The down-root plugin offers the possibilities with reduced process privileges (user, group, chroot) to run a script with root privileges during degradation of an connection. Here, the process is forked and is split into a parent and child process. During the root process goes to sleep, the actual OpenVPN process operates with reduced privileges on IPFire (nobody). Only when the process is going down (-- down) root will be called from a pipe again and executs each script with root privileges.
In this example, the tun interface will be closed and all routes of the connection will be deleted.
At first we will create a script which will be executed during the connection buildup and during the connection termination.
Moreover, the relevant directives for the Roadwarrior only in the server.conf and the network-to-network at the TLS server and the TLS client will be set.
/var/ipfire/ovpn/scripts, is named
down-root.shand has the following content:
#!/bin/sh if [ "$script_type" = "up" ] then touch /tmp/down-root.tempfile fi if [ "$1" = "--down" ] then rm /tmp/down-root.tempfile fi
chmod +x /var/ipfire/ovpn/scripts/down-root.sh
up /var/ipfire/ovpn/scripts/down-root.sh plugin /usr/lib/openvpn/openvpn-down-root.so /var/ipfire/ovpn/scripts/down-root.sh --down
/var/ipfire/ovpn/server.confshould be used. The Roadwarrior client requires no further configuration.