OpenVPN Environmental Variables
Written on April 12, 2011 at 11:58 | by liuxf@mail.neu.edu.cn
Once set, a variable is persisted indefinitely until it is reset by a new value or a restart.
As of OpenVPN 2.0-beta12, in server mode, environmental variables set by OpenVPN are scoped according to the client objects they are associated with, so there should not be any issues with scripts having access to stale, previously set variables which refer to different client instances.
- bytes_received
- Total number of bytes received from the client during the VPN session. Set prior to execution of the --client-disconnect script.
- bytes_sent
- Total number of bytes sent to the client during the VPN session. Set prior to execution of the --client-disconnect script.
- common_name
- The X509 common name of an authenticated client. Set prior to execution of the --client-connect, --client-disconnect, and --auth-user-pass-verify scripts.
- config
- Name of the first --config file. Set on program initiation and reset on SIGHUP.
- daemon
- Set to "1" if the --daemon directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP.
- daemon_log_redirect
- Set to "1" if the --log or --log-append directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP.
- dev
- The actual name of the TUN/TAP device, including a unit number if it exists. Set prior to --up or --down script execution.
- foreign_option_{n}
- An option pushed via --push to a client which does not natively support it, such as --dhcp-option on a non-Windows system, is recorded in this sequence of environment variables (n starting from 1) prior to --up script execution. The script is then responsible for acting on it, for example by writing a pushed DNS server into the resolver configuration.
- ifconfig_broadcast
- The broadcast address for the virtual ethernet segment, derived from the --ifconfig option when --dev tap is used. Set prior to OpenVPN calling the ifconfig or netsh (the Windows equivalent of ifconfig) command, which normally occurs prior to --up script execution.
- ifconfig_local
- The local VPN endpoint IP address specified in the --ifconfig option (first parameter). Set prior to OpenVPN calling the ifconfig or netsh command, which normally occurs prior to --up script execution.
- ifconfig_remote
- The remote VPN endpoint IP address specified in the --ifconfig option (second parameter) when --dev tun is used. Set prior to OpenVPN calling the ifconfig or netsh command, which normally occurs prior to --up script execution.
- ifconfig_netmask
- The subnet mask of the virtual ethernet segment, specified as the second parameter to --ifconfig when --dev tap is used. Set prior to OpenVPN calling the ifconfig or netsh command, which normally occurs prior to --up script execution.
- ifconfig_pool_local_ip
- The local virtual IP address for the TUN/TAP tunnel, taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). Only set for --dev tun tunnels. Set on the server prior to execution of the --client-connect and --client-disconnect scripts.
- ifconfig_pool_netmask
- The virtual IP netmask for the TUN/TAP tunnel, taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). Only set for --dev tap tunnels. Set on the server prior to execution of the --client-connect and --client-disconnect scripts.
- ifconfig_pool_remote_ip
- The remote virtual IP address for the TUN/TAP tunnel (that is, the address assigned to the client), taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). Set on the server prior to execution of the --client-connect and --client-disconnect scripts.
- link_mtu
- The maximum packet size (not including the IP header) of tunnel data in UDP tunnel transport mode. Set prior to --up or --down script execution.
- local
- The --local parameter. Set on program initiation and reset on SIGHUP.
- local_port
- The local port number, specified by --port or --lport. Set on program initiation and reset on SIGHUP.
- password
- The password provided by a connecting client. Set prior to --auth-user-pass-verify script execution only when the via-env modifier is specified, and deleted from the environment after the script returns. While the script runs, the plaintext password sits in its process environment (and in that of any child process it spawns), so prefer the via-file modifier where possible: it writes the username and password to the first two lines of a temporary file and passes the file name as the script's first argument.
- proto
- The --proto parameter. Set on program initiation and reset on SIGHUP.
- remote_{n}
- The --remote parameter. Set on program initiation and reset on SIGHUP.
- remote_port_{n}
- The remote port number, specified by --port or --rport. Set on program initiation and reset on SIGHUP.
- route_net_gateway
- The pre-existing default IP gateway in the system routing table. Set prior to --up script execution.
- route_vpn_gateway
- The default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified. Set prior to --up script execution.
- route_{parm}_{n}
- A set of variables which define each route to be added, set prior to --up script execution. parm is one of "network", "netmask", "gateway", or "metric", and n is the OpenVPN route number, starting from 1. If the network or gateway is given as a resolvable DNS name, the resolved IP address is recorded rather than the name as written on the command line or in the configuration file.
- script_context
- Set to "init" or "restart" prior to up/down script execution. For more information, see the documentation for --up.
- script_type
- One of up, down, ipchange, route-up, tls-verify, auth-user-pass-verify, client-connect, client-disconnect, or learn-address. Set prior to execution of any script, so one script can be registered for several hooks and dispatch on this value.
- signal
- The reason for exit or restart. One of sigusr1, sighup, sigterm, sigint, inactive (controlled by the --inactive option), ping-exit (controlled by the --ping-exit option), ping-restart (controlled by the --ping-restart option), connection-reset (triggered on TCP connection reset), error, or unknown (unknown signal). Set just prior to --down script execution.
- tls_id_{n}
- A series of certificate fields from the remote peer, where n is the verification level (0 is the peer's own certificate, higher values are its issuers). Only set for TLS connections. Set prior to execution of the --tls-verify script.
- tls_serial_{n}
- The serial number of the certificate from the remote peer, where n is the verification level. Only set for TLS connections. Set prior to execution of the --tls-verify script.
- tun_mtu
- The MTU of the TUN/TAP device. Set prior to --up or --down script execution.
- trusted_ip
- Actual IP address of the connecting client or peer which has been authenticated. Set prior to execution of the --ipchange, --client-connect, and --client-disconnect scripts.
- trusted_port
- Actual port number of the connecting client or peer which has been authenticated. Set prior to execution of the --ipchange, --client-connect, and --client-disconnect scripts.
- untrusted_ip
- Actual IP address of the connecting client or peer which has not yet been authenticated. Sometimes used to nmap the connecting host from a --tls-verify script to ensure it is firewalled properly. Set prior to execution of the --tls-verify and --auth-user-pass-verify scripts.
- untrusted_port
- Actual port number of the connecting client or peer which has not yet been authenticated. Set prior to execution of the --tls-verify and --auth-user-pass-verify scripts.
- username
- The username provided by a connecting client. Set prior to --auth-user-pass-verify script execution only when the via-env modifier is specified. Like password, it comes from a peer that has not yet been authenticated and must be treated as untrusted input: compare it, but never interpolate it unquoted into a shell command.
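As an added example (not OpenVPN's own code, and not from the original post), here is a client-side --up hook that consumes the foreign_option_{n} and route_{parm}_{n} variables listed above. It is written in Python rather than shell so the parsing and the input checks are explicit; OpenVPN runs any executable it is pointed at. The environment values at the bottom are constructed for the demo, and the resolver and route handling (writing a resolv.conf body, rendering `ip route add` commands for a --route-noexec setup) is this example's design, not something the variable list prescribes.

```python
#!/usr/bin/env python3
"""Added example (not OpenVPN's own code): an --up hook that consumes the
foreign_option_{n} and route_{parm}_{n} variables. Functions take the
environment as a mapping so they can be exercised with a constructed one;
under OpenVPN they read os.environ."""
import ipaddress
import os
import sys
from typing import Dict, List, Mapping, Tuple


def _numbered(env: Mapping[str, str], prefix: str) -> List[str]:
    """Return env[prefix+"1"], env[prefix+"2"], ... up to the first gap,
    which is how OpenVPN numbers these variables (starting from 1)."""
    values, n = [], 1
    while f"{prefix}{n}" in env:
        values.append(env[f"{prefix}{n}"])
        n += 1
    return values


def pushed_dns(env: Mapping[str, str]) -> Tuple[List[str], List[str]]:
    """Pick 'dhcp-option DNS <ip>' and 'dhcp-option DOMAIN <name>' out of
    foreign_option_{n}. The server chose these strings, so a DNS value that is
    not a valid IP address, or a domain with characters outside [A-Za-z0-9.-],
    is dropped rather than written into resolv.conf."""
    servers, domains = [], []
    for opt in _numbered(env, "foreign_option_"):
        parts = opt.split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue
        kind, value = parts[1].upper(), parts[2]
        if kind == "DNS":
            try:
                servers.append(str(ipaddress.ip_address(value)))
            except ValueError:
                continue
        elif kind == "DOMAIN" and value.replace("-", "").replace(".", "").isalnum():
            domains.append(value)
    return servers, domains


def resolv_conf(env: Mapping[str, str]) -> str:
    """Render a resolv.conf body from the pushed DNS options."""
    servers, domains = pushed_dns(env)
    lines = [f"# generated by the OpenVPN --up hook for {env.get('dev', 'unknown')}"]
    if domains:
        lines.append("search " + " ".join(domains))
    lines.extend(f"nameserver {s}" for s in servers)
    return "\n".join(lines) + "\n"


def pushed_routes(env: Mapping[str, str]) -> List[Dict[str, str]]:
    """Collect route_network_{n}, route_netmask_{n}, route_gateway_{n} and the
    optional route_metric_{n} for n = 1, 2, ... into one dict per route.
    A malformed address raises ValueError; OpenVPN treats a failed --up script
    as fatal, which is better than installing a bogus route."""
    routes, n = [], 1
    while f"route_network_{n}" in env:
        routes.append({
            "network": str(ipaddress.ip_address(env[f"route_network_{n}"])),
            "netmask": str(ipaddress.ip_address(env[f"route_netmask_{n}"])),
            "gateway": str(ipaddress.ip_address(env[f"route_gateway_{n}"])),
            "metric": env.get(f"route_metric_{n}", ""),
        })
        n += 1
    return routes


def route_commands(env: Mapping[str, str]) -> List[str]:
    """The 'ip route add' commands a hook would run under --route-noexec,
    where OpenVPN hands the routes to the script instead of installing them."""
    cmds = []
    for r in pushed_routes(env):
        prefix = ipaddress.ip_network(f"{r['network']}/{r['netmask']}", strict=False).prefixlen
        cmd = f"ip route add {r['network']}/{prefix} via {r['gateway']} dev {env['dev']}"
        if r["metric"]:
            cmd += f" metric {r['metric']}"
        cmds.append(cmd)
    return cmds


# Constructed environment standing in for what OpenVPN sets before --up;
# none of these values were captured from a real session.
SAMPLE_ENV: Dict[str, str] = {
    "script_type": "up", "script_context": "init", "dev": "tun0", "tun_mtu": "1500",
    "ifconfig_local": "10.8.0.6", "ifconfig_remote": "10.8.0.5",
    "route_net_gateway": "192.168.1.1", "route_vpn_gateway": "10.8.0.5",
    "route_network_1": "10.8.0.0", "route_netmask_1": "255.255.255.0", "route_gateway_1": "10.8.0.5",
    "route_network_2": "192.168.50.0", "route_netmask_2": "255.255.255.0",
    "route_gateway_2": "10.8.0.5", "route_metric_2": "100",
    "foreign_option_1": "dhcp-option DNS 10.8.0.1",
    "foreign_option_2": "dhcp-option DOMAIN corp.example",
    "foreign_option_3": "dhcp-option DNS not-an-address",  # rejected by pushed_dns
}

if __name__ == "__main__":
    # Under OpenVPN script_type is always present; otherwise run on the sample.
    env = os.environ if "script_type" in os.environ else SAMPLE_ENV
    sys.stdout.write(resolv_conf(env))
    for cmd in route_commands(env):
        print(cmd)
```

Registered with `up /etc/openvpn/up.py` in the client config (OpenVPN 2.1 and later also need `script-security 2` before user-supplied scripts are executed), the hook sees the real variables; run by hand it prints the resolv.conf body and route commands for the constructed sample, where the third foreign_option is silently discarded.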
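A second added example (again not OpenVPN's or the post author's code) shows the server side: one hook registered for --auth-user-pass-verify (via-env), --client-connect and --client-disconnect that dispatches on script_type, checks username/password against a credential table without ever logging the password, binds the username to common_name, and writes an accounting record from trusted_ip, trusted_port, ifconfig_pool_remote_ip, bytes_received and bytes_sent. The credential table, the PBKDF2 storage format and the log line format are this example's choices, and every environment shown is constructed, not captured.

```python
#!/usr/bin/env python3
"""Added example (not OpenVPN's own code): a server-side hook for
--auth-user-pass-verify (via-env), --client-connect and --client-disconnect.
Exit status 0 allows the client, 1 denies it."""
import hashlib
import hmac
import os
import sys
import time
from typing import Dict, Mapping, Optional, Tuple


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, so a leaked table is not a list of plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential table (username -> (salt, derived key)). A real
# deployment would load it from a file the OpenVPN user can read but not write.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (b"constructed-salt-1", _derive("correct horse", b"constructed-salt-1")),
}
_DUMMY = (b"no-such-user", bytes(32))  # used so unknown users cost the same time


def verify_credentials(env: Mapping[str, str], table=CREDENTIALS) -> bool:
    """--auth-user-pass-verify with via-env: username and password arrive in the
    environment from a peer that is not yet authenticated, so they are only
    compared, never echoed, logged or handed to a shell."""
    user = env.get("username", "")
    entry = table.get(user)
    salt, expected = entry if entry is not None else _DUMMY
    ok = hmac.compare_digest(_derive(env.get("password", ""), salt), expected)
    # common_name is set for this script too: tie the password to the certificate
    # so a stolen password cannot be used with someone else's certificate.
    if "common_name" in env and env["common_name"] != user:
        return False
    return ok and entry is not None


def accounting_line(env: Mapping[str, str], now: Optional[str] = None) -> str:
    """Record for --client-connect / --client-disconnect. trusted_ip/port and
    ifconfig_pool_remote_ip are set for both; the byte counters only exist at
    disconnect time."""
    now = now or time.strftime("%Y-%m-%dT%H:%M:%S")
    fields = [now, env.get("script_type", "?"),
              f"cn={env.get('common_name', '-')}",
              f"peer={env.get('trusted_ip', '-')}:{env.get('trusted_port', '-')}",
              f"vip={env.get('ifconfig_pool_remote_ip', '-')}"]
    if env.get("script_type") == "client-disconnect":
        fields.append(f"rx={env.get('bytes_received', '0')} tx={env.get('bytes_sent', '0')}")
    return " ".join(fields)


def handle(env: Mapping[str, str], table=CREDENTIALS, now: Optional[str] = None,
           log=lambda msg: print(msg, file=sys.stderr)) -> int:
    """Dispatch on script_type and return the exit status for OpenVPN."""
    kind = env.get("script_type")
    if kind == "auth-user-pass-verify":
        ok = verify_credentials(env, table)
        # Log the (repr-quoted) username and the untrusted peer, never the password.
        log(f"auth {'ok' if ok else 'FAILED'} user={env.get('username', '-')!r} "
            f"from={env.get('untrusted_ip', '-')}:{env.get('untrusted_port', '-')}")
        return 0 if ok else 1
    if kind in ("client-connect", "client-disconnect"):
        log(accounting_line(env, now))
        return 0
    log(f"unexpected script_type {kind!r}")
    return 1


if __name__ == "__main__":
    if "script_type" in os.environ:
        sys.exit(handle(os.environ))
    # Stand-alone demo on constructed environments (not captured sessions).
    demo_auth = {"script_type": "auth-user-pass-verify", "username": "alice",
                 "password": "correct horse", "common_name": "alice",
                 "untrusted_ip": "203.0.113.7", "untrusted_port": "51234"}
    demo_bye = {"script_type": "client-disconnect", "common_name": "alice",
                "trusted_ip": "203.0.113.7", "trusted_port": "51234",
                "ifconfig_pool_remote_ip": "10.8.0.6",
                "bytes_received": "123456", "bytes_sent": "7890"}
    for e in (demo_auth, dict(demo_auth, password="wrong"), demo_bye):
        print("exit status", handle(e))
```

The same file is named in all three server directives (`auth-user-pass-verify /etc/openvpn/hook.py via-env`, `client-connect /etc/openvpn/hook.py`, `client-disconnect /etc/openvpn/hook.py`), which is what makes script_type worth dispatching on. If via-file is used instead, verify_credentials would read the two lines of the file named in sys.argv[1] rather than the environment; the comparison and the common_name binding stay the same.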