Subversion Repositories sysadmin_scripts

#! /usr/bin/perl -w

#    vpn - Manages OpenVPN sessions

#    Copyright (C) 2016  R. W. Rodolico

#

#    This program is free software: you can redistribute it and/or modify

#    it under the terms of the GNU General Public License as published by

#    the Free Software Foundation, either version 2 of the License, or

#    (at your option) any later version.

#

#    This program is distributed in the hope that it will be useful,

#    but WITHOUT ANY WARRANTY; without even the implied warranty of

#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

#    GNU General Public License for more details.

#

#    You should have received a copy of the GNU General Public License

#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

#

#    HISTORY:

#    v0.1 - 20160311 RWR

#       Initial Release

#    v0.2 - 20160312 RWR

#       Added --chdir parameter to allow relative processing of files

#             from the .ovpn config file

#       Added --version parameter to display version information

#       Created copyright using GNUv2

#    v0.2.1 - 20191209 RWR

#       Since the openvpn cli does not return any exit codes (always 0), set it to monitor

#       the logs, looking for. See sub verifyUp for details.

#    v0.2.2 - 20250430 RWR

#       If user enters a partial connection name (ie, doesn't match subdirectory of

#       $configDirs), use connection name as a filter to match existing. Basically

#       a poor man's search function

#    v0.3.0 - 20250922 RWR

#       Added ability to run a script in the openvpn config directory prior to making

#       the vpn connection. Basically targeting TOTP connections, where we might want

#       to use oathtool to generate the key. hardcoded as preconnect, in the configuration

#       directory.

#       can also be set using the --pre or -p flags

# On secure systems, you can set this up with the setuid bit to run as root

# chown root:root vpn

# chmod u+s vpn

$main::VERSION = '0.2.2';

use Getopt::Long qw(:config auto_version bundling );

use Pod::Usage qw(pod2usage);

my $configDirs = '/etc/openvpn';

my $logDir = '/var/log/openvpn';

my $pidDir = '/var/run/openvpn';

my $statusDir = '/var/run/openvpn';

my $preConnectScript = 'preconnect';

my $timeOut = 60 * 60; # number of seconds of inactivity to close session

# These variables are for getOpt, and control the operation of the script

# I left them all global

my $kill = '';

my $show = '';

my $destination = '';

my $quiet = '';

my $verbose = '';

my $help = 0;

my $man = 0;

my $chdir = 0;

my $preConnectScript = 'preconnect';

# check if Directories exist and, if root, creates them if needed 

sub validateDirectories {

   my @errors;

   foreach my $dir ( $logDir, $pidDir, $statusDir ) {

      if ( ! -d $dir ) {

         if ( $< ) {

            push @errors,$dir;

         } else {

            `sudo mkdir -p $dir`;

         }

      }

   }

   if ( @errors ) {

      die "The following directories do not exist, rerun as root user\n\t" .

          join( "\n\t", @errors ) . "\n";

   } 

}

# get a pid from a session name, and verify it with a ps

# returns the PID, or an empty string if not found

# SIDE EFFECT: Will remove the .pid file if the process is not

# actually running

sub getPid {

   my $sessionName = shift;

   my $pidFile = "$pidDir/$sessionName.pid";

   my $pid = '';

   if ( -f $pidFile && open PID,"<$pidFile" ) {

      $pid = <PID>;

      close PID;

      chomp $pid;

      print "Found pid file " if $verbose;

      print "\tChecking if pid $pid exists\n" if $verbose;

      if ( `ps --pid $pid --no-headers -o pid` ) {

         print "\tFound PID $pid\n" if $verbose;

         return $pid;

      } else {

         if ( $< ) {

            print STDERR "Invalid PID file $pidDir/$sessionName.pid but can not remove as non-root user\n";

         } else {

            print STDERR "Invalid PID file $pidDir/$sessionName.pid removed\n" unless $quiet;

            `rm "$pidDir/$sessionName.pid"`;

         }

         return '';

      }

   }

   return $pid;

}

# get all available sessions and their status

# returns them in a hash

# if $filter, use that to parse the names by matching it in the string

sub getSessions {

   my $filter = shift;

   $filter = '' unless $filter;

   my %sessions;

   my @possibleSessions = `ls $configDirs`;

   my @active;

   chomp @possibleSessions;

   @possibleSessions = grep{ /$filter/ && -d "$configDirs/$_" } @possibleSessions;

   foreach my $thisSession ( @possibleSessions ) {

      if ( $pid = &getPid( $thisSession ) ) {

         $sessions{$thisSession}{'pidFile'} = "$pidDir/$thisSession.pid";

