Execute script on the event the OpenVPN or ISP disconnect

[crows]

Hello,

This is a continuation from the spilt tunnelling post which thanks to Eddie and Titex have pointed me in the right direction to get it working. I am ever grateful for their help.

Unfortunately because of Open-VPN(PIA) drops connection at least every day I was wondering if there is something I could do so that when open-vpn (tun1) or ISp(ppp0) disconnect and reconnect causing a change of IP I could initiate my start-up script(.rc_startup) to execute automatically. Because at the moment as soon as this happens my routing table goes haywire.

Appreciate any guidance.

Thank you
Crows

[crows]

Maybe an easier solution would be to run the script once the open VPN re-connects without worrying about the IP change?

[pia_user]

crows: There is --up-restart and --up cmd, which may help you where the vpn is concerned.

To catch reconnects by pppd, you will need to dig into pppd. I think I remember that there is the option to run scripts after a connection has been established as well. It's bit a (long) while, but I think there were folders like if-up.d or so into which you could place scripts to run.

[crows]

Hi thanks for responding...I can only see scripts route-up.sh and route-down.sh, are these what your talking about, and when do these scripts actually get called?

Thanks
Crows

crows: There is --up-restart and --up cmd, which may help you where the vpn is concerned.

To catch reconnects by pppd, you will need to dig into pppd. I think I remember that there is the option to run scripts after a connection has been established as well. It's bit a (long) while, but I think there were folders like if-up.d or so into which you could place scripts to run.

[pia_user]

Sorry, are you talking about OpenVPN or pppd?

--up and --down are explained in the manual. You can also put "up" and "down" in the OpenVPN configuration. Re pppd, the best place to start looking for options is in the pppd documentation for your Linux distribution.

[crows]

OpenVPN...I cannot see up or down scripts in any of the directories.

Sorry, are you talking about OpenVPN or pppd?

--up and --down are explained in the manual. You can also put "up" and "down" in the OpenVPN configuration. Re pppd, the best place to start looking for options is in the pppd documentation for your Linux distribution.

[pia_user]

That's because you need to create these. You can specify (e.g., with the command line parameters --up [cmd] and --down [cmd]) names of scripts to be run, and can then do whatever makes sense on your system. Instead of the command line parameters, you can also use "up [cmd]" and "down [cmd]" in your config file. So you could, e.g., execute your update script this way when the VPN is established or the connection is dropped.

[crows]

Thanks...can you provide me with a little example please, is this what you mean:

up sh /tmp/custom.sh (will this work? I want to run this custom script when the vpn comes up)

All I want to do is to run these routes like the ones below, is this what my up script will look like and where do I save it.

#!/bin/sh
#Whats my IP#
ip rule add to 66.171.248.172 table main
ip route flush cache

Thanks
Rick

That's because you need to create these. You can specify (e.g., with the command line parameters --up [cmd] and --down [cmd]) names of scripts to be run, and can then do whatever makes sense on your system. Instead of the command line parameters, you can also use "up [cmd]" and "down [cmd]" in your config file. So you could, e.g., execute your update script this way when the VPN is established or the connection is dropped.

[pia_user]

Hi Rick - As you can see from the parallel thread here topic19342.html, this is pretty much what I'm doing. My script is a bit more complex, but essentially also is only meant to switch a certain VPN routing on/off or adjust it, when the VPN connection is established or breaks down.

I have

Code: Select all

script-security 2
up "/usr/local/bin/VPN_routing on"
down "/usr/local/bin/VPN_routing off"

in my client.conf. Based on the limited understand I have of what you would like to do, you might probably rather want to go with

Code: Select all

script-security 2
up-restart "/usr/local/bin/VPN_routing on"

with, only, i.e. no "down" script, and "up-restart" instead of just "up". That might(!) also spare you the difficulties I had in the other thread, as I also needed "down", and there is no "down-restart".

[crows]

so in my config it will look like this:

script-security 2 (Don't know what this does)
up-restart sh /tmp/custom.sh

This right? even though there is no up-restart script(or is this part of os?)

