tuner23 Tux's lil' helper
Joined: 18 May 2006 Posts: 82
Posted: Sat Aug 06, 2011 10:24 am Post subject: Make OpenVPN down.sh working
Hi,
I have the problem that the down.sh script does not do anything.
My down script is very simple:
Code: |
dev=$1
if [ -e /etc/resolv.conf-"${dev}".sv ] ; then
    # Important that we copy instead of move in case resolv.conf is
    # a symlink and not an actual file
    cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
    rm -f /etc/resolv.conf-"${dev}".sv
fi
|
When I stop openvpn, I see in the messages:
Code: |
...
Aug 6 12:15:35 fish openvpn[14768]: TCP/UDP: Closing socket
Aug 6 12:15:35 fish openvpn[14768]: /sbin/ip route del 192.168.23.65/32
Aug 6 12:15:35 fish openvpn[14768]: ERROR: Linux route delete command failed: external program exited with error status: 2
...
Aug 6 12:15:35 fish openvpn[14768]: /etc/openvpn/down.sh tun0 1500 1544 192.168.23.70 192.168.23.69 init
Aug 6 12:15:35 fish openvpn[14768]: Closing TUN/TAP interface
|
The /etc/resolv.conf-"${dev}".sv exists, and when I call the script on the command line
Code: |
/etc/openvpn/down.sh tun0
|
it works properly.
Oehm, so what am I doing wrong?
Thanks for your help,
Antonios.

Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Sat Aug 06, 2011 5:13 pm
Add the following to the top of your downscript, then let OpenVPN run it. Afterward, check the generated log.
Code: |
exec 2> $(mktemp openvpn-down.log.XXXXXX)
set -x
|

tuner23 Tux's lil' helper
Joined: 18 May 2006 Posts: 82
Posted: Sun Aug 07, 2011 8:51 am
Hmm,
Thank you..
I see the problem, but not the solution right now...
OpenVPN starts up as root and switches to user nobody..
Code: |
+ dev=tun0
+ '[' -e /etc/resolv.conf-tun0.sv ']'
+ cp /etc/resolv.conf-tun0.sv /etc/resolv.conf
cp: cannot create regular file `/etc/resolv.conf': Permission denied
+ rm -f /etc/resolv.conf-tun0.sv
rm: cannot remove `/etc/resolv.conf-tun0.sv': Permission denied
+ exit 0
|
Maybe I should put a line in the init script, or is there a better way..?

Hu Administrator
Joined: 06 Mar 2007 Posts: 23101
Posted: Sun Aug 07, 2011 4:23 pm
How do you create /etc/resolv.conf-tun0.sv?

tuner23 Tux's lil' helper
Joined: 18 May 2006 Posts: 82
Posted: Mon Aug 08, 2011 5:30 am
Hello Hu,
The up script is called as a VPN option by the Gentoo init script
Code: |
...
if exist up.sh
openvpn --up up.sh
|
Something like this..
It's the same with down.sh

marens Apprentice
Joined: 05 Aug 2004 Posts: 173
Posted: Fri Nov 16, 2012 11:19 pm
I think this problem still exists until today, did you manage to get things working? Otherwise opening a bug would be a good idea.
_________________
If English was good enough for Jesus, then it's good enough for you!

tuner23 Tux's lil' helper
Joined: 18 May 2006 Posts: 82
Posted: Thu Nov 22, 2012 1:00 pm
Hello marens,
It's a long time ago, so I don't really know the actual status for that.
In my init script are the following two lines, but I don't know if they are from me or from the original Gentoo init script..
Code: |
# When we get an authenticated packet from the peer then we run our script
# which configures our DNS if any and marks us as up.
if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then
reenter="yes"
args="${args} --up-delay --up-restart"
args="${args} --script-security 2"
+++ args="${args} --up /etc/openvpn/up.sh"
+++ args="${args} --down-pre --down /etc/openvpn/down.sh"
|
Hope that helps.
Maybe you also have to check if the file exists before setting the options..
Antonios.

marens Apprentice
Joined: 05 Aug 2004 Posts: 173
Posted: Fri Nov 23, 2012 12:22 am
Well the problem is pretty clear, openvpn drops privileges after changing routing/dns and so it can't change it back when we stop the service.
Code: |
# Warn about the inability to change ip/route/dns information when
# dropping privs
if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then
    ewarn "WARNING: You are dropping root privileges!"
    ewarn "As such openvpn may not be able to change ip, routing"
    ewarn "or DNS configuration."
fi
|
But that isn't what I need for a quick VPN to the company and resetting it back again.
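
The combination diagnosed in this thread (a config that switches to an unprivileged user plus a down script that has to rewrite root-owned files) can be flagged before the tunnel is started. The following is an added example, not code from any post or from the Gentoo init script; it extends the init script's `user` grep shown above, and the function names `directive_value` and `check_down_privs` are hypothetical.

```shell
#!/bin/sh
# Added example: flag an OpenVPN setup where the down script will run
# unprivileged. Function names are hypothetical, not from the init script.

# directive_value CONF NAME
# Print the first argument of directive NAME in an OpenVPN config file.
# Lines starting with '#' or ';' are comments; leading whitespace is allowed.
directive_value() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name    { print $2; exit }
    ' "$1"
}

# check_down_privs CONF [DOWN_SCRIPT]
# DOWN_SCRIPT is a script passed on the command line (as the init script
# does with --down); if omitted, the config's own "down" directive is used.
# Returns 1 when the daemon drops to a non-root user and a down script is
# set, 0 otherwise.
check_down_privs() {
    conf=$1
    down=${2:-$(directive_value "$conf" down)}
    run_as=$(directive_value "$conf" user)

    if [ -n "$down" ] && [ -n "$run_as" ] && [ "$run_as" != "root" ]; then
        echo "WARNING: $conf switches to user '$run_as' after startup." >&2
        echo "$down will run as '$run_as' and cannot restore" >&2
        echo "root-owned files such as /etc/resolv.conf." >&2
        return 1
    fi
    return 0
}

# Stand-alone use:
#   sh check.sh /etc/openvpn/openvpn.conf /etc/openvpn/down.sh
if [ "$#" -gt 0 ]; then
    check_down_privs "$@"
fi
```
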

marens Apprentice
Joined: 05 Aug 2004 Posts: 173
Posted: Mon Nov 26, 2012 9:16 pm
Installed openresolv, seems to be working properly now