Establish openvpn tunnel in bash script
Solution 1
ok i have managed to get the openvpn tunnel password entered automatically and also managed to get the tunnel to run on bootup. hopefully this helps someone else who is trying to do the same thing - coz it's taken me over 20 hours to figure out something which now looks pretty basic. code:
$ cat /etc/init.d/ZZcreate_ovpn_tun.sh
#!/bin/bash
# check if the tunnel already exists before trying to create it
proc=$(ps aux | grep openvpn | grep Userxxx)
if [ "$proc" == "" ]; then
    echo "ovpn tunnel does not exist yet - will create it now"
else
    echo "ovpn tunnel already exists ($proc)"
    exit 0
fi
# load the config file into openvpn - has options to request the pkcs12 password through
# telnet. openvpn stays in the foreground, so background it with '&' or the
# script blocks here and never reaches the expect step below
nohup openvpn /etc/init.d/ovpn/Userxxx.ovpn &
sleep 1
# enter the password through a telnet session
/etc/init.d/ovpn/telnet_commands.sh
$ cat /etc/init.d/ovpn/telnet_commands.sh
#!/usr/bin/expect
spawn telnet 127.0.0.1 5558
expect ">PASSWORD:Need 'Private Key' password"
send "password 'Private Key' xxxxxxxxxxxxx\r"
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
send "quit\r"
expect eof
$ cat Userxxx.ovpn
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com.au 1194
pkcs12 /etc/init.d/ovpn/Userxxx.p12
cipher AES-256-CBC
comp-lzo
verb 3
ns-cert-type server
tls-remote xxxxxxxxxxxxxxxxxxxxxxxxxxx.com.au
management 127.0.0.1 5558
management-query-passwords
$ sudo update-rc.d ZZcreate_ovpn_tun.sh defaults
$ sudo shutdown -r 0
$ # wait for system to boot up again
$ ps aux | grep openvpn
root 5279 0.0 0.1 28224 3728 ? S 22:48 0:00 openvpn /etc/init.d/ovpn/Userxxx.ovpn
you may also want to redirect all output to a file so that if it fails you will be able to see why. i called the file ZZcreate_ovpn_tun.sh to make sure it was run last out of all of the scripts in the init.d dir. ideally i would just have made sure that it only ran at level 6 or so but this works fine for now.
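The same management-interface exchange driven from Python instead of expect, added here as an example and not part of any of the posted solutions: it waits for the `>PASSWORD:Need 'Private Key' password` prompt, answers with a CRLF-terminated `password` command, checks for `SUCCESS:` or `ERROR:`, and adds the owner-only permission check on a stored password file that openvpn applies to `--askpass` files. The function names, the `replay` helper and the sample transcript (built from the lines shown in the question) are my own constructions.

```python
import io
import re
import stat

PROMPT_RE = re.compile(r"^>PASSWORD:Need '(?P<kind>[^']+)' password")


def password_file_is_private(mode):
    """True when MODE has no group/other bits: the check openvpn itself makes
    on an --askpass file, worth applying to any stored key password."""
    return not (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def answer_prompt(reader, writer, password, kind="Private Key"):
    """Drive one management session: wait for the >PASSWORD prompt for KIND,
    reply with a CRLF-terminated 'password' command, then quit.
    Returns 'accepted', 'rejected' (openvpn answered ERROR:) or
    'no-prompt' (the connection closed before any prompt arrived)."""
    for raw in reader:
        line = raw.rstrip("\r\n")
        match = PROMPT_RE.match(line)
        if match and match.group("kind") == kind:
            writer.write(f"password '{kind}' {password}\r\n")
            writer.flush()
        elif line.startswith("SUCCESS:") and "password entered" in line:
            writer.write("quit\r\n")
            writer.flush()
            return "accepted"
        elif line.startswith("ERROR:"):
            writer.write("quit\r\n")
            writer.flush()
            return "rejected"
    return "no-prompt"


def replay(transcript, password):
    """Run answer_prompt offline against a constructed server transcript;
    returns (result, everything the client would have sent)."""
    sent = io.StringIO()
    result = answer_prompt(io.StringIO(transcript), sent, password)
    return result, sent.getvalue()


# Constructed sample: the lines the question shows the management port printing.
SAMPLE_TRANSCRIPT = (
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
    ">PASSWORD:Need 'Private Key' password\r\n"
    "SUCCESS: 'Private Key' password entered, but not yet verified\r\n"
)
```

Against a live management port the same driver runs over a socket file object, e.g. `f = sock.makefile("rw", newline="")` followed by `answer_prompt(f, f, password)`.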
Solution 2
Just wanted to mention that (at least on Ubuntu 12.04) there is --askpass /your/file argument for openvpn, that reads the private key password from a file.
Solution 3
My working case with a small correction:
nohup openvpn /etc/init.d/ovpn/Userxxx.ovpn &
/etc/init.d/ovpn/telnet_commands.sh
Solution 4
I would expect all it is looking for is the password for the private key. Try using echo -e "xxxxxxxxx\r\n" or echo "xxxxxxxx".
You may want to try using expect to respond to the password request. Some password programs look for the password on a tty type device. The program expect handles this.
You may be better off looking for an rc.d init script to start your tunnel. This is the normal method for starting things at startup.
mulllhausen
Updated on September 17, 2022
Comments
-
mulllhausen almost 2 years
I'm trying to write a script which will establish an openvpn tunnel when the computer boots up. The main problem lies in inputting the pkcs12 password. I realise it's very bad practice to have a password stored in plain text, but I'm not too fussed about that -- the computer is very secure in all other respects so I'm pretty confident that nobody but me will be accessing it to view the password.
I have added the --management and the --management-query-passwords options so that the password can be input via a telnet session. This works fine when I do it manually, but when I try and do it automatically with a bash script it fails. My guess would be that either I am not doing the carriage return after the password line properly, or that some other garbage values are sneaking in to the telnet session as inputs. Here are the relevant bits of code (xxx for stuff that is classified):
$ cat user.ovpn
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxxxxxxxxxxxxxxxxxx 1194
pkcs12 user.p12
cipher AES-256-CBC
comp-lzo
verb 3
ns-cert-type server
tls-remote xxxxxxxxxxxxxxxxxxxxxxx
management 127.0.0.1 5558
management-query-passwords
$ cat telnet_commands.sh
#!/bin/bash
echo "open 127.0.0.1 5558"
sleep 1
echo -e "password 'Private Key' xxxxxxxxxx\r\n"
$ nohup openvpn user.ovpn &
$ ./telnet_commands.sh | telnet
$ #manually check whether this worked:
$ telnet 127.0.0.1 5558
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>PASSWORD:Need 'Private Key' password
Obviously this is not working -- the openvpn telnet management interface is still waiting for the password to be entered.
-
mulllhausen over 13 years: maybe i wasn't clear enough. to manually enter the password, the ONLY thing that is required is to open the telnet session like so:
telnet 127.0.0.1 5558
and then enter the password like so:
password 'Private Key' xxxxxx
this is exactly what i have in my telnet_commands.sh script but it is not working. i have looked into the 'expect' program but i think it would be overkill in this case since there is only ever one thing that is requested within the telnet session.
-
BillThor over 13 years: @mullhausen: I would try using expect to enter the value. It is designed to do this kind of thing.
-
mulllhausen over 13 years: ok i've got it working. thanks for pointing me in the right direction. in the end i used expect and added my script to /etc/init.d - i'll post the solution in a sec