
I have a docker container in a LUbuntu 15.10 host.

This container is using the openvpn client to connect to a VPN.ac account.

This is the script I'm running to restart the vpn connection if it's down:

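    #!/bin/bash
    # Watchdog: every 60 seconds, restart the openvpn service if the client process is gone.
    while true
    do
       sleep 60s
       # Match the full command line rather than just "openvpn".
       ps -ef | grep -v grep | grep "/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/default.conf --redirect-gateway"
       if [ $? -eq 1 ] ; then
           sv restart openvpn
       fi
    done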

The problem is that if the internet connection goes down, when it comes back up the script says it's unable to resolve the vpn server hostname and I have to restart the container.

Is there a better way to do this?

BTW the reason I'm grepping for the whole command statement is that I have another container acting as VPN server and if I just do "grep openvpn" then it does find the other service too.

Thanks.

P.S - Please see below the content of the OpenVPN config file.

    remote nl1.vpn.ac 50000 udp
    dev tun
    tls-client
    persist-tun
    persist-key
    nobind
    pull
    redirect-gateway def1
    route-delay 3
    auth-user-pass pw
    keepalive 10 60
    verb 3
    explicit-exit-notify 2
    remote-cert-tls server
    setenv CLIENT_CERT 0
    key-direction 1
    cipher AES-256-CBC
    auth SHA512
    <ca>
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    </ca>
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----

    -----END OpenVPN Static key V1-----
    </tls-auth>

    script-security 2
    up update-resolv-conf.sh
    down update-resolv-conf.sh
  • Does your OpenVPN config have the resolv-retry directive somewhere?
    – Daniel B
    Commented Nov 4, 2015 at 10:01
  • No, it doesn't. Have updated original post with content of OpenVPN file.
    – Alberto
    Commented Nov 4, 2015 at 11:39

1 Answer

Normally, you should not need to do it like this: a statement like

    keepalive 10 60

in your client configuration file will automatically restart the client after 60 seconds without a ping arriving. Pings are sent every 10 seconds; if 6 are missed, the client restarts.

Alternatively, you can start openvpn as a service; on systemd distros, just copy the file /lib/systemd/system/[email protected] to a new file, say /lib/systemd/system/[email protected], and change the line

     ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

to

     ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /path/to/client-config-file/%i.conf

Lastly,

> The problem is that if the internet connection goes down, when it comes back up the script says it's unable to resolve the vpn server hostname and I have to restart the container.

means you have lost your DNS configuration, if not all connectivity altogether. You have not given enough details to unravel this; you may try ascertaining whether you lost connectivity or just the DNS by

      ping -c1 8.8.8.8

If you get a reply, you lost DNS configuration (most likely your /etc/resolv.conf file is empty); if you do not, you have lost all connectivity.

Edit:

> The client config file does call the update-resolv-conf script to use the VPN provider's DNS servers. Could that be the reason why it fails to reconnect? – Alberto

Certainly. You have two options: either delete `persist-tun`, as correctly pointed out by DanielB, or use `persist-remote-ip`. According to the Manual:

--persist-tun

Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

--persist-remote-ip

Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts.

  • The client config file does call the update-resolv-conf script to use the VPN provider's DNS servers. Could that be the reason why it fails to reconnect?
    – Alberto
    Commented Nov 4, 2015 at 10:13
  • It is. Remove persist-tun.
    – Daniel B
    Commented Nov 4, 2015 at 12:02
  • @Alberto Pls see my edit. Commented Nov 4, 2015 at 12:53
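
The connectivity-versus-DNS check from the answer, written as a small POSIX shell helper that a watchdog can call before restarting the client. This is an added example, not part of the original answer; the function names, the `PROBE_IP`/`PROBE_DNS`/`RESOLV_CONF` variables and the use of `getent` are assumptions, while 8.8.8.8 and nl1.vpn.ac come from the thread.

```shell
#!/bin/sh
# Added example: tell "no connectivity" apart from "DNS configuration lost".
# Probe commands and the resolv.conf path are variables (assumed names) so the
# logic can be exercised without touching the network.
: "${PROBE_IP:=ping -c1 -W2 8.8.8.8}"        # reachability by IP, as in the answer
: "${PROBE_DNS:=getent hosts nl1.vpn.ac}"    # resolve the VPN server from the config
: "${RESOLV_CONF:=/etc/resolv.conf}"

# Print the number of active (uncommented) nameserver lines in file $1.
# A missing or unreadable file counts as 0.
count_nameservers() {
    _n=$(grep -Ec '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$1" 2>/dev/null) || _n=0
    echo "${_n:-0}"
}

# Print one of: no-connectivity, dns-config-lost, dns-lookup-failed, ok
diagnose() {
    # Step 1: can we reach anything by IP address at all?
    if ! $PROBE_IP >/dev/null 2>&1; then
        echo no-connectivity
        return 0
    fi
    # Step 2: IP works, so check whether resolv.conf still lists a resolver.
    if [ "$(count_nameservers "$RESOLV_CONF")" -eq 0 ]; then
        echo dns-config-lost
        return 0
    fi
    # Step 3: resolvers are listed, but can they resolve the VPN server?
    if ! $PROBE_DNS >/dev/null 2>&1; then
        echo dns-lookup-failed
        return 0
    fi
    echo ok
}

# Run the diagnosis only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

A result of `dns-config-lost` or `dns-lookup-failed` while the tunnel is down matches the situation discussed above, where the resolver settings written by the up script are still in place but the VPN provider's DNS servers are no longer reachable.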
