1

How can I update WinXP clients' web proxy and default printer settings after a successful OpenVPN connect and VPN'd DHCP negotiation? (And how can I remove those settings upon VPN disconnect?)

I'm sure this is a solved problem -- it's not conceptually too different from automating the non-VPN'd transitions for a laptop going from one network to another -- but my XP knowledge is rather shallow and I couldn't find a recipe for doing this.

pilcrow

1 Answer

1

Yes, you can execute arbitrary commands on the client or server side of an OpenVPN connection, on Windows or any other OS, at various points in the connection. There are several options (usable on the command line or in a config file) that define what script(s) to execute, and with what parameters, for the various stages of the connection process.

For example, if you include the line 'up "C:\my-up-script.bat"' in your OpenVPN client config file, your client will execute whatever batch script is located at "C:\my-up-script.bat" after it has successfully opened a VPN connection to the server. The line 'down "C:\my-down-script.bat"' would mean executing the script "C:\my-down-script.bat" after terminating a connection.

The OpenVPN manual (available in full at http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html) lists all of the various scripts and when each one gets executed:

SCRIPTING AND ENVIRONMENTAL VARIABLES
OpenVPN exports a series of environmental variables for use by user-defined scripts.

Script Order of Execution

--up
    Executed after TCP/UDP socket bind and TUN/TAP open.
--tls-verify
    Executed when we have a still untrusted remote peer.
--ipchange
    Executed after connection authentication, or remote IP address change.
--client-connect
    Executed in --mode server mode immediately after client authentication.
--route-up
    Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option.
--client-disconnect
    Executed in --mode server mode on client instance shutdown.
--down
    Executed after TCP/UDP and TUN/TAP close.
--learn-address
    Executed in --mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table.
--auth-user-pass-verify
    Executed in --mode server mode on new client connections, when the client is still untrusted.

If you're using the OpenVPN GUI for Windows, you might also want to read that program's installation guide (http://openvpn.se/install.txt), specifically the section entitled "Run Connect/Disconnect/Preconnect Scripts". The OpenVPN GUI runs the OpenVPN daemon as a Win32 service with dynamically-defined command-line options, so you just have to write your own scripts and save them in the locations where the service wrapper will look for them.

If you "roll your own" using the NullSoft NSIS installer building instructions (http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html), you can just drop your scripts into the package as you create it. (I don't want to go into more detail on this topic because it's pretty involved, and the official documentation explains it all much better than I can, here.)

If you're not familiar with the Windows scripting commands needed to add printers and set proxy configurations, I would suggest writing a couple of short Visual Basic scripts. You can find more examples on Google, but here's a starter for you, inspired by something I found on the Petri forums (http://www.petri.co.il/forums/showthread.php?t=6486), to set up a new printer and make it the default:

' Map the network printer and make it the default.
Set WshNetwork = CreateObject("WScript.Network")
' Drop any stale mapping first; ignore the error raised when none exists yet.
On Error Resume Next
WshNetwork.RemovePrinterConnection "\\MyGroupName\MyPrinterName"
On Error GoTo 0
WshNetwork.AddWindowsPrinterConnection "\\MyGroupName\MyPrinterName"
WshNetwork.SetDefaultPrinter "\\MyGroupName\MyPrinterName"

Save that as a .vbs file, and you should be able to execute it and see the changes from any machine that can see the printer. Also, obviously, you'll have to replace the workgroup and printer names with your own, in each of the three lines that use them.

If you use the OpenVPN GUI's pre-defined batch script paths, you can run a .vbs script by creating a batch file with the proper name (as explained in the doc I linked to, above), containing just the line:

START C:\add_printer.vbs

You could also just call a .vbs script directly from your OpenVPN configuration file, by adding the line:

up "C:\add_printer.vbs"

(Either way, you'll need to replace that path with the location of your actual .vbs script.)

The 'down' script could work the same way -- probably, you'd just need it to contain one line, 'WshNetwork.RemovePrinterConnection "\\MyGroupName\MyPrinterName"'.

Ryan B. Lynch
  • Is there a way to do this that's triggered by "normal" DHCP mechanisms, rather than specifically by OpenVPN scripts? – pilcrow Feb 16 '10 at 15:38
  • No, I'm pretty sure you can't add printers, or set a default printer, based on DHCP options. DHCP isn't really designed to support anything that sophisticated. You might be able to set the proxy, but I don't actually know. On Windows domains, any kind of advanced client auto-configuration is normally handled with GPOs that execute scripts at startup/shutdown/logon/logoff. BUT: If you DO find a DHCP option you want to pass to an OpenVPN client, the instructions are here: http://openvpn.net/index.php/open-source/documentation/howto.html#dhcp – Ryan B. Lynch Feb 18 '10 at 21:39
  • Thanks, Ryan. I didn't mean push out a DHCP option, I meant, can I configure the *client* stack to recognize that it's plugged back in to a familiar network and apply arbitrary settings peculiar to that network. In any case, however, you've got the bounty! – pilcrow Feb 22 '10 at 02:47
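
The answer's up/down approach extended to cover the proxy setting as well, as an added example that is not part of the original answer: one VBScript serves both hooks by reading the script_type environment variable that OpenVPN sets before it runs a script. The proxy address and printer share are placeholders, and the down branch simply disables the proxy rather than restoring an earlier value.

```vbscript
' Added example: a single script referenced by both the "up" and "down" options.
' Assumptions: PRINTER and PROXY are placeholders to replace with real values.
Option Explicit

Const PRINTER = "\\MyGroupName\MyPrinterName"
Const PROXY   = "proxy.example.internal:3128"
Const IE_KEY  = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Dim shell, net, mode
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' OpenVPN exports script_type ("up", "down", ...) to every script it launches.
mode = LCase(shell.Environment("Process")("script_type"))

Select Case mode
  Case "up"
    ' Point the per-user Internet Settings at the VPN-side proxy.
    shell.RegWrite IE_KEY & "ProxyServer", PROXY, "REG_SZ"
    shell.RegWrite IE_KEY & "ProxyEnable", 1, "REG_DWORD"
    ' Re-map the printer from a clean state and make it the default.
    RemovePrinterQuietly
    net.AddWindowsPrinterConnection PRINTER
    net.SetDefaultPrinter PRINTER
  Case "down"
    ' Turn the proxy off again and drop the VPN-only printer.
    shell.RegWrite IE_KEY & "ProxyEnable", 0, "REG_DWORD"
    RemovePrinterQuietly
  Case Else
    ' Not started by an up/down hook: change nothing and report failure.
    WScript.Quit 1
End Select

Sub RemovePrinterQuietly()
  ' RemovePrinterConnection raises an error when the mapping does not exist,
  ' which is the normal case on first connect; ignore only that call.
  On Error Resume Next
  net.RemovePrinterConnection PRINTER, True, True
  On Error GoTo 0
End Sub
```

The script runs with the privileges and user profile of the OpenVPN process, so the HKCU write and the printer mapping land in that account, and the file should sit where unprivileged users cannot modify it. OpenVPN 2.1 and later only run user-defined scripts when script-security is set to 2 or higher.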