Some useful scripts in OpenVPN

Published: 2007-05-25

These scripts are useful in many situations.

They are mostly copied from the OpenVPN man page.

--tls-verify cmd
Execute shell command cmd to verify the X509 name of a pending TLS connection that has otherwise passed all other tests of certification. cmd should return 0 to allow the TLS handshake to proceed, or 1 to fail. cmd is executed as

cmd certificate_depth X509_NAME_oneline

See the "Environmental Variables" section below for additional parameters passed as environmental variables.

Note that cmd can be a shell command with multiple arguments, in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the script.

This feature is useful if the peer you want to trust has a certificate which was signed by a certificate authority who also signed a zillion other certificates. In this case you want to be selective about which peer certificate you accept. This feature allows you to write a script which will test the X509 name on a certificate and decide whether or not it should be accepted. For a simple perl script which will test the common name field on the certificate, see the file verify-cn in the OpenVPN distribution.
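The --tls-verify contract above (two positional arguments, exit 0 to accept, 1 to reject), as an added example that is not the verify-cn script shipped with OpenVPN: it accepts only leaf certificates whose common name is on an explicit allow list. The allow list, the CNs in it and the x509_cn/tls_verify_check names are assumptions.

```shell
#!/bin/sh
# Added example (not OpenVPN's verify-cn): a --tls-verify hook that accepts
# only leaf certificates whose CN is on an allow list, whatever else the CA
# has signed. OpenVPN runs it as:  cmd certificate_depth X509_NAME_oneline

# Allow list of common names (constructed sample values, one per line).
ALLOWED_CN="alice.client
bob.client"

# Extract the CN= component from a one-line X509 name such as
# "/C=US/O=Example/CN=alice.client". OpenVPN has already remapped any
# character outside its X509 name class to '_' before we see it.
x509_cn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# tls_verify_check DEPTH NAME -> 0 (accept) or 1 (reject)
tls_verify_check() {
    depth=$1
    name=$2
    # Depth > 0 is a CA certificate in the chain; OpenVPN has already
    # validated the chain, so policy is only applied to the leaf (depth 0).
    if [ "$depth" != "0" ]; then
        return 0
    fi
    cn=$(x509_cn "$name")
    [ -n "$cn" ] || return 1
    for allowed in $ALLOWED_CN; do
        if [ "$cn" = "$allowed" ]; then
            return 0
        fi
    done
    # Log the rejection; untrusted_ip is exported by OpenVPN for this hook.
    echo "tls-verify: rejecting CN=$cn from ${untrusted_ip:-?}" >&2
    return 1
}

# When invoked by OpenVPN, use the two positional arguments it passes.
if [ "$#" -ge 2 ]; then
    tls_verify_check "$1" "$2"
    exit $?
fi
```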

--client-connect script
Run script on client connection. The script is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The script is also passed the pathname of a not-yet-created temporary file as $1 (i.e. the first command line argument), to be used by the script to pass dynamically generated config file directives back to OpenVPN.

If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1.

See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.

Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected without the --client-disconnect script being called.

--client-disconnect
Like --client-connect but called on client instance shutdown. Will not be called unless the --client-connect script and plugins (if defined) were previously called on this instance with successful (0) status returns.

--client-config-dir dir
Specify a directory dir for custom client config files. After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client-specific configuration options. If no matching file is found, OpenVPN will instead try to open and parse a default file called "DEFAULT", which may be provided but is not required.

This file can specify a fixed IP address for a given client using --ifconfig-push, as well as fixed subnets owned by the client using --iroute.

One of the useful properties of this option is that it allows client configuration files to be conveniently created, edited, or removed while the server is live, without needing to restart the server.

The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config.
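As an added example covering both the --client-connect contract above ($1 names the file to write; a non-zero exit disconnects the client) and the client-specific directives just listed, here is a hook that provisions a fixed tunnel address and the subnet each client owns. This is not OpenVPN code; the client table, its addresses and the client_connect_config name are assumptions.

```shell
#!/bin/sh
# Added example (not part of OpenVPN): a --client-connect hook that writes
# ifconfig-push / iroute directives for the authenticated client to the
# temporary file OpenVPN names in $1. OpenVPN exports common_name for us.

# Constructed sample table: name local_ip remote_ip iroute_net iroute_mask
# ('-' means the client owns no subnet behind it).
CLIENT_TABLE='alice.client 10.8.0.5 10.8.0.6 192.168.10.0 255.255.255.0
bob.client 10.8.0.9 10.8.0.10 - -'

# client_connect_config CN OUTFILE -> 0 and directives written to OUTFILE,
# or 1 when the CN is not provisioned (OpenVPN then drops the client).
client_connect_config() {
    cn=$1
    out=$2
    # Only the character class OpenVPN permits for common names can reach
    # us after remapping; anything else is refused outright.
    case "$cn" in
        *[!A-Za-z0-9_.@-]*|'') return 1 ;;
    esac
    # Look the client up and emit its directives (nothing if unknown).
    printf '%s\n' "$CLIENT_TABLE" | while read -r name lip rip net mask; do
        [ "$name" = "$cn" ] || continue
        printf 'ifconfig-push %s %s\n' "$lip" "$rip"
        [ "$net" = "-" ] || printf 'iroute %s %s\n' "$net" "$mask"
    done > "$out"
    # An empty file means the CN is not in the table: fail the connection.
    [ -s "$out" ]
}

# When invoked by OpenVPN, act on the exported common_name and the $1 path.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    client_connect_config "$common_name" "$1"
    exit $?
fi
```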

--connect-freq n sec
Allow a maximum of n new connections per sec seconds from clients. This is designed to contain DoS attacks which flood the server with connection requests using certificates which will ultimately fail to authenticate.

This is an imperfect solution however, because in a real DoS scenario, legitimate connections might also be refused.

For the best protection against DoS attacks in server mode, use --proto udp and --tls-auth.

SCRIPTING AND ENVIRONMENTAL VARIABLES

OpenVPN exports a series of environmental variables for use by user-defined scripts.

Script Order of Execution

--up
Executed after TCP/UDP socket bind and TUN/TAP open.
--tls-verify
Executed when we have a still untrusted remote peer.
--ipchange
Executed after connection authentication, or remote IP address change.
--client-connect
Executed in --mode server mode immediately after client authentication.
--route-up
Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option.
--client-disconnect
Executed in --mode server mode on client instance shutdown.
--down
Executed after TCP/UDP and TUN/TAP close.
--learn-address
Executed in --mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table.
--auth-user-pass-verify
Executed in --mode server mode on new client connections, when the client is still untrusted.

String Types and Remapping

In certain cases, OpenVPN will perform remapping of characters in strings. Essentially, any characters outside the set of permitted characters for each string type will be converted to underbar ('_').

Q: Why is string remapping necessary?

A: It's an important security feature to prevent the malicious coding of strings from untrusted sources to be passed as parameters to scripts, saved in the environment, used as a common name, translated to a filename, etc.

Here is a brief rundown of OpenVPN's current string types and the permitted character class for each string:

X509 Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at ('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is defined as a character which will cause the C library isalnum() function to return true.

Common Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at ('@').

--auth-user-pass username: Same as Common Name.

--auth-user-pass password: Any "printable" character except CR or LF. Printable is defined to be a character which will cause the C library isprint() function to return true.

--client-config-dir filename as derived from common name or username: Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or ".." as standalone strings.

Environmental variable names: Alphanumeric or underbar ('_').

Environmental variable values: Any printable character.

For all cases, characters in a string which are not members of the legal character class for that string type will be remapped to underbar ('_').

Environmental Variables

Once set, a variable is persisted indefinitely until it is reset by a new value or a restart.

As of OpenVPN 2.0-beta12, in server mode, environmental variables set by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issues with scripts having access to stale, previously set variables which refer to different client instances.

bytes_received
Total number of bytes received from client during VPN session. Set prior to execution of the --client-disconnect script.
bytes_sent
Total number of bytes sent to client during VPN session. Set prior to execution of the --client-disconnect script.
common_name
The X509 common name of an authenticated client. Set prior to execution of --client-connect, --client-disconnect, and --auth-user-pass-verify scripts.
config
Name of first --config file. Set on program initiation and reset on SIGHUP.
dev
The actual name of the TUN/TAP device, including a unit number if it exists. Set prior to --up or --down script execution.
foreign_option_{n}
An option pushed via --push to a client which does not natively support it, such as --dhcp-option on a non-Windows system, will be recorded to this environmental variable sequence prior to --up script execution.
ifconfig_broadcast
The broadcast address for the virtual ethernet segment which is derived from the --ifconfig option when --dev tap is used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to --up script execution.
ifconfig_local
The local VPN endpoint IP address specified in the --ifconfig option (first parameter). Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to --up script execution.
ifconfig_remote
The remote VPN endpoint IP address specified in the --ifconfig option (second parameter) when --dev tun is used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to --up script execution.
ifconfig_netmask
The subnet mask of the virtual ethernet segment that is specified as the second parameter to --ifconfig when --dev tap is being used. Set prior to OpenVPN calling the ifconfig or netsh (windows version of ifconfig) commands which normally occurs prior to --up script execution.
ifconfig_pool_local_ip
The local virtual IP address for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). Only set for --dev tun tunnels. This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.
ifconfig_pool_netmask
The virtual IP netmask for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). Only set for --dev tap tunnels. This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.
ifconfig_pool_remote_ip
The remote virtual IP address for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.
link_mtu
The maximum packet size (not including the IP header) of tunnel data in UDP tunnel transport mode. Set prior to --up or --down script execution.
local
The --local parameter. Set on program initiation and reset on SIGHUP.
local_port
The local port number, specified by --port or --lport. Set on program initiation and reset on SIGHUP.
password
The password provided by a connecting client. Set prior to --auth-user-pass-verify script execution only when the via-env modifier is specified, and deleted from the environment after the script returns.
proto
The --proto parameter. Set on program initiation and reset on SIGHUP.
remote_{n}
The --remote parameter. Set on program initiation and reset on SIGHUP.
remote_port_{n}
The remote port number, specified by --port or --rport. Set on program initiation and reset on SIGHUP.
route_net_gateway
The pre-existing default IP gateway in the system routing table. Set prior to --up script execution.
route_vpn_gateway
The default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified. Set prior to --up script execution.
route_{parm}_{n}
A set of variables which define each route to be added, and are set prior to --up script execution.

parm will be one of "network", "netmask", "gateway", or "metric".

n is the OpenVPN route number, starting from 1.

If the network or gateway are resolvable DNS names, their IP address translations will be recorded rather than their names as denoted on the command line or configuration file.

script_context
Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for --up.
script_type
One of up, down, ipchange, route-up, tls-verify, auth-user-pass-verify, client-connect, client-disconnect, or learn-address. Set prior to execution of any script.
signal
The reason for exit or restart. Can be one of sigusr1, sighup, sigterm, sigint, inactive (controlled by --inactive option), ping-exit (controlled by --ping-exit option), ping-restart (controlled by --ping-restart option), connection-reset (triggered on TCP connection reset), error, or unknown (unknown signal). This variable is set just prior to down script execution.
tls_id_{n}
A series of certificate fields from the remote peer, where n is the verification level. Only set for TLS connections. Set prior to execution of --tls-verify script.
tls_serial_{n}
The serial number of the certificate from the remote peer, where n is the verification level. Only set for TLS connections. Set prior to execution of --tls-verify script.
tun_mtu
The MTU of the TUN/TAP device. Set prior to --up or --down script execution.
trusted_ip
Actual IP address of connecting client or peer which has been authenticated. Set prior to execution of --ipchange, --client-connect, and --client-disconnect scripts.
trusted_port
Actual port number of connecting client or peer which has been authenticated. Set prior to execution of --ipchange, --client-connect, and --client-disconnect scripts.
untrusted_ip
Actual IP address of connecting client or peer which has not been authenticated yet. Sometimes used to nmap the connecting host in a --tls-verify script to ensure it is firewalled properly. Set prior to execution of --tls-verify and --auth-user-pass-verify scripts.
untrusted_port
Actual port number of connecting client or peer which has not been authenticated yet. Set prior to execution of --tls-verify and --auth-user-pass-verify scripts.
username
The username provided by a connecting client. Set prior to --auth-user-pass-verify script execution only when the via-env modifier is specified.

SIGNALS

SIGHUP
Cause OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and reopen TUN/TAP and network connections.
SIGUSR1
Like SIGHUP, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated remote IP address/port based on --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options respectively (see above).

This signal may also be internally generated by a timeout condition, governed by the --ping-restart option.

This signal, when combined with --persist-remote-ip, may be sent when the underlying parameters of the host's network interface change such as when the host is a DHCP client and is assigned a new IP address. See --ipchange above for more information.

SIGUSR2
Causes OpenVPN to display its current statistics (to the syslog file if --daemon is used, or stdout otherwise).
SIGINT, SIGTERM
Causes OpenVPN to exit gracefully.

Original source: http://www.ltesting.net