How to customize and extend your OpenVPN installation.
Moderators: TinCanTech
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
by Pippin » Thu Jan 18, 2018 2:43 pm
Hi,
Using the update-resolv-conf script I just discovered that dhcp-option NTP is not working.
tcpdump shows NTP going to the system configured server instead of the pushed one.
update-resolv-conf
Code:
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

case "$script_type" in
  up)
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    R=""
    [ "$SRCHS" ] && R="search $SRCHS
"
    for NS in $NMSRVRS ; do
        R="${R}nameserver $NS
"
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
    ;;
  down)
    /sbin/resolvconf -d "${dev}.openvpn"
    ;;
esac
I can see that DNS and DOMAIN are handled.
Since I know too little about scripting, is someone willing to adjust it to include NTP?
Thanks.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Thu Jan 18, 2018 3:21 pm
Now there is a can-o-worms!
I expect the reason it has never been done before is because there is no generic solution ..
For example, what NTP daemon are you running?
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
by Pippin » Thu Jan 18, 2018 3:26 pm
I'm on Linux Mint 18.3 Cinnamon as client.
ntpd - NTP daemon program - Ver. 4.2.8p4
NTP service also runs on the server where OpenVPN server runs.
ntpd - NTP daemon program - Ver. 4.2.8p9
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Thu Jan 18, 2018 4:11 pm
Technically, dhcp-options are Windows specific ..
I would manually add the VPN server IP to the client ntp.conf.
As for customising the update-resolv-conf script:
- I don't think this is a good idea because it has a clear purpose and is maintained.
Instead you could write a wrapper script (e.g. /etc/openvpn/client-up.sh) which calls update-resolv-conf and then your custom NTP script.
Sorry, I don't have any examples of what that would look like.
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
by Pippin » Thu Jan 18, 2018 8:25 pm
Ok thanks, was thinking that way too but thought modifying update-resolv-conf would be a better solution.
Will try following:
1. remove update-resolv-conf from config
2. instead call up script (and down to reverse)
3. call update-resolv-conf and update-ntp-conf from up-script
4. reverse for down script
Files:
1. original ntp.conf
2. new ntp-ovpn.conf - copy of ntp.conf but NTP servers removed and VPN server IP added
update-ntp-conf will:
1. mv (rename) the two files
2. service ntp restart
Somehow looks dirty
Thanks
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Thu Jan 18, 2018 8:46 pm
Looks ok to me.
Probably need some error checking and what-not as well:
Code:
[ -f "$filename" ] || die "$filename does not exist!"
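Putting the two halves of this thread together (Pippin's request that the 'up' script act on the pushed dhcp-option NTP value, and TinCanTech's advice to leave update-resolv-conf alone, wrap it, and add error checking), here is an added example. It is not from this thread and not an OpenVPN project script. One file serves as both 'up' and 'down' script: it calls update-resolv-conf first, then reads the `foreign_option_*` variables OpenVPN exports, and swaps ntp.conf with a backup instead of keeping two hand-edited copies. The backup path, the `NTP_CONF`/`NTP_BAK` variables and the `NTP_RESTART` override (only there so the logic can be exercised without a real ntpd) are assumptions made for the example. Because a pushed option string comes from the VPN server and lands in a root-owned config file under `script-security 2`, the example only accepts values that look like an address or hostname.

```shell
#!/bin/sh
# Added example (not from this thread, not OpenVPN's own script): one wrapper
# installed as both the 'up' and 'down' script. It calls update-resolv-conf
# first, then applies the NTP server(s) pushed as 'dhcp-option NTP'.
# Assumptions: NTP_BAK as backup path, NTP_RESTART as a way to override the
# restart command (used by tests, not by OpenVPN).

NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"
NTP_BAK="${NTP_BAK:-/etc/ntp.conf.openvpn-bak}"

die() { echo "$0: $*" >&2; exit 1; }

# OpenVPN exports pushed options as foreign_option_N='dhcp-option NTP <addr>'.
# Print the <addr> values, one per line; DNS/DOMAIN options are ignored here.
ntp_servers_from_env() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option NTP \([^ ]*\)$/\1/p'
}

# A pushed value ends up in a root-owned config file, so accept only the
# characters an IP address or hostname can contain.
valid_ntp_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write $2 = copy of $1 with its server/pool/peer lines replaced by $3...
make_vpn_ntp_conf() {
    base="$1"; out="$2"; shift 2
    [ -f "$base" ] || die "$base does not exist!"
    sed -E '/^[[:space:]]*(server|pool|peer)[[:space:]]/d' "$base" > "$out" \
        || die "cannot write $out"
    for s in "$@"; do
        printf 'server %s iburst\n' "$s" >> "$out"
    done
}

restart_ntp() {
    ${NTP_RESTART:-service ntp restart} || die "ntp restart failed"
}

ntp_up() {
    servers=$(ntp_servers_from_env)
    if [ -z "$servers" ]; then
        echo "no NTP option pushed, leaving $NTP_CONF alone"
        return 0
    fi
    for s in $servers; do
        valid_ntp_host "$s" || die "refusing pushed NTP server '$s'"
    done
    [ -f "$NTP_CONF" ] || die "$NTP_CONF does not exist!"
    if [ -e "$NTP_BAK" ]; then
        die "$NTP_BAK already exists: previous session not cleaned up?"
    fi
    tmp="$NTP_CONF.tmp.$$"
    make_vpn_ntp_conf "$NTP_CONF" "$tmp" $servers
    # back up before installing, so a failure leaves the original in place
    cp -p "$NTP_CONF" "$NTP_BAK" || die "backup of $NTP_CONF failed"
    mv "$tmp" "$NTP_CONF" || die "install of $NTP_CONF failed"
    restart_ntp
}

ntp_down() {
    if [ ! -f "$NTP_BAK" ]; then
        echo "no $NTP_BAK, nothing to restore"   # up did not swap anything
        return 0
    fi
    mv "$NTP_BAK" "$NTP_CONF" || die "restore of $NTP_CONF failed"
    restart_ntp
}

main() {
    /etc/openvpn/update-resolv-conf || die "update-resolv-conf failed"
    case "$script_type" in
        up)   ntp_up ;;
        down) ntp_down ;;
        *)    die "unexpected script_type '$script_type'" ;;
    esac
}

# OpenVPN sets script_type; when sourced for testing nothing runs.
if [ -n "$script_type" ]; then
    main
fi
```

Install it with the same `script-security 2`, `up` and `down` lines as the client.conf later in this thread, pointing both at this one file; OpenVPN passes `script_type` so the script knows which way to go. Restoring from a backup rather than renaming a second config means the original ntp.conf cannot be lost if the VPN comes up twice.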
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Thu Jan 18, 2018 9:07 pm
If you want you can contact me privately : tincanteksup <at> gmail
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
by Pippin » Thu Jan 18, 2018 11:47 pm
It works fine this way:
up.sh
Code:
#!/bin/sh
/etc/openvpn/update-resolv-conf
# Update NTP to OpenVPN server
mv /etc/ntp.conf /etc/ntp-bak.conf
mv /etc/ntp-ovpn.conf /etc/ntp.conf
service ntp restart
exit 0
service status ntp
Code:
ntp.service - LSB: Start NTP daemon
Loaded: loaded (/etc/init.d/ntp; enabled; vendor preset: enabled)
Active: active (running) since vr 2018-01-19 00:27:26 CET; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 12620 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
Process: 12632 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ntp.service
└─12650 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 109:116
jan 19 00:27:26 Laptop-1 ntpd[12650]: proto: precision = 0.117 usec (-23)
jan 19 00:27:26 Laptop-1 ntpd[12650]: restrict: ignoring line 38, mask '::' unusable.
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen and drop on 0 v4wildcard 0.0.0.0:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 1 lo 127.0.0.1:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 2 enp0s29u1u2 192.168.42.47:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listen normally on 3 tun0 192.168.168.2:123
jan 19 00:27:26 Laptop-1 ntpd[12650]: Listening on routing socket on fd #20 for interface updates
jan 19 00:27:27 Laptop-1 ntpd[12650]: Soliciting pool server 192.168.168.1
down.sh
Code:
#!/bin/sh
/etc/openvpn/update-resolv-conf
# Update NTP to previous servers
mv /etc/ntp.conf /etc/ntp-ovpn.conf
mv /etc/ntp-bak.conf /etc/ntp.conf
service ntp restart
exit 0
service status ntp
Code:
ntp.service - LSB: Start NTP daemon
Loaded: loaded (/etc/init.d/ntp; enabled; vendor preset: enabled)
Active: active (running) since vr 2018-01-19 00:40:21 CET; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 12847 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
Process: 12858 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ntp.service
└─12871 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 109:116
jan 19 00:40:21 Laptop-1 systemd[1]: Started LSB: Start NTP daemon.
jan 19 00:40:21 Laptop-1 ntpd[12871]: proto: precision = 0.090 usec (-23)
jan 19 00:40:21 Laptop-1 ntpd[12871]: restrict: ignoring line 37, mask '::' unusable.
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen and drop on 0 v4wildcard 0.0.0.0:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen normally on 1 lo 127.0.0.1:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listen normally on 2 enp0s29u1u2 192.168.42.47:123
jan 19 00:40:21 Laptop-1 ntpd[12871]: Listening on routing socket on fd #19 for interface updates
jan 19 00:40:22 Laptop-1 ntpd[12871]: Soliciting pool server 185.51.192.34
Now the struggle begins
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Fri Jan 19, 2018 12:50 am
Pippin wrote: ↑Thu Jan 18, 2018 10:15 pm
want to struggle first
Pippin wrote: ↑Thu Jan 18, 2018 11:47 pm
It works fine this way
Pippin wrote: ↑Thu Jan 18, 2018 11:47 pm
Now the struggle begins
I have detailed files
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
by Pippin » Fri Jan 19, 2018 8:23 am
Me too now
client.conf:
Code:
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
down-pre
up.sh
Code:
#!/bin/sh -x
# Run a command and report a non-zero exit status.
run() {
    "$@"
    rc=$?
    # $? is overwritten by the test itself, so keep the status in rc
    if [ $rc -ne 0 ]
    then
        echo "$* Failed with exit code $rc"
        return 1
    else
        return 0
    fi
}
run /etc/openvpn/update-resolv-conf &&
run mv /etc/ntp.conf /etc/ntp-bak.conf &&
run mv /etc/ntp-ovpn.conf /etc/ntp.conf &&
run systemctl restart ntp
down.sh
Code:
#!/bin/sh -x
# Run a command and report a non-zero exit status.
run() {
    "$@"
    rc=$?
    # $? is overwritten by the test itself, so keep the status in rc
    if [ $rc -ne 0 ]
    then
        echo "$* Failed with exit code $rc"
        return 1
    else
        return 0
    fi
}
run /etc/openvpn/update-resolv-conf &&
run mv /etc/ntp.conf /etc/ntp-ovpn.conf &&
run mv /etc/ntp-bak.conf /etc/ntp.conf &&
run systemctl restart ntp
OpenVPN log:
Code:
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 192.168.168.2/24 broadcast 192.168.168.255
/etc/openvpn/up.sh tun0 1500 1602 192.168.168.2 255.255.255.0 init
+ run /etc/openvpn/update-resolv-conf
+ /etc/openvpn/update-resolv-conf
+ '[' -x /sbin/resolvconf ']'
+ '[' up ']'
+ '[' tun0 ']'
+ case "$script_type" in
+ NMSRVRS=
+ SRCHS=
+ for optionvarname in '${!foreign_option_*}'
+ option='dhcp-option DNS 192.168.168.1'
+ echo 'dhcp-option DNS 192.168.168.1'
dhcp-option DNS 192.168.168.1
+ split_into_parts dhcp-option DNS 192.168.168.1
+ part1=dhcp-option
+ part2=DNS
+ part3=192.168.168.1
+ '[' dhcp-option = dhcp-option ']'
+ '[' DNS = DNS ']'
+ NMSRVRS=192.168.168.1
+ for optionvarname in '${!foreign_option_*}'
+ option='dhcp-option NTP 192.168.168.1'
+ echo 'dhcp-option NTP 192.168.168.1'
dhcp-option NTP 192.168.168.1
+ split_into_parts dhcp-option NTP 192.168.168.1
+ part1=dhcp-option
+ part2=NTP
+ part3=192.168.168.1
+ '[' dhcp-option = dhcp-option ']'
+ '[' NTP = DNS ']'
+ '[' NTP = DOMAIN ']'
+ R=
+ '[' '' ']'
+ for NS in '$NMSRVRS'
+ R='nameserver 192.168.168.1
'
+ /sbin/resolvconf -a tun0.openvpn
+ echo -n 'nameserver 192.168.168.1
'
+ [ 0 -ne 0 ]
+ return 0
+ run mv /etc/ntp.conf /etc/ntp-bak.conf
+ mv /etc/ntp.conf /etc/ntp-bak.conf
+ [ 0 -ne 0 ]
+ return 0
+ mv /etc/ntp-ovpn.conf /etc/ntp.conf
+ run service ntp restart
+ systemctl restart ntp
+ [ 0 -ne 0 ]
+ return 0
...
...
Initialization Sequence Completed
I think this is good enough, thanks.