#1 2014-03-22 08:01:30

twarkie
Member
Registered: 2007-09-16
Posts: 24

OpenVPN - up/down scripts not run correctly

Hi,

I have an OpenVPN client on my computer which connects to a remote server at startup (launched by systemd). The connection is primarily used to set up a network drive. To make this process as smooth as possible I'm trying to mount with an up script and unmount with a down script. This is my config:

client
dev tun
proto udp
remote site.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca site.crt
cert site.crt
key site.key
comp-lzo
verb 3
reneg-sec 0
script-security 3
route-up /etc/openvpn/up.sh
route-pre-down /etc/openvpn/down.sh

(last two lines)

In theory, up.sh should execute when the connection is initialized and the routes are in place. And down.sh should run when the connection is still active just before the routes are removed. This seems to be the case in the log:

Sat Mar 22 08:37:50 2014 OpenVPN 2.3.2 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 13 2013
Sat Mar 22 08:37:50 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Mar 22 08:37:50 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Mar 22 08:37:50 2014 WARNING: file 'site.key' is group or others accessible
Sat Mar 22 08:37:50 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Mar 22 08:37:50 2014 UDPv4 link local: [undef]
Sat Mar 22 08:37:50 2014 UDPv4 link remote: [AF_INET]xxx:1194
Sat Mar 22 08:37:50 2014 TLS: Initial packet from [AF_INET]xxx:1194, sid=cc55bb26 51a6f522
Sat Mar 22 08:37:50 2014 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=xxx, CN=xxx CA, emailAddress=xxx
Sat Mar 22 08:37:50 2014 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=xxx, CN=xxx, emailAddress=xxx
Sat Mar 22 08:37:50 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 22 08:37:50 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 22 08:37:50 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 22 08:37:50 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 22 08:37:50 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 22 08:37:50 2014 [xxx] Peer Connection Initiated with [AF_INET]xxx:1194
Sat Mar 22 08:37:52 2014 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
Sat Mar 22 08:37:52 2014 PUSH: Received control message: 'PUSH_REPLY,route xxx 255.255.255.0,route xxx 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig xxx xxx'
Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 22 08:37:52 2014 OPTIONS IMPORT: route options modified
Sat Mar 22 08:37:52 2014 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=ec:a8:6b:ff:de:31
Sat Mar 22 08:37:52 2014 TUN/TAP device tun0 opened
Sat Mar 22 08:37:52 2014 TUN/TAP TX queue length set to 100
Sat Mar 22 08:37:52 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Mar 22 08:37:52 2014 /usr/bin/ip link set dev tun0 up mtu 1500
Sat Mar 22 08:37:52 2014 /usr/bin/ip addr add dev tun0 local xxxpeer xxx
Sat Mar 22 08:37:52 2014 /usr/bin/ip route add xxx via xxx
Sat Mar 22 08:37:52 2014 /usr/bin/ip route add xxx via xxx
Mounting network drives...
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Sat Mar 22 08:38:12 2014 Initialization Sequence Completed
^CSat Mar 22 08:38:18 2014 event_wait : Interrupted system call (code=4)
Sat Mar 22 08:38:18 2014 /etc/openvpn/down.sh tun0 1500 1542 xxx xxx init
Unmounting network drives...
Sat Mar 22 08:40:22 2014 /usr/bin/ip route del xxx
Sat Mar 22 08:40:22 2014 /usr/bin/ip route del xxx
Sat Mar 22 08:40:22 2014 Closing TUN/TAP interface
Sat Mar 22 08:40:22 2014 /usr/bin/ip addr del dev tun0 local xxx peer xxx
Sat Mar 22 08:40:22 2014 SIGINT[hard,] received, process exiting

But here's the problem. The up script will not mount because it doesn't seem to be able to reach the network. The routes ARE there (checked via netstat -rn in the up script) but it will not work. It works perfectly if I run the script manually directly after OpenVPN is done. And the down script (which unmounts the drives) just hangs because the connection seems to be interrupted.

So, how can I make it work so that mount and umount are handled by OpenVPN? Am I missing something?


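The log in the first post carries two warnings (no server certificate verification method, key file accessible to group or others), and the posted config sets script-security 3. As an added example that is not part of the original thread, this shell function checks a client config for those three conditions; the sample config is constructed from the posted directives, and the function names and finding labels are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit an OpenVPN client config for the
# three conditions the posted config and log show.

audit_openvpn_conf() {   # $1 = config path; prints one finding per line
    conf=$1
    dir=$(dirname -- "$conf")

    # Level 3 additionally passes passwords to scripts via environment variables;
    # level 2 already permits user-defined scripts such as route-up.
    level=$(awk '$1 == "script-security" { v = $2 } END { print v + 0 }' "$conf")
    if [ "$level" -ge 3 ]; then
        echo "script-security: level $level, 2 is sufficient for route-up/route-pre-down"
    fi

    # Without one of these the client accepts any certificate signed by the CA,
    # which is what the "No server certificate verification method" warning means.
    if ! awk '$1 ~ /^(remote-cert-tls|remote-cert-ku|remote-cert-eku|ns-cert-type|verify-x509-name|tls-remote)$/ { ok = 1 }
              END { exit !ok }' "$conf"; then
        echo "server-verification: none configured, e.g. add 'remote-cert-tls server'"
    fi

    # "group or others accessible": any permission bit outside the owner triplet.
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$conf")
    case $keyfile in "" | /*) ;; *) keyfile=$dir/$keyfile ;; esac
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        mode=$(stat -c '%a' "$keyfile")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "key-permissions: $keyfile is mode $mode, expected 600"
        fi
    fi
}

make_sample() {          # constructed sample mirroring the posted directives
    d=$(mktemp -d)
    printf '%s\n' 'client' 'ca site.crt' 'cert site.crt' 'key site.key' \
        'script-security 3' 'route-up /etc/openvpn/up.sh' \
        'route-pre-down /etc/openvpn/down.sh' > "$d/client.conf"
    : > "$d/site.key"
    chmod 644 "$d/site.key"
    echo "$d"
}

sample=$(make_sample)
audit_openvpn_conf "$sample/client.conf"
```
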
#2 2014-03-22 09:56:36

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: OpenVPN - up/down scripts not run correctly

Would it be possible to post the actual content of the down and up script?


Burninate!


#3 2014-03-22 09:58:46

twarkie
Member
Registered: 2007-09-16
Posts: 24

Re: OpenVPN - up/down scripts not run correctly

Sure

#!/usr/bin/bash

echo "Mounting network drives..."

mount -t cifs //xxx/xxx /mnt/net/xxx/xxx -o user=guest,password=
mount -t cifs //xxx/xxx /mnt/net/xxx/xxx -o user=guest,password=

#!/usr/bin/bash

echo "Unmounting network drives..."

umount -f /mnt/net/xxx/xxx
umount -f /mnt/net/xxx/xxx

Last edited by twarkie (2014-03-22 09:59:18)


#4 2014-03-22 10:03:57

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: OpenVPN - up/down scripts not run correctly

Looks straightforward enough to me.

Are you using the share's IP address in the up.sh script (not a hostname)? Also, have you tried adding a sleep statement to the beginning of the scripts (to give it a bit of time)?


Burninate!


#5 2014-03-22 10:05:58

twarkie
Member
Registered: 2007-09-16
Posts: 24

Re: OpenVPN - up/down scripts not run correctly

Yes and yes. Sleep does nothing unfortunately. Somehow the routes do not seem to work until "Initialization Sequence Completed" is reached.


#6 2014-03-22 15:37:36

twarkie
Member
Registered: 2007-09-16
Posts: 24

Re: OpenVPN - up/down scripts not run correctly

Managed to get around the problem using systemd:

[Unit]
Description=OpenVPN connection to %i

[Service]
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i
ExecStartPost=/root/scripts/mount.sh
ExecStop=/root/scripts/umount.sh

[Install]
WantedBy=multi-user.target

...but I think it's cleaner to do it in the OpenVPN config, so I'd still like some help there :-)

Last edited by twarkie (2014-03-22 15:37:49)


#7 2015-08-21 22:47:50

dllud
Member
Registered: 2015-08-21
Posts: 4

Re: OpenVPN - up/down scripts not run correctly

I am facing the exact same issue on a Lubuntu 15.04 box. Something is not right with OpenVPN.

Anyway, the systemd workaround also works around here. Thanks a bunch for sharing, twarkie.

/lib/systemd/system/openvpn@.service

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ExecStartPost=/root/scripts/mount.sh
ExecStop=/root/scripts/umount.sh

[Install]
WantedBy=multi-user.target
