Hello David,

> a) Mounting and un-mounting networked filesystems after the tunnel is up.
> Here I even implemented the --route-pre-down script hook, to unmount the
> filesystem before the tunnel is taken down. Here's the config extract:

This needs root rights?

> This client has a web server behind it which is available on the public
> internet via the openvpn server which got the public IP address. To make
> sure the incoming public traffic is returned via the VPN tunnel and not
> the default gateway on the openvpn client, simple ip rules like the ones
> below are used in the route-up.sh
> /sbin/ip rule add from ${ifconfig_local} table 132
> /sbin/ip route add default via 10.8.0.1 table 132
> And the route-down.sh takes care of deleting the rule. This is to avoid
> errors and duplications if openvpn is restarted. (And there are probably
> other ways to solve this as well, but this is one way)

Need root rights, too?

Maybe it's a good idea to have two types of scripts. One that is controlled by the administrator and is executed with admin/root privileges and the other that runs as the user.

> Plugins can be used on both server side and client side. They can be
> used to extend the logging, or do other more advanced things which is
> easier and cleaner solved in a C program than using plenty of scripts.

In an enterprise setup I would think a plugin should not be modifiable by the user (i.e. the user should have no chance to load their own modules).

Greetings
Carsten
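
The route-up/route-down pair described in the quoted text, written as an added example that is not part of the original thread or of OpenVPN itself. It assumes a single script called with `up` or `down`; the `DRY_RUN` switch, the address check, and the use of `ip route replace` and `ip route flush` are choices of this example. The point is that `ifconfig_local` reaches a root-run command through the environment and is validated first.

```sh
#!/bin/sh
# Added example, not from the original thread. Usage (assumed): policy-route.sh up|down
TABLE=132            # routing table number from the quoted rules
GATEWAY=10.8.0.1     # VPN gateway from the quoted rules

# Execute a command, or only print it when DRY_RUN=1 (check the logic without root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Strict dotted-quad check: the address arrives via the environment and is
# about to be handed to a command that runs with root privileges.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

policy_route() {
    addr=${ifconfig_local:-}
    is_ipv4 "$addr" || { echo "refusing: invalid ifconfig_local" >&2; return 2; }
    case "$1" in
        up)
            # Drop any leftover rule first so a restart cannot duplicate it.
            run /sbin/ip rule del from "$addr" table "$TABLE" 2>/dev/null || true
            run /sbin/ip rule add from "$addr" table "$TABLE"
            # "replace" succeeds whether or not the default route already exists.
            run /sbin/ip route replace default via "$GATEWAY" table "$TABLE"
            ;;
        down)
            run /sbin/ip rule del from "$addr" table "$TABLE" || true
            run /sbin/ip route flush table "$TABLE" || true
            ;;
        *)  echo "usage: $0 up|down" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then policy_route "$1"; fi
```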