
script-security 1

Posted: Tue Dec 03, 2019 4:45 pm
by zorxd
Hello

I need to run the following command after my client connects:
/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn

So I added the following to the client config:
route-up '/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn'
script-security 2
Somehow, it doesn't work with script-security 1, even though the reference manual says that "built-in" executables such as ifconfig, ip and route can be called with script-security 1.

The error message is
WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Am I doing something wrong? What can script-security 1 be used for if it's not calling the ip executable? Is there another way to add a route to a secondary table in openvpn?

thanks

Re: script-security 1

Posted: Tue Dec 03, 2019 5:02 pm
by TinCanTech
zorxd wrote:
Tue Dec 03, 2019 4:45 pm
What can script-security 1 be used for if it's not calling the ip executable?
You are calling a script which requires --script-security 2

The script is called: --route-up "no matter what you put in the parameters"

Re: script-security 1

Posted: Wed Dec 04, 2019 2:19 pm
by zorxd
So is there a way to call the built-in executable "ip" as defined by the manual :
--script-security level
This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
0 — Strictly no calling of external programs.
1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.

Re: script-security 1

Posted: Wed Dec 04, 2019 2:21 pm
by TinCanTech
You are misunderstanding the manual.

Level 1 means, openvpn binary can call built-in binaries but not external scripts.

You must use level 2 ..

Re: script-security 1

Posted: Wed Dec 04, 2019 2:23 pm
by zorxd
yes I (finally) understood that. But how do I configure what gets passed to the built-in binary "ip" when called?
Any way to alter a secondary routing table without using script-security 2?
thanks

Re: script-security 1

Posted: Wed Dec 04, 2019 2:25 pm
by TinCanTech
zorxd wrote:
Wed Dec 04, 2019 2:23 pm
how do I configure what gets passed to the built-in binary "ip" when called?
The config file, without using any scripts.
zorxd wrote:
Wed Dec 04, 2019 2:23 pm
Any way to alter a secondary routing table without using script-security 2?
Probably not.
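Added example, not part of the thread above: the route-up hook that zorxd's setup needs once script-security 2 is in the client config, written as a script file rather than an inline command so it can read the dev and route_vpn_gateway variables OpenVPN exports to its hooks instead of hard-coding tun0 and 10.8.0.1, and so it can validate those values before handing them to ip(8). The config lines it assumes, the table name vpn in /etc/iproute2/rt_tables, and the ROUTE_TABLE, IP_BIN and DRY_RUN variables are assumptions made for this example, not OpenVPN features.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --route-up script that
# installs the tunnel's default route into a secondary routing table.
#
# Assumed client config (script-security 2 is what makes this hook allowed):
#   script-security 2
#   route-up /etc/openvpn/route-up-vpn-table.sh
# Assumed: the table name "vpn" is defined in /etc/iproute2/rt_tables
# (a line such as "100 vpn"); a numeric table id needs no such entry.
#
# OpenVPN exports these before running the hook (openvpn(8),
# "Environmental Variables"):
#   dev                name of the tun/tap device opened, e.g. tun0
#   route_vpn_gateway  gateway used for --route, e.g. 10.8.0.1
#   script_type        "route-up" for this hook
#
# ROUTE_TABLE, IP_BIN and DRY_RUN are knobs invented for this example.
ROUTE_TABLE="${ROUTE_TABLE:-vpn}"
IP_BIN="${IP_BIN:-/sbin/ip}"

# Dotted-quad IPv4 check: digits and dots only, four octets, each 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Interface names: the kernel limits them to 15 bytes; refuse whitespace and
# shell metacharacters so the value cannot add words to the ip(8) call.
is_ifname() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Routing table: a name from rt_tables or a numeric id, nothing else.
is_table() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Print the exact ip(8) command line for the given device, gateway and table,
# or fail (non-zero) when any token does not validate.
build_route_cmd() {
    is_ifname "$1" || { echo "route-up: bad device name: $1" >&2; return 1; }
    is_ipv4 "$2"   || { echo "route-up: bad gateway: $2" >&2; return 1; }
    is_table "$3"  || { echo "route-up: bad table: $3" >&2; return 1; }
    printf '%s\n' "$IP_BIN route add default via $2 dev $1 table $3"
}

# Hook body: take dev/route_vpn_gateway from OpenVPN, run (or show) the command.
route_up() {
    cmd=$(build_route_cmd "${dev:?dev not set by OpenVPN}" \
                          "${route_vpn_gateway:?route_vpn_gateway not set}" \
                          "$ROUTE_TABLE") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would run: %s\n' "$cmd"
    else
        # Word-splitting is safe here: every token was validated above and
        # none can contain whitespace or shell metacharacters.
        $cmd
    fi
}

# Only act when OpenVPN invokes us as the route-up hook; sourcing this file
# (or running it by hand without script_type) just defines the functions.
if [ "${script_type:-}" = "route-up" ]; then
    route_up
fi
```

Two practitioner caveats. First, script-security 2 lets every route-up, up or down line in that config run a program as root, so only raise it for config files you control, and read a .ovpn obtained from a provider before using it. Second, a route in table vpn is only consulted once an ip rule selects that table (for example `ip rule add from <tunnel address> table vpn`); the thread only asks about the route, so the rule is left out here.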