Solved

Establishing an OpenVPN connection from a Perl script

Posted on 2009-05-14
Last Modified: 2012-05-07
Hi,
I'm attempting to script an OpenVPN client connection from within a Perl script.
That same Perl script needs to wait (fork and wait?) until the connection is established fully, and then continue the script (talking over the VPN).
After it's done, it will kill the fork, or leave the fork alive and kill the parent.

I'm trying to figure out the best way to go about this; I'll try to outline the flow as simply as I can...

1. start of Perl script...
2. execute some stuff; script determines it needs to talk to a server over the VPN
3. Perl dials a VPN connection, either by forking or whichever method is best
4. child, or other method, signals the main script to continue, as the connection has been established (having its own IP, gateway IP, settings and such)
5. main script (parent) continues execution, does some talking over the connection, etc.
6. main script decides by means of a conditional whether the VPN connection should be left open, and allows the main script to exit; otherwise kill the connection and exit

I've started with this simple bash connect script, and just sleep()'ing for 180 seconds in the main script after forking off a child which executes the bash script. Of course, this is not reliable in any way, and I can't really get the connection details back to the main script. (I have to do a few subnet tests, and get the results from a remote server.)

#!/bin/bash

# openvpn needs root to create the tun device and adjust routes
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# client certificate material and the server endpoint
ca="/home/user/keys/ca.crt"
cert="/home/user/keys/user.crt"
key="/home/user/keys/user.key"
remote="x.x.x.x"
port="4430"
proto="tcp-client"

echo "Connecting to $remote:$port using $proto..."

# Runs in the foreground and does not return until the tunnel is torn down.
# --up runs the given command once the tun device is configured;
# --management opens a local control socket on 127.0.0.1:1194;
# --script-security 2 is what allows the --up command to be executed.
openvpn \
--up "/bin/echo Yay up" \
--remote "$remote" \
--nobind \
--dev tun \
--proto "$proto" \
--port "$port" \
--up-restart \
--persist-key \
--persist-tun \
--management 127.0.0.1 1194 \
--management-query-passwords \
--route-noexec \
--client \
--ca "$ca" \
--cert "$cert" \
--key "$key" \
--script-security 2

Question by:mtchs
4 Comments

Expert Comment

by:Adam314
ID: 24399286
I don't see any reason to fork.  From your description, it sounds like you should be able to do everything in one process.

For steps 3 and 4.... I'm assuming the openvpn command creates the VPN connection. Does it return only after the connection is complete, or does it return immediately? If it returns immediately, how can you tell the connection is complete?

For step 5, how do you communicate over the connection? Do you just talk to IP addresses like normal, and the VPN handles it?
 

Author Comment

by:mtchs
ID: 24409489
Steps 3 and 4: openvpn does not exit from that command, unless you let it daemonize.

That's exactly what I'm trying to figure out; it either locks up the script (doesn't return) or it daemonizes. You can have it call a script after the connection is started up; that's what the --up parameter does.

Step 5: it's just regular IP communication; it's just basic Linux routing table stuff.


Accepted Solution

by:Adam314 (earned 500 total points)
ID: 24416999
Sounds like there are 2 ways to go:

Steps 1 and 2 will be the same either way.

Option 1)
    Step 3: Start openvpn with the name of a second script
    Have the second script do steps 4, 5, and 6

Option 2)
    Step 3: Start openvpn as a daemon
    wait until complete
    have script do steps 4, 5, and 6

I think either will work. Option 1 will probably be easier to implement, but you end up with 2 scripts. For the "wait until complete" part, if the VPN program does not give you a way to check its status, you could probably ping one of the IPs in the VPN. When you get a reply, the connection is complete.
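Option 2's "wait until complete" step can be done without pinging, by polling the management interface that the question's own command line already opens (--management 127.0.0.1 1194). This is an added example, not code from the thread; the key paths, the remote address x.x.x.x and the 60-second timeout are placeholders, and --management-query-passwords is omitted on the assumption that the key is unencrypted, so openvpn never blocks waiting for a prompt.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

my $mgmt_port = 1194;   # management port from the question's openvpn command line

# Hypothetical paths and endpoint; substitute your own (same options as the bash script,
# plus --daemon so that system() returns once openvpn has detached).
my @openvpn = ('openvpn', '--daemon', '--client', '--dev', 'tun', '--nobind',
    '--remote', 'x.x.x.x', '--port', '4430', '--proto', 'tcp-client',
    '--ca', '/home/user/keys/ca.crt', '--cert', '/home/user/keys/user.crt',
    '--key', '/home/user/keys/user.key', '--management', '127.0.0.1', $mgmt_port);

# Poll the management interface's "state" command until it reports CONNECTED.
# Reply: <unix-time>,<state>,<description>,<local-vpn-ip>,<remote-ip> then a line "END".
# The ">INFO:..." greeting and any other lines are skipped by the /^\d+,/ filter.
sub wait_for_vpn {
    my ($port, $timeout) = @_;
    my $deadline = time + $timeout;
    while (time < $deadline) {
        my $sock = IO::Socket::INET->new(PeerAddr => '127.0.0.1', PeerPort => $port,
                                         Proto => 'tcp', Timeout => 2);
        if ($sock) {                     # connect only succeeds once openvpn is listening
            print $sock "state\r\n";
            my $state = '';
            while (my $line = <$sock>) {
                last if $line =~ /^END/;
                $state = $line if $line =~ /^\d+,/;
            }
            close $sock;                 # openvpn allows one management client at a time
            return $1 if $state =~ /^\d+,CONNECTED,SUCCESS,([^,\s]+)/;   # local tun address
        }
        sleep 1;
    }
    return;                              # timed out
}

# Steps 3 and 4: start the daemon, then block here until the tunnel is really up.
system(@openvpn) == 0 or die "openvpn failed to start: $?\n";
my $tun_ip = wait_for_vpn($mgmt_port, 60) or die "VPN not up after 60s\n";
print "VPN up, local address $tun_ip\n";

# Step 5: talk to hosts across the tunnel here (plain IP traffic routed via tun).

# Step 6: either leave the daemon running, or ask it to shut down cleanly.
my $leave_open = 0;
if (!$leave_open) {
    my $sock = IO::Socket::INET->new(PeerAddr => '127.0.0.1', PeerPort => $mgmt_port, Proto => 'tcp');
    print $sock "signal SIGTERM\r\n" if $sock;
}
```

The management socket as configured here is unauthenticated on loopback, so any local user could connect and issue "signal SIGTERM" or read the connection state; for anything beyond a test box, give --management its optional third argument, a password file, so the script (and only the script) can drive openvpn.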
Author Closing Comment

by:mtchs
ID: 31581724
That's what I already came up with. I was hoping to see a better way to do this.
I resorted to just using a two-script solution, the second one handling both the dial and the what-to-do with the VPN once it's open, based on the first parameter passed to the script.
