Difference between revisions of "OpenVPN"

From Blue-IT.org Wiki

Latest revision as of 09:10, 19 November 2015

Introduction

After successfully playing around with a Cisco ASA 5505 firewall we wanted to expand our VPN experience. I personally was a little disappointed by the solutions Cisco offered us. First of all, I was very disappointed to find out that, for IPsec VPN, there is no native 64-bit client for my Linux machine. Second, the license fees for SSL VPN are barely legal. Third, the license and configuration jungle Cisco offers is not what I like.

To make a long story short: pfSense has everything we needed, was configured in a snap and, in combination with Soekris hardware, is a really robust, fast and easy-to-maintain appliance. Looking back at spending hours and hours configuring the ASA and dangling around with license issues and limitations of the software, this was one of the best decisions this year!

pFSense

There are a lot of HowTos and tutorials on how to get OpenVPN running with pfSense in version 2.x. I don't want to add another two cents here.

OpenVPN auto reconnect script

Despite the very stable connection overall: if you are on the road and the Internet connection is lost, the network manager of Ubuntu does not reconnect when the Internet is available again. There are some options in network manager to achieve this (see Ask Ubuntu), but I came up with my own solution because I had some problems to solve:

  • I do not want to save the password in the password manager
  • I am using a VirtualBox guest which loses the VPN on network reconnect
  • The password dialogue opens multiple times on reconnect
  • I am using a backup VPN server (failover)
  • I am using a configuration file for my UUIDs (working on several machines)

Because I am NOT SAVING MY VPN PASSWORD in the keyring, the GUI asks for the VPN password. It does this every 30 seconds. The problem: if nobody enters the password, the GUI pops up a new password dialog. This results in a massive number of open dialogues: during one night > 30-40 dialogues. This means the dialogue is not reopened on every recall; a new one is created instead.

This does NOT work for me on Ubuntu 14.04:

Prerequisites

Mandatory:

  1. Install the helper script "killall_" in /home/${USER}/bin or find another solution to kill the password dialog.
  2. A configuration file conf/vpn_reconnect.conf (in /home/${USER}/bin/conf) with the following content:
cd /home/${USER}/bin/
mkdir conf
vim conf/vpn_reconnect.conf
# The "pinghost" should be the host
# whose name resolution should work
# when the vpn is connected,
# e.g. "my-firewall" should resolve to the ip "10.10.1.1"
PING_HOST="hostname of vpn host"
DOMAIN="domainname.int"
myVPN="uuid from /etc/NetworkManager/system-connections"
# alternate vpn server / backup vpn
myVPN_EMERGENCY="uuid from /etc/NetworkManager/system-connections"


Optional:

  1. If you are using VirtualBox, you should read the article about reconnecting the guest network, install the script and set useVboxReconnect="yes".
  2. If you have a second (failover) VPN server, you can use it by setting useVPNEmergency="yes" and giving $myVPN_EMERGENCY a value in the configuration file.

The vpn reconnect script

touch /home/${USER}/bin/vpn_reconnect
chmod 755 /home/${USER}/bin/vpn_reconnect
vim /home/${USER}/bin/vpn_reconnect
#!/bin/bash
# The "pinghost" should be the host
# whose name resolution should work
# when the vpn is connected,
# e.g. "my-firewall" should resolve to the ip "10.10.1.1"

# PRE: You should keep the openvpn-auth-dialog in foreground
# - using e. g. CCSM
# - Window rules
# - Above:  | class=Nm-openvpn-auth-dialog
# - Sticky: | class=Nm-openvpn-auth-dialog

######################################################
## SET ACCORDING TO USAGE ############################

useVPNEmergency="no"
useVboxReconnect="no"
# no space around "=": "configuration =..." would be executed as a command
configuration="/home/${USER}/bin/conf/vpn_reconnect.conf"
export PATH="${PATH}:/home/${USER}/bin"

######################################################

PING_HOST=""
DOMAIN=""
myVPN=""
myVPN_EMERGENCY=""
myGSM=""
cd /home/${USER}/bin
source "${configuration}"

# Error messages in en_US (the locale variable is LC_CTYPE, not LC_TYPE)
export LC_MESSAGES="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
export LANGUAGE="en_US.UTF-8"

# vbox_reconnect_network is the helper script from the VirtualBox article (on PATH)
vpn_connect() {

   echo "Killing all opened openvpn auth dialog"
   if [ "$(ps x | grep openvpn-auth-dialog | grep -v grep | awk '{print $1}')" == "" ]
   then
       echo "No openvpn-auth-dialog open ... continuing"
   else
       killall_ openvpn-auth-dialog
       if [ "${useVboxReconnect}" == "yes" ]; then vbox_reconnect_network; fi
   fi

   echo "Connecting to vpn ..."
   if nmcli con up uuid "${myVPN}"
   then
       if [ "${useVboxReconnect}" == "yes" ]; then vbox_reconnect_network; fi
   else
       # primary server failed: try the failover server if one is configured
       if [ "${useVPNEmergency}" == "yes" ]
       then
           if nmcli con up uuid "${myVPN_EMERGENCY}"
           then
               if [ "${useVboxReconnect}" == "yes" ]; then vbox_reconnect_network; fi
           fi
       fi

       if [ "${useVboxReconnect}" == "yes" ]; then vbox_reconnect_network; fi
   fi
}

vpn_disconnect() {
        echo "Disconnecting from vpn..."
        nmcli con down uuid "${myVPN}" || \
        nmcli con down uuid "${myVPN_EMERGENCY}"
        if [ "${useVboxReconnect}" == "yes" ]; then vbox_reconnect_network; fi
}

# Singleton ;-)  (grep -v subl / vi exclude editors that have the script open)
if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi
then
        echo "$0 already running. Exiting"
        exit 1
else
        while true
        do
                # the ping output contains the FQDN only if the name resolves via the vpn
                if ping -c 5 "${PING_HOST}" | grep "${DOMAIN}"
                then
                        echo "Connection established (or local network)."
                else
                        echo " Recheck after 10 sec ..."
                        sleep 10

                        if ping -c 5 "${PING_HOST}" | grep "${DOMAIN}"
                        then
                                echo "Connection established (or local network)."
                        else
                                vpn_connect
                        fi
                fi

        # 90 seconds is the timeout for vpn-auth-gui if not successful
        sleep 100

        done
fi
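The script above runs `source "${configuration}"`, which executes whatever is in that file as the user, and then feeds the sourced UUIDs straight into nmcli. The following guard is an added example, not part of the original vpn_reconnect script: it refuses to source a configuration file that is not owned by the current user or is writable by group/others, and rejects configurations that leave the required variables empty. It assumes only POSIX find and id; safe_to_source and load_configuration are names chosen here.

```bash
#!/bin/bash
# Added example: guard the `source "${configuration}"` step of vpn_reconnect.
# A config file that others can write is arbitrary code execution as the user.

# Return 0 if "$1" is a regular file owned by the current user and not
# writable by group or others; otherwise print a reason and return 1.
safe_to_source() {
    local f="$1"
    if [ ! -f "$f" ]; then
        echo "config '$f' is not a regular file" >&2; return 1
    fi
    # find prints the path only if the owner is NOT the current user
    if [ -n "$(find "$f" -prune ! -user "$(id -un)" -print 2>/dev/null)" ]; then
        echo "config '$f' is not owned by $(id -un)" >&2; return 1
    fi
    # mode bits 020 (group write) or 002 (other write) set -> reject
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "config '$f' is writable by group or others" >&2; return 1
    fi
    return 0
}

# Source the file only after the checks pass, then make sure the values
# vpn_reconnect relies on are non-empty (an empty myVPN would otherwise
# end up in `nmcli con up uuid ""`).
load_configuration() {
    local f="$1" name
    safe_to_source "$f" || return 1
    # shellcheck disable=SC1090
    . "$f"
    for name in PING_HOST DOMAIN myVPN; do
        if [ -z "${!name}" ]; then
            echo "config '$f' does not set $name" >&2; return 1
        fi
    done
    if [ "${useVPNEmergency:-no}" = "yes" ] && [ -z "${myVPN_EMERGENCY}" ]; then
        echo "useVPNEmergency=yes but myVPN_EMERGENCY is empty" >&2; return 1
    fi
    return 0
}
```

In vpn_reconnect, `source "${configuration}"` would become `load_configuration "${configuration}" || exit 1`.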

Troubleshooting

However, there is sometimes a problem with nm-applet which affects me on OpenVPN as well:

* https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1297849

So I have to restart NetworkManager and the applet like this:

#!/bin/bash
export PATH="${PATH}:/home/${USER}/bin"

# stop the reconnect loop first so it does not interfere with the restart
killall_ vpn_reconnect

sudo killall NetworkManager &

sleep 5
killall nm-applet
sleep 3

nm-applet &
sleep 2

# start the reconnect loop again
vpn_reconnect &

VPN client on ubuntu server

Client mode

All you need is:

  • a ".ovpn" configuration file and rename it to ".conf"
    • each unique named ".conf" is a vpn client
    • chmod 600 (rw only for root)
  • all necessary credentials that refer to ".p12", ".crt", ".key" -files within the ".ovpn"-file
    • have to be in the /etc/openvpn directory and
    • chmod 400 (read only for root!)
  • place everything in the /etc/openvpn directory
  • edit the /etc/default/openvpn configuration file.
    • Put the name of the ".conf"-file without the ".conf" in the AUTOSTART variable.
    • OR simply make AUTOSTART="all" which will start all vpn clients