determine local IP in script
Posted: Sun Aug 23, 2015 7:50 pm
by niels
I have a server listening on multiple IP addresses. Depending on which IP a client connects to I want to run specific commands in the client-connect script.
Unfortunately there doesn't seem to be an environment variable that tells the client-connect script which local IP the client connected to. Instead, I'm now resorting to running a separate OpenVPN process for each IP address. This has the significant disadvantage that it uses up a lot of resources unnecessarily. If you have 4 different OpenVPN configurations on 32 IP addresses you end up with 128 OpenVPN processes instead of just 4.
Does anyone here have any suggestions on how to do this more efficiently?
Re: determine local IP in script
Posted: Sun Aug 23, 2015 9:08 pm
by Traffic
niels wrote: environment variable that tells the client-connect script which local IP the client connected
See --setenv in The Manual v23x
Re: determine local IP in script
Posted: Mon Aug 24, 2015 8:30 am
by niels
Unfortunately the setenv option allows me to provide a value at configuration time only. I'm currently using it so I need only 1 connect script instead of many, but I still need 128 config files and OpenVPN processes, which is what I really want to get rid of.
Re: determine local IP in script
Posted: Mon Aug 24, 2015 9:59 am
by Traffic
Any variables defined by --setenv are available at all times to the OpenVPN process (*except for --learn-address delete) so you can define a server name and your script will know which server the client has connected to ..
As for managing your network .. you could probably get down to the four instances you want (I presume they are on different proto/port) with iptables doing the load balancing.
Re: determine local IP in script
Posted: Mon Aug 24, 2015 4:04 pm
by niels
I realise that. I think I didn't explain my objective properly:
What I do now is, as you suggest, use setenv:
local X.X.X.X
setenv ip_local X.X.X.X
This allows the client-connect script to figure out which OpenVPN process (or which public IP) the client connected to by looking at $local_ip. However this solution means I have to run multiple OpenVPN processes, one for each public IP address. Double that if I want to run both UDP and TCP versions.
With other VPN methods (e.g. pptpd, strongswan, etc.) the client-connect script is passed a local_ip variable (or something similar) generated by the VPN software itself, based on the actual connection made by the client. This allows you to use just 1 single process that binds on all public IP addresses and still differentiate in the client-connect script depending on which public IP the client connected to.
Re: determine local IP in script
Posted: Mon Aug 24, 2015 5:53 pm
by Traffic
niels wrote: use just 1 single process that binds on all public IP addresses
If you do not define --local x.x.x.x in your server config OpenVPN will bind to all local addresses .. But I do not know how that will affect your VPN. Also, it will probably mean that the --client-connect script will not be aware of the server IP address in use.
Proto is TCP or UDP though, so no matter what, you will require at least two instances.
Re: determine local IP in script
Posted: Mon Aug 24, 2015 7:54 pm
by niels
Traffic wrote: Also, it will probably mean that the --client-connect script will not be aware of the server IP address in use.
Right! This is exactly what I was trying to work around. My initial method was to run a separate process for every IP, but that's costly.
I've found a fairly easy solution now: I search for $trusted_ip and $trusted_port in /proc/net/ip_conntrack. That tells me exactly which server IP the client is connected to.
Thank you for suggestions.
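The conntrack lookup described in the last post, as an added example that is not part of the thread: a shell function a client-connect script could call with $trusted_ip and $trusted_port. The function names and the sample table are constructed for illustration, and the code assumes the text layout of /proc/net/ip_conntrack (or /proc/net/nf_conntrack). It compares whole fields, because a plain substring search for one client address also matches longer addresses that start with the same digits.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# lookup_local_ip TABLE CLIENT_IP CLIENT_PORT [PROTO]
# Prints the server address the client connected to; exit status 1 if no entry.
# In a client-connect script this could be called as:
#   lookup_local_ip /proc/net/ip_conntrack "$trusted_ip" "$trusted_port" udp
lookup_local_ip() {
    awk -v ip="$2" -v port="$3" -v proto="${4:-}" '
    {
        src = dst = sport = ""
        # The first src=/dst=/sport= on a line is the original direction
        # (client -> server); the second set is the reply tuple.
        for (i = 1; i <= NF; i++) {
            if (src == "" && index($i, "src=") == 1) src = substr($i, 5)
            else if (dst == "" && index($i, "dst=") == 1) dst = substr($i, 5)
            else if (sport == "" && index($i, "sport=") == 1) sport = substr($i, 7)
        }
        # Protocol name is field 1 in ip_conntrack and field 3 in nf_conntrack.
        if (proto != "" && $1 != proto && $3 != proto) next
        # Exact comparison, so 198.51.100.7 does not match 198.51.100.77.
        if (src == ip && sport == port) { print dst; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed conntrack entries using documentation address ranges.
sample_table() {
    cat <<'EOF'
udp      17 175 src=198.51.100.77 dst=203.0.113.11 sport=51234 dport=1194 src=203.0.113.11 dst=198.51.100.77 sport=1194 dport=51234 [ASSURED] mark=0 use=2
udp      17 170 src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=1194 src=203.0.113.10 dst=198.51.100.7 sport=1194 dport=51234 [ASSURED] mark=0 use=2
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.12 sport=51234 dport=443 src=203.0.113.12 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
EOF
}
```

A non-zero exit status means no matching entry was found, so a calling script should handle that case instead of continuing with an empty address.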