Can I get any +1s? This will guarantee that the routes will have been created when the OpenVPN link is up.
commit e8f63323b4e236629f438a082422d61a37cc95af
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Thu Oct 22 21:06:38 2015 +0000

Add script to OpenVPN for VPN route fixing

This will make sure that always after a start/restart the VPN routes are created

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index abb5d03..704becb 100644 --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -14,6 +14,9 @@ nobind
persist-key
+up /etc/openvpn/fix-routes.sh +up-restart + ca ca.crt cert client.crt key client.key diff --git a/roles/openvpn/client/files/fix-routes.sh b/roles/openvpn/client/files/fix-routes.sh new file mode 100644 index 0000000..a08e519 --- /dev/null +++ b/roles/openvpn/client/files/fix-routes.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# First check if this server is actually an OpenVPN client +if [ -f /etc/openvpn/client.crt ]; +then + # Now the magic line + # This first checks whether there is a route, and if there isn't it will: + # 1. Get the local machine's VPN IP (up to and including awk) + # 2. Add a new route to 192.168.0.0/16 via that IP addres (from xargs on) + # 3. Print "Fixed VPN" and exit with code 2 to indicate that it changed + # Note: I've been told that the grep and awk can be in one command, and I believe that, but I find this clearer. + (ip route show | grep '192.168.0.0/16') || ((ip route show | grep '192.168.0.' | awk '{print $1}' | xargs ip route add 192.168.0.0/16 via) && echo "Fixed VPN" && exit 2); +fi diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml index 76817a2..67e44b1 100644 --- a/roles/openvpn/client/tasks/main.yml +++ b/roles/openvpn/client/tasks/main.yml @@ -17,6 +17,9 @@ - { file: client.conf, dest: /etc/openvpn/openvpn.conf, mode: '0644' } + - { file: fix-routes.sh, + dest: /etc/openvpn/fix-routes.sh, + mode: '0755' } - { file: "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt", dest: "/etc/openvpn/client.crt", mode: '0600' }
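Review bot: the client.conf hunk adds `up /etc/openvpn/fix-routes.sh` and `up-restart` without a `script-security` directive, and OpenVPN 2.1 and later will not execute an external `--up` script unless `script-security 2` (or higher) is set, so as written the hook is skipped and OpenVPN only logs a warning about it. Add `script-security 2` next to the `up` line. Note also that `up-restart` makes the hook run on every reconnect as well as on the initial start, so whatever it does must be idempotent and must not exit non-zero, which matters for the `exit 2` in fix-routes.sh.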
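Review bot: in the fix-routes.sh hunk, `exit 2` on the fix path will take the tunnel down, because OpenVPN treats any non-zero exit status from an `--up` script as fatal; the "exit code 2 means changed" convention is an Ansible habit that does not apply here, so drop the `exit 2` and end the script with `exit 0`. The route-parsing pipeline is also fragile: `grep '192.168.0.'` is an unanchored substring match with an unescaped dot, `awk '{print $1}'` prints the destination of whichever line matched, which can be a prefix such as `192.168.0.0/24` rather than an address, and if several lines match, `xargs` appends all of them to a single `ip route add 192.168.0.0/16 via`, which fails. The comment says step 1 gets the local machine's VPN IP, but a peer route such as `192.168.0.1 dev tun0 ... src 192.168.0.2` yields the peer, not the local address. OpenVPN already exports the tunnel gateway to `--up` scripts as `route_vpn_gateway`, so `ip route add 192.168.0.0/16 via "$route_vpn_gateway"` needs no parsing at all; alternatively a `route 192.168.0.0 255.255.0.0` line in client.conf lets OpenVPN install the route itself.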
With kind regards, Patrick Uiterwijk Fedora Infra
+1 thanks.
On 22 October 2015 at 15:11, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Can I get any +1s? This will guarantee that the routes will have been created when the OpenVPN link is up.
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/infrastructure@lists.fedoraproject.org
On Thu, 22 Oct 2015 17:11:51 -0400 (EDT) Patrick Uiterwijk puiterwijk@redhat.com wrote:
Can I get any +1s? This will guarantee that the routes will have been created when the OpenVPN link is up.
+1 - must protect the virtual kittens traveling over openvpn wires in order to avoid the lava on the floor
Tim
And I just realized I need to remove the exit 2, because this will make openvpn exit.
Can I get +1s to this change to the script?
commit 50511a65e7dbdf0a60ad1cc43a6fa2fddec66ed3
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Oct 23 02:41:01 2015 +0000

Make fix-routes not terminate with status 2 if it fixed it

This will make openvpn think something went wrong and terminate the connection. I did this to make it easily visible when running with ansible, but in this case it messes things up.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/openvpn/client/files/fix-routes.sh b/roles/openvpn/client/files/fix-routes.sh index a08e519..44a9450 100644 --- a/roles/openvpn/client/files/fix-routes.sh +++ b/roles/openvpn/client/files/fix-routes.sh @@ -8,5 +8,5 @@ then # 2. Add a new route to 192.168.0.0/16 via that IP addres (from xargs on) # 3. Print "Fixed VPN" and exit with code 2 to indicate that it changed # Note: I've been told that the grep and awk can be in one command, and I believe that, but I find this clearer. - (ip route show | grep '192.168.0.0/16') || ((ip route show | grep '192.168.0.' | awk '{print $1}' | xargs ip route add 192.168.0.0/16 via) && echo "Fixed VPN" && exit 2); + (ip route show | grep '192.168.0.0/16') || ((ip route show | grep '192.168.0.' | awk '{print $1}' | xargs ip route add 192.168.0.0/16 via) && echo "Fixed VPN"); fi
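Review bot: the unchanged context line `# 3. Print "Fixed VPN" and exit with code 2 to indicate that it changed` is now stale since the `exit 2` is gone; update or drop it in this commit. Removing `exit 2` also only fixes the success path: when `ip route add` fails (for instance if `awk` handed `xargs` a prefix or more than one address), the `||` chain evaluates false, the `if` statement takes that status, and the script still exits non-zero, which OpenVPN still treats as a fatal `--up` failure. End the script with an explicit `exit 0` (or append `|| true` to the pipeline) if a failed route fix must not cost the tunnel.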
Count this as a +2 and get a retroactive 1 later. Dropping vpn because of this would be worse than waiting for it.
On 22 October 2015 at 20:45, Patrick Uiterwijk puiterwijk@redhat.com wrote:
And I just realized I need to remove the exit 2, because this will make openvpn exit.
Can I get +1s to this change to the script?
There is still some annoying thing in OpenVPN that's refusing to run the script. I have reverted the change that makes openvpn run the script automatically and will look that up further in the morning, I have left the script itself in place as it's useful.
retrospective +1s requested.
The change:
commit b2b07e8bcda3f2ff3352ad5c1dd8bc5fcb895e32
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Oct 23 03:11:02 2015 +0000

Running the script doesn't work yet. But we still want the script.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index 704becb..307a357 100644 --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -14,8 +14,8 @@ nobind
persist-key
-up /etc/openvpn/fix-routes.sh -up-restart +#up /etc/openvpn/fix-routes.sh +#up-restart
ca ca.crt cert client.crt
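Review bot: commenting out `up` and `up-restart` hides the symptom rather than fixing the cause; the context around the hunk still shows no `script-security` directive, and without `script-security 2` OpenVPN refuses to run any external `--up` script and says so in its log, which matches the "refusing to run the script" behaviour described. Try adding `script-security 2` ahead of the `up` line instead of reverting, then re-enable the hook; keeping fix-routes.sh deployed in the meantime is fine.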
Count this as a +2 and get a retroactive 1 later. Dropping vpn because of this would be worse than waiting for it.
-- Stephen J Smoogen.
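As an added example (not the Fedora infra script and not part of this thread), here is how an OpenVPN `--up` hook can do the same route fix while avoiding the two failure modes that came up above: it never exits non-zero, so it cannot take the tunnel down, and it uses the `route_vpn_gateway` variable that OpenVPN exports to `--up` scripts instead of parsing `ip route` output. It assumes the client config has `script-security 2` so the hook runs at all; `IP_CMD`, `WANT_NET`, `ensure_route`, `fake_ip` and the sample routing table are this example's own names and constructed data, not anything from the thread.

```shell
#!/bin/sh
# Added example, not the Fedora infra script: an idempotent OpenVPN --up hook
# that installs a summary route through the tunnel and never reports failure
# to OpenVPN. Assumptions: client.conf sets "script-security 2" so the hook
# runs, OpenVPN exports route_vpn_gateway (it does for --dev tun clients), and
# IP_CMD names ip(8) or, for testing, a stand-in function. All names below are
# this example's own.

WANT_NET="${WANT_NET:-192.168.0.0/16}"   # prefix that must be reachable via VPN
IP_CMD="${IP_CMD:-ip}"                   # hypothetical override, default ip(8)

# route_present TABLE PREFIX: succeeds when some line of TABLE (the output of
# "ip route show") has PREFIX as its destination field. Exact field match,
# unlike an unanchored grep that would also hit 192.168.0.0/24 or 192.168.0.1.
route_present() {
    printf '%s\n' "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255, so an
# empty or odd value of route_vpn_gateway is never passed to "ip route add".
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# ensure_route TABLE PREFIX GATEWAY: prints present, added or skipped:<why>.
# Always returns 0: a non-zero exit from an --up script is fatal to OpenVPN,
# and a missing extra route is less bad than no tunnel at all.
ensure_route() {
    table="$1"; prefix="$2"; gw="$3"
    if route_present "$table" "$prefix"; then
        echo present; return 0
    fi
    if ! valid_ipv4 "$gw"; then
        echo "skipped:bad-gateway"; return 0
    fi
    if "$IP_CMD" route add "$prefix" via "$gw" 2>/dev/null; then
        echo added
    else
        echo "skipped:ip-route-add-failed"
    fi
    return 0
}

# main: the entry point OpenVPN runs. Reads the live table once, then decides.
main() {
    table="$("$IP_CMD" route show 2>/dev/null)" || table=""
    result="$(ensure_route "$table" "$WANT_NET" "${route_vpn_gateway:-}")"
    echo "fix-routes: $WANT_NET $result"
    exit 0
}

# Constructed sample of "ip route show" on a tun client whose peer route is up
# but whose /16 summary route is missing (invented addresses for the demo).
SAMPLE_TABLE='default via 10.5.78.1 dev eth0
10.5.78.0/24 dev eth0 proto kernel scope link src 10.5.78.33
192.168.0.1 dev tun0 proto kernel scope link src 192.168.0.2'

# fake_ip: stand-in for ip(8) so the decision logic runs without root. Answers
# "route show" with the sample; "route add" succeeds unless FAKE_ADD_RC is set.
fake_ip() {
    case "$1 $2" in
        "route show") printf '%s\n' "$SAMPLE_TABLE" ;;
        "route add")  echo "fake: ip $*" >&2; return "${FAKE_ADD_RC:-0}" ;;
        *)            return 1 ;;
    esac
}

# demo: exercise ensure_route against the sample; the second call sees a table
# that already carries the route, the third gets no gateway at all.
demo() {
    IP_CMD=fake_ip
    first="$(ensure_route "$SAMPLE_TABLE" "$WANT_NET" 192.168.0.1)"
    second="$(ensure_route "$SAMPLE_TABLE
$WANT_NET via 192.168.0.1 dev tun0" "$WANT_NET" 192.168.0.1)"
    third="$(ensure_route "$SAMPLE_TABLE" "$WANT_NET" "")"
    echo "$first $second $third"
}

# Under OpenVPN route_vpn_gateway is set, so do the real work; by hand, demo.
if [ -n "${route_vpn_gateway:-}" ]; then main "$@"; else demo; fi
```

Deploy it as /etc/openvpn/fix-routes.sh with `script-security 2`, `up /etc/openvpn/fix-routes.sh` and `up-restart` in client.conf; running it by hand (with no `route_vpn_gateway` in the environment) prints the demo results against the constructed table. `ensure_route` is the only function with side effects and it always returns 0, so a route that could not be added is logged rather than escalated into a dropped tunnel.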
It's 3:00am so it may take a while for others to read, so if it'll speed things up for you I obviously trust Smooge's judgment - a retro +1
[I'm not an official infra member yet so it may not count but it's worth a try]
On Thu, Oct 22, 2015 at 11:14 PM, Patrick Uiterwijk puiterwijk@redhat.com wrote:
There is still some annoying thing in OpenVPN that's refusing to run the script. I have reverted the change that makes openvpn run the script automatically and will look that up further in the morning, I have left the script itself in place as it's useful.
retrospective +1s requested.
On Thu, Oct 22, 2015 at 11:14:03PM -0400, Patrick Uiterwijk wrote:
There is still some annoying thing in OpenVPN that's refusing to run the script. I have reverted the change that makes openvpn run the script automatically and will look that up further in the morning, I have left the script itself in place as it's useful.
retrospective +1s requested.
+1 for me