On Thu, 22 Oct 2015 17:11:51 -0400 (EDT)
Patrick Uiterwijk <puiterw...@redhat.com> wrote:

> Can I get any +1s?
> This will guarantee that the routes will have been created when the
> OpenVPN link is up.

+1 - must protect the virtual kittens traveling over openvpn wires in
order to avoid the lava on the floor

Tim

> commit e8f63323b4e236629f438a082422d61a37cc95af
> Author: Patrick Uiterwijk <puiterw...@redhat.com>
> Date:   Thu Oct 22 21:06:38 2015 +0000
> 
>     Add script to OpenVPN for VPN route fixing
>     
>     This will make sure that always after a start/restart the
>     VPN routes are created
>     
>     Signed-off-by: Patrick Uiterwijk <puiterw...@redhat.com>
> 
> diff --git a/roles/openvpn/client/files/client.conf
> b/roles/openvpn/client/files/client.conf index abb5d03..704becb 100644
> --- a/roles/openvpn/client/files/client.conf
> +++ b/roles/openvpn/client/files/client.conf
> @@ -14,6 +14,9 @@ nobind
>  
>  persist-key
>  
> +up /etc/openvpn/fix-routes.sh
> +up-restart
> +
>  ca ca.crt
>  cert client.crt
>  key client.key
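
Review bot: the `up /etc/openvpn/fix-routes.sh` line only takes effect if client.conf also sets `script-security 2` or higher, and no such directive is visible in this hunk's context; please confirm it is present, otherwise OpenVPN will not execute the script. Because `up-restart` also runs the script on restarts, check whether this config drops privileges with `user`/`group` (not visible here): after a drop, `ip route add` in the script would fail for lack of privileges.
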
> diff --git a/roles/openvpn/client/files/fix-routes.sh
> b/roles/openvpn/client/files/fix-routes.sh new file mode 100644
> index 0000000..a08e519
> --- /dev/null
> +++ b/roles/openvpn/client/files/fix-routes.sh
> @@ -0,0 +1,12 @@
> +#!/bin/sh
> +# First check if this server is actually an OpenVPN client
> +if [ -f /etc/openvpn/client.crt ];
> +then
> +       # Now the magic line
> +       # This first checks whether there is a route, and if there
> isn't it will:
> +       # 1. Get the local machine's VPN IP (up to and including awk)
> +       # 2. Add a new route to 192.168.0.0/16 via that IP addres
> (from xargs on)
> +       # 3. Print "Fixed VPN" and exit with code 2 to indicate that
> it changed
> +       # Note: I've been told that the grep and awk can be in one
> command, and I believe that, but I find this clearer.
> +       (ip route show | grep '192.168.0.0/16') || ((ip route show |
> grep '192.168.0.' | awk '{print $1}' | xargs ip route add
> 192.168.0.0/16 via) && echo "Fixed VPN" && exit 2); +fi diff --git
> a/roles/openvpn/client/tasks/main.yml
> b/roles/openvpn/client/tasks/main.yml index 76817a2..67e44b1 100644
> --- a/roles/openvpn/client/tasks/main.yml +++
> b/roles/openvpn/client/tasks/main.yml @@ -17,6 +17,9 @@
>    - { file: client.conf,
>        dest: /etc/openvpn/openvpn.conf,
>        mode: '0644' }
> +  - { file: fix-routes.sh,
> +      dest: /etc/openvpn/fix-routes.sh,
> +      mode: '0755' }
>    - { file:
> "{{ private }}/files/vpn/openvpn/keys/{{ inventory_hostname }}.crt",
> dest: "/etc/openvpn/client.crt", mode: '0600' }
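
Review bot: in fix-routes.sh, the `exit 2` on the path that repairs the route makes the script's last command return non-zero, and OpenVPN treats a non-zero exit from an `up` script as a failure, so the very run that fixes the route can take the tunnel down; return 0 there and keep the "Fixed VPN" message as the change indicator. The fallback pipeline also needs a guard: when `grep '192.168.0.'` matches nothing, GNU xargs still runs `ip route add 192.168.0.0/16 via` with no gateway (use `xargs -r`), and more than one matching line passes several addresses to a single `ip route add`. The dots in both grep patterns are unescaped, so they match any character; `grep -F` or escaped dots would pin the match to the intended prefix.
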
> 
> 
> 
> With kind regards,
> Patrick Uiterwijk
> Fedora Infra
> _______________________________________________
> infrastructure mailing list
> infrastructure@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/infrastructure@lists.fedoraproject.org