Your post is essentially what Im after...I'm a client though does that make a difference to PIA

You refer to a manual which one I cannot see any reference...I'm using DD-WRT if that makes a difference

I dont have these files either:
up "/usr/local/bin/VPN_routing on"
down "/usr/local/bin/VPN_routing off"

And if I run up-restart my system says not found

Thanks

Hi Rick - As you can see from the parallel thread here topic19342.html, this is pretty much what I'm doing. My script is a bit more complex, but essentially also is only meant to switch a certain VPN routing on/off or adjust it, when the VPN connection is established or breaks down.

I have

Code: Select all

script-security 2
up "/usr/local/bin/VPN_routing on"
down "/usr/local/bin/VPN_routing off"

in my client.conf. Based on the limited understand I have of what you would like to do, you might probably rather want to go with

Code: Select all

script-security 2
up-restart "/usr/local/bin/VPN_routing on"

with, only, i.e. no "down" script, and "up-restart" instead of just "up". That might(!) also spare you the difficulties I had in the other thread, as I also needed "down", and there is no "down-restart".

[pia_user]

/usr/local/bin/VPN_routing is a script I wrote myself. It creates a routing table, sets up some iptables rules to mark certain tcp packets and then routes marked packets through the VPN to the world. Nothing you need, you have your script (custom.sh).

The manual to OpenVPN (describing "script-security" and the rest) is here: https://openvpn.net/index.php/open-sour ... npage.html

I have no clue about DD-WRT. I would try to go with

Code: Select all

script-security 2
up-restart /tmp/custom.sh

in your case. If you want (or have to) specify sh explicitly, use quotes:

Code: Select all

script-security 2
up-restart "sh /tmp/custom.sh"

[crows]

if I execute up-restart system says file not found...however there is a file called route-up and route down

[pia_user]

the two lines need to go into your client.conf. OpenVPN will then execute your custom.sh each time the VPN is restarted (newly/reestablished).

If you do not have any configuration file for OpenVPN, you can also add

Code: Select all

--up-restart /tmp/custom.sh

to your OpenVPN command line.

[crows]

Yes I do have a config file and I inserted those lines as is but it doesnt work as my routes arent working...if I execute the custom.sh manually they all work again

If I run the --up-restart /tmp/custom.sh (Telnet) it says up-restart not found.

My config looks like this:

route-nopull
--up-restart "sh /tmp/custom.sh" (tried with and without quotes)
persist-key
persist-tun
tls-client
remote-cert-tls server

Thanks for helping me.

the two lines need to go into your client.conf. OpenVPN will then execute your custom.sh each time the VPN is restarted (newly/reestablished).

If you do not have any configuration file for OpenVPN, you can also add

Code: Select all

--up-restart /tmp/custom.sh

to your OpenVPN command line.

[pia_user]

Your config should look like this for a start:

Code: Select all

route-nopull
persist-key
persist-tun
tls-client
remote-cert-tls server
script-security 2
up-restart /tmp/custom.sh

Create this config, restart OpenVPN, and see what happens. It might be helpful to post the logfile, if things don't work as you'd expect.

[crows]

Yep did that and rebooted, routes are not there indicating script did not run on bootup. Maybe it will execute on the next disconnection?

I have enabled system log below nothing of real value I think, and the one just below that is my status report maybe a little better:

