Centos – How to set up OpenVPN and Transmission to start at boot on CentOS 6

centosopenvpnstartuptransmissionupstart

I'm trying to set up Transmission with OpenVPN on a headless server running a minimal install of CentOS 6.10, and ideally these would start when I boot the system.

I'm able to get everything to run by following the steps here and here — but that only works when running the script (vpn.sh, as per the two tutorials) manually. That script looks like this:

#!/bin/sh

sudo openvpn --cd /etc/openvpn --config /etc/openvpn/conf.ovpn --script-security 2 --up /etc/openvpn/up.sh

I might add that in addition to OpenVPN and Transmission, I also have this Telegram bot that should start after all else is up, so my up.sh file also has one more line at the end and looks like this:

#!/bin/sh

/etc/init.d/transmission-daemon stop
/bin/sed s/IP_ADDRESS/$4/ /var/lib/transmission/.config/transmission/settings_template.json > /var/lib/transmission/.config/transmission/settings.json
/etc/init.d/transmission-daemon start
/etc/init.d/transmission-telegram start

Ideally, I'd be able to do something a bit more like what this post outlines, though I'm not particularly picky about whether all the traffic goes through the VPN or if only the torrent traffic does:

  1. Start OpenVPN at boot (after networking is up);
  2. If the VPN connection goes through, configure Transmission to run through it;
  3. If that goes through, run Transmission (and the Telegram bot);
  4. If at any time the VPN goes down, also bring Transmission (and the Telegram bot) down gracefully.

I tried following the steps outlined in that post, and for some reason I just can't get the event transmission-vpn-up to happen — triggered by the route-up.sh script in the tutorial — and always get initctl: Event failed. I'm not able to emit the event either by following the steps in the post, nor by passing the contents of the script manually to the command line. route-up.sh, as per the post on Ask Ubuntu, looks like this:

#! /bin/bash

/sbin/initctl emit transmission-vpn-up VPN_GATEWAY=$route_vpn_gateway LOCAL_IP=$ifconfig_local

If I pass the contents of down.sh to the command line, though, I get no such error:

/sbin/initctl emit transmission-vpn-down

Tried passing both with sudo and without it.

Is there a simple way for me to set this whole thing up? Am I missing something in particular with emitting the transmission-vpn-up specified in the other tutorial on AU, y'know, given that it's a tutorial for Ubuntu and not CentOS?

Alternatively, would it be easier to just make vpn.sh (the first chunk of code in this post) run at boot? It would be as neat or graceful if the VPN goes down, but it'd do the trick.

Quick Update:

The tutorial on Ask Ubuntu I mentioned above, particularly in the /etc/init/transmission-up.conf is trying to use /usr/sbin/ufw, which I don't have in CentOS — hence the original Event failed error message. I temporarily commented out those bits, and now I don't have any error messages.

However, even without any error messages and with the VPN up and running, it seems like something else is failing because Transmission never starts… any hints on where I could look?

Best Answer

Solutions

Here are some detailed aspect and solutions about this question (note that centos 6 is not using systemd, centos switched to systemd on v7)

Solution for centos 7

Setup OpenVPN At Boot:

We can use systemd (implement a service) to make openvpn start at boot, we need to create the service, enable it then start it. (after enabling the service it will be automatically start at boot time)

1 - Create the service: (with root)

cd /etc/systemd/system
touch openvpn-custom.service
chmod 644 openvpn-custom.service

2 - Open the service file: (with root)

open /etc/systemd/system/openvpn-custom.service with the text editor that you use example nano openvpn-custom.service

3 - Edit and setup the service file: (with root)

Paste and adapt the following code into /etc/systemd/system/openvpn-custom.service

[Unit]
Description=OpenVPN Custom Setup Script 
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=forking
RemainAfterExit=yes
ExecStart=/full-path-to/your/vpn-script/vpn.sh
ExecStop=/full-path-to/a-scirpt/that-would-stop-openvpn/vpn-stop.sh

[Install]
WantedBy=multi-user.target

4 - Enable and start the service: (with root)

systemctl enable openvpn-custom.service
systemctl start openvpn-custom.service

you can check the status of the service with systemctl status openvpn-custom.service

Setup Transmission And Telegram At Boot (based on openvpn status):

Same as openvpn solution create a new service (then enable and start it) containing the following code 

[Unit]
Description=Application Depending on OpenVPN 
After=network.target network-online.target openvpn-custom.service
Wants=network-online.target openvpn-custom.service

[Service]
Type=forking
RemainAfterExit=yes
ExecStart=/full-path-to/your/ovpn-applications.sh
ExecStop=/full-path-to/a-scirpt/that-would-stop-apps/ovpn-applications-stop.sh

[Install]
WantedBy=multi-user.target

Your ovpn-applications.sh would look like something like this 

#!/bin/sh
/bin/sed s/IP_ADDRESS/$4/ /var/lib/transmission/.config/transmission/settings_template.json > /var/lib/transmission/.config/transmission/settings.json
/etc/init.d/transmission-daemon start
/etc/init.d/transmission-telegram start

