Script security and logging
One of the major differences between OpenVPN 2.0 and later versions is related to the security when running scripts. With OpenVPN 2.0, all scripts were executed using a system
call and the entire set of server environment variables was passed to each script. Starting with OpenVPN 2.1, the script-security
configuration directive is introduced and the default for executing scripts is now the execv
call, which is more secure. Also, it is advisable to log output of your scripts for security reasons. With script logging output, including timestamps, it becomes much easier to track down problems and possible security incidents. Starting with OpenVPN 2.3, it is no longer possible to add the system
option to the script-security
configuration directive.
In this recipe, we will focus on the different options for the script-security
configuration directive and on the methods to ease the logging of script output.
Getting ready
Install OpenVPN 2.3 or higher on two computers....