Detection VPN connection ASUS Merlin Router  [Solved]

Chris12
Posts: 238
Joined: Tuesday 18 August 2020 8:41
Target OS: NAS (Synology & others)
Domoticz version: 2021.1
Location: NL
Contact:

Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

@waaren, thanks for the new version of the script. I replaced the old script (and activated the script)

Code: Select all

 2021-03-25 07:15:00.146 Status: dzVents: Info: SSH_0.20210324: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 07:15:00.157 Status: dzVents: Debug: SSH_0.20210324: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 07:15:00.158 Status: dzVents: Debug: SSH_0.20210324: Executing Command: sudo ssh -p 2211 192.168.1.1 ' /usr/local/ashscripts/nvram get vpn_client1_state ;'
2021-03-25 07:15:00.407 Status: dzVents: Debug: SSH_0.20210324: Error ==>> Host key verification failed.
2021-03-25 07:15:00.407 Status: dzVents: Debug: SSH_0.20210324: Host key verification failed.
2021-03-25 07:15:00.407 ::ERROR::
2021-03-25 07:15:00.407
2021-03-25 07:15:00.407 Status: dzVents: Debug: SSH_0.20210324: Constructed timed-command: Off
2021-03-25 07:15:00.407 Status: dzVents: Debug: SSH_0.20210324: Executing Command: sudo ssh -p 2211 192.168.1.1 'service stop_vpnclient1 ; service start_vpnclient1 ;'
2021-03-25 07:15:00.636 Status: dzVents: Debug: SSH_0.20210324: Error ==>> Host key verification failed.
2021-03-25 07:15:00.636 Status: dzVents: Info: SSH_0.20210324: ------ Finished VPN Status
2021-03-25 07:15:00.641 Status: LUA: BuienRadar module
2021-03-25 07:15:00.694 Status: Notification: SSH_0.20210324
2021-03-25 07:15:00.407 Error: dzVents: Error: (3.0.18) SSH_0.20210324: Result: Host key verification failed.
2021-03-25 07:15:00.407 ::ERROR::
2021-03-25 07:15:00.407 : OpenVPN not connected. Check it out
2021-03-25 07:15:01.814 Notification sent (email) => Success 
When I check this by using putty from my Synology NAS to the ASUS router, there is no issue or password asked.
Domoticz runs on this same NAS as a package

Code: Select all

Chris@DS415:~$ ssh [email protected] -p 2211

ASUSWRT-Merlin RT-AC86U 386.1_2 Fri Feb 12 22:48:22 UTC 2021
Admin@RT-AC86U-6B08:/tmp/home/root#
Via what user is the ssh command in the script done to the router?
Maybe if possible the user should be a variable too in the script.
waaren
Posts: 6028
Joined: Tuesday 03 January 2017 14:18
Target OS: Linux
Domoticz version: Beta
Location: Netherlands
Contact:

Re: Detection VPN connection ASUS Merlin Router

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 7:22 Via what user is the ssh command in the script done to the router?
The user executing the domoticz binary
Maybe if possible the user should be a variable too in the script.
Something like below?

Code: Select all

local scriptVersion = '0.20210325_01'
local scriptVar  =  'SSH_' .. scriptVersion

--[[

This dzVents script is used to monitor the OpenVPN state of an ASUS RT-AC86U router loaded with asuswrt-merlin firmware

The script uses io.popen to run an nvram query and, when required, a service restart command on a remote system via ssh
(the router must be accessible by the user that is running the domoticz service, via password-less
SSH with public / private key setup)

Before activating the script:
    Read the GETTING STARTED section of the dzVents wiki.
    Change the values in the script to reflect your setup

]]--

return
{
    on =
    {
        timer =
        {
            'every minute', -- change to required frequency
        },
    },

    logging =
    {
        level = domoticz.LOG_DEBUG, -- set to LOG_ERROR when tested and OK
        marker = scriptVar,
    },

    execute = function(dz, item)

        local remoteHost = '192.168.192.1'   -- change to router IP
        local message = 'OpenVPN not connected. Check it out'
        local remoteUser = 'Admin'
        local port = 2211
        local VPNStatus = dz.devices(1155)
        
        -- =======================================================================
        --               NO changes required below this line
        -- =======================================================================

        --commands to execute remote
        local commands =
        {
            status = ' /usr/local/ashscripts/nvram get vpn_client1_state ',
            stop = 'service stop_vpnclient1 ',
            start = 'service start_vpnclient1 ',
        }
        commands.restart = commands.stop .. '; ' .. commands.start

        local function osCommand(cmd)
            dz.log('Executing Command: ' .. cmd,dz.LOG_DEBUG)

            local fileHandle = assert(io.popen(cmd .. ' 2>&1 || echo ::ERROR::', 'r'))
            local commandOutput = assert(fileHandle:read('*a'))
            local returnTable = {fileHandle:close()}

            if commandOutput:find '::ERROR::' then     -- something went wrong
                dz.log('Error ==>> ' .. tostring(commandOutput:match('^(.*)%s+::ERROR::') or ' ... but no error message ' ) ,dz.LOG_DEBUG)
            else -- all is fine!!
                dz.log('ReturnCode: ' .. returnTable[3] .. '\ncommandOutput:\n' .. commandOutput, dz.LOG_DEBUG)
            end
            return commandOutput,returnTable[3] -- rc[3] contains returnCode
        end

        local function buildSSHCommand(cmd)
            local sshBOL = "sudo ssh -p " .. port .. ' '  .. remoteUser .. '@' .. remoteHost .. " \'"
            local sshEOL = ";\'"

            local cmd = sshBOL .. cmd .. sshEOL
            return cmd
        end

        -- Main
        local result, rc = osCommand(buildSSHCommand(commands.status))
        dz.log(result,dz.LOG_DEBUG)
        if tonumber(result) ~= 2 then
            dz.log('Result: ' .. result .. ': ' .. message, dz.LOG_ERROR)
            dz.notify(scriptVar, message, dz.PRIORITY_HIGH)
            VPNStatus.switchOff().checkFirst()
            osCommand(buildSSHCommand(commands.restart))
        else
            dz.log('openVPN connected', dz.LOG_DEBUG)
            VPNStatus.switchOn().checkFirst()
        end

    end
}
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki

Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

Hi @waaren,

with the new script I see this in the logging:

Code: Select all

 2021-03-25 09:35:00.257 Status: dzVents: Info: SSH_0.20210325_01: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 09:35:00.269 Status: dzVents: Debug: SSH_0.20210325_01: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 09:35:00.269 Status: dzVents: Debug: SSH_0.20210325_01: Executing Command: sudo ssh -p 2211 [email protected] ' /usr/local/ashscripts/nvram get vpn_client1_state ;'
2021-03-25 09:35:00.501 Status: dzVents: Debug: SSH_0.20210325_01: Error ==>> Host key verification failed.
2021-03-25 09:35:00.501 Status: dzVents: Debug: SSH_0.20210325_01: Host key verification failed.
2021-03-25 09:35:00.501 ::ERROR::
2021-03-25 09:35:00.501
2021-03-25 09:35:00.501 Status: dzVents: Debug: SSH_0.20210325_01: Constructed timed-command: Off
2021-03-25 09:35:00.501 Status: dzVents: Debug: SSH_0.20210325_01: Executing Command: sudo ssh -p 2211 [email protected] 'service stop_vpnclient1 ; service start_vpnclient1 ;'
2021-03-25 09:35:00.732 Status: dzVents: Debug: SSH_0.20210325_01: Error ==>> Host key verification failed.
2021-03-25 09:35:00.732 Status: dzVents: Info: SSH_0.20210325_01: ------ Finished VPN Status
2021-03-25 09:35:00.738 Status: LUA: BuienRadar module
2021-03-25 09:35:00.776 Status: Notification: SSH_0.20210325_01
2021-03-25 09:35:00.501 Error: dzVents: Error: (3.0.18) SSH_0.20210325_01: Result: Host key verification failed.
2021-03-25 09:35:00.501 ::ERROR::
2021-03-25 09:35:00.501 : OpenVPN not connected. Check it out
2021-03-25 09:35:01.973 Notification sent (email) => Success 
Looking at this part:

Code: Select all

Executing Command: sudo ssh -p 2211 [email protected] ' /usr/local/ashscripts/nvram get vpn_client1_state ;'
Why is there: /usr/local/ashscripts/ nvram get vpn_client1_state
And is the syntax of the command OK? Because when using the cli I can successfully do this: ssh [email protected] -p 2211 (with the port part after the IP)

Chris@DS415:~$ sudo ssh -p 2211 [email protected]
The authenticity of host '[192.168.1.1]:2211 ([192.168.1.1]:2211)' can't be established.
Domoticz beta | Dashticz beta | Synology DS415+ | Wall tablet Teclast 11.6inch (Android) | TADO v3 controlled heating

Re: Detection VPN connection ASUS Merlin Router

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 9:43 And is the syntax of the command OK? Because when using the cli I can successfully do this: ssh [email protected] -p 2211 (with the port part after the IP)
The location of the -p parm should not matter. Changed it in below version. The ash is my test location you can just take it out.

Code: Select all

local scriptVersion = '0.20210325_03'
local scriptVar  =  'SSH_' .. scriptVersion

--[[

This dzVents script is used to monitor the OpenVPN state of an ASUS RT-AC86U router loaded with asuswrt-merlin firmware

The script uses io.popen to run an nvram query and, when required, a service restart command on a remote system via ssh
(the router must be accessible by the user that is running the domoticz service, via password-less
SSH with public / private key setup)

Before activating the script:
    Read the GETTING STARTED section of the dzVents wiki.
    Change the values in the script to reflect your setup

]]--

return
{
    on =
    {
        timer =
        {
            'every minute', -- change to required frequency
        },
    },

    logging =
    {
        level = domoticz.LOG_DEBUG, -- set to LOG_ERROR when tested and OK
        marker = scriptVar,
    },

    execute = function(dz, item)

        local remoteHost = '192.168.1.1'   -- change to router IP
        local message = 'OpenVPN not connected. Check it out'
        local remoteUser = 'Admin'
        local port = 2211
        local VPNStatus = dz.devices(1155)
        
        -- =======================================================================
        --               NO changes required below this line
        -- =======================================================================

        --commands to execute remote
        local commands =
        {
            status = ' nvram get vpn_client1_state ',
            stop = 'service stop_vpnclient1 ',
            start = 'service start_vpnclient1 ',
        }
        commands.restart = commands.stop .. '; ' .. commands.start

        local function osCommand(cmd)
            dz.log('Executing Command: ' .. cmd,dz.LOG_DEBUG)

            local fileHandle = assert(io.popen(cmd .. ' 2>&1 || echo ::ERROR::', 'r'))
            local commandOutput = assert(fileHandle:read('*a'))
            local returnTable = {fileHandle:close()}

            if commandOutput:find '::ERROR::' then     -- something went wrong
                dz.log('Error ==>> ' .. tostring(commandOutput:match('^(.*)%s+::ERROR::') or ' ... but no error message ' ) ,dz.LOG_DEBUG)
            else -- all is fine!!
                dz.log('ReturnCode: ' .. returnTable[3] .. '\ncommandOutput:\n' .. commandOutput, dz.LOG_DEBUG)
            end
            return commandOutput,returnTable[3] -- rc[3] contains returnCode
        end

        local function buildSSHCommand(cmd)
            local sshBOL = "sudo ssh " .. remoteUser .. "@" .. remoteHost .. " -p " .. remotePort .. " \'"
            local sshEOL = ";\'"

            local cmd = sshBOL .. cmd .. sshEOL
            return cmd
        end

        -- Main
        local result, rc = osCommand(buildSSHCommand(commands.status))
        dz.log(result,dz.LOG_DEBUG)
        if tonumber(result) ~= 2 then
            dz.log('Result: ' .. result .. ': ' .. message, dz.LOG_ERROR)
            dz.notify(scriptVar, message, dz.PRIORITY_HIGH)
            VPNStatus.switchOff().checkFirst()
            osCommand(buildSSHCommand(commands.restart))
        else
            dz.log('openVPN connected', dz.LOG_DEBUG)
            VPNStatus.switchOn().checkFirst()
        end

    end
}

Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

Ok, loaded the new script and saved it successfully:

Code: Select all

 2021-03-25 10:01:00.570 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: An error occurred when calling event handler VPN Status
2021-03-25 10:01:00.570 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: ...icz/var/scripts/dzVents/generated_scripts/VPN Status.lua:70: attempt to concatenate a nil value (global 'remotePort') 
Found that the defined port parameter name should be remotePort instead, changed that.

The logfile now:

Code: Select all

 2021-03-25 10:04:00.180 Status: dzVents: Info: SSH_0.20210325_03: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 10:04:00.181 Status: dzVents: Debug: SSH_0.20210325_03: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 10:04:00.181 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-03-25 10:04:00.409 Status: dzVents: Debug: SSH_0.20210325_03: Error ==>> Host key verification failed.
2021-03-25 10:04:00.409 Status: dzVents: Debug: SSH_0.20210325_03: Host key verification failed.
2021-03-25 10:04:00.409 ::ERROR::
2021-03-25 10:04:00.409
2021-03-25 10:04:00.409 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: Off
2021-03-25 10:04:00.409 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: sudo ssh [email protected] -p 2211 'service stop_vpnclient1 ; service start_vpnclient1 ;'
2021-03-25 10:04:00.409 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: Result: Host key verification failed.
2021-03-25 10:04:00.409 ::ERROR::
2021-03-25 10:04:00.409 : OpenVPN not connected. Check it out
2021-03-25 10:04:01.797 Notification sent (email) => Success
When I manually run the command on the cli:
sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state'

Code: Select all

Chris@DS415:~$ sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state'
The authenticity of host '[192.168.1.1]:2211 ([192.168.1.1]:2211)' can't be established.
without 'sudo' it goes fine:

Code: Select all

Chris@DS415:~$ ssh [email protected] -p 2211 'nvram get vpn_client1_state'
2
Chris@DS415:~$
So I removed the sudo part out of the script:

Code: Select all

 2021-03-25 10:11:00.176 Status: dzVents: Info: SSH_0.20210325_03: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 10:11:00.190 Status: dzVents: Debug: SSH_0.20210325_03: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 10:11:00.190 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-03-25 10:11:00.278 Status: dzVents: Debug: SSH_0.20210325_03: Error ==>> Host key verification failed.
2021-03-25 10:11:00.278 Status: dzVents: Debug: SSH_0.20210325_03: Host key verification failed.
2021-03-25 10:11:00.278 ::ERROR::
2021-03-25 10:11:00.278
2021-03-25 10:11:00.278 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: Off
2021-03-25 10:11:00.279 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'service stop_vpnclient1 ; service start_vpnclient1 ;'
2021-03-25 10:11:00.369 Status: dzVents: Debug: SSH_0.20210325_03: Error ==>> Host key verification failed.
2021-03-25 10:11:00.369 Status: dzVents: Info: SSH_0.20210325_03: ------ Finished VPN Status
2021-03-25 10:11:00.562 Status: Notification: SSH_0.20210325_03
2021-03-25 10:11:00.278 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: Result: Host key verification failed.
2021-03-25 10:11:00.278 ::ERROR::
2021-03-25 10:11:00.278 : OpenVPN not connected. Check it out
2021-03-25 10:11:01.577 Notification sent (email) => Success
I can also see a ';' behind the command, maybe that is causing the issue?
I removed the ';' in the script at the sshEOL part.

But still the hostkey verification failed:

Code: Select all

 2021-03-25 10:14:00.232 Status: dzVents: Info: monit: ------ Finished Monit-status-data
2021-03-25 10:14:00.233 Status: dzVents: Info: SSH_0.20210325_03: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 10:14:00.233 Status: dzVents: Debug: SSH_0.20210325_03: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 10:14:00.233 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'nvram get vpn_client1_state '
2021-03-25 10:14:00.330 Status: dzVents: Debug: SSH_0.20210325_03: Error ==>> Host key verification failed.
2021-03-25 10:14:00.330 Status: dzVents: Debug: SSH_0.20210325_03: Host key verification failed.
2021-03-25 10:14:00.330 ::ERROR::
2021-03-25 10:14:00.330
2021-03-25 10:14:00.330 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: Off
2021-03-25 10:14:00.331 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'service stop_vpnclient1 ; service start_vpnclient1 '
2021-03-25 10:14:00.419 Status: dzVents: Debug: SSH_0.20210325_03: Error ==>> Host key verification failed.
2021-03-25 10:14:00.419 Status: dzVents: Info: SSH_0.20210325_03: ------ Finished VPN Status
2021-03-25 10:14:00.504 Status: Notification: SSH_0.20210325_03
2021-03-25 10:14:00.330 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: Result: Host key verification failed.
2021-03-25 10:14:00.330 ::ERROR::
2021-03-25 10:14:00.330 : OpenVPN not connected. Check it out
2021-03-25 10:14:01.447 Notification sent (email) => Success
I'm thinking it is still an issue with the user running the specific command, because when I log in on my NAS cli with user 'admin' the command does not run OK:

Code: Select all

admin@DS415:~$ ssh [email protected] -p 2211 'nvram get vpn_client1_state '
The authenticity of host '[192.168.1.1]:2211 ([192.168.1.1]:2211)' can't be established.
with the user 'Chris' logged in to the NAS cli it works fine:

Code: Select all

Chris@DS415:~$ ssh [email protected] -p 2211 'nvram get vpn_client1_state '
2

Re: Detection VPN connection ASUS Merlin Router

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 10:19 with the user 'Chris' logged in to the NAS cli it works fine:
You defined passwordless access for user Chris but you should do the same for the user executing domoticz.

The sudo should not cause a problem.
The ; is just a separator between commands.

Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

waaren wrote: Thursday 25 March 2021 10:31
Chris12 wrote: Thursday 25 March 2021 10:19 with the user 'Chris' logged in to the NAS cli it works fine:
You defined passwordless access for user Chris but you should do the same for the user executing domoticz.

The sudo should not cause a problem.
The ; is just a separator between commands.
Ok, that user is the user defined in domoticz settings for 'website protection'?
In my case that user is named 'domoticz'.

Re: Detection VPN connection ASUS Merlin Router

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 10:43 Ok, that user is the user defined in domoticz settings for 'website protection'?
In my case that user is named 'domoticz'.
The user executing domoticz can be found using the command

Code: Select all

sudo ps -ef | grep domo 
from the CLI

it will show something like

Code: Select all

root     18496     1  0 Mar11 ?        01:52:39 /usr/local/domoticz/bin/domoticz -www 8084 -wwwroot /usr/local/domoticz/www/ -sslcert /usr/local/domoticz/server_cert.pem -approot /usr/local/domoticz/ -userdata /usr/local/domoticz/var/ -dbase /usr/local/domoticz/var/domoticz.db -log /usr/local/domoticz/var/domoticz.log
The user can be found by looking at the first column of the output. (Here it is root)
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
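
The two checks described in the replies above (which account runs Domoticz, and whether that account can verify the router's host key), as an added shell example that is not part of the original posts. It assumes OpenSSH's plain-text known_hosts format; the function names, the second process-list line and the placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Added example: why ssh works for one login but the script gets
# "Host key verification failed". ssh takes ~/.ssh from the passwd entry of
# the user it runs as, so the account that owns the domoticz process (or root,
# when the command is prefixed with sudo) needs its own known_hosts entry.
# Under io.popen there is no terminal, so ssh cannot ask and simply fails.

# Print the owner (column 1 of `ps -ef`) of the domoticz binary.
# Reads ps output on stdin; a "grep domo" helper line does not match because
# its command column is "grep", not a path whose last element is domoticz.
domoticz_user() {
    awk '{ n = split($8, p, "/"); if (p[n] == "domoticz") { print $1; exit } }'
}

# ssh_account USES_SUDO PROCESS_OWNER -> account whose ~/.ssh is consulted
# (assumes sudo's default target user, root).
ssh_account() {
    if [ "$1" = "yes" ]; then echo root; else echo "$2"; fi
}

# known_hosts_status FILE HOST PORT -> pinned | hashed | missing
#   pinned  : a plain entry for the host exists
#   hashed  : no plain match, but hashed (|1|...) entries exist; confirm with
#             ssh-keygen -F '[host]:port' -f FILE
#   missing : no entry, so a non-interactive ssh cannot verify the host key
known_hosts_status() {
    kh_file=$1
    # Non-default ports are stored as "[host]:port".
    if [ "$3" = "22" ]; then kh_target=$2; else kh_target="[$2]:$3"; fi
    [ -r "$kh_file" ] || { echo missing; return 0; }
    awk -v target="$kh_target" '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        $1 ~ /^@/ { next }                 # @cert-authority / @revoked: not a plain pin
        substr($1, 1, 3) == "|1|" { hashed = 1; next }
        {
            n = split($1, h, ",")          # one line may list several names
            for (i = 1; i <= n; i++) if (h[i] == target) found = 1
        }
        END { print (found ? "pinned" : (hashed ? "hashed" : "missing")) }
    ' "$kh_file"
}

# --- sample data: first line abridged from the ps output quoted above,
# --- second line constructed
SAMPLE_PS='root     18496     1  0 Mar11 ?        01:52:39 /usr/local/domoticz/bin/domoticz -www 8084
Chris    21877 21850  0 10:02 pts/0    00:00:00 grep domo'

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed known_hosts files; the key text is a placeholder, not a real key.
    printf '%s\n' '# login that already accepted the router key' \
        '[192.168.1.1]:2211 ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_KEY' \
        > "$tmp/chris_known_hosts"
    : > "$tmp/root_known_hosts"            # account that never connected

    owner=$(printf '%s\n' "$SAMPLE_PS" | domoticz_user)
    echo "domoticz runs as:       $owner"
    echo "ssh account with sudo:  $(ssh_account yes "$owner")"
    echo "Chris known_hosts:      $(known_hosts_status "$tmp/chris_known_hosts" 192.168.1.1 2211)"
    echo "$owner known_hosts:       $(known_hosts_status "$tmp/root_known_hosts" 192.168.1.1 2211)"
    rm -rf "$tmp"
}
demo
```

On a real system, pipe `ps -ef` into `domoticz_user` and point `known_hosts_status` at that account's `~/.ssh/known_hosts`. A `missing` result is resolved by connecting once interactively as that account and comparing the fingerprint shown with the router's own, not by turning host key checking off.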

Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

Thanks @waaren, it now works as expected! Repeated the procedure for password-less SSH for the root user as well.

Code: Select all

  2021-03-25 11:10:00.363 Status: dzVents: Info: SSH_0.20210325_03: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 11:10:00.364 Status: dzVents: Debug: SSH_0.20210325_03: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 11:10:00.364 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'nvram get vpn_client1_state '
2021-03-25 11:10:00.534 Status: dzVents: Debug: SSH_0.20210325_03: ReturnCode: 0
2021-03-25 11:10:00.534 commandOutput:
2021-03-25 11:10:00.534 2
2021-03-25 11:10:00.534
2021-03-25 11:10:00.534 Status: dzVents: Debug: SSH_0.20210325_03: 2
2021-03-25 11:10:00.534
2021-03-25 11:10:00.534 Status: dzVents: Debug: SSH_0.20210325_03: openVPN connected
2021-03-25 11:10:00.534 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: On
2021-03-25 11:10:00.534 Status: dzVents: Info: SSH_0.20210325_03: ------ Finished VPN Status
The device in domoticz shows the 'on' value as well.

Tested it by manually in the router turning OFF the VPN service.
It is noticed by the VPN script, a message sent to my email, and the VPN service is started again within seconds!

Code: Select all

  2021-03-25 11:12:00.383 Status: dzVents: Info: SSH_0.20210325_03: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 11:12:00.384 Status: dzVents: Debug: SSH_0.20210325_03: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 11:12:00.384 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'nvram get vpn_client1_state '
2021-03-25 11:12:00.552 Status: dzVents: Debug: SSH_0.20210325_03: ReturnCode: 0
2021-03-25 11:12:00.552 commandOutput:
2021-03-25 11:12:00.552 0
2021-03-25 11:12:00.552
2021-03-25 11:12:00.552 Status: dzVents: Debug: SSH_0.20210325_03: 0
2021-03-25 11:12:00.552
2021-03-25 11:12:00.553 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: Off
2021-03-25 11:12:00.553 Status: dzVents: Debug: SSH_0.20210325_03: Constructed timed-command: Off
2021-03-25 11:12:00.553 Status: dzVents: Debug: SSH_0.20210325_03: Executing Command: ssh [email protected] -p 2211 'service stop_vpnclient1 ; service start_vpnclient1 '
2021-03-25 11:12:00.553 Error: dzVents: Error: (3.0.18) SSH_0.20210325_03: Result: 0
2021-03-25 11:12:00.553 : OpenVPN not connected. Check it out
2021-03-25 11:12:01.832 Notification sent (browser) => Success
2021-03-25 11:12:01.834 (VPN Status ON/OFF) Light/Switch (VPN Status ON/OFF)
2021-03-25 11:12:01.748 Status: dzVents: Debug: SSH_0.20210325_03: ReturnCode: 0
2021-03-25 11:12:01.748 commandOutput:
2021-03-25 11:12:01.748
2021-03-25 11:12:01.748 Done.
2021-03-25 11:12:01.748
2021-03-25 11:12:01.748 Done.
2021-03-25 11:12:01.748
2021-03-25 11:12:01.748 Status: dzVents: Info: SSH_0.20210325_03: ------ Finished VPN Status
2021-03-25 11:12:01.749 Status: EventSystem: Script event triggered: /usr/local/domoticz/dzVents/runtime/dzVents.lua
 
Maybe one little adaption can be made to the script, that whenever the VPN is down an email message is now sent every 1 minute.
Can this be changed to sending (whenever the VPN stays down for a reason) messages every 5/10/15/30min, or every 1/4/8/12/24h (if possible a parameter in the script, so it can be configured to whatever you like). Otherwise the emailbox can be flooded with hundreds of messages, when for example you're a day away with no access.

Re: Detection VPN connection ASUS Merlin Router  [Solved]

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 11:24 It now works as expected.

Maybe one little adaption can be made to the script, that whenever the VPN is down an email message is now sent every 1 minute.
Can this be changed to sending (whenever the VPN stays down for a reason) messages every 5/10/15/30min, or every 1/4/8/12/24h (if possible a parameter in the script, so it can be configured to whatever you like).
Something like this ?

Code: Select all

local scriptVersion = '0.20210325_04'
local scriptVar  =  'SSH_' .. scriptVersion

--[[

This dzVents script is used to monitor the OpenVPN state of an ASUS RT-AC86U router loaded with asuswrt-merlin firmware

The script uses io.popen to run an nvram query and, when required, a service restart command on a remote system via ssh
(the router must be accessible by the user that is running the domoticz service, via password-less
SSH with public / private key setup)

Before activating the script:
    Read the GETTING STARTED section of the dzVents wiki.
    Change the values in the script to reflect your setup

]]--

return
{
    on =
    {
        timer =
        {
            'every minute', -- change to required frequency
        },
    },

    logging =
    {
        level = domoticz.LOG_DEBUG, -- set to LOG_ERROR when tested and OK
        marker = scriptVar,
    },

    execute = function(dz, item)

        local remoteHost = '192.168.1.1'   -- change to router IP
        local notConnectedMessage = 'OpenVPN not connected. Check it out'
        local reconnectedMessage = 'OpenVPN (re)connected'
        local remoteUser = 'Admin'
        local remotePort = 2211
        local VPNStatus = dz.devices(1155)
        local notifyFrequency = 60 -- frequency in minutes
        
        -- =======================================================================
        --               NO changes required below this line
        -- =======================================================================

        --commands to execute remote
        local commands =
        {
            status = ' nvram get vpn_client1_state ',
            stop = 'service stop_vpnclient1 ',
            start = 'service start_vpnclient1 ',
        }
        commands.restart = commands.stop .. '; ' .. commands.start

        local function osCommand(cmd)
            dz.log('Executing Command: ' .. cmd,dz.LOG_DEBUG)

            local fileHandle = assert(io.popen(cmd .. ' 2>&1 || echo ::ERROR::', 'r'))
            local commandOutput = assert(fileHandle:read('*a'))
            local returnTable = {fileHandle:close()}

            if commandOutput:find '::ERROR::' then     -- something went wrong
                dz.log('Error ==>> ' .. tostring(commandOutput:match('^(.*)%s+::ERROR::') or ' ... but no error message ' ) ,dz.LOG_DEBUG)
            else -- all is fine!!
                dz.log('ReturnCode: ' .. returnTable[3] .. '\ncommandOutput:\n' .. commandOutput, dz.LOG_DEBUG)
            end
            return commandOutput,returnTable[3] -- rc[3] contains returnCode
        end

        local function buildSSHCommand(cmd)
            local sshBOL = "sudo ssh " .. remoteUser .. "@" .. remoteHost .. " -p " .. remotePort .. " \'"
            local sshEOL = ";\'"

            local cmd = sshBOL .. cmd .. sshEOL
            return cmd
        end

        -- Main
        local result, rc = osCommand(buildSSHCommand(commands.status))
        dz.log(result,dz.LOG_DEBUG)
        if tonumber(result) ~= 2 then
            if VPNStatus.state == 'On' or VPNStatus.lastUpdate.minutesAgo > notifyFrequency then
                dz.log('Result: ' .. result .. ': ' .. notConnectedMessage, dz.LOG_ERROR)
                dz.notify(scriptVar, notConnectedMessage, dz.PRIORITY_HIGH)
                VPNStatus.switchOff().checkFirst()
            end
            osCommand(buildSSHCommand(commands.restart))
        else
            if VPNStatus.state == 'Off' then
                dz.log(reconnectedMessage, dz.LOG_DEBUG)
                dz.notify(scriptVar, reconnectedMessage, dz.PRIORITY_LOW)
                VPNStatus.switchOn().checkFirst()
            end
        end
    end
}




Re: Detection VPN connection ASUS Merlin Router

Post by Chris12 »

Ok, difficult to test if messages will appear every xx minutes as the script directly kicks in whenever the VPN is down :-) but the script works fine.

Maybe add a status message as well when the status is still connected (2) after the every 1min check?
Something like: 'OpenVPN still connected!!'

Code: Select all

 2021-03-25 11:53:00.334 Status: dzVents: Info: SSH_0.20210325_04: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-03-25 11:53:00.345 Status: dzVents: Debug: SSH_0.20210325_04: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-03-25 11:53:00.346 Status: dzVents: Debug: SSH_0.20210325_04: Executing Command: sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-03-25 11:53:00.650 Status: dzVents: Debug: SSH_0.20210325_04: ReturnCode: 0
2021-03-25 11:53:00.650 commandOutput:
2021-03-25 11:53:00.650 2
2021-03-25 11:53:00.650
2021-03-25 11:53:00.650 Status: dzVents: Debug: SSH_0.20210325_04: 2
2021-03-25 11:53:00.650
2021-03-25 11:53:00.650 Status: dzVents: Info: SSH_0.20210325_04: ------ Finished VPN Status
edit: I did change the 'port' parameter in the script, to 'remotePort' and left 'sudo' and the ';', that works fine!

Re: Detection VPN connection ASUS Merlin Router

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 11:56 Maybe add a status message as well when the status is still connected (2) after the every 1min check?
With the example available in the script, you should be able to create your own messages with the frequency you want.

Post by Chris12 »

Ok, I also noticed that with the current script I do get an email message every 1 minute telling me 'OpenVPN reconnected'. The VPN is not down or was down at that moment (it has only been down when it manually did the test).

There only should be messages whenever the VPN connection state was down and brought back up again by the script.

Post by waaren »

Chris12 wrote: Thursday 25 March 2021 12:32 Ok, I also noticed that with the current script I do get an email message every 1 minute telling me 'OpenVPN reconnected'. The VPN is not down or was down at that moment (it has only been down when it manually did the test).

There only should be messages whenever the VPN connection state was down and brought back up again by the script.

I modified the last posted version. Please try and solve any remaining issues yourself. Happy to help if you run into troubles doing that but first try.

Post by Chris12 »

I did a quick test to see if the script looks at the correct values to determine VPN ON or OFF:

VPN ON:

Code: Select all

root@CVR-DS415:~/.ssh# sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2

VPN OFF:

Code: Select all

root@CVR-DS415:~/.ssh# sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
0

So it is value 2 for ON and value 0 when OFF.

Does the script look at the correct value? I can see in the log a ReturnCode (0) and a commandOutput (2) value.

Code: Select all

2021-03-25 11:53:00.346 Status: dzVents: Debug: SSH_0.20210325_04: Executing Command: sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-03-25 11:53:00.650 Status: dzVents: Debug: SSH_0.20210325_04: ReturnCode: 0
2021-03-25 11:53:00.650 commandOutput:
2021-03-25 11:53:00.650 2

Post by Chris12 »

waaren wrote: Thursday 25 March 2021 12:39
Chris12 wrote: Thursday 25 March 2021 12:32 Ok, I also noticed that with the current script I do get an email message every 1 minute telling me 'OpenVPN reconnected'. The VPN is not down or was down at that moment (it has only been down when it manually did the test).

There only should be messages whenever the VPN connection state was down and brought back up again by the script.

I modified the last posted version. Please try and solve any remaining issues yourself. Happy to help if you run into troubles doing that but first try.

With the latest version I do not have the email message issue anymore!

Post by Chris12 »

Hello @waaren,

Today I noticed that the VPN on my ASUS WRT router was not working anymore,
so I checked the script output in domoticz and the output of the VPN via putty:

domoticz:

Code: Select all

2021-05-03 08:29:00.304 Status: dzVents: Info: SSH_0.20210325_04: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-05-03 08:29:00.316 Status: dzVents: Debug: SSH_0.20210325_04: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-05-03 08:29:00.316 Status: dzVents: Debug: SSH_0.20210325_04: Executing Command: sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-05-03 08:29:00.608 Status: dzVents: Debug: SSH_0.20210325_04: ReturnCode: 0
2021-05-03 08:30:00.612 commandOutput:
2021-05-03 08:30:00.612 2

Putty:

Code: Select all

Chris@DS415:~$ sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2

In my router the VPN status was showing: "OpenVPN My-VPN - Connected"
But without the statistics, which means that the VPN was not completely up.
I checked the VPN client details in the router, and there the "service state" was OFF instead of ON (when working fine).

So there seems to be another check needed to check if the service state is actually ON/OFF, as the result of 'nvram get vpn_client1_state' gives an output of 2 in both cases (VPN completely active, and service state OFF / service state ON)

Post by Chris12 »

I did some searching on Google, and I found that it may also be the case that the number of connection attempts of OVPN is set too low (it was set to 15 in my config). In case my complete internet connection is down (provider disconnects), OVPN will try that amount of connection retries; if too low, then it will stop, I guess, with connection attempts and leave the VPN service state OFF, and the VPN script won't detect it.

So I set the connection retry attempts to infinity (0).

Maybe you can enhance the script to check the actual WAN connection as well?
I will try to find the actual asus wrt commands to do so.

Post by waaren »

Chris12 wrote: Monday 03 May 2021 9:06 Maybe you can enhance the script to check the actual WAN connection as well?
I will try to find the actual asus wrt commands to do so.

Does a

Code: Select all

ping 8.8.8.8 -c1 -w1 # = Google dns

work in normal circumstances? If so I could add this check to the script when VPN is up once every n minutes.

Post by Chris12 »

Hi waaren,

Just checked:

Code: Select all

root@DS415:~# ping 8.8.8.8 -c1 -w1 # = Google dns
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=7.44 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.447/7.447/7.447/0.000 ms

So this works.

I expect when the connection retries are now set to infinity, that the OVPN will go up whenever the WAN is there again (15 times was the previous value, and I think that's like 15x30sec = 6min). But it is always nice to have an extra check/fallback done via the script.
And maybe 1 email message as well when the wan=down detection has been done (and 1 email when up again), so I can manually check if everything is back up and running as expected after that. Detection based on missed like 5 (number configurable in script) pings?


One other question:
when looking at the domoticz log of the current VPN script I can see this

Code: Select all

2021-05-03 11:04:00.086 Status: dzVents: Info: SSH_0.20210325_04: ------ Start internal script: VPN Status:, trigger: "every minute"
2021-05-03 11:04:00.086 Status: dzVents: Debug: SSH_0.20210325_04: Processing device-adapter for VPN Status ON/OFF: Switch device adapter
2021-05-03 11:04:00.086 Status: dzVents: Debug: SSH_0.20210325_04: Executing Command: sudo ssh [email protected] -p 2211 'nvram get vpn_client1_state ;'
2021-05-03 11:04:00.404 Status: dzVents: Debug: SSH_0.20210325_04: ReturnCode: 0
2021-05-03 11:04:00.404 commandOutput:
2021-05-03 11:04:00.404 2
2021-05-03 11:04:00.404
2021-05-03 11:04:00.404 Status: dzVents: Debug: SSH_0.20210325_04: 2
2021-05-03 11:04:00.404
2021-05-03 11:04:00.404 Status: dzVents: Info: SSH_0.20210325_04: ------ Finished VPN Status

Where in the script are the 'empty' lines defined? And can the 'commandOutput:' have the result value directly behind it, like the 'ReturnCode' has?
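The checks discussed in this thread (nvram state 2 for ON and 0 for OFF, the proposed ping fallback with a configurable number of missed pings, and one message per down/up change instead of one per minute), combined in an added shell example that is not part of waaren's script or of any post above. All function, variable and file names are hypothetical, `ROUTER` is a placeholder for the router login, and only the two nvram values confirmed in the thread are interpreted; anything else, including empty output from a failed ssh call, is treated as a probe error rather than as "VPN down".

```shell
#!/bin/sh
# Added example; every name here is hypothetical, not taken from waaren's script.
MISS_LIMIT="${MISS_LIMIT:-5}"                       # missed pings before "down"
STATE_FILE="${STATE_FILE:-/tmp/vpn_health.state}"   # remembers status between runs

# classify NVRAM_OUTPUT PING_RC -> ok | no_traffic | vpn_down | probe_error
classify() {
    state=$(printf '%s' "$1" | tr -d '[:space:]')   # output may carry blanks/newlines
    case "$state" in
        2) if [ "$2" -eq 0 ]; then echo ok; else echo no_traffic; fi ;;
        0) echo vpn_down ;;
        *) echo probe_error ;;   # empty or unexpected, e.g. the ssh call itself failed
    esac
}

# step NVRAM_OUTPUT PING_RC -> prints a message only when the status changes
step() {
    prev=; misses=
    if [ -r "$STATE_FILE" ]; then read -r prev misses < "$STATE_FILE" || :; fi
    prev=${prev:-up}; misses=${misses:-0}
    status=$prev
    case "$(classify "$1" "$2")" in
        ok)          misses=0; status=up ;;
        vpn_down)    misses=0; status=down ;;
        no_traffic)  misses=$((misses + 1))         # state says 2 but nothing gets out
                     if [ "$misses" -ge "$MISS_LIMIT" ]; then status=down; fi ;;
        probe_error) : ;;        # keep previous status; a failed probe proves nothing
    esac
    printf '%s %s\n' "$status" "$misses" > "$STATE_FILE"
    if [ "$status" != "$prev" ]; then echo "VPN/WAN is $status"; fi
}

# Wiring (not executed here); ROUTER is a placeholder for the router login:
#   out=$(ssh -o BatchMode=yes -p 2211 "$ROUTER" 'nvram get vpn_client1_state')
#   ping 8.8.8.8 -c1 -w1 >/dev/null 2>&1; step "$out" $?
```

Whether the ping actually leaves through the VPN tunnel depends on the routing of the host that runs it, so the probe should be run from a client whose traffic is routed over the VPN.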