Difference between revisions of "OpenVPN"
From Blue-IT.org Wiki
(→OpenVPN auto reconnect script) |
(→OpenVPN auto reconnect script) |
||
| Line 16: | Line 16: | ||
I am using a little [http://ubuntuforums.org/showthread.php?t=1316314&page=2&p=11818820#post11818820 improved script]. | I am using a little [http://ubuntuforums.org/showthread.php?t=1316314&page=2&p=11818820#post11818820 improved script]. | ||
| − | + | Because I am '''NOT SAVING MY VPN PASSWORD''' in the keyring, the gui asks for the vpn passord. It does this every 30 seconds. The problem: if nobody enters the password, the gui popups a new password dialog. This results in a massive amount of dialogues open. During one night > 30-40 dialogues. This means, the dialogue is not reopend on every recall. | |
| + | |||
| + | This does NOT work for me on Ubuntu 14.04: | ||
| + | * [http://sourceforge.net/projects/vpnautoconnect/?source=typ_redirect vpnautoconnect] | ||
=== Prerequisites === | === Prerequisites === | ||
| − | + | # '''IMPORTANT''': Install the helper script [[Bash#Kill_all_processes_with_a_certain_name killall_]] in ''/home/${USER}/bin'' or find another solution to kill the password dialog | |
| − | # | ||
# A configuration file ''conf/vpn_reconnect.conf'' (''/home/${USER}/bin/'''conf''''') with the following content: | # A configuration file ''conf/vpn_reconnect.conf'' (''/home/${USER}/bin/'''conf''''') with the following content: | ||
| Line 27: | Line 29: | ||
vim vpn_reconnect.conf | vim vpn_reconnect.conf | ||
| + | # The "pinghost" should be the host, | ||
| + | # which name resolution should be working | ||
| + | # when the vpn is connected | ||
| + | # e.g. "my-firewall" should resolve the ip "10.10.1.1" | ||
PING_HOST="hostname of vpn host" | PING_HOST="hostname of vpn host" | ||
DOMAIN="domainname.int" | DOMAIN="domainname.int" | ||
myVPN="uuid from /etc/NetworkManager/system-connections" | myVPN="uuid from /etc/NetworkManager/system-connections" | ||
| + | # alternate vpn server / backup vpn | ||
| + | myVPN_EMERGENCY="uuid from /etc/NetworkManager/system-connections" | ||
| + | === The script === | ||
touch /home/${USER}/bin/vpn_reconnect | touch /home/${USER}/bin/vpn_reconnect | ||
chmod 755 /home/${USER}/bin/vpn_reconnect | chmod 755 /home/${USER}/bin/vpn_reconnect | ||
| Line 37: | Line 46: | ||
#!/bin/bash | #!/bin/bash | ||
# The "pinghost" should be the host, | # The "pinghost" should be the host, | ||
| − | # which | + | # which name resolution should be working |
# when the vpn is connected | # when the vpn is connected | ||
# e.g. "my-firewall" should resolve the ip "10.10.1.1" | # e.g. "my-firewall" should resolve the ip "10.10.1.1" | ||
| Line 46: | Line 55: | ||
# - Above: | class=Nm-openvpn-auth-dialog | # - Above: | class=Nm-openvpn-auth-dialog | ||
# - Sticky: | class=Nm-openvpn-auth-dialog | # - Sticky: | class=Nm-openvpn-auth-dialog | ||
| − | + | ||
| − | |||
PING_HOST="" | PING_HOST="" | ||
DOMAIN="" | DOMAIN="" | ||
| Line 92: | Line 100: | ||
nmcli con down uuid "${myVPN_EMERGENCY}" | nmcli con down uuid "${myVPN_EMERGENCY}" | ||
vbox_reconnect_network | vbox_reconnect_network | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
} | } | ||
| + | # Singleton ;-) | ||
if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi | if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi | ||
then | then | ||
| Line 113: | Line 116: | ||
if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | ||
then | then | ||
| − | echo " | + | echo "Connection established (or local network)." |
else | else | ||
echo " Recheck after 10 sec ..." | echo " Recheck after 10 sec ..." | ||
sleep 10 | sleep 10 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | if ping -c 5 ${PING_HOST} | grep ${DOMAIN} | ||
then | then | ||
| − | echo " | + | echo "Connection established (or local network)." |
else | else | ||
vpn_connect | vpn_connect | ||
fi | fi | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
fi | fi | ||
Revision as of 10:05, 17 November 2015
Contents
Introduction
After successfully played around with an Cisco ASA 5505 Firewall we liked to expand our VPN experience. I personally was a little disappointed about the solutions, Cisco offered to us. First of all, I was very disappointed finding out, that - for IPSec VPN - there doesn't exist an native 64bit client for my linux machine. Second the license fees for SSL VPN are barely legal. Third the license and configuration djungle Cisco offers is not what I like.
