openvpn --client-connect example script

Question

Good day all

I require a --client-connecting script and --client-disconnect script.

My issue: is that I am unable to find an example anywhere, I have been searching for the past 4 hours.

I have only come across this from the OpenVPN archive back in 2006 and a couple of requests for examples, but no recent example has been found.

Going through the doc pages and looking at the options and evironment variables, I feel lost.

If anyone is willing to share/impart their knowledge through an intuituve example, I would very much apppreciate it.

If you feel the need to downvote the post, please explain why. — CybeX, Dec 02 '18 at 06:20
Well I have used `client-connect` and `client-disconnect` in the past to update if an IPv6 subnet can be pinged. I can expand on my answer below when I am near my computer again. — Lasse Michael Mølgaard, Dec 21 '22 at 12:03

Lasse Michael Mølgaard · Answer 1 · 2022-12-24T15:45:50.353

Actually on server side inside the configuration file you can use:

# server vpn interface is up
up "/script/server_up.sh"

# server vpn interface is going down
down "/script/server_down.sh"

# client connected to VPN server
client-connect "script/client_connect.sh"

# client disconnected from VPN server
client-disconnect "script/client_disconnect.sh"

On client side you will use:

# Client connected to VPN server
up "script/connected.sh"

# Client disconnected from VPN server
down "script/disconnected.sh"

OpenVPN will pass a lot of environmental variables to your shell script that you can use for whatever you want.

I have in the past had a script called server_up.sh that setup a IPv6 tunnel to Hurricane Electric.

Assume the ip address 2001:db8::1 is Hurricane Electric ipv6 standard gateway and the subnet 2001:db8:cafe::/48 is the IPv6 subnet that is routed to me.

Then the content of script/server_up.dh would be a bit like this:

#!/bin/bash

ip tunnel add he-ipv6 mode sit remote TUNNELBROKER.IPV4.IP.ADDRESS local MY.IPV4.IP.ADDRESS ttl 255
ip link set he-ipv6 up
ip -6 route add default via 2001:db8::1 dev he-ipv6 table openvpn

# Reset ALL ipv6 routes
ip -6 rule flush

# Reinitialise the main IPv6 routing table (inbound traffic) because of reset above
ip -6 rule add priority 32766 from all table main

# Reset OpenVPN routing table (outbound traffic)
ip -6 route flush table openvpn

# Add default unreachable route for any ipv6 subnet not in use.
ip -6 route add unreachable 2001:db8:cafe::/48 table main
ip -6 route add unreachable 2001:db8:cafe::/48 table openvpn

# Add rule to lookup openvpn table if traffic originates from our subnet
ip -6 route add priority 32000 from 2001:db8:cafe::/48 table openvpn

The content of script/server_down.sh would tear down everything again in reverse order.

score 0 · Answer 2 · answered Dec 23 '20 at 12:14

Was that the question about --client-connect example scripts ? If so anything that follow bash

#!/bin/bash
message="$(echo -e "${common_name} connected      to: ${HOSTNAME} \\nRemote:  
${untrusted_ip} \\nVirtual: ${ifconfig_pool_remote_ip}")"
/usr/bin/create_notification -s news "${message}"
/usr/bin/notifier
exit 0

score 0 · Answer 3 · answered Nov 04 '16 at 15:03

Connect/disconnect script stuff in OpenVPN controlled by "up/down" operators in config file (plus "script-security 2", so OpenVPN daemon allows you execute 3rd party scripts). Here is an example (p2p connection):

remote 1.2.3.4
dev tun123
ifconfig 1.1.1.2 1.1.1.1
secret /etc/openvpn/test.key
proto udp
port 1234
comp-lzo
nobind
keepalive 10 60
script-security 2
up "/script/location/up.sh"
down "/script/location/down.sh"

Besides, you can use --up & --down options if use openvpn executable from cli.

openvpn --client-connect example script

3 Answers3