Server UP/DOWN script based on CCD

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Server UP/DOWN script based on CCD

Post by kadu » Wed May 25, 2011 11:19 am

I'm trying to configure UP/DOWN scripts on the server based on the user's CCD.

I already have CCD working and giving the correct IPs and routes based on each user, but I can't find an option to add an UP/DOWN script on the server inside the user CCD config.

Is this possible?

Regards
Kadu

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Server UP/DOWN script based on CCD

Post by dazo » Wed May 25, 2011 11:34 am

--up and --down are normally used on the client side, unless you want to run scripts on the server side when the OpenVPN process initiates the TUN/TAP device.

From what it sounds like you are trying to do, you should look at --tls-verify, --client-connect and/or --learn-address. Please read carefully through the man page [1] section called "SCRIPTING AND ENVIRONMENTAL VARIABLES". This section describes the details related to OpenVPN's script hooks.


[1] http://openvpn.net/index.php/open-sourc ... pn-22.html

kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Re: Server UP/DOWN script based on CCD

Post by kadu » Wed May 25, 2011 12:21 pm

Thanks for the reply Dazo,

To clarify, I have a script to bring up a sit interface which tunnels IPv6 over the openvpn TUN link.

At the moment this brings a separate interface for each client that connects, but I only need this on one of the clients.

Yes, I do have a client side script to do the same on the client side, that part is sorted because only this one client has the client side UP/DOWN scripts.

I'll look into the man page sections you mentioned.

Regards

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Server UP/DOWN script based on CCD

Post by dazo » Wed May 25, 2011 12:45 pm

Two things come to mind with this info. First, you might find it valuable to also look at the --setenv-safe option. This is pushable (also via ccd) and is used to transfer dynamic data to scripts running on the client side. It's also described in the man page.

The second thing is, as you seem to do quite some IPv6 hackery, please consider testing out the latest master branch in our git tree, or a development snapshot. That implements complete IPv6 support, both for transport (openvpn-openvpn communication) and payload (IPv6 inside the tunnel).

More info:
https://community.openvpn.net/openvpn/w ... umentation
http://www.greenie.net/ipv6/openvpn.html

kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Re: Server UP/DOWN script based on CCD

Post by kadu » Wed May 25, 2011 1:15 pm

I have considered using the test release and having native IPv6 on the tunnel. The only problem is that one of my clients is a router using custom firmware (DD-WRT); I believe it will take some time to see the implementation of IPv6 on the openvpn there.

Whilst I don't yet require the IPv6 support over openvpn on this client (as it has its own v6 tunnel to he.net) I might want to add it in the future.

I'll have a play with this when I get a chance.

In the meantime I've found a workaround to my problem by adding a line to the script to check the desired client is connecting and if not exiting (i.e. not bringing up the sit interface):

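```sh
# Last octet of the IP that CCD assigned to the connecting client
V6NET=$(echo "${ifconfig_pool_remote_ip}" | awk -F. '{print $NF}')
# Any client whose last octet is not 4 exits before the sit interface is set up
[ "$V6NET" != 4 ] && exit 0
```

As I'm using CCD to control the IP the client gets, I know this will only be true if the desired client is connecting.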

Many thanks,
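
Added example (not part of the original thread, and not the poster's or the OpenVPN project's code): the same per-client gate written for a server-side --client-connect hook, validating the environment values before they are used and matching on the certificate common name as well as the CCD-assigned address. The name `ipv6-client` and the assumption that the script is called from --client-connect are hypothetical; `common_name`, `ifconfig_pool_remote_ip` and `script_type` are the variables OpenVPN exports to its hook scripts.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the script is run by the server
# through --client-connect, so OpenVPN exports common_name and
# ifconfig_pool_remote_ip in the environment.

WANTED_CN="ipv6-client"   # hypothetical common name (also the CCD file name)
WANTED_OCTET=4            # last octet the thread's CCD entry assigns

# Print the last octet of a strict dotted-quad IPv4 address; fail otherwise.
last_octet() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty fields
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                 # safe: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' "$4"
}

# Succeed only for the one client that should get the sit interface.
should_setup_sit() {
    octet=$(last_octet "$2") || return 1
    [ "$1" = "$WANTED_CN" ] && [ "$octet" -eq "$WANTED_OCTET" ]
}

# Only act when OpenVPN invoked us as the client-connect hook.
if [ "${script_type:-}" = "client-connect" ]; then
    should_setup_sit "${common_name:-}" "${ifconfig_pool_remote_ip:-}" || exit 0
    : # sit interface setup from the poster's own script would go here
fi
```

A missing or malformed address makes the gate fail closed, so the script exits without touching any interface.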
