
#1 2011-10-22 09:06:43

agkbill

[SOLVED] Openvpn, running up/down scripts in a pppd-like manner.

Hi,

I have changed VPN supplier to a new one that uses OpenVPN; previously I used PPTP.

With PPTP I could use the function that pppd, when coming up, runs the script "ip-up" and, when coming down, runs the script "ip-down".

In that way I could use those two scripts to start/stop applications, write logs, etc.


I found that in openvpn you should be able to start scripts by adding:

script-security 2
up /usr/share/openvpn/scrip-to-start
down /usr/share/openvpn/script-to-stop

But every time I add those lines to my .conf file, openvpn refuses to start. If I take them away, no problem.

My .conf file.

float
client
dev tap
proto udp
nobind

; CERT
ca /etc/openvpn/keys/ca.crt
ns-cert-type server
cipher BF-CBC

;HOST
remote-random
remote anna.---------
remote anna.---------
remote anna.---------

resolve-retry infinite

; AUTH
auth-user-pass
persist-key
persist-tun

comp-lzo
verb 1
script-security 2
up /usr/share/openvpn/up-openvpn
down /usr/share/openvpn/down-openvpn

Any ideas what is wrong?

Best regards,
/Christer

Last edited by agkbill (2011-10-23 13:26:16)


#2 2011-10-22 13:19:50

stqn

What does the log say?


#3 2011-10-22 15:12:41

agkbill

With:

script-security 2
up /usr/share/openvpn/scrip-to-start
down /usr/share/openvpn/script-to-stop

My log says:

Oct 22 16:55:12 localhost openvpn[1988]: OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Oct 22 16:55:32 localhost openvpn[1988]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 22 16:55:32 localhost openvpn[1988]: LZO compression initialized
Oct 22 16:55:32 localhost openvpn[1989]: UDPv4 link local: [undef]
Oct 22 16:55:32 localhost openvpn[1989]: UDPv4 link remote: 178.73.212.235:10010
Oct 22 16:55:32 localhost openvpn[1989]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 22 16:55:32 localhost openvpn[1989]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Oct 22 16:55:32 localhost openvpn[1989]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
Oct 22 16:55:32 localhost openvpn[1989]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Oct 22 16:55:32 localhost openvpn[1989]: [server] Peer Connection Initiated with 178.73.212.235:10010
Oct 22 16:55:35 localhost openvpn[1989]: TUN/TAP device tap0 opened
Oct 22 16:55:35 localhost openvpn[1989]: /usr/sbin/ip link set dev tap0 up mtu 1500
Oct 22 16:55:35 localhost openvpn[1989]: /usr/sbin/ip addr add dev tap0 178.73.221.114/26 broadcast 178.73.221.127
Oct 22 16:55:35 localhost openvpn[1989]: /usr/share/openvpn/up-openvpn tap0 1500 1574 178.73.221.114 255.255.255.192 init
Oct 22 16:55:35 localhost openvpn[1989]: Exiting

And without:

Oct 22 16:59:42 localhost openvpn[2025]: OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Oct 22 17:00:01 localhost openvpn[2025]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Oct 22 17:00:01 localhost openvpn[2025]: LZO compression initialized
Oct 22 17:00:01 localhost openvpn[2026]: UDPv4 link local: [undef]
Oct 22 17:00:01 localhost openvpn[2026]: UDPv4 link remote: 178.73.212.231:10020
Oct 22 17:00:01 localhost openvpn[2026]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 22 17:00:01 localhost openvpn[2026]: [server] Peer Connection Initiated with 178.73.212.231:10020
Oct 22 17:00:03 localhost openvpn[2026]: TUN/TAP device tap0 opened
Oct 22 17:00:03 localhost openvpn[2026]: /usr/sbin/ip link set dev tap0 up mtu 1500
Oct 22 17:00:03 localhost openvpn[2026]: /usr/sbin/ip addr add dev tap0 178.73.219.210/24 broadcast 178.73.219.255
Oct 22 17:00:03 localhost openvpn[2026]: Initialization Sequence Completed


#4 2011-10-22 15:25:29

stqn

I'm no expert on this and the configuration for my VPN looks slightly different than yours, but you could try "dev tun" instead of "dev tap" (I think we're supposed to use tun with udp), or increase verb to 3 to get more debug information in the log.

Last edited by stqn (2011-10-22 15:25:51)


#5 2011-10-22 16:57:07

agkbill

Thank you,

But no luck.

With tun I got the following in my log:

Oct 22 18:44:03 localhost openvpn[1404]: OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Oct 22 18:44:22 localhost openvpn[1404]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 22 18:44:23 localhost openvpn[1404]: LZO compression initialized
Oct 22 18:44:23 localhost openvpn[1405]: UDPv4 link local: [undef]
Oct 22 18:44:23 localhost openvpn[1405]: UDPv4 link remote: 178.73.212.231:1194
Oct 22 18:44:23 localhost openvpn[1405]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 22 18:44:23 localhost openvpn[1405]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Oct 22 18:44:23 localhost openvpn[1405]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Oct 22 18:44:23 localhost openvpn[1405]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Oct 22 18:44:23 localhost openvpn[1405]: [server] Peer Connection Initiated with 178.73.212.231:1194
Oct 22 18:44:25 localhost openvpn[1405]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Oct 22 18:44:25 localhost openvpn[1405]: TUN/TAP device tun0 opened
Oct 22 18:44:25 localhost openvpn[1405]: /usr/sbin/ip link set dev tun0 up mtu 1500
Oct 22 18:44:25 localhost openvpn[1405]: /usr/sbin/ip addr add dev tun0 local 178.73.219.55 peer 255.255.255.0
Oct 22 18:44:25 localhost openvpn[1405]: /usr/share/openvpn/up-openvpn tun0 1500 1542 178.73.219.55 255.255.255.0 init
Oct 22 18:44:25 localhost openvpn[1405]: Exiting


#6 2011-10-23 13:25:56

agkbill

At http://openvpn.net I found the following.

The --script-security option was introduced in OpenVPN 2.1_rc9.
For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system

That looked to be the case: my VPN supplier's script (they supply the .conf script to use) is not compatible with OpenVPN 2.1_rc9 and later.

I changed to:

--script-security 3 system

Now no problem, it works perfectly.

All the best!
/Christer
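
Added example, not part of the original posts and not the VPN supplier's script: a hook that can run under "script-security 2" with the default execve method, validating the six arguments that appear in the log lines above before using them. The function names and the "openvpn-hook" log tag are assumptions made for this sketch.

```shell
#!/bin/sh
# Constructed --up/--down hook for "script-security 2". At that level OpenVPN 2.2
# starts the hook with execve(), so the file needs this shebang line and the
# executable bit, and no shell ever parses the command line.
# Argument order, as in the log lines above:
#   <dev> <tun-mtu> <link-mtu> <local-ip> <netmask-or-peer> <init|restart>

is_ipv4() {  # dotted quad, every octet 0-255
    case "$1" in "" | *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

validate_hook_args() {
    [ "$#" -eq 6 ] || return 1
    case "$1" in
        *[!a-z0-9]*) return 1 ;;
        tun[0-9]* | tap[0-9]*) ;;
        *) return 1 ;;
    esac
    for n in "$2" "$3"; do
        case "$n" in "" | *[!0-9]*) return 1 ;; esac
    done
    is_ipv4 "$4" && is_ipv4 "$5" || return 1
    case "$6" in init | restart) ;; *) return 1 ;; esac
}

hook_log_line() {  # prints the line to log, or fails on unexpected arguments
    validate_hook_args "$@" || return 1
    printf 'vpn %s %s local=%s mtu=%s\n' "$6" "$1" "$4" "$2"
}

# OpenVPN always passes arguments; without any (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then
    # A non-zero exit status from an --up hook makes OpenVPN exit.
    line=$(hook_log_line "$@") || exit 1
    logger -t openvpn-hook "$line" 2>/dev/null || true
    exit 0
fi
```

The OpenVPN manual for --script-security describes the system method as deprecated and less safe because the external command line is subject to shell expansion, and level 3 as additionally allowing passwords to be passed to scripts through environment variables.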
