[SOLVED] How to restart OpenVPN in a script?

guardian

@jsphgttgns said in How to restart OpenVPN in a script?:

I am using all kinds of OpenVPN connections and I never have to restart them manually. They typically run for months and automatically reconnect after a couple of seconds for all kinds of interruptions. There are OpenVPN settings related to that, but you haven't published your settings.

It may also make sense to increase the verbosity level and check whether there are any entries related to your problem.

Thanks for the reply. I've uploaded the settings that I used. The problem that I'm having is with Private Internet Access. I added some "Custom Settings" that I found in a forum that "more or less solved the problem" (drops occasionally - once every few weeks).

If you have any idea as to what settings I should change, that would be most appreciated. Thankfully the connection doesn't drop very often, so it will no doubt take quite some time to know if I have been successful in finding the correct answer.

jsphgttgns

I think your "Custom options" are mostly superfluous. Just set up a test tunnel without the parameters and export the settings to study the default options.

auth-nocache is more or less cosmetics and reneg-sec 0 may also not do a lot as the server might enforce the renogatiation.

I'd setup a default tunnel without extra options and evaluate the log file. I also don't see why you need net30.

heper

playback svc restart openvpn client 1

0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell
  

Enter an option: 12


Starting the pfSense developer shell....

Welcome to the pfSense developer shell

Type "help" to show common usage scenarios.

Available playback commands:
     changepassword checkopenvpn_status disablecarp disablecarpmaint disabledhcpd disablereferercheck enableallowallwan enablecarp enablecarpmaint enablesshd externalconfiglocator generateguicert gitsync installpkg listpkg removepkgconfig removeshaper resetwebgui restartdhcpd restartipsec svc tmp2 uninstallpkg 

pfSense shell: playback svc restart openvpn client 1

Playback of file svc started.

Attempting to issue restart to openvpn service...

openvpn has been restarted.
pfSense shell: 

guardian

@heper said in How to restart OpenVPN in a script?:

playback svc restart openvpn client 1

0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell
  

Enter an option: 12


Starting the pfSense developer shell....

Welcome to the pfSense developer shell

Type "help" to show common usage scenarios.

Available playback commands:
     changepassword checkopenvpn_status disablecarp disablecarpmaint disabledhcpd disablereferercheck enableallowallwan enablecarp enablecarpmaint enablesshd externalconfiglocator generateguicert gitsync installpkg listpkg removepkgconfig removeshaper resetwebgui restartdhcpd restartipsec svc tmp2 uninstallpkg 

pfSense shell: playback svc restart openvpn client 1

Playback of file svc started.

Attempting to issue restart to openvpn service...

openvpn has been restarted.
pfSense shell: 

Thanks very much for this! That's what I want to accomplish.

I'm a bit of a noob, so I need a bit of context. How can I wrap that command for use on a bash shell?

I'm assuming I need a small php script or is it possible to run the built in shell from the command line and pipe this command to it?

heper

@guardian
More info here:https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell

Not at pc atm, so can't provide a ready to use example

[root@pfsense.lan]/root: pfSsh.php playback svc restart openvpn client 1

Starting the pfSense developer shell....

Attempting to issue restart to openvpn service...

openvpn has been restarted.
[root@pfsense.lan]/root: 

guardian

@heper said in How to restart OpenVPN in a script?:

@guardian
More info here:https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell

Not at pc atm, so can't provide a ready to use example

[root@pfsense.lan]/root: pfSsh.php playback svc restart openvpn client 1

Starting the pfSense developer shell....

Attempting to issue restart to openvpn service...

openvpn has been restarted.
[root@pfsense.lan]/root: 

The problem with a lot of documentation is often lack of context. If you sort of know, but just need a reminder it's great, but if you don't know and don't have a lot of background it can be very frustrating.

Thanks so much for going the extra mile on this, that's exactly what I need. I really appreciate it.

nivz

I know this is an old post, but it helped me a lot as I was looking to do the same with auto restarting openvpn due to private internet access going down randomly.

What I ended up doing was putting the following in a script and running it via cron.

#!/bin/sh
WAN_IP=`/sbin/ifconfig vmx0 | /usr/bin/grep inet | /usr/bin/grep -v inet6 | /usr/bin/awk '{print $2}'`
PUBLIC_IP=$(/usr/local/bin/curl -s https://api.ipify.org)
if [ "$WAN_IP" = "$PUBLIC_IP" ]
then
/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1
fi

(Change vmx0 to your actual WAN interface name)
Hopefully someone else might find this helpful.

guardian

@nivz said in How to restart OpenVPN in a script?:

I know this is an old post, but it helped me a lot as I was looking to do the same with auto restarting openvpn due to private internet access going down randomly.

What I ended up doing was putting the following in a script and running it via cron.

