Restarting OpenVPN
- 
 OpenVPN has a network interface of some kind that can be used to control it. I am 99% sure that pfSense uses this feature for itself to check on status and just generally control it, because when I tried to add the options to make it listen on the IP and port I wanted, all the pfSense built-in stuff broke. I would love to know what IP/port it's set to listen to by default in pfSense, because I want to do something similar (basically, I want to stop the VPN when certain conditions are met, and start it again on other conditions). Jim, do you know? 
- 
 Yeah I suppose that might be needed there. I don't think there is a way to make that happen inside of OpenVPN. Some Googling suggests that others do this (on other platforms) by shutting down the other server processes when they want to, so you're probably doing about the best you can. 
- 
 OpenVPN has a network interface of some kind that can be used to control it. I am 99% sure that pfSense uses this feature for itself to check on status and just generally control it, because when I tried to add the options to make it listen on the IP and port I wanted, all the pfSense built-in stuff broke. I would love to know what IP/port it's set to listen to by default in pfSense, because I want to do something similar (basically, I want to stop the VPN when certain conditions are met, and start it again on other conditions). Jim, do you know? It doesn't listen on a port like that, we use a unix socket (/var/etc/openvpn/<something>.sock)</something> 
- 
 Yeah I suppose that might be needed there. I don't think there is a way to make that happen inside of OpenVPN. Some Googling suggests that others do this (on other platforms) by shutting down the other server processes when they want to, so you're probably doing about the best you can. Yup, I googled around too, hoping that OpenVPN had a built-in feature to restart the tunnels periodically. It seems the answer is "no". Pity. I can't be the only person in the world who needs that feature. :-[ 
- 
 I should still be able to use that then as long as I'm controlling it from pfSense then, as opposed to an outside machine, right? I'm thinking I would install NRPE, and use a cron job to run one of the NRPE scripts, and send control commands to OpenVPN based on the results. Any thoughts? Thanks for the quick response. 
- 
 Yeah I suppose that might be needed there. I don't think there is a way to make that happen inside of OpenVPN. Some Googling suggests that others do this (on other platforms) by shutting down the other server processes when they want to, so you're probably doing about the best you can. Yup, I googled around too, hoping that OpenVPN had a built-in feature to restart the tunnels periodically. It seems the answer is "no". Pity. I can't be the only person in the world who needs that feature. :-[ 
 [/quote]Yeah, it seems like it would be a nice feature, but in reality that would involve the client periodically retrying the server connection on its own, potentially disrupting the tunnel there. Favoring stability over speed is usually a good choice, but it would be nice to have the option. 
- 
 I should still be able to use that then as long as I'm controlling it from pfSense then, as opposed to an outside machine, right? I'm thinking I would install NRPE, and use a cron job to run one of the NRPE scripts, and send control commands to OpenVPN based on the results. Any thoughts? Thanks for the quick response. Probably best to split that off into its own thread. 
- 
 Yeah I suppose that might be needed there. I don't think there is a way to make that happen inside of OpenVPN. Some Googling suggests that others do this (on other platforms) by shutting down the other server processes when they want to, so you're probably doing about the best you can. Yup, I googled around too, hoping that OpenVPN had a built-in feature to restart the tunnels periodically. It seems the answer is "no". Pity. I can't be the only person in the world who needs that feature. :-[ 
 [/quote]
 I found a way. You have to know which VPN server you're using (pfSense seems to assign them sequential numbers, server1, server2, etc.).Then in cron you can use this: nc -U /var/etc/openvpn/serverX.sock %signal SUGHUP%exit%The X in serverX.sock is the server number I referenced above. The exit is probably not necessary, at least that's what it seems in my testing, but I put it in anyway (the OpenVPN management interface only supports one connection at a time, so the OpenVPN status page in the web GUI is inoperable while you are connected). HTH 
- 
