Establishing an OpenVPN connection from a Perl script

Posted on 2009-05-14
Last Modified: 2012-05-07
Hi,
I'm attempting to script an OpenVPN client connection from within a Perl script.
That same Perl script needs to wait (fork and wait?) until the connection is established fully, and then continue the script (talking over the VPN).
After it's done, it will kill the fork, or leave the fork alive, and kill the parent.

I'm trying to figure out the best way to go about this; I'll try to outline the flow as simply as I can...

1. start of perl script...
2. execute some stuff, script determines it needs to talk to a server over the vpn
3. Perl dials a VPN connection, either by forking or by whichever method is best
4. child, or other method, signals the main script to continue, as the connection has been established (having its own IP, and gateway IP, settings and such)
5. main script (parent), continues execution, does some talking over the connection, etc.
6. main script decides by means of conditional if the vpn connection should be left open, and allow the main script to exit; otherwise kill the connection and exit

I've started with this simple bash connect script, and just sleep()'ing for 180 seconds in the main script, after forking off a child which executes the bash script. Of course, this is not reliable in any way; and I can't really get the connection details back to the main script. (I have to do a few subnet tests, and get the results from a remote server.)

#!/bin/bash

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

ca="/home/user/keys/ca.crt"
cert="/home/user/keys/user.crt"
key="/home/user/keys/user.key"
remote="x.x.x.x"
port="4430"
proto="tcp-client"

echo "Connecting to $remote:$port using $proto..."

# --up runs its command once the tunnel is up (allowed by --script-security 2).
# --management opens a control interface on 127.0.0.1, TCP port 1194.
# --route-noexec stops openvpn from adding routes itself.
openvpn \
--up "/bin/echo Yay up" \
--remote "$remote" \
--nobind \
--dev tun \
--proto "$proto" \
--port "$port" \
--up-restart \
--persist-key \
--persist-tun \
--management 127.0.0.1 1194 \
--management-query-passwords \
--route-noexec \
--client \
--ca "$ca" \
--cert "$cert" \
--key "$key" \
--script-security 2

Question by:mtchs
 

Expert Comment

by:Adam314
ID: 24399286
I don't see any reason to fork.  From your description, it sounds like you should be able to do everything in one process.

For steps 3 and 4.... I'm assuming the openvpn command creates the vpn connection.  Does it return only after the connection is complete, or does it return immediately?  If it returns immediately, how can you tell the connection is complete?

For step 5, how do you communicate over the connection?  Do you just talk to IP addresses like normal, and the VPN handles it?
 

Author Comment

by:mtchs
ID: 24409489
Steps 3 and 4; openvpn does not exit from that command, unless you let it daemonize.

That's exactly what I'm trying to figure out; it either locks up the script (doesn't return) or it daemonizes. You can have it call a script after the connection is started up; that's what the --up parameter does.


Step 5; it's just regular IP communication, it's just basic Linux routing table stuff.
 

Accepted Solution

by:Adam314 (earned 500 total points)
ID: 24416999
Sounds like there are 2 ways to go:

Steps 1 and 2 will be the same either way.

Option 1)
    Step 3: Start openvpn with the name of a second script
    Have the second script do steps 4, 5, and 6

Option 2)
    Step 3: Start openvpn as a daemon
    wait until complete
    have script do steps 4, 5, and 6



I think either will work.  Option 1 will probably be easier to implement, but you end up with 2 scripts.  For the "wait until complete" part, if the VPN program does not give you a way to check its status, you could probably ping one of the IPs in the VPN.  When you get a reply, the connection is complete.
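Added example, not part of the original thread or any participant's code: one way to do the "wait until complete" step of Option 2 in a single Perl script, by polling the management interface that the question's openvpn command already opens with --management 127.0.0.1 1194. It assumes openvpn was started in the background (for example with --daemon); parse_state and wait_for_vpn are hypothetical helper names, and the 180-second timeout mirrors the sleep mentioned in the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# A state record is "time,state,description,local_tun_ip,remote_ip[,...]";
# real-time notifications prefix it with ">STATE:". Returns details on CONNECTED.
sub parse_state {
    my ($line) = @_;
    return unless $line =~ /^(?:>STATE:)?(\d+),CONNECTED,[^,]*,([^,]*)(?:,([^,]*))?/;
    return { since => $1, local_ip => $2, remote_ip => $3 // '' };
}

# Block until the tunnel is up or $timeout seconds pass (hypothetical helper).
sub wait_for_vpn {
    my ($host, $port, $timeout) = @_;
    my $deadline = time + $timeout;
    my $sock;
    # openvpn may still be starting, so retry the TCP connect until the deadline
    until ($sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')) {
        die "management interface not reachable\n" if time >= $deadline;
        sleep 1;
    }
    # "state on" turns on notifications; "state" covers the case where we attached late
    $sock->syswrite("state on\nstate\n");
    my $sel = IO::Select->new($sock);
    my $buf = '';
    while ((my $left = $deadline - time) > 0) {
        next unless $sel->can_read($left);
        sysread($sock, $buf, 4096, length $buf) or die "management interface closed\n";
        while ($buf =~ s/^(.*?)\r?\n//) {
            my $line = $1;
            die "openvpn needs a credential: $line\n" if $line =~ /^>PASSWORD:/;
            die "openvpn is exiting: $line\n"         if $line =~ /^>FATAL:/;
            my $info = parse_state($line) or next;
            close $sock;    # detaching the management client leaves the tunnel running
            return $info;
        }
    }
    die "VPN not connected after $timeout seconds\n";
}

# Address and port are the ones from the question's --management option.
my $vpn = wait_for_vpn('127.0.0.1', 1194, 180);
print "Tunnel up: local $vpn->{local_ip}, server $vpn->{remote_ip}\n";
```

For step 6, the same interface accepts `signal SIGTERM` to bring the tunnel down. As configured in the question the management port has no password, so any local user can connect to it; --management takes an optional password file as a third argument, or a unix socket path in place of the IP and port.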
 

Author Closing Comment

by:mtchs
ID: 31581724
That's what I already came up with. I was hoping to see a better way to do this.
I resorted to just using a two-script solution, the second one handling both the dial and the what-to-do with the VPN once it's open, based on the first parameter passed to the script.