The Access Server supports the pushing of executable scripts to the
Scripts are defined as group properties on the Access Server, meaning
that scripts that are associated with a given group will only be
pushed to clients that are members of that group. If you would like
to push scripts to all clients, it is possible to configure a default
In the Group Permissions page on the Access Server,
(a) scripts can be defined for each of the platforms supported by the
Access Server client: Windows, Mac OS X, and Linux.
(b) scripts can be designated as requiring user or admin-level
(c) environmental variables may be defined that will be pushed
Scripts may be designated on the Access Server as requiring useror administrative privileges. Admin-level script execution requires that an additional global setting be configured.
The Access Server client supports script execution using locally
installed script interpreters such as cmd.exe on Windows and
sh/bash on unix/linux. The client also supports execution of
Python scripts on all platforms, using an integrated python
Note that the integrated Python interpreter does not include 100%
of the standard Python library that would be present with a stock
Python install. This is done to save space in the client installer.
If you believe that a certain python module would be useful to
OpenVPN scripting that is not already bundled, please contact
suppport at OpenVPN Technologies, and we consider including it in
a future release.
Sample Python Scripts
Launch a URL:
# On VPN connection initiation, launch a URL in the default browser.
# Works on all client platforms (Windows, Mac, Linux).
# Environmental Variables:
# LAUNCH_URL -- URL to launch
import os, webbrowser
if os.environ['N_RECONNECTS'] == '0':
Download and install an application on Windows:
# Download and install an MSI-based application on Windows. Leave a marker
# file behind, so that we only install the application once per local user.
# Environmental Variables:
# MSI_URL -- URL of MSI file
# MSI_HASH -- sha1 hash of MSI file, for security verification
# MSI_OPT (optional) -- extra MSI arguments, such as /q for quiet install
import os, urllib, scripthelper as sh
url = os.environ['MSI_URL']
local = os.path.basename(url)
hash = os.environ['MSI_HASH']
if not os.path.exists(hash):
if sh.digest_file(local, 'sha1') != hash:
raise ValueError("downloaded file has incorrect hash")
os.system("msiexec /i %s %s /l* msi.log" % (local, os.environ.get('MSI_OPT', '')))
Admin-levels scripting notes:
* On Windows, scripts that run with admin privileges may not
be able to interact with the desktop.
* Admin-level scripts (if allowed) will be executed by the client
even if the end-user who is currently operating the client
does not possess admin privileges.
Special environmental variables that may be set on the AS:
PREPATH -- if defined, will be prepended to client's PATH before the
script is executed.
Special environmental variables set by the client backend before
scripts are executed:
N_RECONNECTS (integer rendered as string) -- the number of reconnects
that have occurred thus far in this session.
GRACEFUL_DISCONNECT ("0" or "1") -- set to "1" if this disconnect was
requested by the user, and "0" if the disconnect
Script shebang usage for Windows (on unix, shebangs are processed by the OS):
The "shebang" is a unix construct for designating the interpreter that
should process a script, by including a specially coded line beginning
with "#!" as the first line of the script. When the Access Server
client runs on unix, the OS will handle the shebang usage. However
since Windows doesn't natively recognize shebang usage, the Access
Server client will interpret the shebang line and use it to determine
how to execute the script, using the following rules:
[script content] -- defaults to cmd.exe processing
[script content... -- find foo.exe in path]
#!foo.exe -a somearg
[script content... -- pass options (the last option is the implicit script filename)]
#!"c:\Program Files\Foo Corp\foo.exe" -a somearg
[script content... -- quote the program exe]
[script content... -- script will be written to a .foo file before execution]
[python code -- execute python script using OpenVPN Client built-in python interpreter]
[python code -- execute python script using OpenVPN Client built-in python interpreter
on Windows, and using default python install on unix.]