Because OpenVPN is so easy to script, its plugin interface is a relatively underutilized tool available to server administrators. By default, OpenVPN ships with a pair of plugins: one for PAM authentication and another for executing --down scripts with root privileges, even when the administrator has configured OpenVPN to de-escalate its own privileges.
It's a good idea to drop privileges within OpenVPN, and the down-root plugin lets you do so without giving up the --down scripts that need root. Applications like firewalls require escalated privileges to add and remove firewall rules. By utilizing the down-root plugin, an administrator can add new firewall rules when a client connects and remove those rules once the client disconnects.
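
A server configuration fragment for the arrangement described above, added here as an example and not taken from the original page: OpenVPN drops to an unprivileged account while the down-root plugin keeps the ability to run the firewall teardown script as root. The plugin path, the script paths and the account names are assumptions that vary by distribution and OpenVPN version.

```conf
# Constructed example: all paths and account names below are assumptions.

# Drop root once initialization is complete. The --up script runs before
# this UID/GID change, so it can still add firewall rules as root.
user nobody
group nogroup

# Keep the key material and the tun device across restarts, because the
# unprivileged process can no longer re-read keys or reopen the device.
persist-key
persist-tun

# Permit OpenVPN to call user-defined scripts such as the --up script.
script-security 2
up /etc/openvpn/scripts/fw-up.sh

# A plain "down /etc/openvpn/scripts/fw-down.sh" would run as nobody at
# this point and could not remove the rules. The plugin forks a helper
# while OpenVPN is still root, and that helper runs the script as root
# at the --down event.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/scripts/fw-down.sh"
```

Because the teardown script runs as root, keep it and its directory owned by root and not writable by the account named in the user directive.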
A usage scenario could be a single OpenVPN instance that supports an entire company's staff. Administrative and office staff would not generally need access to lights-out management interfaces and other such systems on a company network. With the addition of firewall...