 Hi Brian, Thanks for the tip. After thinking more about the requirements, I have refined them a bit. Instead of restarting the VPN client every night, I am going to restart the VPN whenever I detect that it is connected to the VPN server's secondary (slow) IP address instead of the primary (fast) IP address. The primary IP address is specified by the Server host or address setting on the VPN client config screen (i.e. in the server_addr setting in the pfSense XML config file). The secondary IP address is specified by the remote setting inside the Advanced setting on the VPN client config screen (i.e. in the custom_options setting in the pfSense XML config file). Here is a hackish, unfinished, unpolished PHP script that I am currently working on for this purpose. Please don't flame saying the code sucks. I know it sucks. It's not done yet. So far it seems to work okay in my testing. require_once('config.inc'); include('openvpn.inc'); // Read in all of the OpenVPN client configs. global $config; if (!is_array($config['openvpn']['openvpn-client'])) { return; } // Find client config for London VPN server $found_config = false; $name = "London"; foreach ($config['openvpn']['openvpn-client'] as & $settings) { if (stripos($settings['description'], $name) !== false) { $found_config = true; break; } } // If client config not found, exit. if (!$found_config) { echo "Did not find client VPN config for \"$name\".\n"; exit; } // Print the client config. echo "vpnid: {$settings['vpnid']}\n"; echo "description: {$settings['description']}\n"; echo "server_addr: {$settings['server_addr']}\n"; echo "custom_options: {$settings['custom_options']}\n"; // Resolve the configured host name to an IP address. // This is the VPN server's primary IP. $ip = gethostbyname($settings['server_addr']); echo "VPN server primary IP: $ip\n"; // Tokenize the custom_options to get the VPN // server's secondary IP. $tok = strtok($settings['custom_options'], " \n\t;"); while ($tok !== false) { if (strcasecmp($tok, 'remote') == 0) { $tok = strtok(" \n\t;"); if ($tok !== false) { $ip_secondary = gethostbyname($tok); echo "VPN server secondary IP: $ip_secondary\n"; } } $tok = strtok(" \n\t;"); } // Find the status for the VPN client. $found_status = false; $clients = openvpn_get_active_clients(); foreach ($clients as $client) { if (stripos($client['name'], $name) !== false) { $found_status = true; break; } } // If client status not found, exit. if (!$found_config) { echo "Did not find VPN client status for \"$name\".\n"; exit; } // Print the client status echo "name: {$client['name']}\n"; echo "mgmt: {$client['mgmt']}\n"; echo "status: {$client['status']}\n"; echo "remote_host: {$client['remote_host']}"; // See if the client is connected to a secondary IP. // Note: $client['remote_host'] has trailing white space that // we must trim before comparing to $ip $remote_host = rtrim($client['remote_host']); if ($client['status'] == 'up' && $remote_host !== $ip) { echo "The VPN client is connected to the server's secondary IP.\n"; } else { echo "The VPN client is NOT connected to the server's secondary IP.\n"; echo "NOT restarting VPN.\n"; exit; } // If we got this far, we will want to restart the VPN client // so it connects to primary IP instead of secondary IP. // Before trying to connect to primary IP, we have to make sure // we can ping it. If we can't ping it, there's no sense in // trying to connect to it. Furthermore, that is probably // the reason why the client is currently connected to the // secondary IP. exec("ping -t 10 -o $ip", $output, $return_var); echo "ping return_var: $return_var\n"; // A return value of 0 means at least one ping was replied to. // In other words, the IP address is up and we should be // able to restart to VPN to connect to it. if ($return_var == 0) { echo "Restarting VPN.\n"; openvpn_restart('client', $settings); echo "Finished restarting VPN.\n"; } ?>As you can see, the script makes use of the handy config variables in config.inc and the handy functions in openvpn.inc. Rather than hard-coding the client vpnid number in my script, I scan all of the client configs for a description containing 'London'; that will be the client that connects to our London server. When finished, I will store this script somewhere in the pfSense filesystem (any suggestions as to an appropriate directory to store it in?). Then I will call it periodically with cron, perhaps once per hour. HTH 
- 
 Neat! For my purposes, I am actually doing more than just restarting, and I considered using PHP but I was really looking for something that didn't rely on external files. Basically, I want to be able to restore a config backup and not have to restore any random files to get this working again. I don't like that I am hard coding the server number, but I'm okay with it for now. I looked into the add-on package that lets you enter PHP code in the web gui (PHP Service) and runs it every second, but it was buggy and didn't work right, so I promptly uninstalled it. Please post your final solution; I'm interested, even if it's just to run the PHP via cron. 
- 
 I haven't tried it yet but I think the Shellcmd package might let you echo some PHP code to a file in /tmp on system startup. Then you should be able to call that script from cron. This should allow you to store the script (somewhat indirectly) inside the exported config file. Again, I haven't tried this yet but it seems like it could do the job. 
- 
 Meh. I tried Shellcmd. The GUI for it only lets you enter one line. Not really convenient for what I wanted to do. 
