Netgate Discussion Forum

    [Solved] What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?

    • guardian (Rebel Alliance)

      Can someone please tell me the significance of ' pfsense openvpn[96995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts'? What action should I be taking?

      I've included a small section of the log for context. Thanks in advance... any assistance is much appreciated.

      ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
      ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: CMD 'status 2'
      ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: CMD 'quit'
      ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: Client disconnected
      ---11:50:56 pfsense openvpn[53698]: MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
      ---11:50:56 pfsense openvpn[53698]: MANAGEMENT: CMD 'status 2'
      ---11:50:57 pfsense openvpn[53698]: MANAGEMENT: CMD 'quit'
      ---11:50:57 pfsense openvpn[53698]: MANAGEMENT: Client disconnected
      ---11:51:32 pfsense openvpn[96995]: [UNDEF] Inactivity timeout (--ping-restart), restarting
      ---11:51:32 pfsense openvpn[96995]: SIGUSR1[soft,ping-restart] received, process restarting
      ---11:51:32 pfsense openvpn[96995]: Restart pause, 10 second(s)
      ---11:51:42 pfsense openvpn[96995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      ---11:51:42 pfsense openvpn[96995]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:pppp
      ---11:51:42 pfsense openvpn[96995]: Socket Buffers: R=[42080->42080] S=[57344->57344]
      ---11:51:42 pfsense openvpn[96995]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:0
      ---11:51:42 pfsense openvpn[96995]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:pppp
      ---11:51:42 pfsense openvpn[96995]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:pppp, sid=3b48eaf0 2acb0c78
      ---11:51:42 pfsense openvpn[96995]: VERIFY OK: depth=1, C=US, ST=--, L=---------, O=------------------------------, OU=------------------------------, CN=------------------------------, name=------------------------------, emailAddress=---@-----------.---
      ---11:51:42 pfsense openvpn[96995]: VERIFY KU OK
      ---11:51:42 pfsense openvpn[96995]: Validating certificate extended key usage
      ---11:51:42 pfsense openvpn[96995]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      ---11:51:42 pfsense openvpn[96995]: VERIFY EKU OK
      ---11:51:42 pfsense openvpn[96995]: VERIFY OK: depth=0, C=US, ST=--, L=---------, O=------------------------------, OU=------------------------------, CN=f5ed7150c0df5fba09ba33e9f97a309c, name=f5ed7150c0df5fba09ba33e9f97a309c
      

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      • Pippin

        Please see --script-security level in manual 2.4:
        https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        • guardian (Rebel Alliance) @Pippin

          @Pippin Thanks for the reference. Can someone tell me if there is any reason that pfSense needs a non-zero script security level, and if it doesn't, how I can tighten this up?

          @Pippin said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

          Please see --script-security level in manual 2.4:
          https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

          • Gertjan @guardian

            @guardian said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

            and if it doesn't how I can tighten this up.

            No need to bother with it.
            Script files executed by OpenVPN could be an issue, but you first have to write and put in place these scripts.
            For that to happen, you need root or admin access to the firewall. At that very moment, VPN security issues are among the least of the problems you would have.

            See the message as a reminder that routing settings, for example, could be changed outside of the VPN command-line and parameter settings.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit: and where are the logs??

            • guardian (Rebel Alliance) @Gertjan

              @Gertjan said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

              @guardian said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

              and if it doesn't how I can tighten this up.

              No need to bother with it.
              Script files executed by OpenVPN could be an issue, but you first have to write and put in place these scripts.
              For that to happen, you need root or admin access to the firewall. At that very moment, VPN security issues are among the least of the problems you would have.

              See the message as a reminder that routing settings, for example, could be changed outside of the VPN command-line and parameter settings.

              Good point, thanks; good to know it's not a high-priority threat. Having said that, there is no sense leaving something open if it isn't necessary. How can I set it to 0 or 1, and is doing so likely to break pfSense?

              • jimp (Rebel Alliance Developer, Netgate)

                pfSense uses OpenVPN scripts to manage routes/gateways, for authentication, certificate validation, and other purposes. Changing that value will break things severely.

                Anyone with enough privileges on the firewall to alter the script files could do many, many worse things than alter the script files.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                • guardian (Rebel Alliance) @jimp
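                An added audit helper, not from this thread or from pfSense, that shows concretely what the NOTE refers to: which OpenVPN directives hand control to an external program, what --script-security level the config sets (OpenVPN's default is 1), and whether a hook file could be modified by anyone other than root, which is the precondition Gertjan and jimp describe. The config text and script paths are constructed placeholders, not real pfSense files.

```python
import os
import shlex
import stat

# OpenVPN directives that run an external program; --script-security gates them:
# 0 = none, 1 = built-in executables only, 2 = user-defined scripts, 3 = also passwords via env.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect", "learn-address",
}

# Constructed sample in the style of a pfSense server config; paths are placeholders.
SAMPLE_CONFIG = """\
script-security 3
auth-user-pass-verify "/usr/local/sbin/example-auth-verify user" via-env
tls-verify "/usr/local/sbin/example-auth-verify tls"
client-connect /usr/local/sbin/example-attributes.sh
up /usr/local/sbin/example-linkup
down /usr/local/sbin/example-linkdown
"""


def parse_script_hooks(config_text):
    """Return (script-security level, {directive: program path})."""
    level = 1  # OpenVPN's default when the directive is absent
    hooks = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if tokens[0] == "script-security" and len(tokens) > 1:
            level = int(tokens[1])
        elif tokens[0] in SCRIPT_DIRECTIVES and len(tokens) > 1:
            # The argument may be a quoted "program arg ..." string; keep the program.
            hooks[tokens[0]] = shlex.split(tokens[1])[0]
    return level, hooks


def script_file_problems(path, trusted_uid=0):
    """Reasons a hook could be swapped by a non-admin: missing, wrong owner, or writable by others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("not owned by trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    return problems
```

Run it against the generated server config on the firewall and check each path returned by parse_script_hooks with script_file_problems; an empty list for every hook means only root can change what OpenVPN executes.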

                  @jimp Thanks... that's what I needed to know.... I'll leave things alone.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.