Running a command after my OpenVPN client connects

Solution 1

You can specify a script to be run as you connect to your VPN through openvpn with the up directive (among a few others that will run at different times during initialization). You may need to set script security too for that. Just append the following to your foo.ovpn file:

script-security 2
up /path/to/script.sh

In your case, this should be the latest possible before the disconnection sequence, as you'll need connectivity through the VPN:

script-security 2
route-up /path/to/script.sh

Note that openvpn won't process any packets as this command runs, so this script needs to be a caller script for your snaggle.sh, like this:

#!/bin/bash

nohup /path/to/snaggle.sh &

exit 0

As you also need to choose if you will run the script or not upon connecting, you can either use 2 different .ovpn files or use the command line parameter form (openvpn --config xxx.ovpn --script-security 2 --route-up /path/to/script.sh) instead of having these options inside the .ovpn file. You can even create an alias for that like openvpnsnaggle if typing is an issue.

To find out more about the other available options for running commands (after authentication, on IP changes, on disconnection, etc.), you can read about them in the documentation.
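A fuller version of the caller script described in this answer, as an added example that is not part of the original answer: it returns at once so OpenVPN can start passing packets, refuses to launch a job file that another account could modify, and makes the background job wait for the tunnel before it runs. The names hook_is_safe and wait_for, the log path, and the choice to ping route_vpn_gateway are assumptions; script_type and route_vpn_gateway are environment variables OpenVPN sets for its scripts.

```shell
#!/bin/sh
# Added example: route-up hook that returns at once and runs the real job later.
JOB=/path/to/snaggle.sh            # placeholder path, as in the answer
LOG=/var/log/openvpn/snaggle.log   # hypothetical log location

# True only if $1 is a regular file (not a symlink) owned by uid $2 and not
# writable by group or others, so no other account can change what gets run.
hook_is_safe() {
    [ -n "$(find "$1" -prune -type f -user "$2" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Run the probe command ($3...) up to $1 times, $2 seconds apart.
wait_for() {
    tries=$1 delay=$2
    shift 2
    while [ "$tries" -gt 0 ]; do
        "$@" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$delay"
    done
    return 1
}

main() {
    if ! hook_is_safe "$JOB" "$(id -u)"; then
        echo "route-up: refusing $JOB (wrong owner or writable by others)" >&2
        return 0    # do not fail the VPN connection over the optional job
    fi
    # OpenVPN exports route_vpn_gateway to route-up scripts; pinging it is an
    # assumption about this network, any host behind the VPN would do.
    (
        trap '' HUP    # same effect as nohup: survive the parent going away
        wait_for 30 1 ping -c 1 -W 1 "$route_vpn_gateway" && exec "$JOB"
    ) </dev/null >>"$LOG" 2>&1 &
}

# OpenVPN sets script_type to the hook name; do nothing when run any other way.
if [ "${script_type:-}" = "route-up" ]; then
    main
    exit 0
fi
```

The ownership check compares against the uid the hook itself runs as, so the job file has to belong to that account and be closed to everyone else.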

Solution 2

! answer written to askubuntu

I stumbled upon the answer in my research to solve this issue and I found out that the best solution is (using openvpn server):

Create a script to be executed:

# nano /etc/openvpn/up.sh
<file:contents>
#!/bin/sh

# export >> /var/log/openvpn/openvpn-up.log
D=`date "+%Y-%m-%d %H:%M"`
echo "[$D] ($local_port_1:$proto_1) $X509_0_CN: $trusted_ip => $ifconfig_pool_remote_ip" >> /var/log/openvpn/openvpn-up.log
</file>

Add the following lines to the openvpn configuration (usually /etc/openvpn/server.conf). The answer above used up and down, which are used when the server starts (restarts). The directives client-connect (and client-disconnect) are used when the client connects (disconnects).

# nano /etc/openvpn/server.conf
<file:add>
script-security 2
client-connect /etc/openvpn/up.sh
</file>

Solution 3

In my case, I did not need it but, as Mathias Sundman said in a post, you can do the following (Windows only):

1. Create a .bat file with all your code.
   - If your openvpn config file is named office-network.ovpn,
   - then the .bat file should be named office-network_up.bat.
2. Put the .bat file into the openvpn config folder (near the ovpn file).
3. Beware not to use pause or other cmd/shell commands that wait for user input; it will break the initialization of openvpn.
4. If you need user interaction, use:

start /I "next.bat" 

in the office-network_up.bat

An example of a .bat file which lists the environment variables:

@echo off
date /t > %TEMP%\openvpn.log
for %%i in (%0 %1 %2 %3 %4 %5 %6 %7 %8 %9) do echo Argument %%i >> %TEMP%\openvpn.log
set >> %TEMP%\openvpn.log
start /I type %TEMP%\openvpn.log    

Solution 4

After following multiple suggestions, one problem I have is that "--up" and "--route-up" are executing before the whole "Initialization Sequence Completed".

For me, I have to open ports after full initialization, so I followed the steps below.

#1) Create up.sh which launches port open script(proxyports.sh) asynchronously

#2) Create down.sh which closes the ports opened asynchronously in proxyports.sh

up.sh content ...

#!/bin/bash
( ( sleep 1 ; ~/proxyports.sh) & echo "Open the ports" )

proxyports.sh content ...

#!/bin/bash
HOME=/home/venkatdesu
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN|awk '{print $2}'|sort|uniq);
if [[ ! -z "$PID" ]]; then
  echo "SSH Socks Process $PID running with " $(ps "$PID");
  kill -9 $PID;
  sleep 1;
fi;
ssh -D 1080 -Nf [email protected] 
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN|awk '{print $2}'|sort|uniq);
echo "Socks running at $PID"

down.sh content ...

#!/bin/bash
PID=$(/usr/sbin/lsof -i :1080 | grep LISTEN|awk '{print $2}'|sort|uniq);
if [[ ! -z "$PID" ]]; then
 echo "SSH Socks Process $PID running with " $(ps "$PID");
 kill -9 $PID;
fi;
Author: RonJohn

Updated on September 18, 2022

Comments

  • RonJohn
    RonJohn almost 2 years

    Currently, I connect to a remote network using openvpn, and then when "Initialization Sequence Completed" appears in the terminal, I run a script in a second window. (All without having to type my password.)

    $ cat /etc/sudoers.d/openvpn 
    ron ALL = NOPASSWD: /usr/sbin/openvpn
    

    xterm 1:

    sudo openvpn --config foo.ovpn
    

    xterm 2:

    ./snaggle.sh
    

    Being lazy, though, I want to combine the two into one command, but can't figure out how. One thing I do know is that this doesn't work:

    sudo nohup openvpn --config foo.ovpn &
    

    EDIT: When adding these commands to foo.ovpn, I noticed that they ran well before "Initialization Sequence Completed" appeared:

    user ron
    group ron
    script-security 2
    up /home/ron/snaggle.sh
    

    EDIT 2: here's the contents of snaggle.sh. (Of importance: sometimes I need to connect to the VPN without running this script.)

    #!/bin/bash
    
    echo $HOME
    cd $HOME/work
    
    readonly TS=`TZ=UTC date +"%Y%m%d_%H%M"`
    readonly TSHUMAN=`TZ=UTC date +"%F %H:%M %Z"`
    readonly OUTFILE=results/prod_cluster_${TS}UTC.txt
    
    for ip in 16 17 18;
    do
        node=10.0.83.${ip}
        echo $node
        echo -e "\n\n ${node} \n" >> ${OUTFILE}
        ssh A467197@${node} "bash -s" <<EOF >> ${OUTFILE}
    #!/bin/bash
    mysql -N -e "select 'Uptime is ', mysql.big_time_format(VARIABLE_VALUE) as Uptime from performance_schema.global_status where VARIABLE_NAME='Uptime';"
    mysql -N -e "SHOW GLOBAL STATUS LIKE 'wsrep_cluster%';"
    EOF
    done
    
    echo "" | mutt -s "Some private stuff at ${TSHUMAN}" -a ${OUTFILE} -- $(cat email_addrs.txt)
    

    EDIT 3:

    OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
    library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
    Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
    
  • RonJohn
    RonJohn over 6 years
    Thanks. Adding these to the ovpn file didn't work, though: script-security 2 ssh [email protected]
  • Zip
    Zip over 6 years
    You need to add an actual script file path there, not a command, however if what you're running is ssh I don't think you will get access to your session through that. That's not what it's meant for. It's not supposed to be interactive.
  • RonJohn
    RonJohn over 6 years
    It sure would help if I remembered to add "up "!!
  • RonJohn
    RonJohn over 6 years
    added more info to the question.
  • Zip
    Zip over 6 years
    Can you give more information on what that snaggle.sh script does? There are quite a few variations of that up command that would run on different times during the connection. To name a few: ipchange, iproute, route-up, route-pre-up, etc...
  • Zip
    Zip over 6 years
    Just updated the answer with a bit more info and a link to the documentation where you can find out about all the other options that can run scripts at later times.
  • RonJohn
    RonJohn over 6 years
    Added a second edit.
  • Zip
    Zip over 6 years
    Well... I kind of don't know what else to do here without going into a hopefully unneeded parsing script for the openvpn output. Didn't the route-up option work instead of up? Maybe waiting a successful vpn ping inside a while block on your snaggle.sh could make it wait to run when needed...
  • RonJohn
    RonJohn over 6 years
    After more googling, maybe an inotifywait solution?
  • Zip
    Zip over 6 years
    Found out that openvpn will wait for the script execution to start processing packets, so VPN connectivity scripts wouldn't work just with route-up. The answer now will allow your network dependent script to run, as well as describes how you can run the script only when you want, not every time you connect to the VPN. I don't think that inotifywait is needed.
  • RonJohn
    RonJohn almost 6 years
    Sadly, I need a script run on the client side.
  • callisto
    callisto about 5 years
    How would you include the client name in this script?
  • Ng Sek Long
    Ng Sek Long over 3 years
    community.sophos.com/utm-firewall/f/… Added link for more detail