
If I start the openvpn client and then run dhclient tap0 to obtain an IP address, everything works fine.

When the same command is called by openvpn from a script (up option):

#!/bin/sh
# OpenVPN --up script: request an address for the tap device via DHCP
/sbin/dhclient tap0 || exit 1
exit 0

It fails:

dhclient[30524]: Sending on   LPF/tap0/aa:aa:aa:12:23:e9
dhclient[30524]: Can't bind to dhcp address: Permission denied
dhclient[30524]: Please make sure there is no other dhcp server
dhclient[30524]: running and that there's no entry for dhcp or
dhclient[30524]: bootp in /etc/inetd.conf.   Also make sure you
dhclient[30524]: are not running HP JetAdmin software, which
openvpn[30517]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
openvpn[30517]: Exiting due to fatal error
dhclient[30524]: includes a bootp server.
dhclient[30524]: 
dhclient[30524]: If you think you have received this message due to a bug rather
dhclient[30524]: than a configuration issue please read the section on submitting
dhclient[30524]: bugs on either our web page at www.isc.org or in the README file
dhclient[30524]: before submitting a bug.  These pages explain the proper
dhclient[30524]: process and the information we find helpful for debugging..
dhclient[30524]: 
dhclient[30524]: exiting.
systemd[1]: openvpn-client.service: Main process exited, code=exited, status=1/FAILURE

Everything runs as root, so it should not be a permission issue.

1 Answer


Try putting "sudo" in your script... and allow dhclient from sudoers without a password for the user openvpn is running as.

Also, did you specify 'script-security 2' in your conf?

--script-security level [method]
          This  directive offers policy-level control over OpenVPN’s usage
          of external programs and scripts.  Lower level values  are  more
          restrictive,  higher  values  are more permissive.  Settings for
          level:

          0 -- Strictly no calling of external programs.
          1 -- (Default) Only call built-in executables such as  ifconfig,
          ip, route, or netsh.
          2  --  Allow  calling  of  built-in executables and user-defined
          scripts.
          3 -- Allow passwords to be passed to scripts  via  environmental
          variables (potentially unsafe).
  • I printed whoami in the script and it was root. I also put script-security to 2
    – dblouis
    Commented Aug 26, 2017 at 18:36
  • I tested again this morning and it really makes no sense. The up script is running as root, ifconfig shows that the tap0 interface has been created and ls / shows that the process is not chrooted.
    – dblouis
    Commented Aug 27, 2017 at 8:40
  • openvpn actually does some filtering of the "up" commands and has an allowed list. If you're calling a script of your very own... you must tell openvpn to allow your own custom scripts. That's what the "script-security" does.
    – TheCompWiz
    Commented Aug 29, 2017 at 17:54
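
An added diagnostic, not part of the question or the answer above: dhclient prints "Can't bind to dhcp address" when bind() on its UDP port 68 socket fails, and EACCES on a port below 1024 while the caller is uid 0 means the process lacks CAP_NET_BIND_SERVICE (the LPF socket it also opens needs CAP_NET_RAW). That is a capability or LSM restriction, not file permissions, which is why "it runs as root" does not rule it out; a hardened systemd unit that sets CapabilityBoundingSet is one plausible source, and a denial logged by AppArmor or SELinux in the kernel/audit log is another. The script below is an example up script that reads the capability masks from /proc, reports what dhclient would be missing, and only then runs dhclient. Capability bit numbers are from linux/capability.h; the masks used to exercise the functions are constructed; the path /etc/openvpn/up.sh in the usage note is an assumption.

```shell
#!/bin/sh
# Example OpenVPN --up script with a capability check (added example, not the
# poster's script). OpenVPN sets script_type=up and dev=<interface> in the
# environment and passes the interface name as $1, so the dhclient call at the
# bottom only runs when OpenVPN invokes the script.

# Bit numbers from linux/capability.h
CAP_NET_BIND_SERVICE=10   # bind() to ports < 1024 (dhclient uses UDP/68)
CAP_NET_ADMIN=12          # interface configuration
CAP_NET_RAW=13            # raw/packet sockets (dhclient's LPF socket)

# has_cap MASK_HEX BIT -> exit 0 if bit BIT is set in the hex mask MASK_HEX
# (MASK_HEX in the 16-digit form used by the Cap* lines of /proc/PID/status)
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_net_caps MASK_HEX -> prints the names of the capabilities dhclient
# needs that are absent from MASK_HEX; prints an empty line if all are present
missing_net_caps() {
    absent=""
    for pair in CAP_NET_BIND_SERVICE:$CAP_NET_BIND_SERVICE \
                CAP_NET_RAW:$CAP_NET_RAW \
                CAP_NET_ADMIN:$CAP_NET_ADMIN; do
        name=${pair%%:*}
        bit=${pair##*:}
        has_cap "$1" "$bit" || absent="$absent $name"
    done
    printf '%s\n' "${absent# }"
}

# cap_field FIELD [STATUS_FILE] -> hex mask for FIELD (CapEff, CapBnd, ...)
# read from STATUS_FILE, default this shell's own /proc/PID/status
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/$$/status}"
}

# check_caps [STATUS_FILE] -> 0 if the effective set holds everything dhclient
# needs; otherwise reports the gap together with the bounding set (which is
# what a systemd CapabilityBoundingSet= line narrows) and returns 1
check_caps() {
    status_file=${1:-/proc/$$/status}
    eff=$(cap_field CapEff "$status_file")
    bnd=$(cap_field CapBnd "$status_file")
    lacking=$(missing_net_caps "$eff")
    if [ -n "$lacking" ]; then
        printf 'up script: uid %s lacks %s (CapEff=%s CapBnd=%s)\n' \
            "$(id -u)" "$lacking" "$eff" "$bnd" >&2
        return 1
    fi
    return 0
}

# Only act when OpenVPN is running us as the --up hook.
if [ "${script_type:-}" = "up" ]; then
    check_caps || exit 1
    /sbin/dhclient "${dev:-$1}" || exit 1
fi
exit 0
```

Install it as, say, /etc/openvpn/up.sh (assumed path) and reference it with "up /etc/openvpn/up.sh" together with "script-security 2" in the client config; the same level 2 is the one the answer describes, since the default level 1 refuses user-defined scripts altogether. If the report shows CAP_NET_BIND_SERVICE or CAP_NET_RAW missing from CapEff and CapBnd, the restriction comes from whatever started openvpn (for a systemd unit, a drop-in that widens CapabilityBoundingSet= fixes it); if the masks are complete and bind() still fails, look for an LSM denial for dhclient in the kernel or audit log.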
