
I've done quite a bit of searching but need help running scripts on clients when they connect. The end goal is for Windows clients to map some drives when they connect, and disconnect the drives when disconnecting. The OpenVPN server is an Amazon Marketplace instance, and I do have access to the console via putty/sftp. Clients are able to connect using 2 Factor Auth successfully and get their correct IPs/routing.

I've tried to place some scripts into the Group Permissions > Client Scripting as follows:

OpenVPN Windows User Connect Script

And the script up.sh is simply the following.

    net use Z: "\\server.domain.com\Share" /user:domain\username P@ssw0rd

The file up.sh has:

    -rwxrwxrwx  1 root root    70 Jan 23 15:45 up.sh

The directory permissions on /etc/openvpn are:

    drwxr-xr-x  2 root root    4096 Jan 23 15:45 openvpn

So as a test I am expecting to see something in the client logs found here on the client:

    c:\program files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\capi.log

When the client connects the following pop up message occurs:

OpenVPN Warning

After clicking Yes, nothing happens and the client log has the following:

    2018-01-23 15:58:14-0800 [-] user_connect-PP ERR: "'--script-security' is not recognized as an internal or external command,\r"
    2018-01-23 15:58:14-0800 [-] user_connect-PP ERR: 'operable program or batch file.\r'
    2018-01-23 15:58:14-0800 [-] user_connect-PP ERR: "'--client-connect' is not recognized as an internal or external command,\r"
    2018-01-23 15:58:14-0800 [-] user_connect-PP ERR: 'operable program or batch file.\r'

If I remove the two dashes (--) in front of each script line there is no difference in the client errors in the log.

Thanks for any and all input!

JasonC
    What happens if you change your user-level connect script to only have this line: `net use Z: "\\server.domain.com\Share" /user:domain\username P@ssw0rd` ? – sippybear Jan 24 '18 at 01:44
  • I ask because that error message looks suspiciously like what happens when you run `--script-security` in a cmd prompt and I believe the default interpreter for OpenVPN on Windows is cmd.exe – sippybear Jan 24 '18 at 03:49
  • @sippybear yes thanks that exactly is the issue. I simply added the command into the Windows User Connect gui dialog box and the drive map completed successfully. I did have to put the password in quotes. – JasonC Jan 24 '18 at 18:12
  • Huzzah! Good to know that the password has to be quoted. – sippybear Jan 24 '18 at 18:15
  • Yes it works fine and I can map multiple drives per line, but the problem is when the user connects, if they hit the details on the warning dialog box, it displays the entire script, including the pw in plaintext. – JasonC Jan 24 '18 at 18:28
  • Does each user have a valid username/password? If so, shouldn't they be using their own credentials to map the drive? Do you have an active directory domain for authentication? If so, are the client machines joined to that domain? – sippybear Jan 24 '18 at 18:36
  • In this instance no because of a transition to AWS, it is a separate domain and the VPN will be used only for DR/BCP purposes. I think we may use a dedicated account that is locked down to map the drives. Or find a way to hide the script warning. Since the script is essentially running cmd.exe, then if we want to call a .bat file, it would already have to reside on the client that is connecting, correct? – JasonC Jan 24 '18 at 18:58
  • Your batch file would have to be local or on an already accessible network drive, yes. On a side note, I think your original question is answered at this point. If you have questions about obfuscating passwords, I think we should start another question. – sippybear Jan 24 '18 at 20:31

1 Answer


The default script interpreter for OpenVPN on Windows is cmd.exe. Modify your client-side script to only include `net use Z: "\\server.domain.com\Share" /user:domain\username "P@ssw0rd"` or other cmd appropriate commands and you should be good to go.

@JasonC also found that the password needed to be quoted.

Edit: If you want the end user to type in a password, use something like this instead:

    powershell New-PSDrive -Name "Z" -PSProvider "FileSystem" -Root "\\Server\Share" -Persist -Credential (Get-Credential)

sippybear
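The question asks for drives to be mapped on connect and removed on disconnect, and the comments show why embedding `net use ... P@ssw0rd` in the server-side script field is a problem: the client's warning dialog reveals the whole script, password included. The following PowerShell script is an added example, not code from the question or the answer. It takes the answer's `New-PSDrive -Credential (Get-Credential)` approach and turns it into a script that lives on the client (as the comments note, a script file has to be local already), prompts once for credentials so nothing sensitive sits in the OpenVPN server configuration, maps several shares, and removes them again when called with `-Disconnect`. The file name `vpn-drives.ps1`, the share paths and the drive letters are placeholders; it also assumes the connect script runs where the credential prompt can be displayed, as the answer's own one-liner does.

```powershell
# vpn-drives.ps1 (placeholder name) - map or remove network drives for a VPN session.
# Added example, not part of the original Q&A. Share paths below are placeholders.
# Intended to be called from the OpenVPN client-side connect/disconnect script as:
#   powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\vpn-drives.ps1"
#   powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\vpn-drives.ps1" -Disconnect
param(
    [switch]$Disconnect
)

# Drive letter -> UNC path. Replace with the shares your users need.
$Drives = @{
    'Z' = '\\server.domain.com\Share'
    'Y' = '\\server.domain.com\Backups'
}

function Remove-MappedDrives {
    foreach ($letter in $Drives.Keys) {
        if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
            # -Force removes the mapping even if files on it are still open
            Remove-PSDrive -Name $letter -Scope Global -Force -ErrorAction SilentlyContinue
        }
    }
}

if ($Disconnect) {
    Remove-MappedDrives
    exit 0
}

# Prompt once; the credential stays in this process only. Nothing is written to
# the OpenVPN server config, so the client's "script details" view shows no password.
$cred = Get-Credential -Message 'Credentials for VPN file shares'
if (-not $cred) {
    Write-Error 'No credentials supplied; drives were not mapped.'
    exit 1
}

# Clear stale mappings from an earlier session before re-mapping.
Remove-MappedDrives

$failed = 0
foreach ($entry in $Drives.GetEnumerator()) {
    try {
        # -Persist makes the drive visible in Explorer; -Scope Global keeps it
        # alive after this script ends rather than tearing it down with the script scope.
        New-PSDrive -Name $entry.Key -PSProvider FileSystem -Root $entry.Value `
            -Persist -Scope Global -Credential $cred -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Could not map $($entry.Key): to $($entry.Value): $($_.Exception.Message)"
        $failed++
    }
}

# Non-zero exit code when any share failed, so the failure shows up in the client log.
exit $failed
```

The design point is that the server-side script field should contain only the call to the local script, never the credentials; if a shared, locked-down DR account is used instead of per-user credentials, as the comments discuss, the same script works unchanged, since the account's password is typed by the user at connect time rather than stored.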