On 18/05/2019 17:09, Lorenz wrote:
> Hi,
>
> does the OpenVPN 3 Linux client provide any equivalent to OpenVPN 2 up/down
> scripts?
>
> I have to manually parse and utilize the DNS servers pushed by the vpn server.
>
> Theoretically I could increase the log verbosity and extract the DNS servers
> from there but this does not feel right. Is there another way to extract
> pushed options and/or execute external scripts?

Yes, by using some D-Bus tricks. The openvpn3-service-netcfg process, which is providing the "VPN API" to the openvpn3-service-client processes (this is also how we achieve the strict privilege separation).

The openvpn3-service-netcfg process provides a D-Bus service named net.openvpn.v3.netcfg, which allows scripts to "subscribe" to network change signals issued by this service whenever there are, well, network changes related to the VPN tunnels.

This requires a bit more trickery to explain here. But have a look at this Python example script:

<https://github.com/OpenVPN/openvpn3-linux/blob/master/src/tests/dbus/netcfg-subscription-test>

Also, access to subscribe to these signals is by default allowed only by the "openvpn" user. If that is too strict for you, you can relax that by adding an additional D-Bus policy file into /etc/dbus-1/system.d. Basically it would need the same kind of XML header as the net.openvpn.v3.conf file has, with something like the blob below:

----------------------------------------------------------------------
<busconfig>
  <policy user="USERNAME">
    <allow send_interface="net.openvpn.v3.netcfg"
           send_destination="net.openvpn.v3.netcfg"
           send_type="method_call"
           send_member="NotificationSubscribe"/>
    <allow send_interface="net.openvpn.v3.netcfg"
           send_destination="net.openvpn.v3.netcfg"
           send_type="method_call"
           send_member="NotificationUnsubscribe"/>
  </policy>
</busconfig>
----------------------------------------------------------------------

Just replace "USERNAME" with the user you want to have access to subscribe to these network change signals.

I would also recommend you *not* to update the existing net.openvpn.v3.conf file, as that will easily be replaced on the next openvpn3-linux update. The filename requirement here is basically that the filename must end with '.conf'. Also check the system logs for errors if the D-Bus policy got parsed correctly or not. You might also need to force the D-Bus daemon to do a policy reload; typically done via 'systemctl reload dbus' on most systemd enabled distributions.

To check if your script has registered correctly, as root run this command:

    # openvpn3-admin netcfg-service --list-subscribers

You should see one subscription by an "odd" 1:xxxx where xxxx is a number; this refers to the connection references used inside the D-Bus universe. If you only see the "Current subscribers:" and nothing more, then have a look at the system logs again.

For more details, see the D-Bus API documentation for the net.openvpn.v3.netcfg service:

<https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/dbus/dbus-service-net.openvpn.v3.netcfg.md>

--
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
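Added example, not part of the message above or of the openvpn3-linux code: a small Python check to run over a drop-in policy file before placing it in /etc/dbus-1/system.d, confirming it opens nothing beyond the two subscribe calls from the blob and only for a named user. The function name, the "vpnhelper" account and both sample policies are constructed for illustration; the DOCTYPE line is the standard D-Bus configuration header.

```python
import xml.etree.ElementTree as ET

SERVICE = "net.openvpn.v3.netcfg"
# The only two method calls the policy in the message opens up.
ALLOWED_MEMBERS = {"NotificationSubscribe", "NotificationUnsubscribe"}

def audit_policy(xml_text):
    """Return findings for a drop-in; an empty list means it grants nothing
    beyond subscribe/unsubscribe on the netcfg service to named users."""
    root = ET.fromstring(xml_text)  # the DOCTYPE header is accepted, not fetched
    if root.tag != "busconfig":
        return ["root element is <%s>, expected <busconfig>" % root.tag]
    findings = []
    for policy in root.iter("policy"):
        user = policy.get("user")
        if user is None:
            findings.append("policy not bound to a user: %r" % policy.attrib)
        elif user == "USERNAME":
            findings.append("placeholder USERNAME was not replaced")
        for allow in policy.iter("allow"):
            for attr in ("send_interface", "send_destination"):
                if allow.get(attr) != SERVICE:
                    findings.append("%s=%r, expected %s"
                                    % (attr, allow.get(attr), SERVICE))
            if allow.get("send_type") != "method_call":
                findings.append("send_type=%r, expected method_call"
                                % allow.get("send_type"))
            if allow.get("send_member") not in ALLOWED_MEMBERS:
                findings.append("send_member=%r is outside the two subscribe calls"
                                % allow.get("send_member"))
    return findings

# Constructed samples. "vpnhelper" is a made-up account name.
HEADER = ('<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"\n'
          ' "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">\n')
RULE = ('<allow send_interface="net.openvpn.v3.netcfg" '
        'send_destination="net.openvpn.v3.netcfg" '
        'send_type="method_call" send_member="%s"/>')
NARROW = HEADER + '<busconfig><policy user="vpnhelper">%s%s</policy></busconfig>' % (
    RULE % "NotificationSubscribe", RULE % "NotificationUnsubscribe")
# Over-broad variant: every user, no interface, type or member restriction.
BROAD = ('<busconfig><policy context="default">'
         '<allow send_destination="net.openvpn.v3.netcfg"/></policy></busconfig>')

if __name__ == "__main__":
    for name, text in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_policy(text) or "ok")
```

A policy that passes this check can still be rejected by the D-Bus daemon, so the system log and the --list-subscribers output mentioned in the message remain the final confirmation.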