NTP and update-resolv-conf

How to customize and extend your OpenVPN installation.
Pippin
Forum Team
Posts: 766
Joined: Wed Jul 01, 2015 8:03 am

NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 2:43 pm

Hi,

Using update-resolv-conf script I just discovered that dhcp-option NTP is not working.
tcpdump shows NTP going to the system configured server instead of the pushed one.
update-resolv-conf

Code:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
        	R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
	;;
  down)
	/sbin/resolvconf -d "${dev}.openvpn"
	;;
esac

Can see that DNS and DOMAIN is done.
Since I know too little about scripting, someone willing to adjust it to include NTP?

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7163
Joined: Fri Jun 03, 2016 1:17 pm

Re: NTP and update-resolv-conf

Post by TinCanTech » Thu Jan 18, 2018 3:21 pm

Now there is a can-o-worms ! :twisted:

I expect the reason it has never been done before is because there is no generic solution ..

For example, what NTP daemon are you running ?

Re: NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 3:26 pm

I'm on Linux Mint 18.3 Cinnamon as client.
ntpd - NTP daemon program - Ver. 4.2.8p4

NTP service also runs on the server where OpenVPN server runs.
ntpd - NTP daemon program - Ver. 4.2.8p9

Re: NTP and update-resolv-conf

Post by TinCanTech » Thu Jan 18, 2018 4:11 pm

Technically, dhcp-options are Windows specific ..

I would manually add the VPN server IP to the client ntp.conf

As for customising the update-resolv-conf script:
  • I don't think this is a good idea because it has a clear purpose and is maintained.

    Instead you could write a wrapper script (e.g. /etc/openvpn/client-up.sh)
    which calls update-resolv-conf and then your custom NTP script.
    Sorry, I don't have any examples of what that would look like.

Re: NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 8:25 pm

Ok thanks, was thinking that way too but thought modifying update-resolv-conf would be a better solution.

Will try following:
1. remove update-resolv-conf from config
2. instead call up script (and down to reverse)
3. call update-resolv-conf and update-ntp-conf from up-script
4. reverse for down script

Files:
1. original ntp.conf
2. new ntp-ovpn.conf - copy of ntp.conf but NTP servers removed and VPN server IP added

update-ntp-conf will:
1. mv (rename) the two files
2. service ntp restart

Somehow looks dirty :)

Thanks

Re: NTP and update-resolv-conf

Post by TinCanTech » Thu Jan 18, 2018 8:46 pm

Looks ok to me ;)

P-probably need some error checking and what-not as well

Code:

 # die is not a shell builtin; define it first, e.g. die() { echo "$*" >&2; exit 1; }
 [ -f "$filename" ] || die "$filename does not exist!"

:geek:

Re: NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 8:59 pm

That's too much for me already :cry:
:mrgreen:

Re: NTP and update-resolv-conf

Post by TinCanTech » Thu Jan 18, 2018 9:07 pm

If you want you can contact me privately : tincanteksup <at> gmail

Re: NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 10:15 pm

That's a kind offer but want to struggle first, thanks.

Re: NTP and update-resolv-conf

Post by Pippin » Thu Jan 18, 2018 11:47 pm

It works fine this way:
up.sh

Code:

#!/bin/sh

/etc/openvpn/update-resolv-conf

# Update NTP to OpenVPN server
mv /etc/ntp.conf /etc/ntp-bak.conf
mv /etc/ntp-ovpn.conf /etc/ntp.conf
service ntp restart

exit 0

service status ntp

Code:

ntp.service - LSB: Start NTP daemon
   Loaded: loaded (/etc/init.d/ntp; enabled; vendor preset: enabled)
   Active: active (running) since vr 2018-01-19 00:27:26 CET; 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12620 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
  Process: 12632 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ntp.service
           └─12650 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 109:116

jan 19 00:27:26 Laptop-1 ntpd[12650]: proto: precision = 0.117 usec (-23)
jan 19 00:27:26 Laptop-1 ntpd[12650]: restrict: ignoring line 38, mask '::' unusable.
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen and drop on 0 v4wildcard 0.0.0.0:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 1 lo 127.0.0.1:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 2 enp0s29u1u2 192.168.42.47:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 3 tun0 192.168.168.2:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listening on routing socket on fd #20 for interface updates
jan 19 00:27:27 Laptop-1 ntpd[12650]: Soliciting pool server 192.168.168.1

down.sh

Code:

#!/bin/sh

/etc/openvpn/update-resolv-conf

# Update NTP to previous servers
mv /etc/ntp.conf /etc/ntp-ovpn.conf
mv /etc/ntp-bak.conf /etc/ntp.conf
service ntp restart

exit 0

service status ntp

Code:

ntp.service - LSB: Start NTP daemon
   Loaded: loaded (/etc/init.d/ntp; enabled; vendor preset: enabled)
   Active: active (running) since vr 2018-01-19 00:40:21 CET; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12847 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
  Process: 12858 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ntp.service
           └─12871 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 109:116

jan 19 00:40:21 Laptop-1 systemd[1]: Started LSB: Start NTP daemon.
jan 19 00:40:21 Laptop-1 ntpd[12871]: proto: precision = 0.090 usec (-23)
jan 19 00:40:21 Laptop-1 ntpd[12871]: restrict: ignoring line 37, mask '::' unusable.
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen and drop on 0 v4wildcard 0.0.0.0:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen normally on 1 lo 127.0.0.1:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen normally on 2 enp0s29u1u2 192.168.42.47:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listening on routing socket on fd #19 for interface updates
jan 19 00:40:22 Laptop-1 ntpd[12871]: Soliciting pool server 185.51.192.34

Now the struggle begins :)

Re: NTP and update-resolv-conf

Post by TinCanTech » Fri Jan 19, 2018 12:50 am

Pippin wrote:
Thu Jan 18, 2018 10:15 pm
want to struggle first
Pippin wrote:
Thu Jan 18, 2018 11:47 pm
It works fine this way
Pippin wrote:
Thu Jan 18, 2018 11:47 pm
Now the struggle begins :)

I have detailed files :mrgreen:

Re: NTP and update-resolv-conf

Post by Pippin » Fri Jan 19, 2018 8:23 am

Me too now :mrgreen:

client.conf:

Code:

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
down-pre

up.sh

Code:

#!/bin/sh -x

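run() {
    # Run the command with its arguments kept intact, then report a failure.
    # $? must be saved at once: the [ test below would overwrite it.
    "$@"
    rc=$?
    if [ $rc -ne 0 ]
        then
        echo "$* Failed with exit code $rc"
        return 1
    else
        return 0
    fi
}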

run /etc/openvpn/update-resolv-conf &&
    run mv /etc/ntp.conf /etc/ntp-bak.conf &&
        mv /etc/ntp-ovpn.conf /etc/ntp.conf &&
            run systemctl restart ntp

down.sh

Code:

#!/bin/sh -x

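run() {
    # Run the command with its arguments kept intact, then report a failure.
    # $? must be saved at once: the [ test below would overwrite it.
    "$@"
    rc=$?
    if [ $rc -ne 0 ]
        then
        echo "$* Failed with exit code $rc"
        return 1
    else
        return 0
    fi
}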

run /etc/openvpn/update-resolv-conf &&
    run mv /etc/ntp.conf /etc/ntp-ovpn.conf &&
        mv /etc/ntp-bak.conf /etc/ntp.conf &&
            run systemctl restart ntp

OpenVPN log:

Code:

/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 192.168.168.2/24 broadcast 192.168.168.255
/etc/openvpn/up.sh tun0 1500 1602 192.168.168.2 255.255.255.0 init
+ run /etc/openvpn/update-resolv-conf
+ /etc/openvpn/update-resolv-conf
+ '[' -x /sbin/resolvconf ']'
+ '[' up ']'
+ '[' tun0 ']'
+ case "$script_type" in
+ NMSRVRS=
+ SRCHS=
+ for optionvarname in '${!foreign_option_*}'
+ option='dhcp-option DNS 192.168.168.1'
+ echo 'dhcp-option DNS 192.168.168.1'
dhcp-option DNS 192.168.168.1
+ split_into_parts dhcp-option DNS 192.168.168.1
+ part1=dhcp-option
+ part2=DNS
+ part3=192.168.168.1
+ '[' dhcp-option = dhcp-option ']'
+ '[' DNS = DNS ']'
+ NMSRVRS=192.168.168.1
+ for optionvarname in '${!foreign_option_*}'
+ option='dhcp-option NTP 192.168.168.1'
+ echo 'dhcp-option NTP 192.168.168.1'
dhcp-option NTP 192.168.168.1
+ split_into_parts dhcp-option NTP 192.168.168.1
+ part1=dhcp-option
+ part2=NTP
+ part3=192.168.168.1
+ '[' dhcp-option = dhcp-option ']'
+ '[' NTP = DNS ']'
+ '[' NTP = DOMAIN ']'
+ R=
+ '[' '' ']'
+ for NS in '$NMSRVRS'
+ R='nameserver 192.168.168.1
'
+ /sbin/resolvconf -a tun0.openvpn
+ echo -n 'nameserver 192.168.168.1
'
+ [ 0 -ne 0 ]
+ return 0
+ run mv /etc/ntp.conf /etc/ntp-bak.conf
+ mv /etc/ntp.conf /etc/ntp-bak.conf
+ [ 0 -ne 0 ]
+ return 0
+ mv /etc/ntp-ovpn.conf /etc/ntp.conf
+ run service ntp restart
+ systemctl restart ntp
+ [ 0 -ne 0 ]
+ return 0
...
...
Initialization Sequence Completed

I think this is good enough, thanks.
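
The `update-ntp-conf` helper named in the plan above could read the pushed `dhcp-option NTP` value itself instead of relying on a hand-made ntp-ovpn.conf. This is an added sketch, not code from the thread or from OpenVPN: the function names and the `NTP_CONF`/`NTP_BAK` overrides are assumptions, only IPv4 addresses are accepted, and the `server ... iburst` line assumes ntpd's configuration syntax.

```shell
#!/bin/sh
# update-ntp-conf (added sketch): called from up.sh/down.sh, which pass on script_type and foreign_option_N.
NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"      # overridable for testing on copies
NTP_BAK="${NTP_BAK:-/etc/ntp-bak.conf}"

# True only for a dotted-quad IPv4 address; pushed options are untrusted input.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print every valid address pushed as 'dhcp-option NTP <addr>'.
pushed_ntp_servers() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        set -f; set -- $opt; set +f         # split on spaces without globbing
        if [ "${1:-}" = dhcp-option ] && [ "${2:-}" = NTP ] && is_ipv4 "${3:-}"; then
            echo "$3"
        fi
        i=$((i + 1))
    done
}

# Point ntpd at the pushed servers, keeping the original config as $NTP_BAK.
ntp_up() {
    servers=$(pushed_ntp_servers)
    [ -n "$servers" ] || return 0           # nothing usable pushed: change nothing
    # A leftover backup means an earlier 'down' never ran; it is the real original.
    [ -e "$NTP_BAK" ] || cp -p "$NTP_CONF" "$NTP_BAK" || return 1
    tmp=$(mktemp "$NTP_CONF.XXXXXX") || return 1
    grep -Ev '^[[:space:]]*(server|pool|peer)[[:space:]]' "$NTP_BAK" > "$tmp" ||
        [ $? -eq 1 ] || return 1            # grep exits 1 when no lines remain
    for s in $servers; do echo "server $s iburst" >> "$tmp"; done
    chmod 644 "$tmp" && mv "$tmp" "$NTP_CONF"   # rename swaps the file in one step
}

# Restore the original config if a backup exists.
ntp_down() {
    [ -e "$NTP_BAK" ] || return 0
    mv "$NTP_BAK" "$NTP_CONF"
}

case "${script_type:-}" in
    up)   ntp_up   && systemctl restart ntp ;;
    down) ntp_down && systemctl restart ntp ;;
esac
```

Called from up.sh and down.sh after update-resolv-conf, a second `up` without an intervening `down` reuses the existing backup rather than overwriting it.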
