running route-up script fails with error status 2

Post by nojohnny101 » Sun Nov 12, 2017 7:51 pm

Hey everyone,
This is my first post but I have to say that I have been lurking here for some time. I have found a ton of useful information and my current setup is largely due to the great information in these forums. So thank you already!

NOTE: this post is a little long, I know, but I like to be as thorough as possible in helping to diagnose the problem.
I am having a slight problem though after examining some system logs. I am running a Raspberry Pi 3 with the latest Raspbian OS. Here is my config file for my .ovpn connection that is called through crontab:

client
dev tun
proto udp
script-security 2
route-up /etc/openvpn/route-up.sh
down /etc/openvpn/down.sh
remote chi.central.usa.torguardvpnaccess.com 1912
remote ny.east.usa.torguardvpnaccess.com 1912
remote la.west.usa.torguardvpnaccess.com 1912
remote lon.uk.torguardvpnaccess.com 1912
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
auth SHA256
cipher AES-128-CBC
remote-cert-tls server
auth-user-pass user.txt
comp-lzo
verb 1
reneg-sec 0
fast-io
# Uncomment these directives if you have speed issues
;sndbuf 393216
;rcvbuf 393216
;push "sndbuf 393216"
;push "rcvbuf 393216"

Here is my route-up.sh script:

#!/bin/bash
sleep 5
sudo ip rule add from 192.168.0.134 table 10
sudo ip route add default via 192.168.0.1 table 10
sudo iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A INPUT -d mydns.duckdns.org -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -d mydns.duckdns.org -j DROP
if ! pgrep -x "deluged" > /dev/null
then
        sudo -u pi deluged
        PID=$!
        sleep 3
        kill -2 $PID 2>/dev/null
fi

When I check the logs after a boot-up, I find this:

Nov 12 18:41:02 raspberrypi openvpn[443]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Nov 12 18:41:02 raspberrypi openvpn[443]: Initialization Sequence Completed

If I check the iptables, it seems to confirm that the route-up.sh script didn't run properly:

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

When I run the script manually from the CLI, it runs properly with no errors. I then check the iptables again, which seems to confirm that the script did execute properly:

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             cpe-174-97-56-22.cinci.res.rr.com  tcp dpt:ssh
DROP       all  --  anywhere             cpe-174-97-56-22.cinci.res.rr.com 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Sorry again for all the information, but I like to be thorough and give anyone who is willing to help as much information to go on as possible. If I need to clarify anything, please let me know. Thank you so much for your time and help!

Post by TinCanTech » Sun Nov 12, 2017 10:52 pm

You must use absolute paths, eg: /usr/bin/sudo etc ..

Post by nojohnny101 » Mon Nov 13, 2017 12:12 am

Thanks for the reply! I had initially thought that, so that is why I have the full paths within the .ovpn file pointing to the scripts. Where else do I need them?

Post by TinCanTech » Mon Nov 13, 2017 12:41 am

nojohnny101 wrote (Mon Nov 13, 2017 12:12 am):
"I have the full paths within the .ovpn file pointing to the scripts. Where else do I need them?"

In the script ..... :roll:

Post by nojohnny101 » Mon Nov 13, 2017 12:56 am

@TinCanTech, I appreciate your help, I really do. I am a bit of a novice as you probably have noticed. Would you mind being a bit more specific?

The iptables rules don't need absolute paths, do they? Or I can't figure out where they would apply.

"deluged" is just a process and therefore I don't know if it requires a full path. Also, does this explain why it works if run manually? Does running it manually execute it differently than when it is triggered by openvpn?

Thank you.
Last edited by nojohnny101 on Mon Nov 13, 2017 1:49 am, edited 1 time in total.

Post by TinCanTech » Mon Nov 13, 2017 1:26 am

The environment which the openvpn process shells out to does not have $PATH ..
So all calls to external binaries require absolute paths.

nojohnny101 wrote (Mon Nov 13, 2017 12:56 am):
"The iptable rules don't need absolute paths"

Yes they do ..
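
The point made in the reply above, as an added example that is not part of the original thread: run_hook_traced (a hypothetical helper) runs a hook script in an emptied environment and logs every command that fails together with its exit status. Setting PATH to /nonexistent is an assumption used to reproduce an environment in which bare command names do not resolve, and the two sample hooks are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): trace a hook script in a stripped
# environment and log each failing command with its exit status.
# run_hook_traced is a hypothetical helper; PATH=/nonexistent is an
# assumption that forces bare command names to fail to resolve.
# HOOK must be given as an absolute path.
run_hook_traced() {
    hook=$1
    log=$2
    bash_bin=$(command -v bash) || return 3
    env_bin=$(command -v env) || return 3
    # env -i drops the caller's variables; the ERR trap fires after every
    # command that exits non-zero and records it on stderr (the log).
    "$env_bin" -i PATH=/nonexistent "$bash_bin" -c '
        set -o errtrace
        trap "echo \"FAILED status=\$? cmd=\$BASH_COMMAND\" >&2" ERR
        . "$1"
    ' traced "$hook" >"$log" 2>&1
    # Returns the hook's exit status, i.e. that of its last command.
}

# Count the failures recorded in a log written by run_hook_traced.
count_failures() {
    grep -c '^FAILED' "$1" || true
}

# Constructed sample hooks: same command, bare name vs. absolute path.
demo_dir=$(mktemp -d)
ls_abs=$(command -v ls)
printf '%s\n' 'ls / >/dev/null' 'echo hook finished' >"$demo_dir/bare.sh"
printf '%s\n' "$ls_abs / >/dev/null" 'echo hook finished' >"$demo_dir/abs.sh"

for name in bare abs; do
    run_hook_traced "$demo_dir/$name.sh" "$demo_dir/$name.log"
    echo "$name.sh: exit=$? failures=$(count_failures "$demo_dir/$name.log")"
    cat "$demo_dir/$name.log"
done
```

The bare-name hook still exits 0 because a script's exit status is that of its last command, so a per-command log like this is what shows where a hook actually breaks.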

Post by nojohnny101 » Mon Nov 13, 2017 2:06 am

Ok, thank you for that help.

I've been trying to read up on the location of where running route-up.sh writes the iptables to but have only come up with:
/sbin/ and there are a bunch of different files in there that look like this:

iptables -> xtables-multi
iptables-restore -> xtables-multi
iptables-save -> xtables-multi

From what I understand, "iptables" and "iptables-restore" and "iptables-save" all point to the same file "xtables-multi"? However, when I try to edit any of these (tried vi and nano) it is just gibberish and unreadable (like I don't have a font installed). Strange.

So when I run "sudo iptables -L", where is that parsing information from? @TinCanTech do you also have a Raspberry Pi with openvpn on it?