Establish openvpn tunnel in bash script


Solution 1

OK, I have managed to get the openvpn tunnel password entered automatically and also managed to get the tunnel to run on bootup. Hopefully this helps someone else who is trying to do the same thing, because it's taken me over 20 hours to figure out something which now looks pretty basic. Code:

$ cat /etc/init.d/ZZcreate_ovpn_tun.sh
#!/bin/bash

# Check whether this tunnel is already running before trying to create it.
# The "grep openvpn" process itself shows up in the ps output, but its command
# line does not contain "Userxxx", so the second grep drops it again.
proc=$(ps aux | grep openvpn | grep Userxxx)
if [ "$proc" == "" ]; then
  echo "ovpn tunnel does not exist yet - will create it now"
else
  echo "ovpn tunnel already exists ($proc)"
  exit 0
fi

# Load the config file into openvpn in the background. The config opens the
# management interface on 127.0.0.1:5558 and asks for the PKCS#12 password
# there instead of on the console. Without the trailing '&' this line blocks
# until openvpn exits and the expect script below is never reached.
nohup openvpn /etc/init.d/ovpn/Userxxx.ovpn &
# give openvpn a moment to start listening on the management port
sleep 1

# Enter the password through a telnet session driven by expect.
/etc/init.d/ovpn/telnet_commands.sh

$ cat /etc/init.d/ovpn/telnet_commands.sh
#!/usr/bin/expect
# Drive the management interface the same way a human would at a telnet prompt.
# expect's default timeout (10 s) applies to every 'expect' line below, so the
# script gives up instead of hanging if openvpn is not listening yet.
spawn telnet 127.0.0.1 5558
# wait for the exact prompt before sending anything
expect ">PASSWORD:Need 'Private Key' password"
send "password 'Private Key' xxxxxxxxxxxxx\r"
# openvpn only acknowledges receipt here; as the message says, the password is
# checked later when the PKCS#12 file is opened, so look in the openvpn log
# for the real result
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
send "quit\r"
expect eof

$ cat Userxxx.ovpn
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com.au 1194
# the PKCS#12 bundle is password protected; that password is what the
# management interface asks for below
pkcs12 /etc/init.d/ovpn/Userxxx.p12
cipher AES-256-CBC
comp-lzo
verb 3
# ns-cert-type and tls-remote were removed in OpenVPN 2.5 and 2.4 respectively;
# on current versions use 'remote-cert-tls server' and 'verify-x509-name <name>'
ns-cert-type server
tls-remote xxxxxxxxxxxxxxxxxxxxxxxxxxx.com.au
# the management interface has no authentication of its own: anything that can
# connect to 127.0.0.1:5558 can control this openvpn instance. A third argument
# names a password file for it, e.g. 'management 127.0.0.1 5558 /etc/init.d/ovpn/mgmt.pw'
management 127.0.0.1 5558
# ask for the PKCS#12 password on the management interface instead of the console
management-query-passwords

$ sudo update-rc.d ZZcreate_ovpn_tun.sh defaults
$ sudo shutdown -r 0

$ # wait for system to boot up again
$ ps aux | grep openvpn
root 5279  0.0  0.1  28224  3728 ? S 22:48 0:00 openvpn /etc/init.d/ovpn/Userxxx.ovpn

You may also want to redirect all output to a file so that if it fails you will be able to see why. I called the file ZZcreate_ovpn_tun.sh to make sure it was run last out of all of the scripts in the init.d dir. Ideally I would just have made sure that it only ran at level 6 or so, but this works fine for now.
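
The same exchange (connect to the management interface, wait for the 'Private Key' prompt, send the password, check for SUCCESS) can be done from plain bash without telnet or expect. The script below is an added example, not code from the answer above: it uses bash's /dev/tcp to talk to the management port from the page's config, strips the carriage return the interface puts on every line so that the prompt matches exactly, and reads the password from a root-only file rather than embedding it in the script. The script name ovpn_mgmt_pass.sh, the password file path and the 10 second per-line timeout are assumptions.

```shell
#!/bin/bash
# ovpn_mgmt_pass.sh: answer the 'Private Key' prompt on OpenVPN's management
# interface from plain bash, no telnet or expect. Added example, not code from
# the original post. Host/port match the page's config; the password file path
# and the 10 second timeout are assumptions.

# The management interface ends its lines with CR LF (which is why telnet copes
# with it); a trailing CR would make the pattern matches below fail, so strip it.
mgmt_clean() {
  cr=$(printf '\r')
  printf '%s' "${1%"$cr"}"
}

# Decide what to send back for one line received from the interface. Prints the
# command to send, if any. Return status: 0 keep reading, 10 password accepted
# (session finished), 20 password rejected or protocol error.
mgmt_reply() {
  line=$(mgmt_clean "$1")
  password=$2
  case $line in
    ">PASSWORD:Need 'Private Key' password"*)
      # the one prompt we are here to answer; the password is sent as a single
      # token, so this example assumes it contains no spaces or quotes
      printf "password 'Private Key' %s\n" "$password"
      return 0 ;;
    "SUCCESS: 'Private Key' password entered"*)
      # received, but as the message says, only checked when the .p12 is opened
      printf 'quit\n'
      return 10 ;;
    "ERROR:"*|">PASSWORD:Verification Failed"*)
      # do not retry blindly: a rejected password is an operator problem
      printf 'quit\n'
      return 20 ;;
    *)
      # e.g. the '>INFO:' banner: nothing to send
      return 0 ;;
  esac
}

# Drive a real session: connect with bash's /dev/tcp, hand every line to
# mgmt_reply, forward its output, and stop on the first verdict. A read that
# waits more than 10 s (openvpn not listening, or never asking) counts as failure.
mgmt_answer_prompt() {
  host=$1 port=$2 password=$3
  exec 3<>"/dev/tcp/$host/$port" || return 20
  while IFS= read -r -t 10 line <&3; do
    reply=$(mgmt_reply "$line" "$password")
    rc=$?
    [ -n "$reply" ] && printf '%s\r\n' "$reply" >&3
    if [ "$rc" -ne 0 ]; then
      exec 3>&-
      return "$rc"
    fi
  done
  exec 3>&-
  return 20
}

# Run as a script (./ovpn_mgmt_pass.sh [host] [port] [password file]): read the
# password from the first line of a root-only file (assumed path below).
case $0 in
  *ovpn_mgmt_pass.sh)
    pass=$(head -n 1 "${3:-/etc/init.d/ovpn/Userxxx.pass}") || exit 20
    mgmt_answer_prompt "${1:-127.0.0.1}" "${2:-5558}" "$pass"
    ;;
esac
```

In the boot script this replaces the telnet_commands.sh call; the exit status (10 on success, 20 on failure or timeout) is what to log, since a wrong password is only reported by openvpn itself after SUCCESS has already been printed.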

Solution 2

Just wanted to mention that (at least on Ubuntu 12.04) there is --askpass /your/file argument for openvpn, that reads the private key password from a file.
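
Using --askpass means the management interface is not needed at all, so the only thing left to get right is the password file. The script below is an added example, not from the answer above: it creates the file with a restrictive umask so it is never world-readable even for an instant, refuses to start unless the file is owned by root with mode 0600, and uses a pid file instead of ps|grep to decide whether the tunnel is already up. The script name start_ovpn_tun.sh and every path are assumptions, and the config is assumed to be the page's Userxxx.ovpn with the two 'management' lines removed.

```shell
#!/bin/bash
# start_ovpn_tun.sh: start the tunnel with --askpass instead of the management
# interface. Added example, not code from the original answer; all paths are
# assumptions.

CONFIG=/etc/init.d/ovpn/Userxxx.ovpn
PASS_FILE=/etc/init.d/ovpn/Userxxx.pass
PID_FILE=/run/openvpn-Userxxx.pid
LOG_FILE=/var/log/openvpn-Userxxx.log

# Create the password file in a subshell with umask 077: the mode is applied at
# creation, so there is no moment where the file exists world-readable and
# would need a chmod afterwards. openvpn reads the password from the first line.
write_pass_file() {
  ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Accept the password file only if it exists, is owned by the expected user
# (default: the caller) and has no group or other permission bits at all.
pass_file_ok() {
  file=$1 owner=${2:-$(id -un)}
  [ -f "$file" ] || return 1
  [ -n "$(find "$file" -user "$owner" 2>/dev/null)" ] || return 1
  # columns 5-10 of 'ls -l' are the group and other permission characters
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ]
}

# Already running? Trust the pid file only if that pid is still alive, so a
# stale file left behind by a crash does not block the restart.
tunnel_running() {
  [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null
}

# Idempotent start that refuses to run if the password file is not root-only.
start_tunnel() {
  if tunnel_running; then
    echo "ovpn tunnel already running (pid $(cat "$PID_FILE"))"
    return 0
  fi
  if ! pass_file_ok "$PASS_FILE" root; then
    echo "refusing to start: $PASS_FILE missing, not owned by root, or not mode 0600" >&2
    return 1
  fi
  # --askpass FILE reads the key password; --daemon detaches; --writepid and
  # --log give the running check and the operator something to look at.
  openvpn --config "$CONFIG" --askpass "$PASS_FILE" \
          --daemon --writepid "$PID_FILE" --log "$LOG_FILE"
}

case $0 in
  *start_ovpn_tun.sh) start_tunnel ;;
esac
```

Create the file once as root with write_pass_file, then the script can be hooked into init.d in place of the ZZcreate_ovpn_tun.sh above; if someone later loosens the permissions the tunnel will refuse to come up instead of silently running with an exposed password.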

Solution 3

My working case with a small correction:

nohup openvpn /etc/init.d/ovpn/Userxxx.ovpn &
/etc/init.d/ovpn/telnet_commands.sh

Solution 4

I would expect all it is looking for is the password for the private key. Try using echo -e "xxxxxxxxx\r\n" or echo "xxxxxxxx".

You may want to try using expect to respond to the password request. Some password programs look for the password on a tty type device. The program expect handles this.

You may be better off looking for an rc.d init script to start your tunnel. This is the normal method for starting things at startup.

Author: mulllhausen

Updated on September 17, 2022

Comments

  • mulllhausen (almost 2 years)

    I'm trying to write a script which will establish an openvpn tunnel when the computer boots up. The main problem lies in inputting the pkcs12 password. I realise it's very bad practice to have a password stored in plain text, but I'm not too fussed about that -- the computer is very secure in all other respects so I'm pretty confident that nobody but me will be accessing it to view the password.

    I have added the --management and the --management-query-passwords options so that the password can be input via a telnet session. This works fine when I do it manually, but when I try and do it automatically with a bash script it fails. My guess would be that either I am not doing the carriage return after the password line properly, or that some other garbage values are sneaking in to the telnet session as inputs. Here are the relevant bits of code (xxx for stuff that is classified):

    $ cat user.ovpn
    #OpenVPN Server conf
    tls-client
    client
    dev tun
    proto udp
    tun-mtu 1400
    remote xxxxxxxxxxxxxxxxxxx 1194
    pkcs12 user.p12
    cipher AES-256-CBC
    comp-lzo
    verb 3
    ns-cert-type server
    tls-remote xxxxxxxxxxxxxxxxxxxxxxx
    management 127.0.0.1 5558
    management-query-passwords
    
    $ cat telnet_commands.sh
    #!/bin/bash
    echo "open 127.0.0.1 5558"
    sleep 1
    echo -e "password 'Private Key' xxxxxxxxxx\r\n"
    
    $ nohup openvpn user.ovpn &
    $ ./telnet_commands.sh | telnet
    
    $ #manually check whether this worked:
    $ telnet 127.0.0.1 5558
    Escape character is '^]'.
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    >PASSWORD:Need 'Private Key' password
    

    Obviously this is not working -- the openvpn telnet management interface is still waiting for the password to be entered.

  • mulllhausen (over 13 years)
    Maybe I wasn't clear enough. To manually enter the password, the ONLY thing that is required is to open the telnet session like so: telnet 127.0.0.1 5558, and then enter the password like so: password 'Private Key' xxxxxx. This is exactly what I have in my telnet_commands.sh script but it is not working. I have looked into the 'expect' program but I think it would be overkill in this case since there is only ever one thing that is requested within the telnet session.
  • BillThor (over 13 years)
    @mullhausen: I would try using expect to enter the value. It is designed to do this kind of thing.
  • mulllhausen (over 13 years)
    OK, I've got it working. Thanks for pointing me in the right direction. In the end I used expect and added my script to /etc/init.d. I'll post the solution in a sec.