Reply To: trouble with routes (something not work on b13 and newer)



Sorry for my English.

Looks like I found the reason.

Zeroshell 1.0b12 uses OpenVPN 2.0.9.
Newer versions use OpenVPN >=2.1.1.

In OpenVPN 2.1 changelog I found this:

Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:

script-security 3 system

OpenVPN 2.1 manual contains this:

--script-security level [method]
This directive offers policy-level control over OpenVPN’s usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

0 — Strictly no calling of external programs.
1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
2 — Allow calling of built-in executables and user-defined scripts.
3 — Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

The method parameter indicates how OpenVPN should call external commands and scripts. Settings for method:

execve — (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
system — Use system() function (deprecated and less safe since the external program command line is subject to shell expansion).

The --script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system

I decided to test my hypothesis and did the following:
1. After some investigation in Zeroshell I found the script /root/kerbynet.cgi/vpn_ctl that starts OpenVPN connections. The command line contains the param "--script-security 3".
2. I made 2 Zeroshell boxes with 2.0RC2, connected by 2 physical LAN interfaces (primary and secondary), set up 2 OpenVPN connections (primary and secondary) through these LANs and made 2 routes on each box to the other side with metrics 1 (primary LAN) and 10 (secondary LAN). Everything works fine. But when I physically disconnect the primary LAN, the route with metric 1 is still in the routing table and there is no traffic between the boxes; in the Zeroshell web interface it still has status "up". When I connect the primary LAN, everything works fine again.
3. I edited the /root/kerbynet.cgi/vpn_ctl script by changing the param to "--script-security 3 system" on each box.
4. After that I killed both OpenVPN processes on each box.
5. The watchdog script /root/kerbynet.cgi/checkvpn starts them after a few seconds by calling the edited /root/kerbynet.cgi/vpn_ctl.
6. I checked "ps" on each box to make sure that both OpenVPN processes contain the "--script-security 3 system" param.
7. I dropped the primary OpenVPN connection by physically disconnecting the primary LAN cable.
8. The route with metric 1 was removed from the routing table automatically and changed status to "down" in the Zeroshell web interface!!!
9. The routing table now contains only one active route to the other side (the route with metric 10) and traffic goes through the secondary LAN.
10. When I connect the primary LAN, traffic goes through the primary LAN again, because the route with metric 1 is added to the routing table after the primary VPN connects and has status "up" in the Zeroshell web interface.

That's it.
Thank you for reading.
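An added check for step 6 of the post (example code, not from the poster or the ZeroShell project): a POSIX sh function that parses the OpenVPN command lines from "ps" output and reports the --script-security level and method, flagging the two settings the quoted manual text calls less safe (level 3 passes passwords to scripts through the environment; the system method hands the command line to a shell, so it is subject to shell expansion). The ps lines are constructed for the example; the OpenVPN binary path and config paths are assumptions.

```sh
#!/bin/sh
# Constructed sample of "ps -o args" lines on a ZeroShell box (not real output).
SAMPLE_PS='/usr/sbin/openvpn --config /tmp/vpn00.conf --script-security 3 system --dev tap0
/usr/sbin/openvpn --config /tmp/vpn01.conf --script-security 3 --dev tap1
/usr/sbin/openvpn --config /tmp/vpn02.conf --script-security 2 --dev tap2
/usr/sbin/openvpn --config /tmp/vpn03.conf --dev tap3'

# classify_cmdline "<openvpn command line>"
# Prints "<level> <method> <verdict>". Level 1 and execve are the OpenVPN 2.1
# defaults when the option or its optional method word is absent.
classify_cmdline() {
    level=1
    method=execve
    set -- $1                      # split the command line into words
    while [ $# -gt 0 ]; do
        if [ "$1" = "--script-security" ]; then
            shift
            level=${1:-1}
            if [ $# -gt 0 ]; then shift; fi
            # the method is optional: only consume the next word if it names one
            case "${1:-}" in
                system|execve) method=$1; shift ;;
            esac
        else
            shift
        fi
    done
    verdict=""
    if [ "$level" = 3 ]; then verdict="passwords-in-env"; fi
    if [ "$method" = system ]; then verdict="${verdict:+$verdict,}shell-expansion"; fi
    # level 2 only permits user-defined scripts, so it is reported as ok here
    echo "$level $method ${verdict:-ok}"
}

# audit_ps "<ps output>": one report line per openvpn process found
audit_ps() {
    printf '%s\n' "$1" | grep openvpn | while IFS= read -r line; do
        classify_cmdline "$line"
    done
}

audit_ps "$SAMPLE_PS"
```

On a live box the same function can be fed "ps -o args" output in place of the sample; instances reported with shell-expansion are the ones whose scripts under /root/kerbynet.cgi must be trusted and not writable by anyone else.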