The down-root plugin makes it possible to run a script with root privileges when a connection is torn down, even though the OpenVPN process itself runs with reduced privileges (user, group, chroot). To achieve this the process is forked into a parent and a child process: one of them stays root and sleeps, while the actual OpenVPN process operates with reduced privileges (on IPFire as user nobody). Only when the connection is torn down (--down) is the sleeping root process signalled through a pipe, and it then executes the configured script with root privileges.

In this example the script is tied to the tear-down of the connection, during which the tun interface is closed and all routes of the connection are deleted.
First we create a script that is executed both when the connection is established and when it is terminated.

The relevant directives are then set only in server.conf for Roadwarrior connections, and on both the TLS server and the TLS client for network-to-network connections.

  1. The script in this example is placed under /var/ipfire/ovpn/scripts, is named down-root.sh and has the following content:
#!/bin/sh
# Called twice: by OpenVPN as the --up script (script_type=up in the
# environment, still running as root before privileges are dropped) and by
# the down-root plugin with the argument "--down" when the connection is
# torn down (as root, via the plugin's helper process).
if [ "$script_type" = "up" ]
then
    touch /tmp/down-root.tempfile
fi
if [ "$1" = "--down" ]
then
    rm -f /tmp/down-root.tempfile
fi
  • The script must be made executable with:
chmod +x /var/ipfire/ovpn/scripts/down-root.sh
  2. The additional directives in the configuration file, using a network-to-network connection as the example:
up /var/ipfire/ovpn/scripts/down-root.sh
plugin /usr/lib/openvpn/openvpn-down-root.so /var/ipfire/ovpn/scripts/down-root.sh --down
  • The plugin must also be available for the Roadwarrior server; there the configuration file /var/ipfire/ovpn/server.conf is used. The Roadwarrior client requires no further configuration.
  3. Additional configuration entries can be made via the "Advanced Server Configuration" under "Additional configuration", or by manual entries in /var/ipfire/ovpn/scripts/server.conf.local and/or client.conf.local.
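The following hook is an added example, not IPFire's or OpenVPN's own script. It does what the example script above does, but additionally records the phase, the effective uid and the tun device of every run (to syslog via logger where available, and to stdout), so that you can verify from the logs that the --down run really happens with uid 0 while the OpenVPN process itself runs as nobody; it also refuses calls that come from neither OpenVPN's up hook nor the plugin. The state file path (overridable through the DOWN_ROOT_STATE variable), the syslog tag and the handle_event/phase_of function names are choices made for this example. The directives in the header are assumed to be present in server.conf.local or client.conf.local; script-security 2 is OpenVPN's own requirement for executing a user-supplied up script, the plugin line does not need it.

```shell
#!/bin/sh
# Extended down-root hook (added example; not IPFire's or OpenVPN's own code).
# Assumed directives in server.conf.local / client.conf.local:
#   script-security 2
#   up /var/ipfire/ovpn/scripts/down-root.sh
#   plugin /usr/lib/openvpn/openvpn-down-root.so /var/ipfire/ovpn/scripts/down-root.sh --down
#
# State file path and syslog tag are arbitrary choices for this example.
STATE_FILE="${DOWN_ROOT_STATE:-/tmp/down-root.tempfile}"

# Which phase are we in? OpenVPN exports script_type=up for the --up script
# (its positional args are tun device, MTUs and addresses); the plugin calls
# us with the arguments from its plugin line, i.e. "--down".
phase_of() {
    if [ "$1" = "--down" ]; then
        echo down
    elif [ "${script_type:-}" = "up" ]; then
        echo up
    else
        echo unknown
    fi
}

# Record phase, effective uid and tun device. dev and ifconfig_local come
# from OpenVPN's environment and show up as "?" when run by hand.
log_event() {
    msg="phase=$1 uid=$(id -u) dev=${dev:-?} tun_ip=${ifconfig_local:-?}"
    if command -v logger >/dev/null 2>&1; then
        logger -t down-root "$msg"
    fi
    printf '%s\n' "$msg"
}

handle_event() {
    phase=$(phase_of "$1")
    case "$phase" in
        up)
            # Still root here: OpenVPN drops to nobody only after the up script.
            printf 'dev=%s uid=%s\n' "${dev:-?}" "$(id -u)" > "$STATE_FILE"
            ;;
        down)
            # Runs in the privileged helper process. uid != 0 here means the
            # plugin line is missing or wrong and the hook cannot do root work.
            if [ "$(id -u)" -ne 0 ]; then
                log_event "down-without-root"
            fi
            rm -f "$STATE_FILE"
            ;;
        *)
            log_event "unexpected-call"
            return 1
            ;;
    esac
    log_event "$phase"
}

# Dispatch only when invoked by OpenVPN or the plugin (args or script_type set).
if [ "$#" -gt 0 ] || [ -n "${script_type:-}" ]; then
    handle_event "$@"
fi
```

After a connection has been established and torn down once, `grep down-root /var/log/messages` should show a `phase=up` line and a `phase=down` line, both with `uid=0`; a `phase=down-without-root` line means the plugin is not active for that connection.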