Script not run after vpn0 is established

BUILD ID = OS VERSION (Sailfish OS 4.0):
HARDWARE (Xperia 10 Plus):


I set up openvpn and it works flawlessly.

I want to extend the functionality by blocking IP addresses (e. g. Google, FB, etc.). This can be achieved with providing the “up” and “down” entries in the .ovpn file, however the entries seem to be ignored.

When I look after the process I see the following:

22138 defaultuser /usr/sbin/openvpn --remote --ca /home/defaultuser/System/XY Space/ca.crt --cert /home/defaultuser/System/XY-Space/client10.crt --key /home/defaultuser/System/XY-Space/client10.key --proto udp --port 1194 --cipher AES-128-CBC --auth SHA512 --comp-lzo --remote-cert-tls server --config /home/defaultuser/.local/share/system/privileged/vpn-provisioning/3d8d4909362c878c753abbdac9dc63c475119a54.conf --management /tmp/connman-vpn-management-95_216_205_51_sailfishos_org unix --management-query-passwords --auth-retry interact --syslog --script-security 2 --up /usr/lib/connman/scripts/openvpn-script --up-restart --setenv CONNMAN_BUSNAME :1.36 --setenv CONNMAN_INTERFACE net.connman.Task --setenv CONNMAN_PATH /task/2 --dev vpn0 --dev-type tun --persist-tun --route-noexec --ifconfig-noexec --ping 10
–ping-exit 60

The process already has an “up” entry (–up /usr/lib/connman/scripts/openvpn-script). This is - I guess - for setting up the routes. Now I wonder how can I run a script after vpn0 is up?
Any other chances?


VPN (openvpn)



Script is run


Script is not run


This is my .ovpn (some sensitive data removed/changed)

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote X.X.X.X 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.

# Scripts to be run
script-security 2
up /etc/openvpn/
down /etc/openvpn/

# Downgrade privileges after initialization (non-Windows only)
#user openvpn
#group openvpn

# Try to preserve some state across restarts.

# If you are connecting through an                 
# HTTP proxy to reach the actual OpenVPN            
# server, put the proxy server/IP and               
# port number here.  See the man page               
# if your proxy server requires                     
# authentication.                                   
;http-proxy-retry # retry on connection failures    
;http-proxy [proxy server] [proxy port #]           
# Wireless networks often produce a lot             
# of duplicate packets.  Set this flag              
# to silence duplicate packet warnings.             
# SSL/TLS parms.                                    
# See the server config file for more               
# description.  It's best to use                    
# a separate .crt/.key file pair                    
# for each client.  A single ca                     
# file can be used for all clients.                 
# Verify server certificate by checking that the    
# certicate has the correct key usage set.          
# This is an important precaution to protect against
# a potential attack discussed here:                
# To use this feature, you will need to generate   
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment              
# and the extendedKeyUsage to                      
#   serverAuth                                     
# EasyRSA can do this for you.                     
remote-cert-tls server                             
# If a tls-auth key is used on the server          
# then every client must also have the key.        
tls-auth /home/defaultuser/System/XY-Space/ta.key 1
tls-version-min 1.2                                
auth SHA512                                    
# Select a cryptographic cipher.               
# If the cipher option is used on the server   
# then you must also specify it here.          
cipher AES-128-CBC                             
# Use a FIPS 140-2 approved cipher in FIPS mode
;cipher AES-256-CBC   # AES-256                
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.                          
# Set log file verbosity.
verb 5

What happens when you run your .ovpn by hand? As I understand the .ovpn is interpreted with the connman-component not by openssl itself. This is the same with the ipv6 settings which work when you openvpn --config your.ovpn as root but not via the SFOS mimikry.

If I run openvpn by hand the script is being executed, in contrast to the situation when the “GUI” method (default) is used.
So - as expected - the “–up” parameter prevents the “up” entry in the .ovpn file from being used.


This is an update:
Instead of the “up” entry one can use the “route-up” entry, however, this does not change things.

O.k. I made up my mind and came up with using systemd for my purposes.

This is my systemd file, which I named local.service




My file looks like this


Block Facebook, Google, and Twitter

iptables --flush
iptables-restore < /usr/local/etc/iptables_full

block IPv6 traffic

/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1

change DNS server

rm /etc/resolv.conf
ln -s /usr/local/etc/resolv.conf /etc/resolv.conf

The iptables_full file has all the addresses to be rejected.