         $sessions{$thisSession}{'logFile'} = "$logDir/$thisSession.log";

         $sessions{$thisSession}{'statusFile'} = "$statusDir/$thisSession.status";

         $sessions{$thisSession}{'pid'} = $pid;

      } else {

         $sessions{$thisSession}{'pid'} = 0;

      }

   }

   return \%sessions;

}

# displays all available sessions and their status

sub printSessions {

   my $filter = shift;

   my $sessions = &getSessions( $filter );

   print '-'x40 . "\nActive\tSession\t\tPID\n";

   foreach my $session ( sort keys %$sessions ) {

      print $$sessions{$session}{'pid'} ? "*" : " ";

      print "\t$session" . ' 'x (length($session) < 25 ? 25 - length( $session ) : 25);

      if ( $$sessions{$session}{'pid'} ) {

         print "\t" . $$sessions{$session}{'pid'};

      }

      print "\n";

   }

   print '-'x40 . "\n";

   print "Status files located in $statusDir\n" if $verbose;

   print "Log Files located in $logDir\n" if $verbose;

   print "PID files located in $pidDir\n" if $verbose;

}

# simply returns the return code of a process

sub processReturnCode {

   my $code = shift;

   if ($code == -1) {

      return $code;

   }

   $code = $code >> 8;

   return ( $code );

}

# checks a log $count times, with a delay of $delay, for one of the messages below.

# The first two indicate failure, the last one indicates success.

sub verifyUp {

   my $logFile = shift;

   my $delay = 1;

   my $count = 10;

   my $returnCode;

   while ( $count-- ) {

      qx/grep 'AUTH_FAILED' $logFile 2>&1/;

      $returnCode = &processReturnCode( $? );

      print "auth failed grep returned [$returnCode]\n" if $verbose;

      return 0 if ( $returnCode ) == 0;

      qx/grep 'private key password verification failed' $logFile 2>&1/;

      $returnCode = &processReturnCode( $? );

      print "Checking private key password [$returnCode]\n" if $verbose;

      return 0 if ( $returnCode ) == 0;

      qx/grep 'Initialization Sequence Completed' $logFile 2>&1/;

      $returnCode = &processReturnCode( $? );

      print "initialization complete grep returned [$returnCode]\n" if $verbose;

      return 1 if ( $returnCode ) == 0;

      print "Sleeping for $delay seconds\n" if $verbose;

      sleep $delay;

   }

   return 0;

}

# start a connection. Can only be done as root user.

sub startConnection {

   my $destination = shift;

   my $exitString = 'Unknown Exit Status';

   my $toRun = "$configDirs/$destination/$preConnectScript";

   my $configFile = "$configDirs/$destination/$destination.ovpn";

   my $p12 =  "$configDirs/$destination/$destination.p12";

   return '' unless -d "$configDirs/$destination"; # they did not give a known configuration

   chdir( "$configDirs/$destination" ) if $chdir;

   # run the pre connect script, if it is here and executable

   if ( -e $toRun && -x $toRun ) {

      print "Running $toRun\n" if $verbose;

      `$toRun`;

   }

   if ( -f $configFile ) {

      # we found the config file

      if ( &getPid( $destination ) ) { # make sure it is not already running

         return 'The connection was already active';

      }

      my $command = 'openvpn' .

                    ( -f $p12 ? " --askpass" : '' ) .

                    " --daemon $destination" .

                    " --inactive $timeOut" .

                    " --writepid $pidDir/$destination.pid" .

                    " --log $logDir/$destination.log" .

                    " --status $statusDir/$destination.status" .

                    " --config $configFile";

      print "$command\n" if $verbose;

      # run the command.

      system ( $command );

      #  openvpn always appears to have a return code of 0, so we need to look at the logs to see if we had success or failure

      my $status = &verifyUp( "$logDir/$destination.log" );

      if ( $status == 1 ) { # good run, so we just say it 

         return "$destination now active with PID " . &getPid( $destination );

      } else {

         return "There was a failure in the command, check $logDir/$destination.log\nCommand was\n$command";

      }

   } else {

      return "Could not open '$configFile'";

   }

   return "We should never reach this point in startConnection";

}

# kill all active connections

sub killALL {

   my $sessions = &getSessions();

   foreach my $session ( keys %$sessions ) {

      if ( $$sessions{$session}{'pid'} ) {

         $status = &killConnection( $session );

         print "$status\n" unless $quiet;

      } # if

   } # foreach

} # killAll

# kills a connection

sub killConnection {

   my $connection = shift;

   my $pid = &getPid( $connection );

   if ( $pid ) {

      `kill $pid`;

