OpenVPN Support Forum

Hello all!

I am trying to find a way to run a client script AFTER the tunnel has gone down. Right now I can use config_down.[bat|sh] to execute a script BEFORE the tunnel goes down, but I would like to do some cleanup afterwards (e.g., closing proxy connections, etc.)

I tried config_post and that didn't work.

Ideas?

Thanks!

That's what I figured.

I have a _pre script that sets up a proxy connection before the tunnel starts up. The trick is that I want the proxy to close when I am done with the tunnel. When I use the _down script the proxy closes while the tunnel is still up and I get an error message saying that it cannot connect and then it closes. The result is the same: both the tunnel and proxy close, but it looks messy.

I guess I could trigger a scheduled task to go off a few seconds later...

Thanks!

Thanks!

Actually I just figured out how to do it using the same method you were describing!
I was using the GUI version on Windows which allows the "XXX_down.bat" script to run, but it was locked to running before the tunnel went down (as it states in the OpenVPNGui documentation). However, when I placed the up/down scripts directly into the configuration file itself the problem went away.

e.g.,
script-security 2
up "run_me_after_I_am_up.bat"
down "run_me_AFTER_I_am_down.bat"

The man page also has an option "down-pre" which alters the behavior of the down configuration directive to call the script BEFORE the tunnel goes down.

Interestingly, it didn't matter whether or not I used "down-pre" in my configuration file, as the error message I was getting when using the GUI "XXX_down.bat" method no longer showed up (i.e., the ssh tunnel was brought down after the tunnel closed instead of just before).

I am not sure how these GUI scripts work, but it appears that they are NOT being added as command-line configuration options which get appended to your configuration file:

openvpn --config "my_config_that_openvpngui_called_on_my_behalf" --up "XXX_up.bat"

Rather I think they may actually call these scripts independently of openvpn. So, when I hit disconnect and try to close the tunnel it runs the "XXX_down.bat" script first then sends a terminate signal to the openvpn process. This would explain the behavior that I was getting - the script was being executed far in advance (in microseconds) than if the script was being called directly from openvpn.

What is funny is if openvpn can handle these directives in the configuration file, what is the purpose of adding this behavior to the GUI? The only GUI script that is relevant is "XXX_pre.bat" as that does not have a configuration counterpart (--up runs after). Using similar logic, it may be useful in some cases to have a "XXX_post.bat" which runs AFTER openvpn has completely exited (e.g., copy files, etc.). "XXX_down.bat" can be accomplished using the --down configuration directive (both before and after).

Well at least my minor annoyance is a thing of the past.

Thanks again for the help!

Update:

Well I take that last paragraph back...
I tried converting the "XXX_up.bat" script I was using to a configuration directive (--up my_script.bat) and it fails. It starts a remote desktop session. The remote desktop program opens, but gets stuck in the "Initializing connection..." state when I use '--up'. I tried adding 'up-delay', but that did work either.

So basically my solution is to use a mix of GUI scripts and configuration scripts:
XXX_pre.bat (GUI) - start a ssh tunnel
XXX_up.bat (GUI) - open a remote desktop session
down "down.bat" (config) - close the ssh tunnel and remote desktop

If you are curious, I have to tunnel my VPN through ssh to connect to my server at home from inside my university. Last summer they did an IT upgrade and somehow disabled my access. After trying every port and VPN configuration, the only thing that got me through was SSH.

Thanks again!

That makes perfect sense

I don't know if that was causing my issue now...as it is working all of a sudden (using the up configuration directive). My batch file uses a non-blocking 'start' instead of 'call' so the script terminates but opens a remote desktop session. Definitely good to know though!
Thanks!

After running through it some more, it really depends on the time it takes to secure the connection whether the gui XXX_up.bat or the --up directive calling a remote desktop session works reliably. The directive I have found will work sometimes and not others, but the XXX_up.bat works fairly reliably because it is called a few seconds afterwards (even with the up-delay directive set). I guess I could always call a vbscript and sleep for a second or to and that would work.

Anyways, I think I have a good handle on it now. Thanks again for your assistance!