VPN - systemd and NetworkManager dispatcher

Hello everyone !

Switching recently from other distros to Fedora, did not find any related query so here is my first post.

To have a Vpn launched from its own provided script, I did create a systemd unit and enable it:

[Unit]

Description=Vpn auto-connect
Wants=network-online.target

[Service]
Type=forking
ExecStart=/usr/bin/vpn-connect.sh
ExecStop=/usr/bin/vpn-disconnect.sh

#Restart=always
#RestartSec=10

[Install]
WantedBy=multi-user.target

So it does start it at boot and connects.
Systemd creates its own Cgroup:

CGroup: /system.slice/vpn-autoconnect.service
└─12171 openvpn xxxxxxxxx

systemd[1]: Started Vpn auto-connect

Now when the connection is lost, or resuming from suspend, openvpn process stays on and no more connectivity.
So the systemd service needs to be restarted.

As per systemd documentation, network-online.target is only valid at first time connection happens.
So I found out to use NetworkManager-dispatcher, with a script like:

/etc/NetworkManager/dispatcher.d/01-vpn
#!/usr/bin/sh

case “$2” in
up)
/bin/systemctl restart myvpn || :
;;
down)
/bin/systemctl stop myvpn || :
;;
esac

So when:

  • issue a systemctl restart NetworkManager,
  • vpn connects.
    BUT:
  • right after, the unit is stopped;
  • it loops on and off indefinitely.

It does not seem to be a timeout as I changed delays without effects.
Also, I found that the dispatcher unit has Kill=process. So the dispatcher ending does not kill the vpn Cgroup.

Has anyone got any clue ?!
It must be obvious once one knows the exact internals but I could not find anything.

I could see:
https://ask.fedoraproject.org/t/make-systemd-give-a-command-to-start-an-application/4561
But not sure what exactly was the solution.

Thanks in advance !
Jean

Hi,

Found !
The VPN script creates an interface, so the dispatcher goes into an infinite loop.
Just added a condition in the dispatcher script on the connection as [ “$1” != “VPN-connection-name” ]

Solved.
Thanks

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.