Question
How do I hook a script to OpenVPN so that it runs when the VPN connects successfully?
Best solution
network-manager-openvpn does not provide such a feature; you have to use openvpn directly.
Pass --script-security 2 --up /path/to/your/script to it when connecting. If you are using a configuration file in /etc/openvpn/, append the following lines to it:
script-security 2
# run /etc/openvpn/up.sh when the connection is set up
up /etc/openvpn/up.sh
--script-security level [method]
This directive offers policy-level control over OpenVPN’s usage
of external programs and scripts. Lower level values are more
restrictive, higher values are more permissive. Settings for
level:
0 -- Strictly no calling of external programs.
1 -- (Default) Only call built-in executables such as ifconfig,
ip, route, or netsh.
2 -- Allow calling of built-in executables and user-defined
scripts.
3 -- Allow passwords to be passed to scripts via environmental
variables (potentially unsafe).
--up cmd
Shell command to run after successful TUN/TAP device open (pre
--user UID change). The up script is useful for specifying
route commands which route IP traffic destined for private
subnets which exist at the other end of the VPN connection into
the tunnel.
Script Order of Execution
--up Executed after TCP/UDP socket bind and TUN/TAP open.
--down Executed after TCP/UDP and TUN/TAP close.
There are more script execution events; they can be found on the manual page.
Create /etc/openvpn/up.sh and give it execute permission (e.g., 755 or 700). Example contents that add an IPv6 address and route (shown for educational purposes, do not copy verbatim):
#!/bin/sh
# add an IPv6 address to device $dev (environment variable set by OpenVPN)
ip -6 addr add 2001:db8::1:2/112 dev "$dev"
# and the IPv6 route for this net using gateway 2001:db8::1
ip -6 route add 2001:db8::1:0/112 via 2001:db8::1 dev "$dev"
Note that this up script runs as root. If you have not specified the User and Group settings, OpenVPN will also run the down and other scripts as root.
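A more defensive version of the hook, as an added example that is not part of the original answer: one script that serves as both --up and --down, keyed on the script_type environment variable OpenVPN sets, with the interface name validated before it reaches a command line and a DRY_RUN switch so it can be exercised without root. The addresses are constructed documentation-range values, and valid_dev, vpn6_commands and apply_commands are names chosen here.

```shell
#!/bin/sh
# Combined --up/--down hook. OpenVPN exports $dev and $script_type to the
# script, so one file can add routes on "up" and remove them on "down".
# Addresses are constructed examples from the documentation range.
VPN6_ADDR="2001:db8::1:2/112"
VPN6_NET="2001:db8::1:0/112"
VPN6_GW="2001:db8::1"
# Accept only plausible interface names; the script runs as root, so nothing
# unexpected should be spliced into an ip(8) command line.
valid_dev() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}
# Print the ip(8) commands for an event, one per line.
# $1 = script_type (up|down), $2 = tunnel device name.
vpn6_commands() {
    valid_dev "$2" || { echo "refusing device name '$2'" >&2; return 1; }
    case "$1" in
        up)
            printf 'ip -6 addr add %s dev %s\n' "$VPN6_ADDR" "$2"
            printf 'ip -6 route add %s via %s dev %s\n' "$VPN6_NET" "$VPN6_GW" "$2"
            ;;
        down)   # undo in reverse order
            printf 'ip -6 route del %s via %s dev %s\n' "$VPN6_NET" "$VPN6_GW" "$2"
            printf 'ip -6 addr del %s dev %s\n' "$VPN6_ADDR" "$2"
            ;;
        *)
            echo "unsupported script_type '$1'" >&2; return 1 ;;
    esac
}
# Execute the commands, or just print them when DRY_RUN=1 (no root needed).
# A failing command aborts the hook so OpenVPN logs the failure.
apply_commands() {
    cmds=$(vpn6_commands "$1" "$2") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || exit 1   # word-splitting $cmd is intended here
        fi
    done
}
# Only act when OpenVPN invoked us (it sets script_type); sourcing the file
# just defines the functions.
if [ -n "${script_type:-}" ]; then
    apply_commands "$script_type" "${dev:-}"
fi
```

Install it as both `up /etc/openvpn/up.sh` and `down /etc/openvpn/up.sh` in the configuration, with script-security 2 as described above.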
Second-best solution
The question is: "How do I hook a script to OpenVPN so that it runs when the VPN connects successfully?" I would like to point out that Lekensteyn gave an excellent answer. However, at the time his answer was written, it lacked a little clarity on how to supply openvpn command-line arguments when starting openvpn on an Ubuntu machine, in particular so that it works the same way after a reboot.
OpenVPN command-line arguments on Ubuntu:
Of course, openvpn can be started from the command line with any legal option available. But on an Ubuntu machine, if you want openvpn to start with the same command-line arguments after a reboot, you should consider editing the file /etc/default/openvpn. Look for the following lines:
# Optional arguments to openvpn's command line
OPTARGS=""
From the community openvpn man page on --script-security:
--script-security level
This directive offers policy-level control over OpenVPN's usage of external
programs and scripts. Lower level values are more restrictive, higher
values are more permissive. Settings for level:
0 -- Strictly no calling of external programs.
1 -- (Default) Only call built-in executables such as ifconfig, ip, route,
or netsh.
2 -- Allow calling of built-in executables and user-defined scripts.
3 -- Allow passwords to be passed to scripts via environmental variables
(potentially unsafe).
OpenVPN releases before v2.3 also supported a method flag which indicated how
OpenVPN should call external commands and scripts. This could be either execve
or system. As of OpenVPN v2.3, this flag is no longer accepted. In most *nix
environments the execve() approach has been used without any issues.
Some directives such as --up allow options to be passed to the external script.
In these cases make sure the script name does not contain any spaces or the
configuration parser will choke because it can't determine where the script
name ends and script options start.
Combined with the abbreviated section on --up:
--up cmd
Run command cmd after successful TUN/TAP device open (pre --user UID change).
cmd consists of a path to script (or executable program), optionally followed
by arguments. The path and arguments may be single- or double-quoted and/or
escaped using a backslash, and should be separated by one or more spaces.
Example:
On my machine with an openvpn server.conf, my /etc/default/openvpn file has the following lines:
OPTARGS="
--script-security 2
--up /etc/openvpn/nat.sh
"
Incidentally, nat.sh sets up network address translation to route private-network traffic from openvpn clients to the public internet; this is useful when one does not trust a public WiFi access point.
Besides allowing it to restart as expected after a reboot, once the /etc/openvpn/[client or server].conf and /etc/default/openvpn files are configured correctly, openvpn can be started or stopped with the following commands:
sudo service openvpn start
sudo service openvpn stop
Other useful options for service openvpn include cond-restart, force-reload, reload, restart, soft-restart, start, status, stop.