To make a long story short: pFsense has everything we needed, was configured in a snap and in combination with a Soekris hardware ist a really robust, fast and easy to maintain appliance. ooking back spending hours and hours configuring the ASA, dangling around with license issues and limitationsone of the software this was one of the best decisions this year!
pFSense
There are a lot of HowTo's and Tutorials how to get OpenVPN running with pfSense in version 2.x. I don't like to add another 2 cents here.
OpenVPN auto reconnect script
Despite the very stable connection overall - if you are on the road and the internet connection is lost, the network manager of Ubuntu does not reconnect when internet is available again.
I am using a little improved script.
Because I am NOT SAVING MY VPN PASSWORD in the keyring, the gui asks for the vpn passord. It does this every 30 seconds. The problem: if nobody enters the password, the gui popups a new password dialog. This results in a massive amount of dialogues open. During one night > 30-40 dialogues. This means, the dialogue is not reopend on every recall.
This does NOT work for me on Ubuntu 14.04:
Prerequisites
- IMPORTANT: Install the helper script Bash#Kill_all_processes_with_a_certain_name killall_ in /home/${USER}/bin or find another solution to kill the password dialog
- A configuration file conf/vpn_reconnect.conf (/home/${USER}/bin/conf) with the following content:
cd /home/${USER}/bin/
mkdir conf
vim vpn_reconnect.conf
# The "pinghost" should be the host, # which name resolution should be working # when the vpn is connected # e.g. "my-firewall" should resolve the ip "10.10.1.1" PING_HOST="hostname of vpn host" DOMAIN="domainname.int" myVPN="uuid from /etc/NetworkManager/system-connections" # alternate vpn server / backup vpn myVPN_EMERGENCY="uuid from /etc/NetworkManager/system-connections"
The script
touch /home/${USER}/bin/vpn_reconnect
chmod 755 /home/${USER}/bin/vpn_reconnect
vim /home/${USER}/bin/vpn_reconnect
#!/bin/bash
# The "pinghost" should be the host,
# which name resolution should be working
# when the vpn is connected
# e.g. "my-firewall" should resolve the ip "10.10.1.1"
# PRE: You should keep the openvpn-auth-dialog in foreground
# - using e. g. CCSM
# - Window rules
# - Above: | class=Nm-openvpn-auth-dialog
# - Sticky: | class=Nm-openvpn-auth-dialog
PING_HOST=""
DOMAIN=""
myVPN=""
myVPN_EMERGENCY=""
myGSM=""
cd /home/${USER}/bin
source conf/vpn_reconnect.conf
useVPNEmergency="no"
export PATH="${PATH}:/home/${USER}/bin"
export LC_MESSAGES="en_US.UTF-8"
export LC_TYPE="en_US.UTF-8"
export LANGUAGE="en_US.UTF-8"
vpn_connect() {
echo "Killing all opened openvpn auth dialog"
if [ "$(ps x | grep openvpn-auth-dialog | grep -v grep | awk '{print $1}')" == "" ]
then
echo "No openvpn-auth-dialog open ... continuing"
else
killall_ openvpn-auth-dialog
vbox_reconnect_network
fi
echo "Verbinung VPN-acinus herstellen ..."
if nmcli con up uuid "${myVPN}"
then
vbox_reconnect_network
else
if ["$useVPNEmergency" == "yes"]; then nmcli con up uuid "${myVPN_EMERGENCY}"; fi
killall_ openvpn-auth-dialog
vbox_reconnect_network
fi
}
vpn_disconnect() {
echo "Verbinung VPN-acinus abbauen ..."
# acinus, then administrator
nmcli con down uuid "${myVPN}" || \
nmcli con down uuid "${myVPN_EMERGENCY}"
vbox_reconnect_network
}
# Singleton ;-)
if ps x | grep -v grep | grep -v $$ | grep $0 | grep -v subl | grep -v vi
then
echo "$0 already running. Exiting"
exit 1
else
while (true);
do
if ping -c 5 ${PING_HOST} | grep ${DOMAIN}
then
echo "Connection established (or local network)."
else
echo " Recheck after 10 sec ..."
sleep 10
if ping -c 5 ${PING_HOST} | grep ${DOMAIN}
then
echo "Connection established (or local network)."
else
vpn_connect
fi
fi
sleep 30
done
fi
VPN client on ubuntu server
Client mode
All you need is:
- a ".ovpn" configuration file and rename it to ".conf"
- each unique named ".conf" is a vpn client
- chmod 600 (rw only for root)
- all necessary credentials that refer to ".p12", ".crt", ".key" -files within the ".ovpn"-file
- have to be in the /etc/openvpn directory and
- chmod 400 (read only for root!)
- place everything in the /etc/openvpn directory
- edit the /etc/default/openvpn configuration file.
- Put the name of the ".conf"-file without the ".conf" in the AUTOSTART variable.
- OR simply make AUTOSTART="all" which will start all vpn clients