Plugins
Due to the ease of scripting, the OpenVPN plugin interface is a relatively underutilized tool available to OpenVPN server administrators. OpenVPN, by default, ships with a pair of plugins, one for PAM authentication and another for executing --down scripts with root privileges, regardless of whether the administrator de-escalates privileges.
Down-root
It's a good idea to drop privileges within OpenVPN, and the down-root plugin allows you to do that. Applications like firewalls require escalated privileges to add and remove firewall rules. By utilizing the down-root plugin, an administrator can add new firewall rules upon a client connection and remove those rules once the client disconnects.
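The check below is an added example, not code from the book or from the OpenVPN project: it audits a server configuration for the situation this section addresses, where privileges are dropped with user/group but cleanup is still wired to a plain down script instead of the down-root plugin. The function name, verdict strings and sample paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag an OpenVPN config that drops privileges but still
# relies on a plain down script, which then runs without root.

# audit_down_root FILE -> prints exactly one verdict:
#   down-script-unprivileged  user/group set, down set, no down-root plugin
#   down-root                 the down-root plugin is loaded
#   no-finding                nothing to report
audit_down_root() {
    awk '
        { sub(/^--/, "", $1) }          # tolerate an optional leading "--"
        $1 ~ /^[#;]/ { next }           # comment lines start with # or ;
        $1 == "user" || $1 == "group"      { drop = 1 }
        $1 == "down"                       { down = 1 }
        $1 == "plugin" && $2 ~ /down-root/ { plug = 1 }
        END {
            if (plug)              print "down-root"
            else if (drop && down) print "down-script-unprivileged"
            else                   print "no-finding"
        }
    ' "$1"
}

# Constructed sample config; the script path is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
user nobody
group nogroup
# firewall cleanup needs root, but this runs after the privilege drop
down /etc/openvpn/fw-down.sh
EOF
audit_down_root "$sample"
rm -f "$sample"
```

For the first verdict, the remedy this section describes is to run that script through the down-root plugin rather than a plain down directive.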
A usage scenario ...