Hello David,
> a) Mounting and un-mounting networked filesystems after the tunnel is up.
> Here I even implemented the --route-pre-down script hook, to unmount the
> filesystem before the tunnel is taken down. Here's the config extract:
Does this need root rights?
> This client has a web server behind it which is available on the public
> internet via the openvpn server which got the public IP address. To make
> sure the incoming public traffic is returned via the VPN tunnel and not
> the default gateway on the openvpn client, simple ip rules like the ones
> below are used in the route-up.sh
> /sbin/ip rule add from ${ifconfig_local} table 132
> /sbin/ip route add default via 10.8.0.1 table 132
> And the route-down.sh takes care of deleting the rule. This is to avoid
> errors and duplications if openvpn is restarted. (And there are probably
> other ways to solve this as well, but this is one way)
Does this need root rights, too?
Maybe it's a good idea to have two types of scripts:
one that is controlled by the administrator and is executed with
admin/root privileges, and the other that runs as the user.
> Plugins can be used on both server side and client side. They can be
> used to extend the logging, or do other more advanced things which are
> easier and cleaner to solve in a C program than using plenty of scripts.
In an enterprise setup I would think a plugin should not be modifiable by the
user (i.e. the user should have no chance to load their own modules).
greetings
Carsten
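
The split suggested in this message (administrator-controlled hooks that run privileged, everything else as the user) depends on a privileged launcher refusing any script or plugin the user could have modified. The following is an added example, not part of the original message and not OpenVPN's own code; the function names `check_entry` and `is_admin_controlled` and the trusted-owner parameter are assumptions, and `stat -c` is the GNU/BusyBox form.

```shell
#!/bin/sh
# Added example: decide whether a hook script or plugin file is under the
# administrator's control before it is run with root privileges.
# Function names and the trusted-owner argument are hypothetical.

# check_entry PATH OWNER_UID
# Succeeds only if PATH is owned by OWNER_UID and is not writable by
# group or others (mode bits 022 are all clear).
check_entry() {
    info=$(stat -c '%u %a' -- "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    [ "$uid" = "$2" ] || return 1
    # The leading 0 makes the shell read the mode as an octal constant.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# is_admin_controlled PATH [OWNER_UID]
# OWNER_UID defaults to 0 (root). A file passes only if:
#   - it is a regular file and not a symlink (a link can be repointed),
#   - the file itself passes check_entry,
#   - its parent directory passes check_entry (otherwise the user could
#     rename the file away and drop a replacement in its place).
# Only the immediate parent is checked here; a stricter launcher would
# walk every directory up to /.
is_admin_controlled() {
    path=$1
    owner=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        return 1
    fi
    check_entry "$path" "$owner" || return 1
    check_entry "$(dirname -- "$path")" "$owner" || return 1
    return 0
}

# Intended use in a privileged launcher (paths are placeholders):
#   is_admin_controlled /path/to/route-up.sh || exit 1
```
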