- 
 Brian, I am running the embedded version of pfSense. I just tried storing my custom script in /scripts. Then I rebooted. Low and behold, after rebooting, my script was still in /scripts. I expected that it would have been wiped out by a reboot but I was wrong. That's good. Now I can store my script there. It's not quite the same as storing it in the XML config file but at least I can keep all my scripts in one place. 
- 
 Yeah the embedded version won't delete your files on you. You might have some trouble writing things if you don't mount the filesystem as RW first, but anyway that's not what I was worried about. I am doing something that will be used at multiple locations, and I just don't want to have backup additional files with the config that I would then have to put back in place in the event of a restore. From what I could tell there is no way to do multiple lines with echo in the bourne shell, so you would need to install bash (another dependency I don't want). It just happens that cron does have a way to send mult-line input (the % character) so that helped me out there. 
- 
 /scripts already seems to be mounted writeable. I did not have to do a remount-rw. :) 
- 
 Brian, I have revised the code a bit. For example, I now write some messages to the system log by calling the logger command. I ran this script once per hour last night using cron. It seems to work fine so far. Still requires more testing. For example, I will have to pull the plug on our primary internet connection to force the VPN client to switchover to the secondary IP (i.e. backup connection). Then I will have to verify that this script forces the connection back to the primary IP. Here's the current version of the script: #!/usr/local/bin/php -f require_once('config.inc'); include('openvpn.inc'); // Read in all of the OpenVPN client configs. global $config; if (!is_array($config['openvpn']['openvpn-client'])) { return; } // Find client config for London VPN server $found_config = false; $name = "London"; foreach ($config['openvpn']['openvpn-client'] as & $settings) { if (stripos($settings['description'], $name) !== false) { $found_config = true; break; } } // If client config not found, exit. if (!$found_config) { echo "Did not find client VPN config for \"$name\".\n"; exit; } // Print the client config. echo "vpnid: {$settings['vpnid']}\n"; echo "description: {$settings['description']}\n"; echo "server_addr: {$settings['server_addr']}\n"; echo "custom_options: {$settings['custom_options']}\n"; // Resolve the configured host name to an IP address. // This is the VPN server's primary IP. $ip = gethostbyname($settings['server_addr']); echo "VPN server primary IP: $ip\n"; // Tokenize the custom_options to get the VPN // server's secondary IP. $tok = strtok($settings['custom_options'], " \n\t;"); while ($tok !== false) { if (strcasecmp($tok, 'remote') == 0) { $tok = strtok(" \n\t;"); if ($tok !== false) { $ip_secondary = gethostbyname($tok); echo "VPN server secondary IP: $ip_secondary\n"; } } $tok = strtok(" \n\t;"); } // Find the status for the VPN client. $found_status = false; $clients = openvpn_get_active_clients(); foreach ($clients as $client) { if (stripos($client['name'], $name) !== false) { $found_status = true; break; } } // If client status not found, exit. if (!$found_config) { echo "Did not find VPN client status for \"$name\".\n"; exit; } // Print the client status echo "name: {$client['name']}\n"; echo "mgmt: {$client['mgmt']}\n"; echo "status: {$client['status']}\n"; echo "remote_host: {$client['remote_host']}"; // See if the client is connected to a secondary IP. // Note: $client['remote_host'] has trailing white space that // we must trim before comparing to $ip $remote_host = rtrim($client['remote_host']); if ($client['status'] == 'up' && $remote_host == $ip) { $msg = "The $name VPN client is connected to $ip (VPN server primary IP). Not restarting client.\n"; echo $msg; exec("logger '$msg'"); exit; } else if ($client['status'] == 'up') { $msg = "The $name VPN client is connected to $ip (VPN server secondary IP).\n"; echo $msg; exec("logger '$msg'"); } else { $msg = "The $name VPN client is not connected. Current status is {$client['status']}.\n"; echo $msg; exec("logger '$msg'"); exit; } // If we got this far, we will want to restart the VPN client // so it connects to primary IP instead of secondary IP. // Before trying to connect to primary IP, we have to make sure // we can ping it. If we can't ping it, there's no sense in // trying to connect to it. Furthermore, that is probably // the reason why the client is currently connected to the // secondary IP. exec("ping -t 10 -o $ip", $output, $return_var); echo "ping return_var: $return_var\n"; // A return value of 0 means at least one ping was replied to. // In other words, the IP address is up and we should be // able to restart to VPN to connect to it. if ($return_var == 0) { $msg = "VPN server primary IP is up. Restarting $name VPN client.\n"; echo $msg; exec("logger '$msg'"); openvpn_restart('client', $settings); $msg = "Finished restarting $name VPN client.\n"; echo $msg; exec("logger '$msg'"); } else { $msg = "VPN server primary IP is down. Not restarting $name VPN client.\n"; echo $msg; exec("logger '$msg'"); } ?>
- 
 Having just read this thread i something think you're shooting on sparrows with cannons. (Writing scripts, changing php). Is it not feasible to have 2 OpenVPN tunnels up with two different tranfer subnets. 
