# Make OpenVPN down.sh working

## tuner23

Hi,

I have the problem that the down.sh script does not do anything.

My down-script is very simple:

```
dev=$1

if [ -e /etc/resolv.conf-"${dev}".sv ] ; then
   # Important that we copy instead of move in case resolv.conf is
   # a symlink and not an actual file
   cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
   rm -f /etc/resolv.conf-"${dev}".sv
fi
```

When I stop openvpn, I see in the messages:

```
...
Aug  6 12:15:35 fish openvpn[14768]: TCP/UDP: Closing socket
Aug  6 12:15:35 fish openvpn[14768]: /sbin/ip route del 192.168.23.65/32
Aug  6 12:15:35 fish openvpn[14768]: ERROR: Linux route delete command failed: external program exited with error status: 2
...
Aug  6 12:15:35 fish openvpn[14768]: /etc/openvpn/down.sh tun0 1500 1544 192.168.23.70 192.168.23.69 init
Aug  6 12:15:35 fish openvpn[14768]: Closing TUN/TAP interface
```

The /etc/resolv.conf-"${dev}".sv exists, and when I call the script on the command line

```
/etc/openvpn/down.sh tun0
```

it works properly.

Oehm, so what am I doing wrong?

Thanks for your help,

Antonios.

----------

## Hu

Add the following to the top of your downscript, then let OpenVPN run it.  Afterward, check the generated log.

```
exec 2> $(mktemp openvpn-down.log.XXXXXX)
set -x
```

----------

## tuner23

Hmm,

thank you..

I see the problem, but not the solution right now...

openvpn starts up as root and switches to user nobody..

```
+ dev=tun0
+ '[' -e /etc/resolv.conf-tun0.sv ']'
+ cp /etc/resolv.conf-tun0.sv /etc/resolv.conf
cp: cannot create regular file `/etc/resolv.conf': Permission denied
+ rm -f /etc/resolv.conf-tun0.sv
rm: cannot remove `/etc/resolv.conf-tun0.sv': Permission denied
+ exit 0
```

Maybe I should put a line in the init-script, or is there a better way..?

----------

## Hu

How do you create /etc/resolv.conf-tun0.sv?

----------

## tuner23

Hello Hu,

The up-script is called as a VPN option by the Gentoo init-script

```
...
if exist up.sh
openvpn  --up up.sh 
```

Something like this..

It's the same with down.sh

----------

## marens

I think this problem still exists today. Did you manage to get things working? Otherwise opening a bug would be a good idea.

----------

## tuner23

Hello marens,

It's a long time ago, so I don't really know the actual status of that.

In my init-script are the following two lines, but I don't know if they are from me or from the original Gentoo init-script..

```
   # When we get an authenticated packet from the peer then we run our script
   # which configures our DNS if any and marks us as up.
   if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
   grep -q "^[    ]*remote[   ].*" "${VPNCONF}" ; then
      reenter="yes"
      args="${args} --up-delay --up-restart"
      args="${args} --script-security 2"
+++      args="${args} --up /etc/openvpn/up.sh"
+++     args="${args} --down-pre --down /etc/openvpn/down.sh"
```

Hope that helps.

Maybe you also have to check whether the file exists before setting the options..

Antonios.

----------

## marens

Well, the problem is pretty clear: openvpn drops privileges after changing routing/DNS, and so it can't change it back when we stop the service.

```
                # Warn about the inability to change ip/route/dns information when
                # dropping privs
                if grep -q "^[  ]*user[         ].*" "${VPNCONF}" ; then
                        ewarn "WARNING: You are dropping root privileges!"
                        ewarn "As such openvpn may not be able to change ip, routing"
                        ewarn "or DNS configuration."
                fi
```

But that isn't what I need for a quick VPN to the company and resetting it back again.

----------

## marens

Installed openresolv, seems to be working properly now.

----------
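An added example, not code from any poster in this thread or from the Gentoo init scripts: a variant of the down script from the first post that tests for write access before restoring, so that a run after OpenVPN has switched to user nobody reports the uid and returns non-zero instead of ending in `exit 0` as in the trace above. The optional second argument (an alternate directory, used for testing) and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: down.sh variant that reports why the restore failed.
# restore_resolv DEV [ETC_DIR]
#   ETC_DIR is a hypothetical parameter (defaults to /etc) so the function
#   can be exercised on a scratch directory.
# Return codes (chosen for this example):
#   0 = resolv.conf restored, 1 = no backup found, 2 = permission problem
restore_resolv() {
    dev=$1
    etc=${2:-/etc}
    backup="${etc}/resolv.conf-${dev}.sv"
    target="${etc}/resolv.conf"

    if [ ! -e "${backup}" ]; then
        echo "down.sh: no backup ${backup}, nothing to restore" >&2
        return 1
    fi

    # After privileges are dropped the script runs with the unprivileged uid.
    # Removing the backup needs a writable directory; overwriting an existing
    # resolv.conf needs a writable file. Check both before touching anything.
    if [ ! -w "${etc}" ] || { [ -e "${target}" ] && [ ! -w "${target}" ]; }; then
        echo "down.sh: uid $(id -u) cannot write ${target} or remove ${backup}" >&2
        return 2
    fi

    # Copy instead of move in case resolv.conf is a symlink.
    cp "${backup}" "${target}" || return 2
    rm -f "${backup}" || return 2
    return 0
}

# Run the restore only when called with a device name as first argument.
if [ -n "${1:-}" ]; then
    restore_resolv "$1"
    exit $?
fi
```

The messages go to stderr, so they land in the log file when combined with the `exec 2>` redirect suggested earlier in the thread.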

