Cannot run script at end of OpenVPN startup

WhatName
OpenVpn Newbie
Posts: 1
Joined: Sun Jul 16, 2017 7:31 pm

Cannot run script at end of OpenVPN startup

Post by WhatName » Sun Jul 16, 2017 8:11 pm

Hi,

I'm trying to install OpenVPN on Ubuntu 16.04. I'm using PIA and followed this tutorial minus the last section that modifies the IP tables. It's up and running.

I'd now like to have a script run at the end of the OpenVPN startup routine that modifies the IP tables to bypass VPN for certain ports. I've written the script using this tutorial and confirm that it works by running it manually after a reboot. Here's my script:

Code:

#!/bin/sh
# /etc/openvpn/up.sh

# ---ENABLING KERNEL OPTIONS

sudo sysctl -w net.ipv4.conf.ens3.rp_filter=0
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.default.rp_filter=0
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0

sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv4.conf.ens3.forwarding=1
sudo sysctl -w net.ipv4.conf.lo.forwarding=1
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1

sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1
sudo sysctl -w net.ipv6.conf.ens3.forwarding=1
sudo sysctl -w net.ipv6.conf.lo.forwarding=1
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1

sudo sysctl -w net.ipv4.tcp_fwmark_accept=1


# ---CLEAR ALL FIREWALL RULES
iptables -F
iptables -t mangle -F
iptables -t nat -F

# ---FLUSH EXISTING TABLE 101 + cache
ip route flush table 101
ip route flush cache

#--- DEL IF EXISTS AND ADD RULE
ip rule del fwmark 2 table 101
ip rule add fwmark 2 table 101

#--- CREATE TABLE 101 (routes marked traffic via the LAN gateway on ens3)
ip route add table 101 default via 192.168.0.1 dev ens3
ip route add table 101 192.168.0.0/24 dev ens3  proto kernel  scope link  src 192.168.0.144


#---  PORT FORWARD TO TABLE 101

# SETTING MASQUERADE FOR OUTPUT
iptables --table nat --append POSTROUTING -o ens3 -j MASQUERADE

# VPN BYPASS!
# SSH THIS ONE IS THE MOST IMPORTANT
iptables -t mangle -A PREROUTING -p tcp --dport 22             -j MARK --set-mark 2

# PLEX
iptables -t mangle -A OUTPUT     -p tcp --dport  32400         -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport  32400         -j MARK --set-mark 2

# HTTP / HTTPS
iptables -t mangle -A PREROUTING -p tcp --dport 80             -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 443            -j MARK --set-mark 2

# FTP
iptables -t mangle -A PREROUTING -p tcp --dport 21             -j MARK --set-mark 2

# YOU NEED TO SET UP MIN/MAX PORT IN VSFTPD (passive port range)
iptables -t mangle -A PREROUTING -p tcp --dport 13000:13100    -j MARK --set-mark 2
iptables -t mangle -A OUTPUT     -p tcp --sport 21             -j MARK --set-mark 2

# DELUGE LOCAL only from LOCAL NETWORK IPs
iptables -t mangle -A PREROUTING -p tcp --dport 58846   -s 192.168.0.0/24        -j MARK --set-mark 2

# DELUGE WEB GUI
iptables -t mangle -A PREROUTING -p tcp --dport 8112             -j MARK --set-mark 2

My issue is that I can't get OpenVPN to start if I reference the script. Per the tutorial I used, I modified my OpenVPN config file to reference pia-nl.conf as shown below:

Code:

# This is the configuration file for /etc/init.d/openvpn

#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configuration file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
AUTOSTART="pia-nl"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0

My iptables script is located at /etc/openvpn/up.sh, so I added a reference to it in my pia-nl.conf file as shown:

Code:

client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

#Start script
up /etc/openvpn/up.sh

Rebooting results in OpenVPN failing during startup. To check whether the script itself is causing the issue, I replaced the contents of /etc/openvpn/up.sh with just a # and it still fails to start properly.

I read here that the systemd file should be used instead of the OpenVPN config file, so I then removed the script reference from my pia-nl.conf and instead modified /lib/systemd/system/openvpn@.service to include ExecStartPost=/etc/openvpn/up.sh but have the same startup issues.

I've made sure that /etc/openvpn/up.sh is executable and so I've run out of ideas. Any help would be greatly appreciated!
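As an added example (not the poster's script and not OpenVPN's own code), here is the shape of an --up script that avoids sudo, takes the tunnel interface from the $dev variable OpenVPN exports, and can be rerun without stacking duplicate rules. The LAN interface, gateway, prefix and port list are assumed values; it also assumes the config permits scripts ("script-security 2").

```shell
#!/bin/sh
# Added example up script for OpenVPN --up. Assumes OpenVPN invokes it as root
# (--up runs before any --user privilege drop, so no sudo) and exports $dev
# (tun device) and $script_type=up as it normally does.
LAN_IF=ens3                    # assumed LAN interface
LAN_GW=192.168.0.1             # assumed LAN gateway
LAN_NET=192.168.0.0/24         # assumed LAN prefix
BYPASS_TABLE=101
FWMARK=2
BYPASS_PORTS="22 80 443 32400" # constructed list of TCP ports kept off the VPN

# Read `ip rule show` output on stdin; exit 0 if our fwmark rule is present.
# Lets reruns skip `ip rule add`, which would otherwise duplicate the rule.
bypass_rule_present() {
    grep -q "fwmark $(printf '0x%x' "$FWMARK") lookup $BYPASS_TABLE"
}

# Build the iptables command that marks one inbound TCP port (pure, testable).
mark_cmd() {
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j MARK --set-mark %s' "$1" "$FWMARK"
}

apply_bypass() {
    if [ "$(id -u)" -ne 0 ]; then
        logger -t up.sh "must run as root, got uid $(id -u); refusing"
        return 1
    fi
    tun="${dev:-tun0}"   # OpenVPN passes the tun device name in $dev
    sysctl -qw "net.ipv4.conf.$tun.rp_filter=0" "net.ipv4.conf.$LAN_IF.rp_filter=0"
    # `replace` is idempotent, unlike `add`, which fails on a second run.
    ip route replace table "$BYPASS_TABLE" default via "$LAN_GW" dev "$LAN_IF"
    ip route replace table "$BYPASS_TABLE" "$LAN_NET" dev "$LAN_IF" scope link
    ip rule show | bypass_rule_present \
        || ip rule add fwmark "$FWMARK" table "$BYPASS_TABLE"
    # Reset only the mangle PREROUTING chain, not every table, so unrelated
    # firewall policy (for example a VPN kill switch) survives the script.
    iptables -t mangle -F PREROUTING
    for p in $BYPASS_PORTS; do
        $(mark_cmd "$p") || logger -t up.sh "failed to mark port $p"
    done
    iptables -t nat -C POSTROUTING -o "$LAN_IF" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
    logger -t up.sh "bypass rules applied for $tun (ports: $BYPASS_PORTS)"
}

# OpenVPN sets script_type=up when calling the --up hook; do nothing otherwise.
if [ "${script_type:-}" = up ]; then
    apply_bypass
fi
```

Because it logs through logger, failures show up in syslog/journal next to OpenVPN's own messages, which is where to look when the service refuses to start.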

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Cannot run script at end of OpenVPN startup

Post by dazo » Tue Jul 18, 2017 8:28 pm

Have you made sure that the user account (the openvpn user?) which runs the script is allowed to do 'sudo' without passwords? Do you really need to use sudo?
