Simple scripts to manage iptables rules based on user CCD files. Feel free to use and modify the scripts as you like.

Installation:

1. Copy the scripts to the OpenVPN server and make them executable (chmod +x on_*.sh).

2. Define them in the server config:

       script-security 2
       client-connect /etc/openvpn/on_connect.sh
       client-disconnect /etc/openvpn/on_disconnect.sh
3. Configure sudo for the OpenVPN user. This was tested under CentOS, where OpenVPN runs as the user "nobody": create a file /etc/sudoers.d/openvpn_iptables with the following contents

       Defaults:nobody !requiretty
       nobody ALL = NOPASSWD: /sbin/iptables

   This allows the user "nobody" to run "sudo iptables" without a password. The rule is limited to the /sbin/iptables binary, but permits any arguments to it, so anything that can execute as "nobody" on this host can change the firewall.
   Under Debian, OpenVPN runs as root, so the sudo directives can be removed altogether from both scripts.
4. (CentOS/RHEL/Fedora only): configure SELinux to allow iptables execution from the scripts. Switch to permissive mode, trigger the scripts (for example by connecting a client) so the would-be denials are written to the audit log, build a policy module from those entries, install it and switch back to enforcing mode:

       setenforce 0
       grep openvpn /var/log/audit/audit.log | audit2allow -M openvpn_sudo_ipt
       semodule -i openvpn_sudo_ipt.pp
       setenforce 1

   Review the generated openvpn_sudo_ipt.te before installing the module: audit2allow permits everything the matching audit entries recorded, not only the iptables calls.
Testing:

The scripts have seen only limited testing. If something doesn't work, first try running them manually as root. They rely on the environment variables common_name and ifconfig_pool_remote_ip, which OpenVPN normally sets before calling the scripts. To test, first export the variables:

    export common_name=jekader
    export ifconfig_pool_remote_ip=1.2.3.4

Now ensure that a CCD file with routes is present for that common name and that the CCD path is defined correctly in the script. After running on_connect.sh, the iptables rules should appear (check with "iptables -L FORWARD -n"), as well as the log entries.
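As an added example (not the scripts from this repository), a hypothetical on_connect.sh that does what the description above outlines: read common_name and ifconfig_pool_remote_ip, find the client's CCD file, and allow forwarding from the client's VPN address only to the networks the CCD pushes to it. It assumes CCD files under /etc/openvpn/ccd, 'push "route NET MASK"' lines as the routes, and the FORWARD chain; the same file serves as on_disconnect.sh when symlinked under that name, and IPTABLES=echo gives a dry run.

```shell
#!/bin/sh
# Hypothetical on_connect.sh / on_disconnect.sh (added example). Assumed:
# CCD files live in CCD_DIR, rules go into the FORWARD chain, and IPTABLES
# can be overridden (IPTABLES=echo) to print the rules instead of applying them.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
IPTABLES="${IPTABLES:-sudo /sbin/iptables}"

# Log via syslog when available, otherwise to stderr.
log() { logger -t openvpn-fw "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# Print one rule specification per 'push "route NET [MASK]"' line in the CCD
# file. A missing mask means a single host; commented-out lines are skipped.
ccd_rules() {  # usage: ccd_rules <ccd_file> <client_ip>
    sed -n 's/^[[:space:]]*push[[:space:]]*"route[[:space:]][[:space:]]*\([0-9.][0-9.]*\)[[:space:]]*\([0-9.]*\)[^"]*".*/\1 \2/p' "$1" |
    while read -r net mask; do
        printf '%s\n' "-s $2 -d $net/${mask:-255.255.255.255} -j ACCEPT"
    done
}

# Insert (-I) or delete (-D) the client's rules. Always return 0: a non-zero
# exit from a client-connect script makes OpenVPN reject the client.
apply_client_rules() {  # usage: apply_client_rules -I|-D
    if [ -z "$common_name" ] || [ -z "$ifconfig_pool_remote_ip" ]; then
        log "missing common_name or ifconfig_pool_remote_ip"; return 0
    fi
    ccd_file="$CCD_DIR/$common_name"
    if [ ! -r "$ccd_file" ]; then
        log "$common_name: no CCD file at $ccd_file, no rules applied"; return 0
    fi
    ccd_rules "$ccd_file" "$ifconfig_pool_remote_ip" | while read -r rule; do
        # word splitting of $IPTABLES and $rule is intended
        $IPTABLES "$1" FORWARD $rule || log "$common_name: iptables $1 failed: $rule"
        log "$common_name ($ifconfig_pool_remote_ip): $1 FORWARD $rule"
    done
    return 0
}

# Install as on_connect.sh and symlink on_disconnect.sh to it; the name decides.
case "${0##*/}" in
    on_connect.sh)    apply_client_rules -I ;;
    on_disconnect.sh) apply_client_rules -D ;;
esac
```

Run it with the two exported variables from the testing section and a matching CCD file; with IPTABLES=echo it prints the iptables invocations it would make.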
The scripts are in the Public Domain.