System Error Log
an 1 10:30:02 DD-WRT syslog.info syslogd started: BusyBox v1.23.2
Jan 1 00:00:02 DD-WRT kern.notice kernel: klogd started: BusyBox v1.23.2 (2015-07-15 23:24:09 CEST)
Jan 1 00:00:02 DD-WRT kern.info kernel: Booting Linux on physical CPU 0x0
Jan 1 00:00:02 DD-WRT kern.notice kernel: Linux version 3.10.84 (bluebat@opensuse) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r42925) ) #394 SMP Tue Jul 14 23:57:58 CEST 2015
Jan 1 00:00:02 DD-WRT kern.warn kernel: CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c53c7d
Jan 1 00:00:02 DD-WRT kern.warn kernel: CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Jan 1 00:00:02 DD-WRT kern.warn kernel: Machine: Northstar Prototype
Jan 1 00:00:02 DD-WRT kern.warn kernel: Ignoring unrecognised tag 0x00000000
Jan 1 00:00:02 DD-WRT kern.warn kernel: Memory policy: ECC disabled, Data cache writealloc
Jan 1 00:00:02 DD-WRT kern.info kernel: map io
Jan 1 00:00:02 DD-WRT kern.info kernel: MPCORE found at 19020000 (VIRT d9020000) 18000000 d8000000
Jan 1 00:00:02 DD-WRT kern.debug kernel: On node 0 totalpages: 65536
Jan 1 00:00:02 DD-WRT kern.debug kernel: free_area_init_node: node 0, pgdat c0400940, node_mem_map c0479000
Jan 1 00:00:02 DD-WRT kern.debug kernel: Normal zone: 256 pages used for memmap
Jan 1 00:00:02 DD-WRT kern.debug kernel: Normal zone: 0 pages reserved
Jan 1 00:00:02 DD-WRT kern.debug kernel: Normal zone: 32768 pages, LIFO batch:7
Jan 1 00:00:02 DD-WRT kern.debug kernel: HighMem zone: 4352 pages used for memmap
Jan 1 00:00:02 DD-WRT kern.debug kernel: HighMem zone: 32768 pages, LIFO batch:7
Jan 1 00:00:02 DD-WRT kern.info kernel: PERCPU: Embedded 7 pages/cpu @c1688000 s6400 r8192 d14080 u32768
Jan 1 00:00:02 DD-WRT kern.debug kernel: pcpu-alloc: s6400 r8192 d14080 u32768 alloc=8*4096
Jan 1 00:00:02 DD-WRT kern.debug kernel: pcpu-alloc: [0] 0 [0] 1
Jan 1 00:00:02 DD-WRT kern.warn kernel: Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65280
Jan 1 00:00:02 DD-WRT kern.notice kernel: Kernel command line: console=ttyS0,115200 panic=10 root=/dev/mtdblock3 earlyprintk=1 rootfstype=squashfs,jffs2 noinitrd init=/bin/sh
Jan 1 00:00:02 DD-WRT kern.info kernel: PID hash table entries: 512 (order: -1, 2048 bytes)
Jan 1 00:00:02 DD-WRT kern.info kernel: Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Jan 1 00:00:02 DD-WRT kern.info kernel: Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Jan 1 00:00:02 DD-WRT kern.info kernel: Memory: 128MB 128MB = 256MB total
Jan 1 00:00:02 DD-WRT kern.notice kernel: Memory: 255284k/255284k available, 6860k reserved, 131072K highmem
Jan 1 00:00:02 DD-WRT kern.notice kernel: Virtual kernel memory layout:
Jan 1 00:00:02 DD-WRT kern.notice kernel: vector : 0xffff0000 - 0xffff1000 ( 4 kB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: vmalloc : 0xc8800000 - 0xff000000 ( 872 MB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: lowmem : 0xc0000000 - 0xc8000000 ( 128 MB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: .text : 0xc0008000 - 0xc03aada4 (3724 kB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: .init : 0xc03ab000 - 0xc03e5900 ( 235 kB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: .data : 0xc03e6000 - 0xc0418a20 ( 203 kB)
Jan 1 00:00:02 DD-WRT kern.notice kernel: .bss : 0xc0418a20 - 0xc0478ee4 ( 386 kB)
Jan 1 00:00:02 DD-WRT kern.info kernel: Hierarchical RCU implementation.
Jan 1 00:00:02 DD-WRT kern.info kernel: CONFIG_RCU_FANOUT set to non-default value of 2
Jan 1 00:00:02 DD-WRT kern.info kernel: NR_IRQS:256
Jan 1 00:00:02 DD-WRT kern.info kernel: MPCORE GIC init
Jan 1 00:00:02 DD-WRT kern.warn kernel: External imprecise Data abort at addr=0x0, fsr=0x1c06 ignored.
Jan 1 00:00:02 DD-WRT kern.info kernel: MPCORE Global Timer Clock 500000000Hz on IRQ 27
Jan 1 00:00:02 DD-WRT kern.info kernel: sched_clock: 32 bits at 500MHz, resolution 2ns, wraps every 8589ms
Jan 1 00:00:02 DD-WRT kern.info kernel: register local timer
Jan 1 00:00:02 DD-WRT kern.err kernel: smp_twd: clock not found -2
Jan 1 00:00:02 DD-WRT kern.info kernel: Calibrating delay loop... 1987.37 BogoMIPS (lpj=9936896)


