Script to keep your OpenVPN client connection up and running

Questions and mods regarding system management may go here
Forum rules
We've moved! Head over to Synology Community (community.synology.com) to meet up with our team and other Synology enthusiasts!
mathius
Rookie
Rookie
Posts: 37
Joined: Tue Apr 28, 2015 11:51 am

Script to keep your OpenVPN client connection up and running

Unread post by mathius » Sun Oct 08, 2017 5:14 am

Hey all,

I recently signed up with Private Internet Access for anonymous internet access, and set it up with the built-in Synology OpenVPN client (Control Panel > Network > Network Interface tab). Everything was great with the OpenVPN connection, except - I kept finding the VPN in a failed state, reporting that it was connected but not transferring any data. I also found that Synology's option to 'restart if lost' was not reliable enough. This VPN was used by a Squid proxy server which a lot of client apps and people were to rely upon, so this was a real deal-breaker for using a VPN. I also saw that a number of people were having a similar problem.

So I knocked up a quick script to regularly check the VPN, and to restart it if a website failed to load (I chose an RSS feed as it's perfect for this requirement). It writes to a log (denoted by the 'Processlog' variable) so you can keep an eye on the VPN and the script. It reads your VPN details from the $vpnconfig variable (/usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf) so if that format changes in a newer version, I will be back here to correct it.

Hopefully this helps someone with similar issues.. I made a little guide to maybe introduce some beginners on how these harmless hacks can be achieved, by working to set this up. As a Linux beginner I might need some correction on best practice though :p
  • Create a text file called "RestartVPN.sh" anywhere on your Synolgy NAS (e.g. \\Synoserver\public\RestartVPN.sh)
  • Copy the code below into the text file. Make sure it is saved as UTF-8 encoding.
  • ssh in as your primary admin account, and type 'sudo bash'. Re-enter your admin password. Note: If this step doesn't succeed, forget about proceeding, you need that sudo access..
  • Make sure that the IFCheckString variable reflects what your VPN tunnel is called - the output of the 'ifconfig' command should display an interface called 'tun0' but it may be different.
  • While you are at it - you may choose to replace the RSSFeed variable with an RSS feed hosted from your country; I am sure that the NZ one I have added here is fine but another one might be closer and faster.
  • Create the directory to house the files - (mkdir /etc/VPNBounce)
  • Copy the script from it's original location to the RestartVPN folder ( e.g. cp /volume1/public/RestartVPN.sh /etc/VPNBounce/)
  • Make the script executable (chmod u+x /etc/VPNBounce/RestartVPN.sh)
  • Test it by running it ( . /etc/VPNBounce/RestartVPN.sh) - it should tell you that the Tunnel was found in the InterfaceConfig, and the number of lines pulled from the website.
  • If if all looks OK - add it as a Scheduled Task:
  • # Log into your DSM desktop as admin
  • # Open the Task Scheduler (Control Panel > Task Scheduler)
  • # Select Create > Scheduled Task > User Defined Script
  • # On the general tab, give it a name (Task: field) and select 'Root' for the account (User: field)
  • # On the schedule tab - you select the schedule that you want. Mine runs every 10 minutes.
  • # On the Task Settings tab, just enter '/etc/VPNBounce/RestartVPN.sh' into the 'Run Command' box
Hopefully, that's it.. regularly check in on it, to begin with: just ssh into your NAS and enter 'cat /etc/VPNBounce/processlogs.log' (no quotes). That log should tell you what's going on. If it's empty or doesn't exist, then your VPN has been stable :)

Code: Select all

#! /bin/sh
echo -e "\n\n\nVPN Check script\n================\n\n\n"
# You may want to select a closer RSS Feed URL than New Zealand
RSSfeed='http://rss.nzherald.co.nz/rss/xml/nzhtsrsscid_000000698.xml'
# When connected, your VPN will display as something like "tun0" in the ifconfig output.
# Correct this variable if it is different on your system, especially if you have multiple VPNs
VPNstring="tun0"
## Set output file variables
processlog='/etc/VPNBounce/processlogs.log'
weblog='/etc/VPNBounce/webget.log'
## Gather required VPN variables from VPN Config file
vpnconfig='/usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf'
VPNacct=$(grep 'conf_name' $vpnconfig)
VPNacct=${VPNacct#*=}
VPNid=$(grep '\[' $vpnconfig)
VPNid=$(echo $VPNid | cut -d "[" -f2 | cut -d "]" -f1)
## Clear log, make directory if not exist
if [ ! -d /etc/VPNBounce ]; then
    mkdir /etc/VPNBounce
fi
if [ -f $weblog ]; then
    rm $weblog -f
    log='/etc/VPNBounce/logs.log'
fi
## Pause to allow time for a potentially new connection to settle
echo -e "Pausing 10 seconds to allow for a potentially new connection to complete...\n\n"
sleep 10


## Running check: Checking that the VPN tunnel features in the ifconfig
tunnel=$(ifconfig | grep "tun0")
if [ ! "$tunnel" ]; then
    echo $(date +%F) $(date +%T)" : VPN connection not present in ifconfig - restarting"$'\r' >> $processlog
    echo $(date +%F) $(date +%T)" : VPN connection not present in ifconfig - restarting"
    synovpnc kill_client --id=$VPNid
    sleep 10
    echo conf_id=$VPNid > /usr/syno/etc/synovpnclient/vpnc_connecting
    echo conf_name=$VPNacct >> /usr/syno/etc/synovpnclient/vpnc_connecting
    echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
    synovpnc reconnect --protocol=openvpn --name=$VPNacct --retry=5
    sleep 30

    tunnel=$(ifconfig | grep "tun0")
    if [ ! "$tunnel" ]; then
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have failed"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have failed"
        exit 1
    else
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have succeeded"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have succeeded"
    fi
else
    echo -e "The VPN tunnel is successfully found in the ifconfig.\n\n"
fi


