How do I run a script before OpenVPN client connection is started?



  • I need to generate OTP user/pass needed for auth-user-pass on OpenVPN client and I need to run a script that saves these to a file before the connection attempt is made.

    How can I do this on pfSense (2.4.1)?

PS. This needs to run on reconnects too. I was able to do this on Linux and even on Viscosity macOS clients but I don't know how to do it on pfSense… preferably in such a way that these changes would not be lost on a system update.

    Update: as I was unable to find an answer, I ended up raising a bug at https://redmine.pfsense.org/issues/8122
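As an added illustration of the client-side half of what the question describes (not code from the thread or from pfSense): a script that derives a fresh one-time password and writes it, together with the username, into the two-line file that `--auth-user-pass <file>` reads. It assumes the OTP is an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits); the secret, username and output path are constructed sample values. The file is created with mode 0600 and renamed into place atomically, so a concurrent reader never sees a half-written file and the credentials are never exposed to other users.

```python
#!/usr/bin/env python3
"""Generate a one-time password and write an OpenVPN auth-user-pass file.

Added example, not from the thread or from pfSense. Assumptions: the OTP
is an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), and the target
is the two-line username/password file that --auth-user-pass <file> reads.
The secret, username and path below are constructed sample values.
"""
import hashlib
import hmac
import os
import stat
import struct
import tempfile
import time
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, for_time // step, digits)


def write_auth_file(path: str, username: str, password: str) -> str:
    """Write the two-line credentials file atomically with mode 0600.

    mkstemp() creates the temp file readable only by this user; os.replace()
    swaps it into place so OpenVPN never reads a half-written file.
    """
    for value in (username, password):
        if "\r" in value or "\n" in value:
            raise ValueError("credentials must not contain CR or LF")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".auth-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"{username}\n{password}\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def read_auth_file(path: str) -> Tuple[str, str]:
    """Read the file back the way OpenVPN does: line 1 user, line 2 password."""
    with open(path, "r") as fh:
        lines = fh.read().split("\n")
    return lines[0], lines[1]


def is_private(path: str) -> bool:
    """True if the file has no group/other permission bits set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    # Constructed sample values: replace with the real username and OTP seed.
    SECRET = b"12345678901234567890"
    write_auth_file("/tmp/openvpn-auth.txt", "vpnuser",
                    totp(SECRET, int(time.time())))
```

The hook that runs this script before each connection attempt (and on reconnects) is what the question is asking pfSense for; the script itself is independent of that hook. The `hotp`/`totp` values can be checked against the RFC 4226 and RFC 6238 test vectors, which use the same 20-byte sample secret.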



  • @ssbarnea:

    I need to generate OTP user/pass needed for auth-user-pass on OpenVPN client and I need to run a script that saves these to a file before the connection attempt is made.

    How can I do this on pfSense (2.4.1)?

PS. This needs to run on reconnects too. I was able to do this on Linux and even on Viscosity macOS clients but I don't know how to do it on pfSense… preferably in such a way that these changes would not be lost on a system update.

    Update: as I was unable to find an answer, I ended up raising a bug at https://redmine.pfsense.org/issues/8122

    Have you tried using OpenVPN's auth-user-pass-verify parameter?

    From the manpage :

--auth-user-pass-verify script method
    Require the client to provide a username/password (possibly in addition to a client certificate) for authentication.
    OpenVPN will execute script as a shell command to validate the username/password provided by the client.

    If method is set to "via-env", OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes.

    If method is set to "via-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the --tmp-dir option, and will default to the current directory if unspecified. For security, consider setting --tmp-dir to a volatile storage medium such as /dev/shm (if available) to prevent the username/password file from touching the hard drive.

    The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client.

    This directive is designed to enable a plugin-style interface for extending OpenVPN's authentication capabilities.

To protect against a client passing a maliciously formed username or password string, the username string must consist only of these characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or at ('@'). The password string can consist of any printable characters except for CR or LF. Any illegal characters in either the username or password string will be converted to underbar ('_').

    Care must be taken by any user-defined scripts to avoid creating a security vulnerability in the way that these strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter.

    For a sample script that performs PAM authentication, see sample-scripts/auth-pam.pl in the OpenVPN source distribution.
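As an added example of the verification script the quoted manpage excerpt describes (not code from the thread, from pfSense, or from the OpenVPN project): an `--auth-user-pass-verify` script for the "via-file" method. OpenVPN invokes it with the temporary file's path as the single argument; the script reads the username from line 1 and the password from line 2, re-applies the character rules the manpage states, and exits 0 to accept or 1 to reject. The credential store is a constructed PBKDF2 sample standing in for whatever backend a real deployment consults. Nothing from the file is ever handed to a shell, which is the caveat the manpage ends on.

```python
#!/usr/bin/env python3
"""OpenVPN --auth-user-pass-verify script, method "via-file".

Added example, not from the thread or from the OpenVPN project. OpenVPN
runs it as `script <tmpfile>`; line 1 of the file is the username and
line 2 the password. Exit status 0 accepts the client, 1 rejects it.
The credential store is a constructed sample.
"""
import hashlib
import hmac
import re
import sys
from typing import List, Optional, Tuple

# Username characters the manpage allows. OpenVPN maps anything else to '_'
# before the script runs, but re-checking keeps the script safe if invoked
# by hand. The password rule below assumes "printable" means printable ASCII.
_USERNAME_OK = re.compile(r"^[A-Za-z0-9_\-.@]+$")
_PASSWORD_OK = re.compile(r"^[\x20-\x7e]*$")   # printable, no CR/LF

_ITERATIONS = 100_000
_SALT = b"constructed-salt"   # a real store keeps one random salt per user


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample store: username -> PBKDF2-SHA256 hash.
CREDENTIALS = {"alice": _pbkdf2("correct horse battery staple", _SALT)}
_DUMMY = _pbkdf2("", _SALT)   # compared against for unknown users


def parse_auth_text(text: str) -> Optional[Tuple[str, str]]:
    """Split the two-line file contents; None for anything malformed."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    username, password = lines[0].rstrip("\r"), lines[1].rstrip("\r")
    if not _USERNAME_OK.fullmatch(username):
        return None
    if not _PASSWORD_OK.fullmatch(password):
        return None
    return username, password


def parse_auth_file(path: str) -> Optional[Tuple[str, str]]:
    """Read the temp file OpenVPN passed as argv[1]."""
    with open(path, "r", encoding="utf-8", errors="strict") as fh:
        return parse_auth_text(fh.read())


def verify(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash. Unknown users are
    compared against a dummy hash so timing does not reveal which
    usernames exist, and are rejected regardless of the password."""
    stored = CREDENTIALS.get(username, _DUMMY)
    matches = hmac.compare_digest(stored, _pbkdf2(password, _SALT))
    return matches and username in CREDENTIALS


def main(argv: List[str]) -> int:
    """Exit code for OpenVPN: 0 = accept, 1 = reject."""
    if len(argv) != 2:
        return 1
    try:
        parsed = parse_auth_file(argv[1])
    except (OSError, ValueError):
        return 1
    if parsed is None:
        return 1
    user, password = parsed
    return 0 if verify(user, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Any failure, including a missing or unreadable file, yields a reject (exit 1) rather than an exception, so a misconfiguration fails closed. With OpenVPN's `--tmp-dir` pointed at volatile storage as the manpage suggests, the file this script reads never reaches disk.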

