Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


OpenVPN Connection Script

Someday OpenVPN connections may be added to the Managed VPN service but until then a common need is for a VPN tunnel to be restarted if the service fails. To do this we will employ a simple connection script. The connection script should be programmed to use the P-t-P address of the far end of the tunnel and reboot the service if a series of pings fails to reach the destination.

ClearOS 6.x Script

Script

For this example we will create the script in /root/support/scripts/ and give it the name of openvpn.connection.tester.sh.

mkdir /root/support /root/support/scripts && vi /root/support/scripts/openvpn.connection.tester.sh
#!/bin/bash

site=$1
if [ "$site" == "" ]; then
	echo Usage: openvpn.connection.tester.sh [IP_address]
	exit 0
fi

ping_test=`ping -c 4 $site | grep "100% packet loss"`
if [ "$ping_test" ]; then
	service openvpn restart
else
	echo "Connection good."
fi

Now we will gather the information about the far side of the tunnel:

[root@home ~]# ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.100.0.1  P-t-P:10.100.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

In this scenario the address we would be pinging is 10.100.0.2. Test that now.

ping 10.100.0.2

If that works then we can safely apply the script. To execute the script, change it so that root can run it:

chmod u+x /root/support/scripts/openvpn.connection.tester.sh

Now run the program:

/root/support/scripts/openvpn.connection.tester.sh 10.100.0.2

Not test it against something that will fail to ping:

/root/support/scripts/openvpn.connection.tester.sh www.msnbc.com

Scheduling the test

With the test in place you can now schedule a test of the far side of the tunnel and restart the services locally (Note: you will need to use vi commands to edit crontab with this method).

crontab -e

Add this line to the end of the crontab (Shift+g o):

*/5	*	*	*	*	/root/support/scripts/openvpn.connection.tester.sh 10.100.0.2 &> /dev/null

Save the file. ( :wq )

ClearOS 7.x Script

Script

For this example we will create the script in /root/support/scripts/ and give it the name of openvpn.connection.tester.sh.

mkdir /root/support /root/support/scripts

With your favourite text editor, create the file /root/support/scripts/openvpn.connection.tester.sh and in it put:

#!/bin/bash

conffile=$(basename $1)
fullfile="/etc/openvpn/"$conffile
tunnel=$(basename $conffile .conf)

# Check if OpenVPN config file is specified
if [ " $conffile " == "  " ]; then
	echo Usage: openvpn.connection.tester.sh [OpenVPN_tunnel_conf_file]
	exit 0
fi

# Check if OpenVPN config file exists
if [ ! -f $fullfile ]; then
	echo "OpenVPN configuration file not found!"
	exit 0
fi

# Pick out the tunnel's remote IP 
remote_IP=$(grep -e "^ifconfig\s\+" $fullfile | awk '{print $3}')

# If it is not specified, config is invalid (e.g. roadwarrior config)
if [ " $remote_IP " == "  " ]; then
	echo "Configuration file is not a valid site-site configuration"
	exit 0
fi

### The next section is experimental as one routing failure has been seen in the field once ###
### You can delete or comment out the whole section if you want
### Change the target e-mail address to something suitable or remove the line

# Check routing table is not corrupt
route_test=`/usr/sbin/ip r | grep "via $remote_IP dev tun"`
if [ ! "$route_test" ]; then
	systemctl restart openvpn@$tunnel.service
	logger -t openvpn.connection.tester "$tunnel restarted due to routing failure"
	echo `/usr/sbin/ip r` | mail -s "Routing table failed to $remote_IP" yourname@your_domain.com
	sleep 60
fi

### End of experimental section

# Ping the remote tunnel
# If 100% packet loss, log message then restart tunnel. Otherwise continue
ping_test=`ping -c 4 $remote_IP | grep "100% packet loss"`
if [ "$ping_test" ]; then
	systemctl restart openvpn@$tunnel.service
	logger -t openvpn.connection.tester "$tunnel restarted"
	echo "ping failed"
else
	echo "Connection good."
fi

Make the script editable:

chmod u+x /root/support/scripts/openvpn.connection.tester.sh

Scheduling the test

With the script in place you can now schedule a test of the far side of the tunnel and restart the tunnel locally. You need to know the name of the conf file which contains your site-site tunnel (with or without the full path) (Note: you will need to use vi commands to edit crontab with this method).

crontab -e

To run the checker every 5 minutes, add this line to the end of the crontab (Shift+g o):

*/5	*	*	*	*	/root/support/scripts/openvpn.connection.tester.sh OpenVPN_tunnel_conf_file &> /dev/null

Save the file. ( :wq )

By default ClearOS will use the vi editor. If you wish to permanently use a different editor, in /root/.bash_profile add the following lines:

EDITOR="nano"
export EDITOR

Replace “nano” with the editor of your choice.

content/en_us/kb_o_openvpn_connection_script.txt · Last modified: 2018/09/14 12:12 by NickH

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_o_openvpn_connection_script&1710835038