Using Monit to restart openvpn server when ping fails

Started by williamk, April 07, 2021, 07:05:24 PM

Hi,

On the latest and greatest version of OPNsense. Have a vpn server on the OPNsense router that a client connects to for a site-to-site vpn. Anytime a router on either side reboots, or if there is a network blip, the tunnel dies, and I have to login to the router and start the openvpn service. I tried following this tutorial, but cannot get it to work.

https://forum.opnsense.org/index.php?topic=6979.0

I can create the monit service for pinging the gateway of the remote network, but am stuck at how to get monit to actually restart the openvpn server.  Can anyone give me some guidance?

On command line I can see the service.  If I run ps aux | grep openvpn I get:
root    88677   0.0  0.4 1073220  8632  -  Ss   08:16      0:00.26 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf



Hello,
From my point of view there are two commands to restart the client; both have worked so far on the console:

  ps aux | grep openvpn
shows the running openvpn servers, in my case three, one of them is the client, number three.
This task is apparently also a start command for my client:
  /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
Alternatively, this also works on the console:
  pluginctl -s openvpn start 3

Both start the openvpn client again from the console and the connection is established; a refresh of the dashboard GUI shows the success.

I would now like Monit to execute one of these commands as a start action, and could use some help.
  pluginctl -s openvpn start 3
is not accepted as a start command in the Monit GUI, and
  /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
is apparently not executed as a start command.

I'm still testing / looking further, but would be very grateful for some help, could you solve it?

https://forum.opnsense.org/index.php?topic=22745.msg108537#msg108537

Try perhaps:

/bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 3'

A guess based on a monit task I have (for dpinger)

THX, that's it!

To do this, I copied the service test settings "failed ping" in the Monit GUI and selected Execute with the path above as the action. Under Service Settings, then Ping test, Type Remote Host, and in Tests the Ping and the Ping with Execute selected.

In general settings, set the polling interval to 300 so that the name server can adapt.

The client will now start again automatically after a WAN interruption.

I've found this thread...

also I want to restart my openvpn clients on my opnsense (22.7.9_3)

in CLI I can successfully

root@OPNsense:~ # ps aux | grep openvpn
root          95966  25.8  0.0    17928    7952  -  Ss   12:38        0:16.58 /usr/local/sbin/openvpn --config /var/etc/openvpn/client15.conf
root          23564   0.0  0.0    17928    7808  -  Ss   12:38        0:00.41 /usr/local/sbin/openvpn --config /var/etc/openvpn/client19.conf
root          60688   0.0  0.0    17928    7952  -  Ss   12:40        0:00.04 /usr/local/sbin/openvpn --config /var/etc/openvpn/client12.conf


and also then successfully

root@OPNsense:~ # pluginctl -s openvpn start 19
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 15
Service `openvpn' has been started.
root@OPNsense:~ # pluginctl -s openvpn start 12
Service `openvpn' has been started.


When I follow your steps, you created a copy of the "ping failed" test and changed it to executable, which I did then too..
The failed ping test copy I can save successfully, but as soon as I select it in the service settings, I get issues
I see this in CLI under "cat /usr/local/etc/monitrc"

"
check host OpenVPNClientGateway address 8.8.4.4
   if failed ping then alert
   if failedpingGW then exec /bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 12'

"
so basically the ping test and the script are there, but I can't save via webgui as I always get an error..

"
Error   monit   /usr/local/etc/monitrc:32: syntax error 'failedpingGW'
"

can you help me here please?

Quote from: snoopy78 on December 19, 2022, 12:50:49 PM

aarrghh...

if I use the correct command...it works..
"
check host OpenVPNClientGateway address 8.8.4.4
   if failed ping then alert
   if failed ping then exec /bin/sh -c '/usr/local/sbin/pluginctl -s openvpn start 12'
"

Reviving a very old thread, posting my "solution" here as it might help someone. For context, I have 2 openvpn (client) connections on the firewall, which for various reasons would end up down every so often. My current quick and dirty solution is to create a script called "openvpn-monitor.sh" in /usr/local/sbin and call it via cron every minute

The script looks like this:

#!/usr/local/bin/bash
clear
MONITOR_IP="1.1.1.1"
LOG_FILE="/var/log/openvpn-monitor.log"

dt=$(date '+%d/%m/%Y %H:%M:%S')

echo "${dt}"

printf "Getting Openvpn interface list...\n\n" | tee -a "${LOG_FILE}"

# Collect "ovpncN: <ipv4>" pairs. The interface label is cleared on every
# non-ovpnc header line so that an interface listed after a tunnel in the
# ifconfig output does not inherit the tunnel's name (the original awk kept
# the last ovpnc label for all following interfaces).
INTERFACES=$(ifconfig | awk '/^[a-z0-9_.]+:/ { interface = ($1 ~ /^ovpnc[0-9]+:/) ? $1 : "" } /inet / && interface != "" { print interface, $2 }')

if [ -z "$INTERFACES" ]; then
    echo "No running openvpn instances found, exiting" | tee -a "${LOG_FILE}"
    exit 0
else
    echo "Current active openvpn interfaces..." | tee -a "${LOG_FILE}"
    echo "${INTERFACES}" | tee -a "${LOG_FILE}"
    printf "\n\n" | tee -a "${LOG_FILE}"

    echo "Checking connectivity..." | tee -a "${LOG_FILE}"
    grep -oE 'ovpnc[0-9]+: [0-9.]+' <<< "$INTERFACES" | while read -r interface; do
        # "ovpnc12: 10.9.0.2" -> instance number 12 and the tunnel's own address
        INTERFACE_NO=$(echo "$interface" | awk '{print $1}' | sed 's/[^0-9]*//g')
        INTERFACE_IP=$(echo "$interface" | awk '{print $2}')

        # Source the probe from the tunnel address (-S) so it is forced through that tunnel
        if ping -c2 -S "${INTERFACE_IP}" "${MONITOR_IP}" >/dev/null 2>&1; then
            echo "Ping ${MONITOR_IP} via openvpn-${INTERFACE_NO} succeeded" | tee -a "${LOG_FILE}"
        else
            echo "Ping ${MONITOR_IP} via openvpn-${INTERFACE_NO} Failed" | tee -a "${LOG_FILE}"
            echo "Restarting openvpn interface ${INTERFACE_NO}" | tee -a "${LOG_FILE}"
            /usr/local/sbin/pluginctl -s openvpn start "${INTERFACE_NO}"
        fi
    done
fi

echo "--------------------------------------------" | tee -a "${LOG_FILE}"



Basically, it gets a list of openvpn interfaces along with their respective ip addresses, issues 2 pings (ping -c2) to the ip address defined in $MONITOR_IP. If the pings are ok, it stops, otherwise it issues /usr/local/sbin/pluginctl -s openvpn start ${INTERFACE_NO}, which basically resets the connection.

For the cron, originally I added an entry to the normal crontab, using crontab -e, only to find this is overwritten on boot ... should have read the manual :), so it won't work after a reboot.

Instead, go to /usr/local/opnsense/service/conf/actions.d and create a new file called actions_checkopenvpn.conf.

In the file just paste the following:

[start]
command:/usr/local/sbin/openvpn-monitor.sh
parameters:
type:script
message:OpenVPN Monitor
description:OpenVPN Monitor


save the file, and run "service configd restart".

At this point the cron should be visible in the cron GUI under System->Settings->Cron.

Click on the + icon, select the OpenVPN Monitor from the drop down, put a * in the minutes and in the hours field (this will make the cron run every minute). Add a description if needed, hit save and apply.

It is not the tidiest of solutions, since most likely a BSD update will delete the script file, but for now it is serving its purpose. It might be an idea to create a plugin out of it, which should not be too difficult. In case I manage, I will post a quick howto.
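As an added example that is not part of this thread or of OPNsense itself, the same interface-parsing and ping-then-restart logic as the cron script above, split into two functions so it can be exercised against a constructed ifconfig sample without a live tunnel. The sample ifconfig text, the names ovpn_instances and check_instances, and the PING_CMD/RESTART_CMD overrides are assumptions of this example; the pluginctl invocation is the one used throughout the thread. The sample deliberately lists em0 after ovpnc1, which is the case where a parser that never clears the last ovpnc label would attribute em0's address to the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread. Parses FreeBSD-style ifconfig output into
# "instance-number tunnel-ip" pairs for the ovpncN interfaces only, then probes
# each tunnel from its own address and restarts the instance on failure.

# Constructed sample ifconfig output (addresses from documentation ranges).
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.20 netmask 0xffffff00 broadcast 198.51.100.255
ovpnc12: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.9.0.2 --> 10.9.0.1 netmask 0xffffffff
'

MONITOR_IP="1.1.1.1"
# Overridable so the restart logic can be dry-run (assumed names, see lead-in).
PING_CMD=${PING_CMD:-"ping -c2 -S"}
RESTART_CMD=${RESTART_CMD:-"/usr/local/sbin/pluginctl -s openvpn start"}

# stdin: ifconfig output; stdout: one "N IPv4" line per ovpncN interface.
# The label is reset on every interface header, so only inet lines that
# directly follow an ovpncN header are reported.
ovpn_instances() {
    awk '
        /^[A-Za-z0-9_.]+:/ { iface = ($1 ~ /^ovpnc[0-9]+:$/) ? $1 : "" }
        /^[ \t]+inet / && iface != "" {
            n = iface; sub(/^ovpnc/, "", n); sub(/:$/, "", n)
            print n, $2
        }
    '
}

# stdin: "N IPv4" lines; stdout: "ok N" or "restart N" per instance.
# The probe is sourced from the tunnel address so it has to traverse that tunnel.
check_instances() {
    while read -r n ip; do
        [ -n "$n" ] || continue
        if $PING_CMD "$ip" "$MONITOR_IP" >/dev/null 2>&1; then
            echo "ok $n"
        else
            echo "restart $n"
            $RESTART_CMD "$n" >/dev/null 2>&1
        fi
    done
}

# Stand-alone run: show which instances the constructed sample would yield.
# On a firewall the pipeline is: ifconfig | ovpn_instances | check_instances
printf '%s' "$SAMPLE_IFCONFIG" | ovpn_instances
```

The two-stage split keeps the part that needs privileges and a real network (check_instances) separate from the part that is pure text processing, which is the part most likely to misbehave as ifconfig output changes.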