So this is a script โ really a series of scripts โ I bashed (heh) together in a few minutes last night to check when my VPN connection goes down, with a tiny pinhole in the firewall just enough to send an email, and then send another one when it comes back up. Obviously this is useless if the whole internet connection is down, but that isnโt the use case as I donโt have a backup internet connection anyway (although two ISPs with multihomed BGP and my own /24 on each would be damn sweet). Iโm using Ubuntu 16.10, by the way.
This first thing to do was putting an entry at the bottom of /etc/network/interfaces like this:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
up vpnup
The โup vpnupโ might not be strictly necessary, but some guides suggested it was and it works, so Iโm leaving it. This kicks off a script in /etc/network/if-up.d called vpnup that deletes a file present in /var/run. Iโll explain why later. (If you donโt know, the contents of /var/run are deleted on each reboot.)
Do sudo chmod +x /etc/network/if-up.d/vpnup
That script looks like this:
#!/bin/sh
if [ "$IFACE" = tun0 ]; then
rm /var/run/vpnup
fi
The tun0 is my VPN connection.
Then in crontab I have an entry that runs every minute that does some things and kicks off some other bits in a script depending on what events occur. That crontab entry looks like this:
*/1 * * * * /usr/local/bin/vpndrop.sh >> /dev/null 2>&1
That script โvpndrop.shโ is below, but first Iโll explain it.
The first bit is a ping of four packets that attempts to ping a VPN gateway. If it canโt be pinged, then (after a function declaration and some other crap I should really move), it echoes to a log file and then sends an email (if the base internet connection still works). No leaks โ only port 587 is open, and only to a specific address range.
Then it sleeps for three seconds and restarts the Network Manager service. This is because there are a few bugs in Network Manager (actually loads of bugs, but two I care about) that requires restarting it when VPN drops. One is that DNS resolution doesnโt work when VPN drops and then reconnects โ at least with certain providers. Hmm, the other bug I seem to have forgotten but there is a second one, not as major. Will add if I recall it.
Then it sleeps again to allow the network connection to fully recover, and then attempts to reconnect to the VPN.
Another five second sleep to allow that to happen, and then it looks for the file in /var/run. If it does find that file (meaning that tun0 and thus the VPN did not come back up), it does nothing in this bit. It just exits. Then it sleeps for 10 and always attempts to write the file I am looking for when the VPN comes up.
There is probably a better way to to do this, but I care the most about knowing for sure when the VPN comes up again so I want that file to be destroyed when it is definitely up so I get an email.
I wonโt even go through the nightmare it is configuring an MTA in Linux to relay mail to an outside server. Iโm using exim4, and for being an โeasyโ MTA it took me a long time to get anything to work and many painful steps. Explaining all that would require another tutorial five times as long as this one, so you are on your own there.
Do sudo chmod +x /usr/local/bin/vpndrop.sh
But hereโs the script:
#!/bin/bash
if ! ping -c 4 10.15.20.2; then
timestamp()
{
date +"%Y-%m-%d %T"
}
FLAGFILE=/var/run/vpnup
echo "$(timestamp): Damn! That sumbitch disconnected." >> /home/myusername/vpndisconnect.log
echo "VPN disconnected at $(timestamp)" | mail -s "VPN disconnection notice" -r "VPN Alert
sleep 3
sudo systemctl restart NetworkManager.service
sleep 3
nmcli con up id YourVPNConnectionHere
fi
sleep 5
if [ -e $FLAGFILE ]; then
exit 0
else
echo "VPN reconnected at $(timestamp)" | mail -s "VPN reconnection notice" -r "VPN Alert
fi
sleep 10
if [ ! -e $FLAGFILE ]; then
touch $FLAGFILE
fi
Note that Iโve replaced all my private info โ including IP addresses โ with dummies and aliases.
Yes, I could replace the โsleepโ statements with better checking, but the script works for me and I donโt really need (or want) that complexity. Iโm not launching rockets here.
Any questions, put on your own rocket and send them my way. Iโll answer with as much as I know.
16.10 and Network Manager is still broken?
Network Manager seems to be buggy in stages; works ok for a few years, then regresses. For instance, VPN auto-reconnect used to work fine for at least two years and now it’s totally broken again.
The reason I didn’t use the /etc/network/if-up.d directory for the entire script is no matter what (even if I specify) the interface is that it kicks off the script four times (once for each interface), so I’d get four alert emails for the same damn thing. Easier than creating lock files and that sort of thing.
It’s “by design” as I understand it, so it means I had to work around the idiotic design to do what I wanted.
But now it’s all working great so I’m leaving it as is.