#!/bin/sh
WAN_IP=`/sbin/ifconfig vmx0 | /usr/bin/grep inet | /usr/bin/grep -v inet6 | /usr/bin/awk '{print $2}'`
PUBLIC_IP=$(/usr/local/bin/curl -s https://api.ipify.org)
if [ "$WAN_IP" = "$PUBLIC_IP" ]
then
/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1
fi

(Change vmx0 to your actual WAN interface name)
Hopefully someone else might find this helpful.

Thanks for the reply... there is some useful code there (how to restart openvpn client). I'm assuming that this setup pipes all traffic over the VPN, and if the VPN goes down all traffic goes directly out?

I wouldn't be very happy if my VPN traffic went out unencrypted - I'd want everything blocked. In my case I let a lot of traffic go out normally, and then have another VLAN for my VPN traffic. VPN goes down, traffic on that VPN doesn't go out.

Any idea how to direct
PUBLIC_IP=$(/usr/local/bin/curl -s https://api.ipify.org)
out a specific interface?

BTW, you can ditch the second grep by doing this: /usr/bin/grep 'inet '

rschossler

Eu tive problemas onde o tunel VPN permanecia conectado, porém por algum motivo as rotas dos túneis eram perdidas. Sem sucesso na leitura dos logs, resolvi da seguinte maneira:

Instalado pacote Cron;
Criada tarefa na cron do pfSense (5 em 5 minutos, como root):

if ! /sbin/ping -c 10 10.0.30.201; then /usr/local/sbin/pfSsh.php playback svc restart openvpn server 9; fi

Para descobrir o ID da VPN, execute "ps uxaww | grep openvpn" (Diagnostics / Command Prompt / Execute Shell Command) e verifique os arquivos de configurações das VPNs (Exemplo: /var/etc/openvpn/server9.conf).

ps uxaww | grep openvpn

OBSERVAÇÃO: No IP remoto, utilize um IP estático diferente do servidor que completa o tunel VPN, para garantir que a VPN realmente está com problemas.

Escolhi essa opção de reinicialização do OpenVPN, direto na Cron, devido a mesma ficar salva no backup do pfSense, evitando criar scripts paralelos dentro do servidor e facilitando a restauração em caso de problemas.

TV

To further annoy the "old thread" folks, my slightly modified version of the script provided by @nivz

(Goal being to reduce the likelihood of a OVRC WattBox watchdog power-cycling this pfsense box in an "all traffic thru the tunnel or nothing" scenario for some remote office locations)

#!/bin/sh
#
VPN_IF=$1
if [ "$VPN_IF" = "" ]; then
  VPN_IF=6
fi
VPN_IP=`/sbin/ifconfig ovpnc$VPN_IF | /usr/bin/grep 'inet ' | /usr/bin/awk '{print $2}'`
VPN_GW=`/sbin/ifconfig ovpnc$VPN_IF | /usr/bin/grep 'inet ' | /usr/bin/awk '{print $4}'`
echo "VPN Interface  = $VPN_IF"
echo "VPN IP Address = $VPN_IP"
echo "VPN Gateway    = $VPN_GW"
if [ "$VPN_IP" != "" ] && [ "$VPN_GW" != "" ]
then
  # If ovpn interface has an IP and a gateway, test further
  /sbin/ping -c 3 -S $VPN_IP $VPN_GW > /dev/null
  if [ "$?" = "0" ]
  then
    echo "Success pinging gateway"
  else
    # Failed pinging first-hop, ping something public
    echo "Failed pinging gateway"
    /sbin/ping -c 3 -S $VPN_IP 8.8.8.8 > /dev/null
    if [ "$?" = "0" ]
    then
      echo "Success pinging public IP"
    else
	  # Failed both ping checks, restart ovpn service
	  echo "Failed pinging public IP"
      /usr/local/sbin/pfSsh.php playback svc restart openvpn client $VPN_IF
	 fi
  fi
else
  # ovpn interface failed IP and/or gateway value check, restart service
  /usr/local/sbin/pfSsh.php playback svc restart openvpn client $VPN_IF
fi

salvadordalisdad

Hi Guys,

Sorry this is an old thread, but it's still a live subject for me...

I used to have a script on a separate server which monitored the OVPN client connections & when the Privado one failed again it would ssh into it & restart it exactly as above.

Since upgrading to 2.5.2 that has stopped working.
I couldn't be bothered to fix it because so much had changed that ssh login with publickey had also failed, and I'm fundamentally lazy when it comes to something I want!
However, I've now fixed it all, but the "svc restart ovpn client N" has stopped working completely. (N=1 or 2)
The script now works as before, the ssh login works again, but regardless of all that it's the phpshell bit which no longer works (from an ssh session as admin user).
I'm stumped. I have chedked & there don't seem to be any packages to load, and the phpshell works - at least it says it does. "openvpn has been restarted." it claims...
However, I just tested from the console & it works.
So it must be some kind of user privilege, but I already assinged shell account access to that user. I've added the three suggested ones User - System: Copy files (scp) / User - System: Shell account access / System - HA node sync

Any suggestions anyone? I'm obvs missing something, wouldn't be the first time!
Thanks in advance

salvadordalisdad

@salvadordalisdad

Have implemented the cron jobs above.
Hoping that will resolve the issue of not being able to restart ovpn clients through SSH session
Ideally they should still, so one day I'd like to fix that...

