I'm trying to configure UP/DOWN scripts on the server based on the user's CCD.
I already have CCD working and giving the correct IPs and routes based on each user, but I can't find an option to add an UP/DOWN script on the server inside the user CCD config.
Is this possible?
Regards
Kadu
Server UP/DOWN script based on CCD
Moderators: TinCanTech
- kadu
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 25, 2011 10:54 am
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: Server UP/DOWN script based on CCD
--up and --down are normally used on the client side, unless you want to run scripts on the server side when the OpenVPN process initiates the TUN/TAP device.
From what it sounds like you are trying to do, you should look at --tls-verify, --client-connect and/or --learn-address. Please read carefully through the man page [1] section called "SCRIPTING AND ENVIRONMENTAL VARIABLES". This section describes the details related to OpenVPN's script hooks.
[1] http://openvpn.net/index.php/open-sourc ... pn-22.html
- kadu
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 25, 2011 10:54 am
Re: Server UP/DOWN script based on CCD
Thanks for the reply Dazo,
To clarify, I have a script to bring up a sit interface which tunnels IPv6 over the openvpn TUN link.
At the moment this brings a separate interface for each client that connects, but I only need this on one of the clients.
Yes, I do have a client side script to do the same on the client side, that part is sorted because only this one client has the client side UP/DOWN scripts.
I'll look into the man page sections you mentioned.
Regards
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: Server UP/DOWN script based on CCD
Two things come to mind with this info. First, you might find it valuable to also look at the --setenv-safe option. This is pushable (also via ccd) and is used to transfer dynamic data to scripts running on the client side. It's also described in the man page.
The second thing is, as you seem to do quite some IPv6 hackery, please consider testing out the latest master branch in our git tree, or development snapshot. That implements complete IPv6 support, both for transport (openvpn-openvpn communication) and payload (IPv6 inside the tunnel).
More info:
https://community.openvpn.net/openvpn/w ... umentation
http://www.greenie.net/ipv6/openvpn.html
- kadu
- OpenVpn Newbie
- Posts: 6
- Joined: Wed May 25, 2011 10:54 am
Re: Server UP/DOWN script based on CCD
I have considered using the test release and having native IPv6 on the tunnel. Only problem is one of my clients is a router using custom firmware (DD-WRT), I believe it will take some time to see the implementation of IPv6 on the openvpn there.
Whilst I don't yet require the IPv6 support over openvpn on this client (as it has its own v6 tunnel to he.net) I might want to add it in the future.
I'll have a play with this when I get a chance.
In the meantime I've found a workaround to my problem by adding a line to the script to check the desired client is connecting and if not exiting (i.e. not bringing up the sit interface).
As I'm using CCD to control the IP the client gets I know this will only be true if the desired client is connecting.
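Code:
# Last octet of the address OpenVPN assigned to the connecting client
V6NET=$(echo "${ifconfig_pool_remote_ip}" | awk -F. '{print $NF}')
# Quoted so an empty value also exits instead of falling through
[ "$V6NET" != "4" ] && exit 0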
Many thanks,
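The gate described in this thread, written as a server-side hook; this is an added example and not code from either poster. It assumes the script is attached with --client-connect, goes beyond the last-octet check by matching the full assigned address and the Common Name that OpenVPN exports as common_name, and the three values at the top are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. The three values below are assumptions.
SIT_CLIENT_CN="router-client"           # hypothetical certificate Common Name
SIT_CLIENT_IP="10.8.0.4"                # hypothetical ccd ifconfig-push address
SIT_UP_SCRIPT="/etc/openvpn/sit-up.sh"  # hypothetical path to the sit script

# Return 0 only for a dotted-quad IPv4 address with four octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 only when both the Common Name and the assigned address match.
wants_sit() {
    cn=$1; ip=$2
    is_ipv4 "$ip" || return 1
    [ "$cn" = "$SIT_CLIENT_CN" ] && [ "$ip" = "$SIT_CLIENT_IP" ]
}

# OpenVPN sets script_type when it runs a hook; outside OpenVPN nothing runs.
case "${script_type:-}" in
    client-connect)
        if wants_sit "${common_name:-}" "${ifconfig_pool_remote_ip:-}"; then
            # Log a failure but still exit 0: a non-zero status from
            # client-connect makes the server reject the client.
            "$SIT_UP_SCRIPT" || echo "sit setup failed for $common_name" >&2
        fi
        ;;
esac
```

Every other client falls through the case statement with status 0, so their connections are accepted and no sit interface is created for them.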