
Currently, I connect to a remote network using openvpn, and then when "Initialization Sequence Completed" appears in the terminal, I run a script in a second window. (All without having to type my password.)

$ cat /etc/sudoers.d/openvpn 
ron ALL = NOPASSWD: /usr/sbin/openvpn

xterm 1:

sudo openvpn --config foo.ovpn

xterm 2:

./snaggle.sh

Being lazy, though, I want to combine the two into one command, but can't figure out how. One thing I do know is that this doesn't work:

sudo nohup openvpn --config foo.ovpn &

EDIT: When adding these commands to foo.ovpn, I noticed that they ran well before "Initialization Sequence Completed" appeared:

user ron
group ron
script-security 2
up /home/ron/snaggle.sh

EDIT 2: here's the contents of snaggle.sh. (Of importance: sometimes I need to connect to the VPN without running this script.)

#!/bin/bash

echo "$HOME"
# Stop here if the work directory is missing rather than writing results into the wrong place
cd "$HOME/work" || exit 1

readonly TS=$(TZ=UTC date +"%Y%m%d_%H%M")
readonly TSHUMAN=$(TZ=UTC date +"%F %H:%M %Z")
readonly OUTFILE=results/prod_cluster_${TS}UTC.txt

for ip in 16 17 18; do
    node=10.0.83.${ip}
    echo "$node"
    echo -e "\n\n ${node} \n" >> "${OUTFILE}"
    # Run the two queries on the node and append their output to the report
    ssh "A467197@${node}" "bash -s" <<EOF >> "${OUTFILE}"
mysql -N -e "select 'Uptime is ', mysql.big_time_format(VARIABLE_VALUE) as Uptime from performance_schema.global_status where VARIABLE_NAME='Uptime';"
mysql -N -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster%';"
EOF
done

# Mail the report to every address listed in email_addrs.txt
echo "" | mutt -s "Some private stuff at ${TSHUMAN}" -a "${OUTFILE}" -- $(cat email_addrs.txt)

EDIT 3:

OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
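One way to get the single command the question asks for, without any OpenVPN hook at all: start OpenVPN detached with its output going to a log file, poll that file for the same "Initialization Sequence Completed" line the question watches for in the terminal (or for OpenVPN's "Exiting due to fatal error" line), and only then run the job, as the ordinary user rather than as root. This is an added example written for this page, not code from the question or from any answer. It assumes the sudoers entry from the question, a profile that needs no interactive input (as in the question), bash and coreutils; the pidfile path, the 90 second limit and the names LIMIT_SECS and PIDFILE are my choices.

```bash
#!/bin/bash
# vpn-run.sh: one command that brings the VPN up and then runs a job over it.
# Added example for this thread, not code from the question or an answer.
# Assumed: the sudoers line from the question (openvpn without a password), bash,
# coreutils. The pidfile path and the 90 s limit are arbitrary choices.
#
#   ./vpn-run.sh foo.ovpn ./snaggle.sh     # connect, then run the job as yourself
#   ./vpn-run.sh foo.ovpn                  # connect only (the "no script today" case)
set -u

LIMIT_SECS=${LIMIT_SECS:-90}
PIDFILE=${PIDFILE:-/run/openvpn-vpn-run.pid}    # assumed path; written by root

# wait_for_line FILE OK_PATTERN FAIL_PATTERN TIMEOUT
# Polls FILE once a second (fixed-string matches). Returns 0 when OK_PATTERN appears,
# 2 when FAIL_PATTERN appears, 1 when TIMEOUT seconds pass with neither.
wait_for_line() {
  local file=$1 ok=$2 fail=$3 timeout=$4 waited=0
  while :; do
    if [ -r "$file" ]; then
      if grep -qF -- "$fail" "$file"; then return 2; fi
      if grep -qF -- "$ok" "$file"; then return 0; fi
    fi
    [ "$waited" -lt "$timeout" ] || return 1
    sleep 1
    waited=$((waited + 1))
  done
}

main() {
  local config job log
  config=$(readlink -f "$1")
  job=${2:-}
  # mktemp creates the log 0600 and owned by us; root only truncates it, so the
  # mode (and whatever OpenVPN logs about remote addresses) stays private.
  log=$(mktemp /tmp/openvpn-log.XXXXXX) || return 1
  # OpenVPN is the only thing that runs as root here. --daemon detaches it,
  # --log sends every further message to our file, --writepid records the PID.
  sudo /usr/sbin/openvpn --config "$config" --daemon --log "$log" --writepid "$PIDFILE" || return 1
  wait_for_line "$log" "Initialization Sequence Completed" "Exiting due to fatal error" "$LIMIT_SECS"
  case $? in
    0) echo "VPN up (log: $log, pid file: $PIDFILE)" ;;
    2) echo "openvpn failed, see $log" >&2; return 1 ;;
    *) echo "no 'Initialization Sequence Completed' after ${LIMIT_SECS}s, see $log" >&2; return 1 ;;
  esac
  # The job runs as the invoking user, not root, so it sees your ~/.ssh and ~/work.
  if [ -n "$job" ]; then
    "$job"
  fi
}

if [ $# -ge 1 ]; then
  main "$@"
else
  echo "usage: $0 config.ovpn [job]" >&2
fi
```

The tunnel stays up after the job finishes; stop it with `sudo kill "$(cat /run/openvpn-vpn-run.pid)"`, which will prompt for a password because the sudoers line in the question only covers openvpn itself. Splitting the two steps this way means nothing in snaggle.sh ever runs with root privileges or with OpenVPN's environment, which is the main difference from the hook-based answers below.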

4 Answers


You can specify a script to be run as you connect to your VPN through openvpn with the up directive (among a few others that will run at different times during initialization). You may need to set script security too for that. Just append the following to your foo.ovpn file:

script-security 2
up /path/to/script.sh

In your case, this should be the latest possible before the disconnection sequence, as you'll need connectivity through the VPN:

script-security 2
route-up /path/to/script.sh

Note that openvpn won't process any packets as this command runs, so this script needs to be a caller script for your snaggle.sh, like this:

#!/bin/bash

nohup /path/to/snaggle.sh &

exit 0

As you also need to choose if you will run the script or not upon connecting, you can either use 2 different .ovpn files or use the command line parameter form (openvpn --config xxx.ovpn --script-security 2 --route-up /path/to/script.sh) instead of having these options inside the .ovpn file. You can even create an alias for that like openvpnsnaggle if typing is an issue.

To find out more about the other available options for running commands (after authentication, on ip changes, on disconnection, etc...), you can read about them on the documentation.

  • Thanks. Adding these to the ovpn file didn't work, though: script-security 2 ssh [email protected]
    – RonJohn
    Commented Oct 15, 2017 at 3:45
  • You need to add an actual script file path there, not a command, however if what you're running is ssh I don't think you will get access to your session through that. That's not what it's meant for. It's not supposed to be interactive.
    – Zip
    Commented Oct 15, 2017 at 3:53
  • It sure would help if I remembered to add "up "!!
    – RonJohn
    Commented Oct 15, 2017 at 4:10
  • added more info to the question.
    – RonJohn
    Commented Oct 15, 2017 at 4:17
  • Can you give more information on what that snaggle.sh script does? There are quite a few variations of that up command that would run on different times during the connection. To name a few: ipchange, iproute, route-up, route-pre-up, etc...
    – Zip
    Commented Oct 15, 2017 at 4:43

answer written to askubuntu

I stumbled upon the answer in my research to solve this issue and I found out that the best solution is (using openvpn server):

Create a script to be executed:

# nano /etc/openvpn/up.sh
<file:contents>
#!/bin/sh

# export >> /var/log/openvpn/openvpn-up.log   # uncomment to dump every variable OpenVPN passes
D=$(date "+%Y-%m-%d %H:%M")
# OpenVPN exports these for client-connect: the listening port/proto, the client
# certificate CN, the client's real address and the tunnel address assigned from the pool
echo "[$D] ($local_port_1:$proto_1) $X509_0_CN: $trusted_ip => $ifconfig_pool_remote_ip" >> /var/log/openvpn/openvpn-up.log
</file>

Add the following lines to the openvpn configuration (usually /etc/openvpn/server.conf). The answer above used up and down, which run when the server starts (restarts). The directives client-connect (and client-disconnect) run when a client connects (disconnects):

# nano /etc/openvpn/server.conf
<file:add>
script-security 2
client-connect /etc/openvpn/up.sh
</file>
  • Sadly, I need a script run on the client side.
    – RonJohn
    Commented Sep 14, 2018 at 13:04
  • How would you include the client name in this script?
    – callisto
    Commented May 24, 2019 at 9:51

In my case, I did not need it, but, as Mathias Sundman said in a post, you can do the following (Windows only):

1. Create a .bat file with all your code. If your openvpn config file is named office-network.ovpn, then the .bat file should be named office-network_up.bat.
2. Put the .bat file into the openvpn config folder (next to the ovpn file).
3. Beware not to use pause or other cmd/shell commands that wait for user input; it will break the initialization of openvpn.
4. If you need user interaction use:

rem START treats a first quoted argument as the window title, so pass an empty title before the script name
start /I "" next.bat

in the office-network_up.bat

An example of .bat which list the environment variables

@echo off
date /t > %TEMP%\openvpn.log
for %%i in (%0 %1 %2 %3 %4 %5 %6 %7 %8 %9) do echo Argument %%i >> %TEMP%\openvpn.log
set >> %TEMP%\openvpn.log
start /I type %TEMP%\openvpn.log    

After following multiple suggestions, one problem I have is that "--up" and "--route-up" are executing before the whole "Initialization Sequence Completed".

For me, I have to open ports after full initialization, so I did the following:

1) Create up.sh, which launches the port-open script (proxyports.sh) asynchronously

2) Create down.sh, which closes the ports opened asynchronously in proxyports.sh

up.sh content ...

#!/bin/bash
# Background the real work in a subshell so this hook returns to OpenVPN at once;
# the sleep gives OpenVPN a moment to finish initialization before proxyports.sh runs.
( ( sleep 1 ; ~/proxyports.sh) & echo "Open the ports" )

proxyports.sh content ...

#!/bin/bash
# The hook runs as root, so point HOME at the user whose ~/.ssh holds the key and known_hosts
HOME=/home/venkatdesu
# PID of whatever is already listening on the SOCKS port (an earlier ssh -D), if any
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
if [[ ! -z "$PID" ]]; then
  echo "SSH Socks Process $PID running with " $(ps "$PID")
  kill -9 $PID
  sleep 1
fi
# Start a fresh SOCKS proxy on 1080 through the VPN; -N (no command) and -f (background)
ssh -D 1080 -Nf [email protected]
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
echo "Socks running at $PID"

down.sh content ...

#!/bin/bash
# Tear down the SOCKS proxy started by proxyports.sh when the VPN goes down
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN | awk '{print $2}' | sort | uniq)
if [[ ! -z "$PID" ]]; then
  echo "SSH Socks Process $PID running with " $(ps "$PID")
  kill -9 $PID
fi
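Both the caller script in the first answer and the up.sh directly above hand the real work to a background process so the hook returns quickly. Two things neither spells out: the background job has no way to know when the tunnel actually works (a fixed sleep 1 is a guess), and OpenVPN runs up and route-up hooks as root, before it drops to the --user in the config, so an ssh started from a hook uses /root/.ssh rather than the user's keys and known_hosts. The route-up wrapper below does the detach, waits until a host behind the VPN accepts a TCP connection, and then runs the job as the unprivileged user. It is an added example written for this page, not code from the question or an answer. Assumed: it is installed as /usr/local/sbin/snaggle-hook.sh; the names RUN_AS, JOB, VPN_CHECK_HOST, VPN_CHECK_PORT, WAIT_SECS, LOG and SNAGGLE_WORKER are mine; 10.0.83.16, ron and /home/ron/snaggle.sh come from the question; script_type, dev and ifconfig_local are variables OpenVPN exports to its hooks.

```bash
#!/bin/bash
# snaggle-hook.sh: OpenVPN route-up hook that starts the real job once the tunnel works.
# Added example for this thread; not code from the question or an answer.
# Assumed names: RUN_AS, JOB, VPN_CHECK_HOST, VPN_CHECK_PORT, WAIT_SECS, LOG, SNAGGLE_WORKER.
#
# In foo.ovpn (or on the command line, to keep the plain connection separate):
#   script-security 2
#   route-up /usr/local/sbin/snaggle-hook.sh
#
# OpenVPN runs this synchronously, as root, before it drops to --user and before it prints
# "Initialization Sequence Completed". So: detach a worker, return at once, and let the
# worker wait until a host behind the VPN answers before running the job as the real user.

RUN_AS=${RUN_AS:-ron}                         # user whose ~/.ssh and ~/work the job needs
JOB=${JOB:-/home/ron/snaggle.sh}
VPN_CHECK_HOST=${VPN_CHECK_HOST:-10.0.83.16}  # first node the job talks to
VPN_CHECK_PORT=${VPN_CHECK_PORT:-22}
WAIT_SECS=${WAIT_SECS:-60}
LOG=${LOG:-/var/log/openvpn-snaggle.log}

# hook_called_by_openvpn: OpenVPN sets script_type for every hook it runs.
hook_called_by_openvpn() {
  case ${script_type:-} in
    up|route-up) return 0 ;;
    *) return 1 ;;
  esac
}

# wait_for_tcp HOST PORT TRIES: 0 as soon as HOST:PORT accepts a connection, 1 after TRIES
# attempts one second apart. Each attempt is capped at 3 s so a blackholed route cannot hang it.
wait_for_tcp() {
  local host=$1 port=$2 tries=$3
  while [ "$tries" -gt 0 ]; do
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] && sleep 1
  done
  return 1
}

worker() {
  echo "$(date -u +%FT%TZ) waiting for $VPN_CHECK_HOST:$VPN_CHECK_PORT via ${dev:-?} (${ifconfig_local:-?})"
  if ! wait_for_tcp "$VPN_CHECK_HOST" "$VPN_CHECK_PORT" "$WAIT_SECS"; then
    echo "$(date -u +%FT%TZ) not reachable after $WAIT_SECS attempts, job not run"
    return 1
  fi
  echo "$(date -u +%FT%TZ) running $JOB as $RUN_AS"
  # Drop root before touching ssh/mutt: as root the job would use /root/.ssh, not ron's keys.
  if [ "$(id -u)" = 0 ]; then
    su -l "$RUN_AS" -c "$JOB"
  else
    "$JOB"
  fi
}

main() {
  # New session, no tty, stdio off OpenVPN's descriptors: OpenVPN is not blocked and the
  # worker survives this hook returning.
  SNAGGLE_WORKER=1 setsid "$0" </dev/null >>"$LOG" 2>&1 &
  exit 0
}

if [ "${SNAGGLE_WORKER:-}" = 1 ]; then
  worker
elif hook_called_by_openvpn; then
  main
else
  echo "usage: reference $0 from OpenVPN's route-up directive (script-security 2)" >&2
fi
```

Keeping the hook out of foo.ovpn and passing `--script-security 2 --route-up /usr/local/sbin/snaggle-hook.sh` on the command line, as the first answer suggests, covers the "sometimes I connect without running the script" case. The reachability check is the replacement for the sleep 1 in up.sh above: ssh to 10.0.83.16 is exactly what snaggle.sh is about to do, so if that does not answer within the limit the job is skipped and the reason is in the log instead of a half-written report.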