After=openvpn-custom.service and Wants=openvpn-custom.service would make that service depending on openvpn and thus if openvpn service is not started or fail the other service would not start

Solution for centos 6

Setup OpenVPN At Boot:

1 - Create the service: (with root)

cd /etc/rc.d/init.d
touch openvpn-custom
chmod 755 openvpn-custom

2 - Open the service file: (with root)

open /etc/rc.d/init.d/openvpn-custom with the text editor that you use example nano openvpn-custom

3 - Edit and setup the service file: (with root)

#!/bin/bash
#
# chkconfig: 2345 55 45
# description: Custom openvpn script
# processname: openvpn
#
### BEGIN INIT INFO
# Provides: openvpn
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Short-Description: The openvpn daemon
# Description: The openvpn daemon custom script
### END INIT INFO

#/etc/rc.d/init.d/openvpn-custom
# Source function library.
. /etc/init.d/functions


start() {
        echo -n "Starting custom openvpn... "
        /full-path-to/your/vpn-script/vpn.sh
        return 0
}

stop() {
        echo -n "Shutting down custom openvpn... "
        /full-path-to/a-scirpt/that-would-stop-openvpn/vpn-stop.sh
        return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        ;;
    restart)
        stop
        start
        ;;
    reload)
        ;;
    *)
        echo "Usage: openvpn-custom {start|stop|status|reload|restart}"
 exit 1
        ;;
esac
exit $?

4 - Enable and start the service: (with root)

chkconfig openvpn-custom on
service openvpn-custom start

you can check the status of the service with service openvpn-custom status

How to make sure openvpn only start when the network is ready

The chkconfig definition at the start of an initscript determines what S/K number it gets.

Each "runlevel" is actually just a directory (/etc/rc*.d/) full of symlinks to initscripts (/etc/init.d/) and those symlinks are named with numbered S and K entries.

S means start and K means kill. When init enters a runlevel, it starts with S01 and works its way through to S99, running each initscript to start the service which that script controls. When init leaves a runlevel, it starts with K01 and works its way through to K99, running each script to stop the service which that script controls.

man chkconfig gives an example of both the chkconfig-style service definition, and the Linux Standards Base (LSB) style service definition.

If an initscript has both types defined, the LSB definition should take precedence over the chkconfig definition.

If you have a service which depends on network connectivity, you can either make sure your service starts after /etc/rc*.d/S10network by giving it a start number after 10, or you can see that /etc/init.d/network has the LSB definition Provides: $network, so you can use the LSB definition Required-Start: $network in your initscript.

Setup Transmission And Telegram At Boot (based on openvpn status):

Same as openvpn solution create a new service (then enable and start it) containing the following code (/etc/rc.d/init.d/openvpn-apps)

#!/bin/bash
#
# chkconfig: 2345 55 45
# description: Custom openvpn-apps script
# processname: openvpn-apps
#
### BEGIN INIT INFO
# Provides: openvpn-apps
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Short-Description: The openvpn-apps daemon
# Description: The openvpn daemon custom script
### END INIT INFO
#/etc/rc.d/init.d/openvpn-apps

# Source function library.
. /etc/init.d/functions


start() {
        echo -n "Starting custom openvpn... "
        /full-path-to/your/apps.sh
        return 0
}

stop() {
        echo -n "Shutting down custom openvpn... "
        /full-path-to/your/stop-apps.sh
        return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        ;;
    restart)
        stop
        start
        ;;
    reload)
        ;;
    *)
        echo "Usage: openvpn-apps {start|stop|status|reload|restart}"
 exit 1
        ;;
esac
exit $?

Your apps.sh would look like something like this 

#!/bin/sh
/bin/sed s/IP_ADDRESS/$4/ /var/lib/transmission/.config/transmission/settings_template.json > /var/lib/transmission/.config/transmission/settings.json
/etc/init.d/transmission-daemon start
/etc/init.d/transmission-telegram start

To make your apps.sh dependent on openvpn status you can fist delay the start of apps.sh with sleep or write a bash loop that check openvpn with ps or check the result of a ping to your openvn gateway (in apps.sh) or you could just check the result of service openvpn-custom status (in apps.sh)

Solutions (6 & 7) notes:

Fail safe openvpn:

You can setup a "fail safe" to make the network go down if openvpn is not working and thus prevent connections leaks when the vpn is not working for this you can use this or that solution

Force an application to use specific interface:

If your openvpn setup is tunneling/routing the whole system; there is no need for this but if you are not routing all the traffic through the openvpn interface you can proxify/bind/force your applications (transmission/telegram) to use the vpn; Under Linux there are several solution to bind an application to a specific interface each one have its pro and con this unix stackexchange answer explain with detailed most of the available possibilities

Related Question