Only time will tell if that cron job (every 5 mins) fixes the privado problem.
TIA
;-)

AK_4_Life

Why not just use the Service Watchdog from the package manager?

salvadordalisdad

@salvadordalisdad

Sadly time told. Didn't work.

Finally the privado VPN failed again & the cron job didn't do the trick.

if ! /sbin/ping -c 10 4.2.2.1; then /usr/local/sbin/pfSsh.php playback svc restart openvpn server 1; fi

The cron job is running as "root" user. (should it be another user?)

So while the VPN was in a failed state, I dug a bit deeper & tried running it in an SSH session.
The native SSH session wasn't actually a 'normal' shell, so I started a "sh" shell so it could at least run that cron command.
The command ran OK, the ping was lost as it should be, but the "playback restart openvpn" bit didn't.

It responded with "Attempting to issue restart to openvpn service...openvpn has been restarted." but it didn't actually restart the service. It lied!

I manually restarted the service in the GUI, and that fixed it as it always has.

Anyone any idea why the "playback restart" bit didn't work please?

Thanks in advance.

salvadordalisdad

@salvadordalisdad

EDIT-
Just tried the same thing from the console, entering option 12 (php) and entering the sub-line above "playback....server 1" and it also gave the successful message as above, but did NOT restart the service as it claimed. Needed to check given previous experience.

salvadordalisdad

@salvadordalisdad

Update.

Disabled the cron job above & tied the watchdog service as suggested.

Based on the description of the watchdog service function, ("restarts service if the service gets stopped"), I wasn't expecting it to work, and I wasn't disappointed.

It didn't fix it.
VPN failed (again) and the watchdog service did not restart the VPN service. Well that's not what it said it would do, so I'm not going to complain about that.

Just need to make the PHP script to restart the ovpn client work like it used to in 2.4.x

;-)

guardian

@jsphgttgns said in How to restart OpenVPN in a script?:

I am using all kinds of OpenVPN connections and I never have to restart them manually. They typically run for months and automatically reconnect after a couple of seconds for all kinds of interruptions. There are OpenVPN settings related to that, but you haven't published your settings.

It may also make sense to increase the verbosity level and check whether there are any entries related to your problem.

I've placed my complete script in the original post -- it has been working great for many months.

salvadordalisdad

@guardian
Hi Guardian,

Thanks very much for the nudge, very much appreciated.
I will certainly give it a try.
I see that at the heart of your script is the "PHP playback service..." mechanism, which simply doesn't work on my instance.

I'm using 2.5.2 (there have been no updates since), and when I run it (either from cron or SSH/CLI or console) it says "yup done that" but it simply hasn't - weird.

I am pretty sure it used to work on some 2.4.x version I ran a while ago, but I'm getting forgetful so maybe I imagined it ;-)

It's a fresh install of 2.5.2 on a vmware esxi 6.7 platform, and everything else works, so I'm pretty stumped to be quite honest.

Are you using 2.5.2 or the earlier stable 2.4.x release?
Thanks

guardian

@salvadordalisdad said in [SOLVED] How to restart OpenVPN in a script?:

@guardian
Hi Guardian,

Thanks very much for the nudge, very much appreciated.
I will certainly give it a try.
I see that at the heart of your script is the "PHP playback service..." mechanism, which simply doesn't work on my instance.

I'm using 2.5.2 (there have been no updates since), and when I run it (either from cron or SSH/CLI or console) it says "yup done that" but it simply hasn't - weird.

I am pretty sure it used to work on some 2.4.x version I ran a while ago, but I'm getting forgetful so maybe I imagined it ;-)

It's a fresh install of 2.5.2 on a vmware esxi 6.7 platform, and everything else works, so I'm pretty stumped to be quite honest.

Are you using 2.5.2 or the earlier stable 2.4.x release?
Thanks

I'm running 2.5.2, and the script is working perfectly. My ISP was having some "issues" for about a week in December and this script did it's job very well... when the ISP connectivity issue killed the VPN connection, the script restarted everything and got it running again.

I see that at the heart of your script is the "PHP playback service..." mechanism, which simply doesn't work on my instance.
Do you know why it isn't working? I suspect that would lead you to the real trouble source.

salvadordalisdad

@guardian

Thanks that's incredibly helpful.

So I added a simple cron job for today which just ran the "playback" bit regardless of whether it needed to or no. Didn't happen. VPNs start time was last week sometime.

I think it just confirms I need a fresh install again.

I will update once I've done so, ;-)