Difference between revisions of "OpenVPN"
From Blue-IT.org Wiki
(→Client mode)
(→OpenVPN auto reconnect script)
Line 12: | Line 12: | ||
== OpenVPN auto reconnect script == | == OpenVPN auto reconnect script == | ||
− | Despite the very stable connection overall - if you are on the road and the internet connection is lost, the network manager of Ubuntu does not reconnect when internet is available again. | + | Despite the very stable connection overall - if you are on the road and the internet connection is lost, the network manager of Ubuntu does not reconnect when internet is available again. |
− | + | I am using a little [http://ubuntuforums.org/showthread.php?t=1316314&page=2&p=11818820#post11818820 improved script]. | |
+ | |||
+ | Since I am NOT SAVING MY VPN PASSWORD in the keyring, the gui asks for the vpn passord. It does this every 30 seconds. The problem: if nobody enters the password, the gui popups a new password dialog. This results in a massive amount of dialogues open. During one night > 30-40 dialogues. This means, the dialogue is not reopend on every recall. | ||
+ | |||
+ | === Prerequisites === | ||
+ | |||
+ | # Helper script [[Bash#Kill_all_processes_with_a_certain_name killall_]] in ''/home/${USER}/bin'' | ||
+ | # A configuration file ''conf/vpn_reconnect.conf'' (''/home/${USER}/bin/'''conf''''') with the following content: | ||
+ | |||
+ | cd /home/${USER}/bin/ | ||
+ | mkdir conf | ||
+ | vim vpn_reconnect.conf | ||
+ | |||
+ | PING_HOST="hostname of vpn host" | ||
+ | DOMAIN="domainname.int" | ||
+ | myVPN="uuid from /etc/NetworkManager/system-connections" | ||
+ | |||
+ | touch /home/${USER}/bin/vpn_reconnect | ||
+ | chmod 755 /home/${USER}/bin/vpn_reconnect | ||
+ | vim /home/${USER}/bin/vpn_reconnect | ||
+ | |||
+ | #!/bin/bash | ||
+ | # The "pinghost" should be the host, | ||
+ | # which nameresolution should be working | ||
+ | # when the vpn is connected | ||
+ | # e.g. "my-firewall" should resolve the ip "10.10.1.1" | ||
+ | |||
+ | # PRE: You should keep the openvpn-auth-dialog in foreground | ||
+ | # - using e. g. CCSM | ||
+ | # - Window rules | ||
+ | # - Above: | class=Nm-openvpn-auth-dialog | ||
+ | # - Sticky: | class=Nm-openvpn-auth-dialog | ||
+ | |||
+ | |||
+ | PING_HOST="" | ||
+ | DOMAIN="" | ||
+ | myVPN="" | ||
+ | myVPN_EMERGENCY="" | ||
+ | myGSM="" | ||
+ | cd /home/${USER}/bin | ||
+ | source conf/vpn_reconnect.conf | ||
+ | |||
+ | useVPNEmergency="no" | ||
+ | |||
+ | export PATH="${PATH}:/home/${USER}/bin" | ||
+ | |||
+ | export LC_MESSAGES="en_US.UTF-8" | ||
+ | export LC_TYPE="en_US.UTF-8" | ||
+ | export LANGUAGE="en_US.UTF-8" | ||
+ | |||
+ | vpn_connect() { | ||
+ | |||
+ | echo "Killing all opened openvpn auth dialog" | ||
+ | if [ "$(ps x | grep openvpn-auth-dialog | grep -v grep | awk '{print $1}')" == "" ] | ||
+ | then | ||
+ | echo "No openvpn-auth-dialog open ... continuing" | ||
+ | else | ||
+ | killall_ openvpn-auth-dialog | ||
+ | vbox_reconnect_network | ||
+ | fi | ||
+ | |||
+ | echo "Verbinung VPN-acinus herstellen ..." | ||
+ | if nmcli con up uuid "${myVPN}" | ||
+ | then | ||
+ | vbox_reconnect_network | ||
+ | else | ||
+ | if ["$useVPNEmergency" == "yes"]; then nmcli con up uuid "${myVPN_EMERGENCY}"; fi | ||
+ | killall_ openvpn-auth-dialog | ||
+ | vbox_reconnect_network | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | vpn_disconnect() { | ||
+ | echo "Verbinung VPN-acinus abbauen ..." | ||
+ | # acinus, then administrator | ||
+ | nmcli con down uuid "${myVPN}" || \ | ||
+ | nmcli con down uuid "${myVPN_EMERGENCY}" | ||
+ | vbox_reconnect_network | ||
+ | } | ||
+ | |||
+ | connect_wlan() { | ||
+ | # wwan off | ||
+ | # wifi on | ||
+ | echo "" | ||
+ | } | ||
+ | |||
+ | |||
+ | if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi | ||
+ | then | ||
+ | echo "$0 already running. Exiting" | ||
+ | exit 1 | ||
+ | else | ||
+ | |||
+ | |||
+ | while (true); | ||
+ | do | ||
+ | |||
+ | if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | ||
+ | then | ||
+ | echo "Verbindung mit acinus ist hergestellt (oder lokales Netzwerk)." | ||
+ | else | ||
+ | echo " Recheck after 10 sec ..." | ||
+ | sleep 10 | ||
+ | |||
+ | #if wwan | grep on | ||
+ | #then | ||
+ | # echo "UMTS Verbindung ist aktiviert." | ||
+ | #connect_umts | ||
+ | #vpn_disconnect | ||
+ | if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | ||
+ | then | ||
+ | echo "Verbindung mit acinus ist hergestellt (oder lokales Netzwerk)." | ||
+ | else | ||
+ | vpn_connect | ||
+ | |||
+ | fi | ||
+ | |||
+ | #else | ||
+ | #vpn_disconnect | ||
+ | # vpn_connect | ||
+ | #fi | ||
+ | |||
+ | fi | ||
+ | |||
+ | sleep 30 | ||
+ | |||
+ | done | ||
+ | |||
+ | fi | ||
== VPN client on ubuntu server == | == VPN client on ubuntu server == |
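Review bot: in vpn_connect the fallback line `if ["$useVPNEmergency" == "yes"]; then nmcli con up uuid "${myVPN_EMERGENCY}"; fi` has no spaces inside the brackets, so bash looks for a command literally named `[no` (or `[yes`) instead of running the test, and the emergency connection is never brought up; it should read `if [ "$useVPNEmergency" == "yes" ]; then ...`. In the same hunk, `vbox_reconnect_network` is called from vpn_connect and vpn_disconnect but is neither defined in the script nor listed under Prerequisites (only `killall_` is), so it fails with "command not found" unless it also lives in /home/${USER}/bin; `export LC_TYPE="en_US.UTF-8"` sets a variable no program reads, the locale category is `LC_CTYPE`; and the Prerequisites run `vim vpn_reconnect.conf` from inside bin/ while the script does `source conf/vpn_reconnect.conf`, so the file should be created as `conf/vpn_reconnect.conf`.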
Revision as of 09:59, 17 November 2015
Introduction
After successfully playing around with a Cisco ASA 5505 firewall we wanted to expand our VPN experience. I personally was a little disappointed by the solutions Cisco offered us. First of all, I was very disappointed to find out that, for IPSec VPN, there is no native 64-bit client for my Linux machine. Second, the license fees for SSL VPN are barely legal. Third, the license and configuration jungle Cisco offers is not what I like.
To make a long story short: pfSense has everything we needed, was configured in a snap, and in combination with Soekris hardware is a really robust, fast and easy to maintain appliance. Looking back at the hours and hours spent configuring the ASA and struggling with license issues and limitations of the software, this was one of the best decisions this year!
pfSense
There are a lot of HowTos and tutorials on how to get OpenVPN running with pfSense 2.x. I don't want to add another two cents here.
OpenVPN auto reconnect script
Despite the very stable connection overall, if you are on the road and the internet connection is lost, Ubuntu's NetworkManager does not reconnect the VPN when the internet is available again.
I am using a slightly improved version of this script: http://ubuntuforums.org/showthread.php?t=1316314&page=2&p=11818820#post11818820
Since I am NOT SAVING MY VPN PASSWORD in the keyring, the GUI asks for the VPN password. It does this every 30 seconds. The problem: if nobody enters the password, the GUI pops up a new password dialog each time. This results in a massive number of open dialogues; during one night more than 30-40 dialogues. This means the dialogue should not be reopened on every recall.
Prerequisites
- Helper script killall_ (see Bash#Kill_all_processes_with_a_certain_name on this wiki) in /home/${USER}/bin
- A configuration file conf/vpn_reconnect.conf (in /home/${USER}/bin/conf) with the following content:

cd /home/${USER}/bin/
mkdir conf
vim conf/vpn_reconnect.conf

PING_HOST="hostname of vpn host"
DOMAIN="domainname.int"
myVPN="uuid from /etc/NetworkManager/system-connections"

Then create the script itself:

touch /home/${USER}/bin/vpn_reconnect
chmod 755 /home/${USER}/bin/vpn_reconnect
vim /home/${USER}/bin/vpn_reconnect

#!/bin/bash
# The "pinghost" should be the host
# whose name resolution should be working
# when the vpn is connected,
# e.g. "my-firewall" should resolve to the ip "10.10.1.1"

# PRE: You should keep the openvpn-auth-dialog in foreground
# - using e.g. CCSM
#   - Window rules
#     - Above:  | class=Nm-openvpn-auth-dialog
#     - Sticky: | class=Nm-openvpn-auth-dialog
#
# killall_ and vbox_reconnect_network are helper scripts that are expected
# (presumably) in /home/${USER}/bin; they are not defined in this file.

PING_HOST=""
DOMAIN=""
myVPN=""
myVPN_EMERGENCY=""
myGSM=""
cd /home/${USER}/bin
source conf/vpn_reconnect.conf

useVPNEmergency="no"

export PATH="${PATH}:/home/${USER}/bin"

export LC_MESSAGES="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
export LANGUAGE="en_US.UTF-8"

vpn_connect() {

    echo "Killing all opened openvpn auth dialog"
    if [ "$(ps x | grep openvpn-auth-dialog | grep -v grep | awk '{print $1}')" == "" ]
    then
        echo "No openvpn-auth-dialog open ... continuing"
    else
        killall_ openvpn-auth-dialog
        vbox_reconnect_network
    fi

    echo "Verbindung VPN-acinus herstellen ..."
    if nmcli con up uuid "${myVPN}"
    then
        vbox_reconnect_network
    else
        # fall back to the emergency connection only if enabled (spaces inside [ ] are required)
        if [ "$useVPNEmergency" == "yes" ]; then nmcli con up uuid "${myVPN_EMERGENCY}"; fi
        killall_ openvpn-auth-dialog
        vbox_reconnect_network
    fi
}

vpn_disconnect() {
    echo "Verbindung VPN-acinus abbauen ..."
    # acinus, then administrator
    nmcli con down uuid "${myVPN}" || \
    nmcli con down uuid "${myVPN_EMERGENCY}"
    vbox_reconnect_network
}

connect_wlan() {
    # wwan off
    # wifi on
    echo ""
}

# Single-instance check: exit if another copy of this script is running
# (editors that have the file open are excluded from the match)
if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi
then
    echo "$0 already running. Exiting"
    exit 1
else

    while true
    do

        # The VPN (or the local network) is up when the ping host resolves inside the VPN domain
        if ping -c 5 ${PING_HOST} | grep ${DOMAIN}
        then
            echo "Verbindung mit acinus ist hergestellt (oder lokales Netzwerk)."
        else
            echo " Recheck after 10 sec ..."
            sleep 10

            #if wwan | grep on
            #then
            #    echo "UMTS Verbindung ist aktiviert."
            #    connect_umts
            #    vpn_disconnect
            if ping -c 5 ${PING_HOST} | grep ${DOMAIN}
            then
                echo "Verbindung mit acinus ist hergestellt (oder lokales Netzwerk)."
            else
                vpn_connect
            fi

            #else
            #    vpn_disconnect
            #    vpn_connect
            #fi

        fi

        sleep 30

    done

fi
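As an added example (not the wiki's script), the same reconnect loop with its decisions factored into functions that take their inputs as arguments, so the logic can be exercised without NetworkManager. It assumes the wiki's config variables PING_HOST, DOMAIN and myVPN are set, uses flock instead of the ps|grep instance check and pkill instead of the killall_ helper, and adds a growing retry delay the original does not have; the nmcli and ps samples are constructed.

```shell
#!/bin/bash
# Added example, not the wiki's script: the reconnect loop's decisions as
# functions that take their inputs as arguments, so they run without
# NetworkManager. PING_HOST, DOMAIN and myVPN are the wiki's config variables.
# Constructed samples of `nmcli -t -f UUID,STATE con show --active` and `ps -e -o args=`
SAMPLE_ACTIVE='11111111-2222-3333-4444-555555555555:activated
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:activating'
SAMPLE_PS='/bin/bash /home/user/bin/vpn_reconnect
nm-openvpn-auth-dialog --name office
nm-openvpn-auth-dialog --name office'

# $1 = nmcli output, $2 = connection uuid -> prints activated | activating | inactive
vpn_state() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2; f = 1 } END { if (!f) print "inactive" }'
}
# $1 = ps listing -> number of password prompts still open (the pile-up described above)
auth_dialogs() { printf '%s\n' "$1" | grep -c 'openvpn-auth-dialog' || true; }

# $1 = vpn state, $2 = ok|fail from the ping check, $3 = open dialog count
# -> prints connected | kill-dialogs | wait | connect
decide_action() {
  if [ "$2" = ok ]; then echo connected; return 0; fi
  if [ "$3" -gt 0 ]; then echo kill-dialogs; return 0; fi   # close stale prompts before retrying
  case "$1" in
    activating) echo wait ;;      # NetworkManager is already dialing; don't stack a second attempt
    *)          echo connect ;;
  esac
}
# Doubles the retry delay up to 600 s so an unattended laptop is not prompted every 30 s.
# This backoff is an addition; the wiki script sleeps a fixed 30 s.
next_delay() { d=$(( $1 * 2 )); [ "$d" -gt 600 ] && d=600; echo "$d"; }

main_loop() {
  exec 9>"/tmp/vpn_reconnect.${USER}.lock"
  flock -n 9 || { echo "$0 already running. Exiting"; exit 1; }   # replaces the ps|grep check
  delay=30
  while true; do
    if ping -c 3 -W 3 "${PING_HOST}" 2>/dev/null | grep -q "${DOMAIN}"; then p=ok; else p=fail; fi
    state=$(vpn_state "$(nmcli -t -f UUID,STATE con show --active)" "${myVPN}")
    case "$(decide_action "$state" "$p" "$(auth_dialogs "$(ps -e -o args=)")")" in
      connected)    delay=30 ;;
      kill-dialogs) pkill -f openvpn-auth-dialog; nmcli con up uuid "${myVPN}"; delay=$(next_delay "$delay") ;;
      connect)      nmcli con up uuid "${myVPN}"; delay=$(next_delay "$delay") ;;
      wait)         ;;
    esac
    sleep "$delay"
  done
}
# Only start the loop when explicitly asked, so the functions above can be sourced and tested.
[ "${RUN_VPN_LOOP:-no}" = yes ] && main_loop
```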
VPN client on ubuntu server
Client mode
All you need is:
- a ".ovpn" configuration file, renamed to ".conf"
  - each uniquely named ".conf" is one VPN client
  - chmod 600 (rw only for root)
- all credential files the ".ovpn" file refers to (".p12", ".crt", ".key")
  - have to be in the /etc/openvpn directory and
  - chmod 400 (read only for root!)
- place everything in the /etc/openvpn directory
- edit the /etc/default/openvpn configuration file:
  - put the name of the ".conf" file without the ".conf" in the AUTOSTART variable,
  - OR simply set AUTOSTART="all", which starts all VPN clients.
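An added check (not from the wiki) for the permission rules listed above: it reads the credential directives out of a client .conf and reports any referenced file that is missing, lies outside the config directory, or is not mode 400, and a .conf that is not mode 600. The check_ovpn_perms and sample_config_dir names and the sample config are constructed; stat -c is the GNU form.

```shell
#!/bin/bash
# Added example, not from the wiki: verify that a client .conf and every
# credential file it references follow the rules above (600 for the .conf,
# 400 for keys and certs, all of them inside the config directory).
# $1 = path to the .conf, $2 = config directory (default /etc/openvpn).
# Prints one line per finding; returns 1 if anything is wrong, 0 if all is well.
check_ovpn_perms() {
  conf=$1; dir=${2:-/etc/openvpn}; rc=0
  [ "$(stat -c %a "$conf")" = 600 ] || { echo "$conf: mode should be 600"; rc=1; }
  # credential directives whose second word is a file name
  for f in $(awk '$1 ~ /^(ca|cert|key|pkcs12|tls-auth|tls-crypt)$/ { print $2 }' "$conf"); do
    case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
    if [ ! -f "$p" ]; then echo "$f: referenced but missing"; rc=1; continue; fi
    case $p in "$dir"/*) ;; *) echo "$f: outside $dir"; rc=1 ;; esac
    [ "$(stat -c %a "$p")" = 400 ] || { echo "$f: mode should be 400"; rc=1; }
  done
  return $rc
}

# Constructed sample: a temporary config directory with one client whose key
# was left world-readable (a common slip after copying files over). Prints the path.
sample_config_dir() {
  d=$(mktemp -d)
  printf 'client\ndev tun\nremote vpn.example.invalid 1194\nca ca.crt\ncert client.crt\nkey client.key\n' > "$d/office.conf"
  : > "$d/ca.crt"; : > "$d/client.crt"; : > "$d/client.key"
  chmod 600 "$d/office.conf"; chmod 400 "$d/ca.crt" "$d/client.crt"; chmod 644 "$d/client.key"
  echo "$d"
}
```

Run it as root against the real directory with `check_ovpn_perms /etc/openvpn/office.conf` after placing the files; a non-zero exit means at least one finding was printed.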