11

After a few days on Google, I'm not able to find the right answer to my question, even after reading about a lot of scripting possibilities for when OpenVPN is up.

I have a client running Debian 7.8, with OpenVPN 2.2.1 x86_64-linux-gnu.

The connection is working great, and everything is fine. But I need to mount some NFS drives when the connection is initiated ("up", I guess).

But when I try to start a script, I run into this error:

 Tue Jun 23 10:44:55 2015 /usr/share/openvpn/script-to-start.sh tun0 1500 1542 192.168.2.6 192.168.2.5 init
 Tue Jun 23 10:44:55 2015 WARNING: Failed running command (--up/--down): could not execute external program
 Tue Jun 23 10:44:55 2015 Exiting

I have added the settings in the config-file:

script-security 2
up /usr/share/openvpn/script-to-start.sh
down /usr/share/openvpn/script-to-stop.sh

See the full settings file here.

The script I'm trying to run (just for testing right now) is:

#/bin/bash

grep vpn /var/log/syslog > /home/USERNAME/test.txt

clear
echo "Good morning, world."

(Update 2017: The "!" is missing in the #/bin/bash line. Don't copy/paste the above line, because it was the problem.)

I have tested with "#!/bin/sh" as well, just to be sure. After all, I tested the permissions and ownership:

Permissions

As you can see, I have added "script-security 2" before the "up" and "down" commands. OpenVPN is running as root, and started by a init.d script, but even if I'm trying to run it with the full command, I get the same error.

See the example below (with and without sudo):

sudo openvpn --remote SERVERDOMAIN --dev tun1 --ifconfig 192.168.2.2 192.168.2.1 --tls-client --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/TITLE.crt --key /etc/openvpn/easy-rsa/keys/TITLE.key --reneg-sec 60 --verb 5 --script-security 2 --up /usr/share/openvpn/script-to-start.sh

If I run the damn small script by myself, with both su and sudo, everything goes smoothly without any issues.

The point is that I need to run this command, to mount a few NFS-drives, but right now I'm locked down. So I need some help here - I did try on a Danish forum with no luck.

sudo mount 192.168.2.1:/media/usb1/sync /home/USERNAME/sync

The online manuals are not that helpful - and now I need your help.

3
  • 2
    Maybe just a typo: note that #/bin/bash is just a comment, as it's missing the exclamation mark that changes it into a shebang: #!/bin/bash
    – Arjan
    Commented Aug 8, 2015 at 9:00
  • Damn... I just forgot the "!"... That explains everything.
    – exetico
    Commented Aug 9, 2015 at 10:57
  • 1
    Hmmm, I think it does not explain everything, unless you forgot it in #!/bin/sh as well? Your simple test script should run with that, I think.
    – Arjan
    Commented Aug 9, 2015 at 17:03

4 Answers

11

I ran into the same issue, luckily I found a solution.

Here are things I checked:

  1. permission of folder
  2. permission of openvpn to access script
  3. the script must list the full path of any commands used (ex. grep should be /bin/grep; you can find the full path by typing which in front of your command)
  4. use script-security 2 system instead
5
  • Using the system method shouldn’t be necessary. But checking whether the script is executable for the user is definitely worth a shot.
    – Daniel B
    Commented Aug 8, 2015 at 10:24
  • From here, all this stuff is correct. In this case, I just forgot the "!", and after copy/pasting the same code and a source with the same error, I ran into the same issues every time. That's just stupid. Thanks for your help anyway. That's all useful information.
    – exetico
    Commented Aug 9, 2015 at 10:59
  • +1 for mentioning permissions. Ran into the same issue where group permissions were preventing script execution. Commented Dec 3, 2019 at 21:47
  • Related to using full binary paths, you can set PATH environment for OpenVPN with setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin (or add any directories you want in PATH) and then you don't need to change grep to /bin/grep.
    – Lirt
    Commented Jun 8, 2020 at 9:33
  • For me, I got lazy and was missing the shebang in my .sh file. Adding it solved things. Commented Sep 13, 2023 at 5:10
11

Just to make it clear: I forgot the "!" (exclamation mark). That explains everything.

#!/bin/bash
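
The checks named in the answers above (shebang, execute permission, directory access) collected into one pre-flight script. This is an added example, not code from the posters or from OpenVPN; `check_hook`, `demo` and the sample file names are made up for illustration. A file started with execve() rather than through a shell is rejected when it lacks `#!`, which is consistent with the script working when run by hand.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN --up/--down hook script.
# check_hook is a hypothetical helper name, not an OpenVPN command.
# Prints one line per problem; exit status 0 = directly executable, 1 = not.
check_hook() (                      # subshell body keeps variables local
    script=$1 rc=0
    [ -f "$script" ] || { echo "missing: $script"; exit 1; }
    # 1. The first two bytes must be '#!'. '#/bin/bash' is only a comment,
    #    so execve() fails even though a shell would still run the file.
    line=$(head -n 1 "$script")
    case $line in
        '#!'*)
            # 2. The interpreter on the shebang line must itself be executable
            #    (a trailing CR from Windows line endings also fails here).
            interp=$(printf '%s\n' "${line#??}" | awk '{print $1}')
            [ -x "$interp" ] || { echo "interpreter not executable: '$interp'"; rc=1; }
            ;;
        *)  echo "no shebang, first line is: $line"; rc=1 ;;
    esac
    # 3. The script needs an execute bit for the user OpenVPN runs as.
    [ -x "$script" ] || { echo "not executable: $script"; rc=1; }
    # 4. Every parent directory must be searchable (x) by that user.
    dir=$(dirname "$script")
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        [ -x "$dir" ] || { echo "directory not searchable: $dir"; rc=1; }
        dir=$(dirname "$dir")
    done
    exit "$rc"
)

# Constructed samples: the question's test script as posted, and with '#!'.
demo() {
    tmp=$(mktemp -d)
    printf '#/bin/bash\necho "Good morning, world."\n' > "$tmp/broken.sh"
    printf '#!/bin/sh\necho "Good morning, world."\n'  > "$tmp/fixed.sh"
    chmod 755 "$tmp/broken.sh" "$tmp/fixed.sh"
    broken=0; check_hook "$tmp/broken.sh" || broken=$?
    fixed=0;  check_hook "$tmp/fixed.sh"  || fixed=$?
    rm -rf "$tmp"
    echo "broken=$broken fixed=$fixed"
}

if [ "$#" -gt 0 ]; then check_hook "$1"; else demo; fi
```

Run it as the same user the OpenVPN daemon runs as, passing the hook path as the only argument; the permission tests reflect whoever executes the check.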
0

I ran into a similar issue. In my case, it seems that down /etc/openvpn/update-resolv-conf lacks the privilege to update DNS. It gives the following errors:

error: os x route delete command failed: external program exited with error status: 77

After a careful search, I updated two lines in the .ovpn file:

# Downgrade privileges after initialization (non-Windows only)
user your_user_name
group your_group_name 
# I write admin here. But I also believe that a lower privilege might also work.
-1

Check the username under which the openvpn daemon is running and chown your script folder or file to it.
