Solved

Establishing an OpenVPN connection from a Perl script

Posted on 2009-05-14
4
1,245 Views
Last Modified: 2012-05-07
Hi,
I'm attempting to script an OpenVPN client connection from within a Perl script.
That same Perl script needs to wait (fork and wait?) until the connection is fully established, and then continue the script (talking over the VPN).
After it's done, it will either kill the fork, or leave the fork alive and kill the parent.

I'm trying to figure out the best way to go about this; I'll try to outline the flow as simply as I can...

1. start of Perl script...
2. execute some stuff; script determines it needs to talk to a server over the VPN
3. Perl dials a VPN connection, either by forking or whatever method is best
4. child (or other method) signals the main script to continue, as the connection has been established (having its own IP, gateway IP, settings and such)
5. main script (parent) continues execution, does some talking over the connection, etc.
6. main script decides, by means of a conditional, whether the VPN connection should be left open and the main script allowed to exit; otherwise it kills the connection and exits

I've started with this simple bash connect script, and I just sleep() for 180 seconds in the main script after forking off a child which executes the bash script. Of course, this is not reliable in any way, and I can't really get the connection details back to the main script. (I have to do a few subnet tests and get the results from a remote server.)

#!/bin/bash

# openvpn needs root to create the tun device and configure addresses/routes.
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

ca="/home/user/keys/ca.crt"
cert="/home/user/keys/user.crt"
key="/home/user/keys/user.key"
remote="x.x.x.x"
port="4430"
proto="tcp-client"

echo "Connecting to $remote:$port using $proto..."

# Runs in the foreground: this command does not return until the tunnel is torn down.
# --up runs the given command once the tun device is configured (permitted by --script-security 2).
# --management opens a local control socket; --management-query-passwords makes openvpn
# ask for any needed passwords over that socket instead of the terminal.
# --route-noexec means routes pushed by the server are not installed.
openvpn \
--up "/bin/echo Yay up" \
--remote "$remote" \
--nobind \
--dev tun \
--proto "$proto" \
--port "$port" \
--up-restart \
--persist-key \
--persist-tun \
--management 127.0.0.1 1194 \
--management-query-passwords \
--route-noexec \
--client \
--ca "$ca" \
--cert "$cert" \
--key "$key" \
--script-security 2

Question by:mtchs
4 Comments
 
LVL 39

Expert Comment

by:Adam314
ID: 24399286
I don't see any reason to fork.  From your description, it sounds like you should be able to do everything in one process.

For steps 3 and 4.... I'm assuming the openvpn command creates the vpn connection.  Does it return only after the connection is complete, or does it return immediately?  If it returns immediately, how can you tell the connection is complete?

For step 5, how do you communicate over the connection?  Do you just talk to IP addresses like normal, and the vpn handles it?
0
 

Author Comment

by:mtchs
ID: 24409489
Steps 3 and 4: openvpn does not exit from that command unless you let it daemonize.

That's exactly what I'm trying to figure out; it either locks up the script (doesn't return) or it daemonizes. You can have it call a script after the connection is started up; that's what the --up parameter does.

Step 5: it's just regular IP communication; it's just basic Linux routing table stuff.
0
 
LVL 39

Accepted Solution

by: Adam314 (earned 500 total points)
ID: 24416999
Sounds like there are 2 ways to go:

Steps 1 and 2 will be the same either way.

Option 1)
    Step 3: Start openvpn with the name of a second script
    Have the second script do steps 4, 5, and 6

Option 2)
    Step 3: Start openvpn as a daemon
    Wait until complete
    Have the script do steps 4, 5, and 6

I think either will work.  Option 1 will probably be easier to implement, but you end up with 2 scripts.  For the "wait until complete" part, if the vpn program does not give you a way to check its status, you could probably ping one of the IPs in the VPN.  When you get a reply, the connection is complete.
0
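The poster's own bash script already opens an OpenVPN management socket, and that socket gives a cleaner "wait until complete" than pinging: the management `state` command reports CONNECTED along with the address the tunnel got. The following is an added example, not code from this thread, showing Option 2 in a single Perl script: start openvpn with `--daemon`, poll `state` until CONNECTED, do the work over the tunnel, then either detach or send `signal SIGTERM`. The key paths, remote address, management port 7505, the `host:port` reachability test used as the step 5 work, and the `--keep` flag are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not the thread's code): drive openvpn from Perl and learn when
# the tunnel is up via the management interface instead of sleeping.
use strict;
use warnings;
use IO::Socket::INET;

my %cfg = (
    ca        => '/home/user/keys/ca.crt',   # assumed paths, as in the poster's script
    cert      => '/home/user/keys/user.crt',
    key       => '/home/user/keys/user.key',
    remote    => 'x.x.x.x',
    port      => 4430,
    proto     => 'tcp-client',
    mgmt_host => '127.0.0.1',                 # loopback only: whoever reaches this port can kill the tunnel
    mgmt_port => 7505,                        # assumed free local port
    timeout   => 60,                          # seconds to wait for CONNECTED
);

# Usage: script host:port [--keep]   (host:port is a service inside the VPN to test)
my ($target, $flag) = @ARGV;
die "usage: $0 host:port [--keep]\n" unless defined $target && $target =~ /^([^:]+):(\d+)$/;
my ($host, $port) = ($1, $2);
my $keep_open = defined $flag && $flag eq '--keep';
die "This script must be run as root\n" if $> != 0;

# Step 3: start openvpn detached. --daemon returns at once, so a zero exit status
# only means the options parsed, not that the tunnel is up.
my @openvpn = (
    'openvpn', '--client', '--dev', 'tun', '--nobind',
    '--proto', $cfg{proto}, '--remote', $cfg{remote}, '--port', $cfg{port},
    '--ca', $cfg{ca}, '--cert', $cfg{cert}, '--key', $cfg{key},
    '--persist-key', '--persist-tun',
    '--management', $cfg{mgmt_host}, $cfg{mgmt_port},
    '--daemon',
);
system(@openvpn) == 0 or die "openvpn failed to start (exit status $?)\n";

# Step 4: attach to the management socket and poll "state" until CONNECTED.
my $mgmt  = connect_mgmt($cfg{mgmt_host}, $cfg{mgmt_port}, 10);
my $state = wait_for_connected($mgmt, $cfg{timeout});
printf "tunnel up: local %s, peer %s\n", $state->{local_ip}, $state->{remote_ip};

# Step 5: ordinary sockets; the kernel routes them through the tun device.
my $ok = tcp_reachable($host, $port);
print "$host:$port ", ($ok ? 'reachable' : 'unreachable'), " over the tunnel\n";

# Step 6: leave openvpn running, or tell it to shut down cleanly.
if ($keep_open) {
    print $mgmt "quit\n";               # detach; the daemon keeps running after we exit
} else {
    print $mgmt "signal SIGTERM\n";     # management command: openvpn tears down the tun and exits
}
close $mgmt;
exit($ok ? 0 : 2);

# Connect to the management socket, retrying while the daemon is still starting.
sub connect_mgmt {
    my ($mh, $mp, $attempts) = @_;
    for (1 .. $attempts) {
        my $sock = IO::Socket::INET->new(PeerAddr => $mh, PeerPort => $mp,
                                         Proto => 'tcp', Timeout => 2);
        if ($sock) {
            $sock->autoflush(1);
            my $banner = <$sock>;   # ">INFO:OpenVPN Management Interface Version ..."
            return $sock;
        }
        sleep 1;
    }
    die "no management interface on $mh:$mp after $attempts tries\n";
}

# One line of a "state" reply: time,state,description,local-ip,remote-ip[,...]
sub parse_state_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    $line =~ s/^>STATE://;          # same fields when it arrives as an async notice
    my ($time, $st, $desc, $local_ip, $remote_ip) = split /,/, $line;
    return unless defined $st;
    return { time => $time, state => $st, desc => $desc // '',
             local_ip => $local_ip // '', remote_ip => $remote_ip // '' };
}

# Poll "state" once a second until CONNECTED; die on EXITING or timeout.
sub wait_for_connected {
    my ($sock, $timeout) = @_;
    my $deadline = time + $timeout;
    while (time < $deadline) {
        print $sock "state\n";
        my ($st, $got_end);
        while (my $line = <$sock>) {
            if ($line =~ /^END/) { $got_end = 1; last }
            next if $line =~ /^>/;                    # >INFO, >LOG, >PASSWORD notices
            $st = parse_state_line($line);
        }
        die "management connection closed\n" unless $got_end;
        return $st if $st && $st->{state} eq 'CONNECTED';
        die "openvpn is exiting: $st->{desc}\n" if $st && $st->{state} eq 'EXITING';
        sleep 1;
    }
    print $sock "signal SIGTERM\n";     # don't leave a half-started daemon behind
    die "no CONNECTED state within ${timeout}s\n";
}

# Step 5 placeholder work: can we open a TCP connection to a host inside the VPN?
sub tcp_reachable {
    my ($h, $p) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $h, PeerPort => $p, Proto => 'tcp', Timeout => 5);
    return $s ? 1 : 0;
}
```

Two caveats. The management port is a control surface: anything that can connect to it can issue `signal SIGTERM` or read status, so keep it on 127.0.0.1 as the poster does, and consider the optional third argument to `--management` (a password file) if other local users exist. This example also drops `--management-query-passwords` and `--route-noexec` from the poster's script: with the former, an encrypted private key makes openvpn block on the management channel waiting for a `password` command, which the poll loop would only see as a `>PASSWORD:` notice; with the latter, server-pushed routes are not installed, so step 5 would have to add routes itself before the reachability test means anything.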
 

Author Closing Comment

by:mtchs
ID: 31581724
That's what I already came up with. I was hoping to see a better way to do this.
I resorted to just using a two-script solution, the second one handling both the dial and what to do with the VPN once it's open, based on the first parameter passed to the script.
0
