Server makes no attempt to run connect script

Posted: Wed Aug 24, 2011 11:17 am
by realflash
I'm running
OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul 1 2011
installed from a deb provided on openvpn.net.

Upon client connect, I see "WARNING: Failed running command (--client-connect): could not execute external program". The relevant lines from the config are:

Code:

script-security 3
client-connect "/usr/local/bin/ovpn_connect.sh"
client-disconnect "/usr/local/bin/ddns.sh delete"

If I remove the client-connect line, the client connects successfully. OpenVPN is running as root:

Code:

root     21460     1  0 12:04 ?        00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.vpn.flash.org.uk-server.pid ...

The script exists, and anyone can run it. All it does is return 0:

Code:

root@arthur:~# ls -l /usr/local/bin | grep ovpn
-rwxr-xr-x 1 root   root       192 2011-08-24 12:12 ovpn_connect.sh
root@arthur:~# cat /usr/local/bin/ovpn_connect.sh 
exit 0

Permissions on /usr/local/bin allow anyone to read and execute, and anyway, OpenVPN is running as root. Here's where it gets weird: if I run OpenVPN under strace, there is no mention of the script. It looks like there is no attempt to run the script. Yet clearly it decided it couldn't run it, implying it did try. Can anyone make a suggestion?

Thanks.

Re: Server makes no attempt to run connect script

Posted: Wed Aug 24, 2011 3:26 pm
by janjust
For debugging, try using

Code:

script-security 3 system

If that works then openvpn has a problem execv'ing the script, but the older system() call works.

Note that the client-disconnect script will not work as posted, as you've put quotes around the entire command - most likely the server will treat it as a single command.

Re: Server makes no attempt to run connect script

Posted: Sat Aug 27, 2011 2:09 pm
by realflash
Thanks very much for that suggestion. That has indeed fixed the problem (and with system the disconnect command works too - I can understand that that wouldn't work with exec). What might cause the exec to fail?

Re: Server makes no attempt to run connect script

Posted: Mon Aug 29, 2011 10:10 am
by janjust
It depends a lot on the first line (#!) of the script - the full path to the correct scripting tool needs to be specified, otherwise the 'exec' method will fail. For a regular shell/bash script you'd need to add

Code:

#!/bin/bash

as the first line of the script.

The system() call is a little less strict when it comes to this.

Re: Server makes no attempt to run connect script

Posted: Wed Aug 31, 2011 9:26 am
by realflash
OK. The reason (historically) I hadn't done that (which I normally do routinely) is that the variables OVPN fills on connect (like $common_name) are not available if you use a shebang line (starts a new shell). But perhaps there's a way around that that I don't know about.

Re: Server makes no attempt to run connect script

Posted: Wed Aug 31, 2011 9:33 am
by janjust
The env vars are not there in a shebang script? I've never seen that before, and I've used plenty of client-connect and other types of scripts... Check the .bashrc and .bash_profile files for the user which is used to launch the 'client-connect' script.

[Edit]
Just verified this: all env vars are present inside the 'client-connect' script when running openvpn 2.2.1 as user 'root', including stuff like $common_name
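
The exec-versus-system difference and the environment question discussed in this thread, as an added example that is not part of the original posts or OpenVPN's own code: a script with no `#!` line makes `execve()` fail with ENOEXEC, `system()` still runs it through `/bin/sh`, and a script with a shebang receives the variables passed to `execve()`. The temp path, the script body and the use of `#!/bin/sh` instead of `#!/bin/bash` are assumptions, as is an executable `/tmp`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed script body: exits 0 only if $common_name reached it. */
static const char *BODY = "[ \"$common_name\" = client1 ] && exit 0\nexit 3\n";
/* Write first_line + BODY to a fresh executable temp file (hypothetical path). */
static int make_script(char *path, const char *first_line) {
    strcpy(path, "/tmp/ovpn_demo_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ok = write(fd, first_line, strlen(first_line)) >= 0 &&
             write(fd, BODY, strlen(BODY)) >= 0 && fchmod(fd, 0755) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* The 'exec' way: fork + execve() with an explicit environment. */
static int run_execve(const char *first_line) {
    char path[64], *argv[] = { path, NULL };
    char *envp[] = { "common_name=client1", NULL };
    int status = -1;
    if (make_script(path, first_line) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, envp); /* only returns on failure */
        _exit(errno == ENOEXEC ? 126 : 127); /* 126 = our ENOEXEC marker */
    }
    if (pid > 0) waitpid(pid, &status, 0);
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The 'system' way: /bin/sh -c, where the shell interprets the file itself. */
static int run_system(const char *first_line) {
    char path[64];
    if (make_script(path, first_line) != 0) return -1;
    setenv("common_name", "client1", 1); /* system() inherits our environment */
    int status = system(path);
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) {
    printf("%d %d %d\n", run_execve(""), run_execve("#!/bin/sh\n"), run_system(""));
    return 0;
}
```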