Improve init/openvpn handler

* Create systemd service for signaling OpenVPN client after suspend * Use tun instead of tap * Update DNS server/domain upon (dis)connect * Include necessary templates
2017-04-29 22:09:31 +03:00 · 2017-04-29 22:09:31 +03:00 · cc4f13086e
parent e87d1c574b
commit cc4f13086e
3 changed files with 17 additions and 1 deletions
--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -5,6 +5,8 @@ include certidude/templates/*.ovpn
 include certidude/templates/*.conf
 include certidude/templates/*.ini
 include certidude/templates/mail/*.md
+include certidude/templates/client/*.timer
+include certidude/templates/client/*.service
 include certidude/static/js/*.js
 include certidude/static/css/*.css
 include certidude/static/fonts/*.woff2
--- a/certidude/cli.py
+++ b/certidude/cli.py
@ -190,6 +190,10 @@ def certidude_request(fork, renew):
                if os.path.exists("/bin/systemctl"):
                    click.echo("Re-running systemd generators for OpenVPN...")
                    os.system("systemctl daemon-reload")
+                if not os.path.exists("/etc/systemd/system/openvpn-reconnect.service"):
+                    with open("/etc/systemd/system/openvpn-reconnect.service", "wb") as fh:
+                        fh.write(env.get_template("client/openvpn-reconnect.service").render(context))
+                    click.echo("Created /etc/systemd/system/openvpn-reconnect.service")
                click.echo("Starting OpenVPN...")
                os.system("service openvpn start")
                continue
@ -534,7 +538,7 @@ def certidude_setup_openvpn_client(authority, remote, config, proto):
    config.write("remote %s\n" % remote)
    config.write("remote-cert-tls server\n")
    config.write("proto %s\n" % proto)
-    config.write("dev tap\n")
+    config.write("dev tun\n")
    config.write("nobind\n")
    config.write("key %s\n" % client_config.get(authority, "key path"))
    config.write("cert %s\n" % client_config.get(authority, "certificate path"))
@ -545,6 +549,8 @@ def certidude_setup_openvpn_client(authority, remote, config, proto):
    config.write("group nogroup\n")
    config.write("persist-tun\n")
    config.write("persist-key\n")
+    config.write("up /etc/openvpn/update-resolv-conf")
+    config.write("down /etc/openvpn/update-resolv-conf")

    click.echo("Generated %s" % config.name)
    click.echo("Inspect generated files and issue following to request certificate:")
--- a/certidude/templates/client/openvpn-reconnect.service
+++ b/certidude/templates/client/openvpn-reconnect.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Restart OpenVPN after suspend
+
+[Service]
+ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn
+
+[Install]
+WantedBy=sleep.target