
Access Server Supports Client-side Scripting

Abstract

What is client-side scripting, and what can it do? Learn how this scripting process works and how to use it with Access Server.

What client-side scripting can do

Access Server supports pushing scripts to VPN clients. By default, OpenVPN Connect for Windows and Mac prompts the user once to confirm whether scripts should be executed. If the user approves, the script runs from that point on whenever the user connects or disconnects.

For security reasons, client-side script commands are limited to the user context. Client-side scripting on its own handles simple tasks. For system-wide configuration, or for complicated tasks, the script must call an external program. A program that asks the user for privilege escalation can gain full system-level access, and it can then perform any task that any installation file with administrative privileges can do.

Example 1. Example tasks with client-side scripting
  • Open a web page automatically after the user connects.

  • Open a network drive in Explorer or Finder automatically.

  • Display a message on the computer screen indicating a successful connection (in addition to the popup window that OpenVPN Connect shows or with additional information).

  • Run a separate program to remove any temporary files or close open programs that only work over the VPN connection.



Client-side scripting requirements

Language

Client-side scripts can be written in a shell language like batch scripting, sh/bash scripting, or even Python. You can also configure environment variables set by the client operating system.

Platforms

Scripting works on Windows, Mac, and Linux if the client program permits the execution of scripts and if it runs them. For example, on Windows and Mac, if you use OpenVPN Connect, then by default, it will ask the user if it's okay to run the script before executing it.

For Linux clients, client-side scripting isn’t implemented out of the box. Refer to the “scripting and environmental variables” section in the Reference manual for OpenVPN 2.4 for how to configure this functionality.

Currently, server-side scripting is only possible using a post-auth script, with limitations and caveats. A post-auth script runs after a client has successfully authenticated but before the client establishes a connection. This makes it possible to add additional criteria before allowing the connection, or to run additional commands such as sending a notification to the administrator that someone has connected.

Important

Auto-login profile types bypass post-auth entirely.

Client-side scripting tutorial