Status log:

Clientlog:
19700101 10:30:05 I OpenVPN 2.3.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 15 2015
19700101 10:30:05 I library versions: OpenSSL 1.0.2d 9 Jul 2015 LZO 2.09
19700101 10:30:05 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 10:30:05 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19700101 10:30:05 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 10:30:05 Socket Buffers: R=[180224->131072] S=[180224->131072]
19700101 10:30:05 I UDPv4 link local: [undef]
19700101 10:30:05 I UDPv4 link remote: [AF_INET]xxx.xxx.xxx:1194
20150731 15:28:22 I [UNDEF] Inactivity timeout (--ping-restart) restarting
20150731 15:28:22 I SIGUSR1[soft ping-restart] received process restarting
20150731 15:28:22 Restart pause 2 second(s)
20150731 15:28:24 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20150731 15:28:24 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150731 15:28:24 I UDPv4 link local: [undef]
20150731 15:28:24 I UDPv4 link remote: [AF_INET]xxx.xxx.xxx:1194
20150731 15:28:24 TLS: Initial packet from [AF_INET]xxx.xxx.xxx:1194 sid=4e9a6def de1e23b0
20150731 15:28:24 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20150731 15:28:24 VERIFY OK: depth=1 C=US ST=OH L=Columbus O=Private Internet Access CN=Private Internet Access CA emailAddress=secure@privateinternetaccess.com
20150731 15:28:24 Validating certificate key usage
20150731 15:28:24 ++ Certificate has key usage 00a0 expects 00a0
20150731 15:28:24 NOTE: --mute triggered...
20150731 15:28:25 10 variation(s) on previous 3 message(s) suppressed by --mute
20150731 15:28:25 I [Private Internet Access] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx:1194
20150731 15:28:27 SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
20150731 15:28:27 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS xxx.xxx.xxx dhcp-option DNS xxx.xxx.xxx ping 10 comp-lzo no route xxx.xxx.xxx topology net30 ifconfig xxx.xxx.xxx'
20150731 15:28:27 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20150731 15:28:27 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150731 15:28:27 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20150731 15:28:27 NOTE: --mute triggered...
20150731 15:28:27 1 variation(s) on previous 3 message(s) suppressed by --mute
20150731 15:28:27 OPTIONS IMPORT: timers and/or timeouts modified
20150731 15:28:27 OPTIONS IMPORT: LZO parms modified
20150731 15:28:27 OPTIONS IMPORT: --ifconfig/up options modified
20150731 15:28:27 I TUN/TAP device tun1 opened
20150731 15:28:27 TUN/TAP TX queue length set to 100
20150731 15:28:27 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20150731 15:28:27 I /sbin/ifconfig tun1 xxx.xxx.xxx pointopoint xxx.xxx.xxx mtu 1500
20150731 15:28:27 I Initialization Sequence Completed
20150731 15:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:28:32 D MANAGEMENT: CMD 'state'
20150731 15:28:32 MANAGEMENT: Client disconnected
20150731 15:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:28:32 D MANAGEMENT: CMD 'state'
20150731 15:28:32 MANAGEMENT: Client disconnected
20150731 15:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:28:32 D MANAGEMENT: CMD 'state'
20150731 15:28:32 MANAGEMENT: Client disconnected
20150731 15:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:28:32 D MANAGEMENT: CMD 'status 2'
20150731 15:28:32 MANAGEMENT: Client disconnected
20150731 15:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:28:32 D MANAGEMENT: CMD 'log 500'
20150731 15:28:32 MANAGEMENT: Client disconnected
20150731 15:29:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:29:57 D MANAGEMENT: CMD 'state'
20150731 15:29:57 MANAGEMENT: Client disconnected
20150731 15:29:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:29:57 D MANAGEMENT: CMD 'state'
20150731 15:29:57 MANAGEMENT: Client disconnected
20150731 15:29:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:29:57 D MANAGEMENT: CMD 'state'
20150731 15:29:57 MANAGEMENT: Client disconnected
20150731 15:29:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:29:57 D MANAGEMENT: CMD 'status 2'
20150731 15:29:57 MANAGEMENT: Client disconnected
20150731 15:29:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:29:57 D MANAGEMENT: CMD 'log 500'
20150731 15:29:57 MANAGEMENT: Client disconnected
20150731 15:32:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:32:58 D MANAGEMENT: CMD 'state'
20150731 15:32:58 MANAGEMENT: Client disconnected
20150731 15:32:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:32:58 D MANAGEMENT: CMD 'state'
20150731 15:32:58 MANAGEMENT: Client disconnected
20150731 15:32:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:32:58 D MANAGEMENT: CMD 'state'
20150731 15:32:58 MANAGEMENT: Client disconnected
20150731 15:32:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:32:58 D MANAGEMENT: CMD 'status 2'
20150731 15:32:58 MANAGEMENT: Client disconnected
20150731 15:32:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:32:58 D MANAGEMENT: CMD 'log 500'
20150731 15:32:58 MANAGEMENT: Client disconnected
20150731 15:35:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:35:06 D MANAGEMENT: CMD 'state'
20150731 15:35:06 MANAGEMENT: Client disconnected
20150731 15:35:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:35:06 D MANAGEMENT: CMD 'state'
20150731 15:35:06 MANAGEMENT: Client disconnected
20150731 15:35:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:35:06 D MANAGEMENT: CMD 'state'
20150731 15:35:06 MANAGEMENT: Client disconnected
20150731 15:35:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:35:06 D MANAGEMENT: CMD 'status 2'
20150731 15:35:06 MANAGEMENT: Client disconnected
20150731 15:35:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150731 15:35:06 D MANAGEMENT: CMD 'log 500'
19700101 10:30:00

