Establish OpenVPN connection temporarily, then disconnect at a given time



  • Hello,

    My goal is to automate an OpenVPN connection with something like cron on a specific day for a backup to take place, then disconnect at a given time.  Both endpoints use pfSense 2.0.1.x.

    I have cron in mind.  What is the best way to use cron in pfSense?  I haven't really found any documentation on it.  It looks like cron exists at the command line, but there is also a package for the GUI it seems.

    Any advice is welcome.  Thank you.



  • You probably intend to write a shell script and run this from a cron job. So create the script, place it on pfsense, install Cron GUI package and then just create the cron jobs.

    PS: Why do you want to disconnect the OpenVPN connection? If you just like to stop traffic between the two end points except at backup time, you could create a firewall rule and a scheduler which blocks traffic on OpenVPN.



  • You probably intend to write a shell script and run this from a cron job. So create the script, place it on pfsense, install Cron GUI package and then just create the cron jobs.

    Ok, this sounds like an option.  So I will be creating the OpenVPN connection from the script?

    PS: Why do you want to disconnect the OpenVPN connection? If you just like to stop traffic between the two end points except at backup time, you could create a firewall rule and a scheduler which blocks traffic on OpenVPN.

    I really only need the connection to establish on one day of the week, Saturday.  It is a good idea to just block the connection at the firewall and unblock as needed on a schedule.  I will consider this too.  I think the OpenVPN client connection re-establish is 1-2 minutes?  I can't really control that if I just leave it attempting to connect all week, but 1-2 minutes isn't bad.  Overall I am just trying to minimize traffic and be more exact.  With cron I have the connection, and then it's gone.



  • On the client side of the site-to-site, I ended up using the pfsense GUI to create the client setup.  It creates all of the conf files, and interfaces for me, and I leave the configuration disabled.

    I added the "cron" package to the gui interface.

    I set two cron tasks:

    8                      4      root    /usr/local/sbin/openvpn --config /var/etc/openvpn/client12.conf    (establish the connection thurs at 8 am)
          14                      4      root    pkill -9 -F /var/run/openvpn_client12.pid                                    (kill the connection thurs at 2:00 pm)
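
An added example, not part of the thread: a /bin/sh wrapper that the two cron entries could call instead of running openvpn and pkill -9 directly. It validates the pid file before signalling as root and sends SIGTERM first, with SIGKILL only as a fallback, so OpenVPN can shut down cleanly; the script path, variable names and grace period are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are the ones quoted above;
# the variable names and GRACE are assumptions introduced here.
# Hypothetical /etc/crontab entries (minute hour mday month wday who command):
#   0 8  * * 4 root /root/vpn_window.sh start
#   0 14 * * 4 root /root/vpn_window.sh stop
OPENVPN_BIN="${OPENVPN_BIN:-/usr/local/sbin/openvpn}"
CONF="${CONF:-/var/etc/openvpn/client12.conf}"
PIDFILE="${PIDFILE:-/var/run/openvpn_client12.pid}"
GRACE="${GRACE:-10}"   # seconds to wait after SIGTERM before SIGKILL

# Print the PID from $PIDFILE only if it is numeric, greater than 1 and alive.
vpn_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(head -n 1 "$PIDFILE" | tr -d '[:space:]')
    case "$pid" in '' | *[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] || return 1          # never signal PID 0 (group) or 1
    kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

# Start the client unless a live instance already owns the pid file.
vpn_start() {
    if vpn_pid >/dev/null; then echo "already running"; return 0; fi
    "$OPENVPN_BIN" --config "$CONF"
}

# SIGTERM first so OpenVPN can exit cleanly; SIGKILL only after $GRACE seconds.
vpn_stop() {
    pid=$(vpn_pid) || { echo "not running"; return 0; }
    kill -TERM "$pid"
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt "$GRACE" ]; do
        sleep 1
        i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -KILL "$pid"
        echo "killed"
    else
        echo "stopped"
    fi
}

case "${1:-}" in
    start) vpn_start ;;
    stop) vpn_stop ;;
esac
```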



  • ooo, make sure you put "*" (asterisks) in fields that you aren't using w/ cron.

    :)

    @wm408:

    On the client side of the site-to-site, I ended up using the pfsense GUI to create the client setup.  It creates all of the conf files, and interfaces for me, and I leave the configuration disabled.

    I added the "cron" package to the gui interface.

    I set two cron tasks:

    8                       4       root    /usr/local/sbin/openvpn --config /var/etc/openvpn/client12.conf    (establish the connection thurs at 8 am)
          14                      4       root    pkill -9 -F /var/run/openvpn_client12.pid                                    (kill the connection thurs at 2:00 pm)



  • Couldn't you just bring the openvpn interface up/down on a cron job using the ifconfig command?



  • Good question.  I am not sure if the pid stays open while the interface is off.  But I will test it.

    @jamesc:

    Couldn't you just bring the openvpn interface up/down on a cron job using the ifconfig command?



  • If I turn the interface off via: ifconfig (vpn interface) down

    PID stays on.  The service itself doesn't report any type of error in any of the logs that I can see… (system logs, status).  So OpenVPN doesn't seem concerned about the interface status.

    When I do: ifconfig (vpn interface) up

    the connection is back up.  This could work well also, it seems, but I can't really see a true status unless I do a ping test, or do an ifconfig to see the "UP" flag on the interface, or no "UP" flag.

    I feel like it's a toss-up as far as purpose.  Maybe one is cleaner than the other.

    @wm408:

    Good question.  I am not sure if the pid stays open while the interface is off.  But I will test it.

    @jamesc:

    Couldn't you just bring the openvpn interface up/down on a cron job using the ifconfig command?