## Running check: Checking that the VPN tunnel is the default gateway
## This might not be important to you, but is required for the VPN to 'anonymise' all traffic
defaultGate=$( ip route | grep default)
if [[ ! "$defaultGate" == *"$VPNstring"* ]]; then
    echo $(date +%F) $(date +%T)" : VPN connection doesn't appear to be default route - restarting"$'\r' >> $processlog
    echo $(date +%F) $(date +%T)" : VPN connection doesn't appear to be default route - restarting"
    synovpnc kill_client --id=$VPNid
    sleep 10
    echo conf_id=$VPNid > /usr/syno/etc/synovpnclient/vpnc_connecting
    echo conf_name=$VPNacct >> /usr/syno/etc/synovpnclient/vpnc_connecting
    echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
    synovpnc reconnect --protocol=openvpn --name=$VPNacct --retry=5
    sleep 30
    tunnel=$(ifconfig | grep "tun0")
    if [[ ! "$defaultGate" == *"$VPNstring"* ]]; then
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have failed to establish Default"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have failed to establish Default"
        exit 1
    else
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have succeeded"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : VPN Restart appears to have succeeded"
    fi
else
    echo -e "The VPN tunnel is successfully found as the default route\n\n"
fi


## Running check: Confirming the tunnel successfully provides a web curl from the RSS URL
curl $RSSfeed --interface tun0 > $weblog
webcount=$(wc -l < $weblog)
echo -e "\n\nThere are $webcount lines in the RSS get.\n\n"
if [ $webcount -lt 50 ]; then
    echo $(date +%F) $(date +%T)" : Restarting VPN as webget is less than 100 lines"$'\r' >> $processlog
    echo $(date +%F) $(date +%T)" : Restarting VPN as webget is less than 100 lines"
    synovpnc kill_client --id=$VPNid
    sleep 10
    echo conf_id=$VPNid > /usr/syno/etc/synovpnclient/vpnc_connecting
    echo conf_name=$VPNacct >> /usr/syno/etc/synovpnclient/vpnc_connecting
    echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
    synovpnc reconnect --protocol=openvpn --name=$VPNacct --retry=5
    sleep 30
    if [ -f $weblog ]; then
        rm $weblog -f
        log='/etc/VPNBounce/logs.log'
    fi
    curl $RSSfeed --interface tun0 > $weblog
    webcount=$(wc -l < $weblog)
    if [ $webcount -gt 49 ]; then
        echo $(date +%F) $(date +%T)" : Restarting VPN appears to have restarted traffic"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : Restarting VPN appears to have restarted traffic"
    else
        echo $(date +%F) $(date +%T)" : Restarting VPN appears NOT to have restarted traffic"$'\r' >> $processlog
        echo $(date +%F) $(date +%T)" : Restarting VPN appears NOT to have restarted traffic"
        exit 1
    fi
fi

Last edited by mathius on Tue Oct 24, 2017 10:50 pm, edited 1 time in total.

AlasBabylon
Trainee
Trainee
Posts: 16
Joined: Thu Oct 19, 2017 12:18 am

Re: Script to keep your OpenVPN client connection up and running

Unread post by AlasBabylon » Mon Oct 23, 2017 11:24 pm

Thank you for posting this! I am also wanting to set up PIA on my NAS. This will come in handy I think.

mathius
Rookie
Rookie
Posts: 37
Joined: Tue Apr 28, 2015 11:51 am

Re: Script to keep your OpenVPN client connection up and running

Unread post by mathius » Tue Oct 24, 2017 1:14 am

AlasBabylon wrote:Thank you for posting this! I am also wanting to set up PIA on my NAS. This will come in handy I think.
All good - I should add, I have been having some additional drama with keeping the VPN stable, something to do with DNS. Once I have that mastered, I will add that fix as well.

mathius
Rookie
Rookie
Posts: 37
Joined: Tue Apr 28, 2015 11:51 am

Re: Script to keep your OpenVPN client connection up and running

Unread post by mathius » Wed Oct 25, 2017 1:44 am

mathius wrote:I should add, I have been having some additional drama with keeping the VPN stable, something to do with DNS. Once I have that mastered, I will add that fix as well.
I think I have fixed the DNS thing - I think the OpenVPN client might have DNS Leak prevention enabled.. preventing reconnection when the VPN goes bad if you use a hostname for VPN connection. When configuring your VPN in Synology, you can use an IP Address as opposed to a hostname if you are getting such DNS related issues in the logs. This might mean editing the .ovpn file (if you use that method to configure your VPN).

Also changed the script to fully kill the connection first, and wait for (hopefully) DNS to correct via the normal connection before reconnecting. Wasn't necessary to take both these actions in my case, but it makes the script less susceptible to a connection that still uses a hostname to connect.

cesar8489
I'm New!
I'm New!
Posts: 2
Joined: Mon Jul 18, 2016 8:10 pm

Re: Script to keep your OpenVPN client connection up and running

Unread post by cesar8489 » Tue Sep 18, 2018 3:00 pm

Hi.

Just for information, I was getting an error so I figured it out:

Code: Select all

XYZ@NAS:~$ sh /etc/VPNBounce/RestartVPN.sh

VPN Check script
================

: No such file or directoryclient/openvpn/ovpnclient.conf
: No such file or directoryclient/openvpn/ovpnclient.conf
/etc/VPNBounce/RestartVPN.sh: line 113: syntax error: unexpected end of file

SOLUTION:
Save the file with EOL (End of File) = UNIX
On Notepad++
Edit > EOL Conversion > Unix (LF)

Cheers!

Locked

Return to “System Managment Mods”