      `rm "$pidDir/$connection.pid"`;

      return "Session $connection killed and pidfile removed\n";

   } else {

      return "$connection not running\n";

   }

}

#### some housekeeping

&validateDirectories(); # check if directories exist and, if root, create them if needed

# process options

GetOptions( 

   'kill|k=s' => \$kill, 

   'display|d' => \$show, 

   'start|s=s' => \$destination, 

   'timeout|t=i' => \$timeOut,

   'quiet|q' => \$quiet,

   'chdir|c' => \$chdir,

   'verbose|v' => \$verbose,

   'pre|p=s' => \$preConnectScript,

   'help|?' => \$help,

   'man' => \$man

);

pod2usage(1) if $help;

pod2usage( -exitval => 0, -verbose => 2 ) if $man;

# process rest of command line if it is there (name of connection)

$destination = shift if @ARGV > 0;

$show = 1 unless $destination || $kill; # if no destination given, default to show

#### main program

if ( $kill ) {

   die "Kill requires you to be root, use sudo\n" if $<;

   $status = ( $kill eq 'ALL' ) ? &killALL() : &killConnection( $kill );

   print "$status\n" unless $quiet;

} elsif ( $destination ) {

   die "Start requires you to be root, use sudo\n" if $<;

   my $status =  &startConnection( $destination );

   print "$status\n" if $status && !  $quiet;

   $show ||= !$status;

}

&printSessions( $destination ) if $show;

1;

__END__

=head1 NAME

vpn

=head1 SYNOPSIS

  vpn             Show status of all available sessions

  vpn session     Start a session (must be root). If no config exists, show

                  possible matches

  vpn [options]

Controls a set of OpenVPN connections, starting, stopping, and auto-timeouts.

=head1 OPTIONS

=over 3

=item B<--kill|-k> I<session>

Kill the named session if running. The keyword ALL (case sensitive) will kill all running sessions

=item B<--display|-d>

Display all available sessions and their current status

=item B<--destination> I<session>

Work with a particular destination

=item B<--start|-ss> I<session>

Start a session. Will check if session already running and not attempt a second connection.

=item B<--timeout|-t> I<seconds>

Set idle timeout, in seconds

=item B<--pre|-p> I<seconds>

Sets a script to be executed prior to making the connection. Must be located in the config directory and executable

=item B<--version>

Display version information

=item B<--chdir|-c>

Causes a chdir to be run before the actual openvpn command is executed. Useful if your pkcs12 file entry does not have a fully qualified path.

=item B<--verbose|-v>

Shows some extra information while processing.

=item B<--help|-?>

This screen

=item B<--man>

Prints the full man page

=back

=head1 DESCRIPTION

Each possible session is assumed to be stored in subdirectories of

$configDirs, with a configuration file of the same name as the subdirectory

and a .ovpn suffix. Any paths in the configuration file must be fully qualified

(ie pkcs12, etc...).

For example

   $configDirs

      +--- vpn1

      |  +--- vpn1.ovpn

      |  |

      |  +--- other files (such as pkcs12)

      |

      +--- vpn2

         +--- vpn2.ovpn

         |

         +--- other files (such as pkcs12)

Based on this, the command vpn vpn2 would look in $configDirs for vpn2.ovpn, then run openvpn using that configuration file.

B<NOTE>: if the configuration file does not have the fully qualified path to any files used (such as pkcs12 files), it will not be able to use them. You can modify this with the -chdir option, which will move into the directory before calling openvpn

The script will then create several files

=over 3

=item B<Log File> .log

Created in $logDir (default /var/log/openvpn). In this case, it would be /var/log/openvpn/vpn1.log

=item B<Status File> .status

Created in $statusDir (default /var/run/openvpn). In this case, would be /var/run/openvpn/vpn1.status

=item B<PID File> .pid

Created in $pidDir (default /var/run/openvpn). In this case would be /var/run/openvpn/vpn1.pid

=back

The Log and Status files are recreated each time a session is started (ie, stopping and starting vpn1 would overwrite the old files). The Pid file is automatically removed when a session is killed.

=head1 CAVEATS

Sometimes, the pid files can become out of sync with reality, especially with a reboot. When --show or --kill ALL are called, a cleanup on these files is done. You can, as a part of reboot, safely call vpn with the --kill ALL function.

Most of the options require elevated privileges as openvpn creates virtual devices on the system. While vpn --show can display the status of all possible sessions, it will complain if there is an old session file (.pid) it can not remove. It will still show the sessions though. Either manually remove the file, or run again with elevated privileges.

The script checks for the existance of the required directories (log, pid and status) and will attempt to create them if they don't exist. If you are not running with elevated privileges, it will complain, then exit.