Ask Ubuntu Asked by Oxwivi on December 27, 2021
How can I associate a script to OpenVPN so that it runs when the VPN is connected successfully?
After following multiple suggestions, one problem I have is that --up and --route-up are executing before the whole "Initialization Sequence Completed".
For me, I have to open ports after full initialization. So I followed the steps below.
1) Create up.sh, which launches the port-open script (proxyports.sh) asynchronously.
2) Create down.sh, which closes the ports opened asynchronously by proxyports.sh.
up.sh content:
#!/bin/bash
# Launch the port-open script in the background after a short delay, so the
# --up hook returns immediately and OpenVPN finishes initializing before the
# ports are opened. "~" expands to $HOME of the user running OpenVPN.
( ( sleep 1 ; ~/proxyports.sh ) & echo "Open the ports" )
proxyports.sh content:
#!/bin/bash
# set HOME explicitly, since OpenVPN's hook environment is not an interactive shell
HOME=/home/venkatdesu
# PIDs of whatever is listening on port 1080 (the SOCKS proxy port)
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
if [[ -n "$PID" ]]; then
    # an old proxy is still running: force-kill it before starting a new one
    echo "SSH Socks Process $PID running with " $(ps "$PID")
    kill -9 $PID
    sleep 1
fi
# open a SOCKS proxy on local port 1080 over ssh, in the background (-f), with no remote command (-N)
ssh -D 1080 -Nf [email protected]
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
echo "Socks running at $PID"
down.sh content:
#!/bin/bash
# PIDs of whatever is listening on port 1080 (the SOCKS proxy started by proxyports.sh)
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
if [[ -n "$PID" ]]; then
    # force-kill the proxy so the port is closed when the VPN goes down
    echo "SSH Socks Process $PID running with " $(ps "$PID")
    kill -9 $PID
fi
Answered by Venkateswara Rao on December 27, 2021
Here is the config for OpenVPN, in order to send mail after a successful connection:
Create a directory
mkdir /mailOpenVPN
Make it world-accessible
chmod 777 /mailOpenVPN
vim /etc/openvpn/up.sh
#!/bin/sh
# OpenVPN exports the client's certificate CN, public IP and assigned tunnel IP
# into the environment; pass them quoted so values with spaces stay one argument each
python3 /mailOpenVPN/sendMail.py "$X509_0_CN" "$trusted_ip" "$ifconfig_pool_remote_ip"
Make up.sh executable
chmod +x /etc/openvpn/up.sh
Add in /etc/openvpn/server.conf
script-security 2
client-connect /etc/openvpn/up.sh
Restart the OpenVPN service
service openvpn restart
vim /mailOpenVPN/sendMail.py
import sys
import smtplib
import datetime

smtp_user = "SENDER MAIL"
smtp_pass = "PASS"
recipients = "DEST MAIL"
smtp_server = "smtp.gmail.com"  # This is in my case, because sender is gmail

try:
    # argv[1..3] are the CN, public IP and assigned IP passed by up.sh
    now = str(datetime.datetime.now())
    subject = "New connection to home VPN"
    msg = "Hello chief,\n\n"
    msg += "New connection detected:\n"
    msg += "User: " + str(sys.argv[1]) + "\n"
    msg += "Public IP: " + str(sys.argv[2]) + "\n"
    msg += "Assigned IP: " + str(sys.argv[3]) + "\n"
    msg += "Timestamp: " + str(now) + "\n\n"
    msg += "Best regards,\n"
    msg += "Your humble Pi"
    sender = "OpenVPN Home"
    message = "From: OpenVPN Home\nSubject: {0}\n\n{1}".format(subject, msg)
    server = smtplib.SMTP_SSL(smtp_server, 465)
    server.ehlo()
    server.login(smtp_user, smtp_pass)
    server.sendmail(sender, recipients, message)
    server.close()
except Exception:
    # swallow errors so a mail failure does not make the script exit non-zero
    pass
Answered by Eusebiu Rizescu on December 27, 2021
I stumbled upon the answer in my research to solve this issue and I found out that the best solution is (using openvpn server) as follows:
Create a script to be executed:
# nano /etc/openvpn/up.sh
<file:contents>
#!/bin/sh
# uncomment to dump the whole OpenVPN environment for debugging
# export >> /var/log/openvpn/openvpn-up.log
D=$(date "+%Y-%m-%d %H:%M")
# one line per client connection: local port/proto, certificate CN, public IP => assigned VPN IP
echo "[$D] ($local_port_1:$proto_1) $X509_0_CN: $trusted_ip => $ifconfig_pool_remote_ip" >> /var/log/openvpn/openvpn-up.log
</file>
Add the following lines to the OpenVPN configuration (usually /etc/openvpn/server.conf). In the answer above, up and down were used, which run when the server starts (restarts). The directives client-connect (and client-disconnect) run when a client connects (disconnects).
# nano /etc/openvpn/server.conf
<file:add>
script-security 2
client-connect /etc/openvpn/up.sh
</file>
Answered by CozC on December 27, 2021
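The logging and mail hooks in the two answers above pass $X509_0_CN and the IP variables straight into a log line or a command line. The following is an added example, not code from any answer on this page: a client-connect hook that validates those values before using them, quotes everything, and fails closed (OpenVPN disconnects a client whose client-connect script exits non-zero). It assumes "script-security 2" and "client-connect <this script>" in server.conf as shown above; the log path and the 64/45-character limits are assumptions.

```shell
#!/bin/sh
# Added example: hardened client-connect hook. Run by OpenVPN as root with
# X509_0_CN, trusted_ip and ifconfig_pool_remote_ip in the environment.

# Accept only a conservative character set for the certificate CN, so a
# crafted CN cannot put newlines or shell-significant text into the log.
valid_cn() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Accept only characters that can appear in an IPv4 or IPv6 literal.
valid_ip() {
    case "$1" in
        '' | *[!0-9a-fA-F:.]*) return 1 ;;
    esac
    [ "${#1}" -le 45 ]
}

# Append one record to log file $1. Returns 1 and logs nothing on bad input;
# that non-zero status makes OpenVPN reject the client instead of logging blindly.
log_connect() {
    logfile=$1
    cn=${X509_0_CN:-}; src=${trusted_ip:-}; vpn_ip=${ifconfig_pool_remote_ip:-}
    valid_cn "$cn" && valid_ip "$src" && valid_ip "$vpn_ip" || return 1
    umask 077   # the log lists client identities, so create it root-only
    printf '[%s] %s: %s => %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$cn" "$src" "$vpn_ip" >> "$logfile"
}

# OpenVPN sets script_type for every hook it runs; only act when invoked by
# OpenVPN, so the functions above can also be sourced and tested on their own.
if [ "${script_type:-}" = "client-connect" ]; then
    log_connect /var/log/openvpn/client-connect.log   # assumed log path
fi
```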
To the question: "How can I associate a script to OpenVPN so that it runs when the VPN is connected successfully?" I want to point out that Lekensteyn provided an excellent answer. But, at the time his answer was composed, it lacked a little clarity on how openvpn command line arguments should be provided to start openvpn on an ubuntu machine, especially so that it works the same after reboots.
Naturally, one can start openvpn from a command line with any available legal options. But, on an Ubuntu machine, if one wants to start openvpn with the same command line arguments after a reboot, they should consider editing the file /etc/default/openvpn. Examine the following lines:
# Optional arguments to openvpn's command line
OPTARGS=""
From the community openvpn man page on --script-security:
--script-security level This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level: 0 -- Strictly no calling of external programs. 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh. 2 -- Allow calling of built-in executables and user-defined scripts. 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe). OpenVPN releases before v2.3 also supported a method flag which indicated how OpenVPN should call external commands and scripts. This could be either execve or system. As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() approach has been used without any issues. Some directives such as --up allow options to be passed to the external script. In these cases make sure the script name does not contain any spaces or the configuration parser will choke because it can't determine where the script name ends and script options start.
Combined with an abbreviated section on --up:
--up cmd Run command cmd after successful TUN/TAP device open (pre --user UID change). cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.
On my machine with an openvpn server.conf, I have the following lines in my /etc/default/openvpn file:
OPTARGS="
--script-security 2
--up /etc/openvpn/nat.sh
"
Incidentally, nat.sh sets up network address translation for routing private network traffic from openvpn clients to the public internet, which is good for when one does not trust a public WiFi access point.
Aside from allowing openvpn to restart as expected after a reboot, when the /etc/openvpn/[client or server].conf and /etc/default/openvpn files are properly configured, openvpn can be started or stopped with:
sudo service openvpn start
sudo service openvpn stop
Other useful options available for service openvpn include cond-restart, force-reload, reload, restart, soft-restart, start, status, stop.
Answered by Keith Reynolds on December 27, 2021
As this is a quite old thread, I'm not sure if it is still of interest. If you still want to use NetworkManager to connect to a VPN, you can add a simple udev rule like this:
KERNEL=="vpn0", RUN+="/PATH_TO_THE_SCRIPT/SCRIPT_NAME"
This should run any script after the VPN is created.
Answered by Thomas on December 27, 2021
network-manager-openvpn does not provide such functionality; you have to use openvpn directly.
Pass --script-security 2 --up /path/to/your/script to it when connecting. If you're using a configuration file located at /etc/openvpn/, append the next lines to your configuration file:
script-security 2
# run /etc/openvpn/up.sh when the connection is set up
up /etc/openvpn/up.sh
From the OpenVPN manpage:
--script-security level [method] This directive offers policy-level control over OpenVPN’s usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level: 0 -- Strictly no calling of external programs. 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh. 2 -- Allow calling of built-in executables and user-defined scripts. 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe). --up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. Script Order of Execution --up Executed after TCP/UDP socket bind and TUN/TAP open. --down Executed after TCP/UDP and TUN/TAP close.
There are more events for script execution, those can be found on the manual page.
Create /etc/openvpn/up.sh, and give it execute permissions (say, 755 or 700). Example content for adding an IPv6 address and route (shown for educational purposes, do not copy it directly):
#!/bin/sh
# add an IPv6 address to device $dev (environment variable set by OpenVPN)
ip -6 addr add 2001:db8::1:2/112 dev "$dev"
# and the IPv6 route for this net using gateway 2001:db8::1
ip -6 route add 2001:db8::1:0/112 via 2001:db8::1 dev "$dev"
Note that this up script is run as root. If you have not specified a User and Group setting, OpenVPN will run scripts like down as root too.
Answered by Lekensteyn on December 27, 2021
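Because every hook runs as root, as the answer above notes, a hook script or its parent directory that other users can write to (the chmod 777 directory in the mail answer earlier on this page is this pattern) lets an unprivileged local account run code as root at the next connection. The script below is an added example, not from any answer here: it lists the hook directives in an OpenVPN config, flags writable hooks and script-security 3, and returns the number of findings. It assumes Linux (GNU or busybox stat) and directives in the .conf file itself rather than in OPTARGS; the hook list and output format are the example's own.

```shell
#!/bin/sh
# Added example: audit the script hooks enabled by an OpenVPN config file.

HOOKS='up down route-up client-connect client-disconnect learn-address auth-user-pass-verify tls-verify'

# Print "directive path" for each hook directive in config $1. The manpage
# quoted above says script names may not contain spaces, so $2 is the path.
list_hooks() {
    awk -v hooks="$HOOKS" '
        BEGIN { n = split(hooks, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        ($1 in want) && NF >= 2 { print $1, $2 }' "$1"
}

# True if group or other has the write bit on $1 (octal mode & 022 != 0).
group_or_other_writable() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Print findings for hook script $1; the return value is the finding count.
check_hook() {
    n=0
    if [ ! -e "$1" ]; then
        echo "MISSING      $1"; return 1
    fi
    if group_or_other_writable "$1"; then
        echo "WRITABLE     $1 (others can replace root-run code)"; n=$((n + 1))
    fi
    if group_or_other_writable "$(dirname "$1")"; then
        echo "WRITABLE-DIR $(dirname "$1") (script can be swapped out)"; n=$((n + 1))
    fi
    return "$n"
}

# Audit config $1: flags script-security 3 and every weak hook. The return
# value is the total number of findings, so 0 means nothing was flagged.
audit_config() {
    total=0
    if [ "$(awk '$1 == "script-security" { print $2 }' "$1" | tail -n 1)" = 3 ]; then
        echo "LEVEL        script-security 3 passes passwords into hook environments"
        total=1
    fi
    for path in $(list_hooks "$1" | awk '{ print $2 }'); do
        check_hook "$path" || total=$((total + $?))
    done
    return "$total"
}

if [ $# -eq 1 ]; then audit_config "$1"; fi   # e.g. ./audit.sh /etc/openvpn/server.conf
```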