OpenVPN Client Route Script

I’m at a loss and wanted to see if any Linux gurus on here can assist.

I’m following this tutorial…

https://www.pantz.org/software/openvpn/openvpn_with_private_internet_access_and_port_forwarding.html

…to segment a VPN client connection to a single interface on my Raspberry Pi so I can make specific programs utilize it while others communicate outside of the VPN.

This configuration worked flawlessly when I was on PIA but now that I moved to Surfshark, it’s not.

Here’s what the client.conf should look like according to the tutorial…

Here’s what my client.conf looks like using Surfshark…

Basically, I just added the last three lines to enable user scripting, pass the environmental variables to the route-up command, and execute the openvpn-route.sh script.

This is the script that runs…

Also, according to the tutorial I need to run this command to create a table that the script references…

sudo bash -c 'echo "1 rt2" >> /etc/iproute2/rt_tables'

With all this in place, I run the script…

sudo openvpn --config /etc/openvpn/surfshark/surfshark.conf

The connection to the VPN is successful but I get the following error…

The script echoes “No env vars found.”

Is there something in my client.conf file that is preventing the env vars from being set or passed to the script?

Thank you in advance for the assistance!

Your route-up script tests four env variables and if any is zero length, it returns “no env variables …”. You could add printenv > /tmp/openvpn-route-up.out in the if block before exit 1 and see specifically which are missing. Maybe that would point you to an error in your conf file.

It’s working now!

I deleted my previous post because the script was failing to run at all because of unknown commands and syntax errors until I ran it against a program called dos2unix. Still don’t understand what that program does but it fixed the issue lol.

Here is the output of the openvpn-route-up.out file…

link_mtu=1584
common_name=us-lax-v003.prod.surfshark.com
proto_1=udp
script_type=route-up
untrusted_port=1194
tls_digest_sha256_2=4f:0c:40:bc:83:76:2a:63:f3:ce:bb:38:c5:43:fd:55:61:d5:15:0e:33:c4:60:70:23:41:c0:8c:6c:>
tls_digest_sha256_0=bd:64:d8:7f:ff:7e:df:90:5f:af:24:7e:78:c6:4b:b0:31:16:be:43:f7:0d:fd:92:bb:23:a1:65:99:>
tls_digest_sha256_1=4a:92:b1:ef:b4:bf:81:ed:30:4d:92:13:6e:a6:73:9e:b0:65:73:91:62:e7:82:1f:92:ff:ab:b2:44:>
tls_digest_2=0b:00:32:92:6f:b3:fc:89:4d:91:9d:33:50:4a:55:4a:2f:a7:8a:d1
tls_digest_0=c9:9a:df:e2:36:c0:bf:49:52:f2:64:d2:e0:f1:03:d1:96:0e:f5:a7
tls_digest_1=eb:c2:e9:7c:e8:c3:42:68:77:e5:66:28:0e:e7:35:13:c7:f0:2c:64
script_context=init
PWD=/home/frunk
dev=tun1
untrusted_ip=38.95.110.71
daemon=0
tun_mtu=1500
remote_port_1=1194
foreign_option_1=dhcp-option DNS 162.252.172.57
foreign_option_2=dhcp-option DNS 149.154.159.92
verb=3
route_vpn_gateway=10.8.8.1
tls_serial_2=14644944541690560422
tls_serial_0=11321823433126137188
tls_serial_1=13200304258218253675
X509_2_O=Surfshark
X509_2_C=VG
tls_serial_hex_0=9d:1f:32:6d:45:2d:4d:64
tls_serial_hex_1=b7:30:e6:c8:de:2c:dd:6b
tls_serial_hex_2=cb:3d:4b:77:ea:c2:ff:a6
tls_id_1=C=VG, O=Surfshark, CN=Surfshark Intermediate CA
tls_id_0=CN=us-lax-v003.prod.surfshark.com
trusted_ip=38.95.110.71
tls_id_2=C=VG, O=Surfshark, CN=Surfshark Root CA
X509_2_CN=Surfshark Root CA
remote_1=us-lax.prod.surfshark.com
ifconfig_local=10.8.8.3
daemon_pid=2000
trusted_port=1194
daemon_start_time=1578178015
SHLVL=1
route_net_gateway=10.255.255.254
ifconfig_netmask=255.255.255.0
X509_0_CN=us-lax-v003.prod.surfshark.com
X509_1_O=Surfshark
X509_1_C=VG
daemon_log_redirect=0
X509_1_CN=Surfshark Intermediate CA
dev_type=tun
config=/etc/openvpn/surfshark/surfshark.conf
ifconfig_broadcast=10.8.8.255
_=/usr/bin/printenv

The script was exiting because the ‘ifconfig_remote’ variable identifying the VPN server’s IP address was not present. That variable is known as either ‘untrusted_ip’ or ‘trusted_ip’ (go figure).

I renamed the env variable in the script to look for ‘$untrusted_ip’ and it worked!

Thank you so much, cburn11! I really appreciate the time you took to help me figure this out.
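
The check suggested in the reply earlier in this thread, written out as an added example (not the tutorial's script and not code from either poster): a route-up hook that names the exact variables it is missing instead of printing a generic message. The required-variable list, the two `ip` commands and the function names `missing_vars` and `apply_routes` are assumptions, because the original script is not shown on this page.

```shell
#!/bin/sh
# Added example: route-up hook that reports which OpenVPN env vars are absent.

# Variables this sketch reads (assumed list; match it to your own script).
REQUIRED_VARS="dev ifconfig_local route_vpn_gateway"
TABLE="rt2"   # table name registered in /etc/iproute2/rt_tables

# Print the names (space separated) of the given variables that are unset or empty.
missing_vars() {
    missing=""
    for name in "$@"; do
        # Expand only well-formed identifiers, so eval never sees anything else.
        case "$name" in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) missing="$missing $name"; continue ;;
        esac
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    echo "${missing# }"
}

# Route traffic sourced from the tunnel address through the VPN gateway.
apply_routes() {
    ip rule add from "$ifconfig_local" table "$TABLE"
    ip route add default via "$route_vpn_gateway" dev "$dev" table "$TABLE"
}

# OpenVPN sets script_type=route-up when it calls this hook; do nothing otherwise.
if [ "${script_type:-}" = "route-up" ]; then
    # Unquoted on purpose: the list is split into one argument per name.
    absent=$(missing_vars $REQUIRED_VARS)
    if [ -n "$absent" ]; then
        echo "route-up: missing env vars: $absent" >&2
        # Full dump for inspection; mktemp avoids a predictable root-written path.
        out=$(mktemp /tmp/openvpn-route-up.XXXXXX) && printenv > "$out"
        exit 1
    fi
    apply_routes
fi
```

With the environment dumped above, adding `ifconfig_remote` to `REQUIRED_VARS` makes the hook report that one name and exit before touching any routes.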