[pia_user]

Hm. No sign that OpenVPN even tried to start the up-restart script.

If you replace "up-restart" in your config with "up", does it work?

[crows]

No sign of the up script either in the log, however when I changed it to "route-up /tmp/custom.sh" it shows in status but the routes are not there so I think the custom script is not executing maybe format wrong?

Clientlog:
20150731 20:36:38 W Multiple --route-up scripts defined. The previously configured script is overridden.
20150731 20:36:38 I OpenVPN 2.3.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 15 2015
20150731 20:36:38 I library versions: OpenSSL 1.0.2d 9 Jul 2015 LZO 2.09
20150731 20:36:38 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20150731 20:36:38 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150731 20:36:38 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

[pia_user]

I'm just a user myself, so my understanding is limited. However, I would start by fixing this:

20150731 20:36:38 W Multiple --route-up scripts defined. The previously configured script is overridden.

No sure what you defined, but maybe the wrong script is called?

[crows]

Hi I think all that means is that a different route-up script will be defined and used instaed of the standard.

Not sure though, should this command executed in command prompt (telnet) is responding with no such file route-up:

BusyBox v1.23.2 (2015-07-15 23:24:09 CEST) built-in shell (ash)

root@DD-WRT:~# route-up /tmp/custom.sh
-sh: route-up: not found

Shouldnt this execute from here?

Thanks