 Each VPN tunnel on it's own WAN.When both tunnels are up a failover-pool forces all traffic to the fast connection. 
 Should it go down, the backup connection will be used.
 If the connection comes back up everything switches to the fast connection again.Should asymetric routing occur (for whatever reasons) traffic could even be NATed into the tunnel to ensure the answer comes back the same tunnel. 
- 
 Hi GruensFroeschli, Thank you for your comments. Is it not feasible to have 2 OpenVPN tunnels up with two different tranfer subnets. 
 Each VPN tunnel on it's own WAN.We don't have 2 tunnels. We have only 1. We use OpenVPN's standard way of connecting to redundant server IPs. That is, our VPN client is configured with two remote settings in the config file. For example: remote fast.foo.com 1194 remote slow.foo.com 1194Note that we do not use the βremote-random setting in our config. Therefore, the client will always try the first remote IP first and the second remote IP next. If the first IP is up, the client connects to that one but if it is down, the client connects to the second IP. When both tunnels are up a failover-pool forces all traffic to the fast connection. 
 Should it go down, the backup connection will be used.Yes, I absolutely agree. Our current configuration already does that. If the connection comes back up everything switches to the fast connection again. I have never seen an OpenVPN client connection switch back to the first remote IP after connecting to the second remote IP. As far as I know, there is NO mechanism in OpenVPN to keep trying the first IP after connecting to the second IP and then automatically switch back to the first one when it is up. If someone can tell me the name of the OpenVPN setting to enable this behaviour, I'm all ears. We have successfully been running our VPN server like this for months. When the primary IP goes down, the clients automatically switch over to the secondary IP after a short timeout period (about 1 minute). All of this happens without any intervention required by me. That's good! However, since the server side's secondary internet connection is way slower than the primary internet connection, we don't like to run the VPN on the secondary connection for long periods of time. We usually don't realize that the VPN clients have switched over to the secondary IP until a user calls a couple of days later to say that the VPN seems kind of slow. When we get that phone call, we manually restart the VPN client to force a reconnection to the primary IP. The purpose of my script is to automatically switch the VPN clients back to the primary IP when it comes back up. Note that my script runs only on the client side, not on the server side. Note also that we run our VPN in UDP mode. Perhaps the behaviour of the failover pool is different for TCP mode? If someone can suggest a simpler way of automatically switching the OpenVPN client back to the primary IP after connecting to the secondary IP, I'm all ears. (And by suggest, I mean, showing the exact config settings or code to accomplish this). 
- 
 You misunderstand me. 
 My suggestion is to not have a single OpenVPN connection with two remote entries,
 but to actually have two OpenVPN connections with only one remote entry.Let pfSense handle the switching between the tunnels. 
 Or is this OpenVPN client not a pfSense?With pfSense you can create failover-pools under "System β> Routing" 
- 
 Yes, do use failover pools. For example, we use failover pools at our main office, the office with the two internet connections (which is also the office where the VPN server is). With the failover pool, users at our main office are automatically switched over the the secondary internet connection when the primary internet connection goes down. Thus, they can keep browsing the web, sending email, etc, even when the primary internet connection goes down. Are you suggesting is to user failover pools on the client side (i.e. at our remote offices), which has only one internet connection? If so, how do I make the two tunnels appear as gateways on the Failover group configuration screen? I have never heard of this. If you have a step-by-step configuration for this, I'd like to see it. When I try to add a gateway using the Edit Gateway screen, the only interfaces I see are the actual WAN and LAN interfaces, not any sort of OpenVPN "pseudo" interface. Even if it is possible to have the tunnels appear as gateways in the failover group configuration screen, I'm not sure that would work for our requirements. We do NOT want ALL of the client's traffic to go over the VPN. We want inter-office traffic to go over the VPN but we want all other traffic (web browsing, etc) to go over the client's own internet connection. We have only limited bandwidth at the main office and we don't want all of the web browsing traffic from the several remote offices to go over the VPN. Again, if you have an actual working example, it would be helpful. Otherwise your comments will not really help me solve the problem, which has already been solved by my script.