpn?

Thank you.

Posted: **Mon Nov 13, 2017 1:26 am**

The environment which openvpn process shells out to does not have $PATH ..
So all calls to external binaries require absolute paths.

nojohnny101 wrote: ↑
Mon Nov 13, 2017 12:56 am
The iptable rules don't need absolute paths

Yes they do ..

Posted: **Mon Nov 13, 2017 2:06 am**

Ok, thank you for that help.

I've been trying to read up on the location of where running route-up.sh writes the iptables to but have only come up with:
/sbin/ and there are a bunch of different files in there that look like this:

Code: Select all

iptables -> xtables-multi
iptables-restore -> xtables-multi
iptables-save -> xtables-multi

from what I understand, "iptables" and "iptables-restore" and "iptables-save" all point to the same file "xtables-multi"? however when I try to edit any of these (tried vi and nano) it is just gibberish and unreadable (like I don't have a font installed). Strange.

so when I run "sudo iptables -L" where is that parsing information from? @TinCanTech do you also have a raspberry pi with openvpn on it?

OpenVPN Support Forum

running route-up script fails with error status 2

running route-up script fails with error status 2

Re: running route-up script fails with error status 2

Re: running route-up script fails with error status 2

Re: running route-up script fails with error status 2

Re: running route-up script fails with error status 2

Re: running route-up script fails with error status 2

Re: running route-up script fails with error status 2