
Comments (15)

coolhva avatar coolhva commented on August 12, 2024 1

fixed by https://github.com/coolhva/usg-kpn-ftth/blob/e3c851eb2b121de2ed3106ca486d2e9ee5ed8c46/setvpn.sh , please test :)

from usg-kpn-ftth.

coolhva avatar coolhva commented on August 12, 2024 1

So the logic is as follows:

setvpn.sh is started after a reboot (or manually through SSH) and will check if the post-commit hook file is present; if not, it will create it.

This post-commit hook will run when a configuration change is committed. If the VPN configuration is reverted back to what the controller is sending, the post-commit hook will create a file in the crontab folder which contains an instruction to run the setvpn.sh script in the next minute.

The setvpn.sh script will, after validating that the post-commit hook exists, check if the crontab file exists and delete it so it will not execute the next minute.

Then setvpn.sh checks if the configuration needs an update and, if so, it will update the configuration.

So a three-step solution all contained in setvpn.sh ;-) I hope you guys enjoy using your VPN now, knowing that with every configuration change it will set the VPN parameters correctly again.

from usg-kpn-ftth.
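
The three-step flow described in the comment above, as an added sketch that is not part of the original thread and is not the project's setvpn.sh. It assumes a temporary directory and a flat state file in place of the USG's hook folder, cron folder and live configuration; the cron file name and the log messages are hypothetical.

```shell
#!/bin/sh
# Added sketch, not the project's setvpn.sh. A temp dir and a flat state file
# stand in (assumptions) for the hook dir, cron dir and the live USG config.
WORK=$(mktemp -d)
HOOK="$WORK/post-hooks.d/set-vpn-hook.sh"  # hook name taken from the log output
CRON="$WORK/cron.d/setvpn"                 # hypothetical cron file name
STATE="$WORK/vpn.state"                    # stand-in for the running config
LOG="$WORK/postprovisionvpn.log"
mkdir -p "$WORK/post-hooks.d" "$WORK/cron.d"

# True when any of the three VPN settings is back at the controller's value.
vpn_needs_fix() {
    ! grep -qx 'ipsec-interface pppoe2' "$STATE" 2>/dev/null ||
    grep -q '^dhcp-interface ' "$STATE" 2>/dev/null ||
    ! grep -qx 'outside-address 0.0.0.0' "$STATE" 2>/dev/null
}

# Step 2: runs after every commit; schedules a one-shot repair if needed.
post_commit_hook() {
    if vpn_needs_fix; then
        echo "hook: VPN settings reverted, scheduling setvpn.sh" >> "$LOG"
        echo "* * * * * root /config/scripts/post-config.d/setvpn.sh" > "$CRON"
    fi
}

# Simulates a controller provision that pushes the non-working values.
controller_provision() {
    printf 'ipsec-interface eth0\ndhcp-interface eth0\n' > "$STATE"
    post_commit_hook
}

setvpn() {
    # Step 1: make sure the post-commit hook file exists.
    if [ ! -f "$HOOK" ]; then
        printf '#!/bin/sh\n# would call the post-commit check\n' > "$HOOK"
        chmod 755 "$HOOK"
    fi
    # Step 3a: drop the cron entry so the repair does not repeat every minute.
    rm -f "$CRON"
    # Step 3b: change and commit only when the config actually needs it.
    if vpn_needs_fix; then
        printf 'ipsec-interface pppoe2\noutside-address 0.0.0.0\n' > "$STATE"
        echo "setvpn: settings applied, committing" >> "$LOG"
        post_commit_hook   # the commit itself fires the hook again
    else
        echo "setvpn: nothing to do" >> "$LOG"
    fi
}
```

Because the hook re-checks the settings after setvpn's own commit and finds them correct, no new cron entry is written and the cycle ends. The hook and the cron entry both run as root, so those files should be owned by root and not writable by group or others.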

xHuubx avatar xHuubx commented on August 12, 2024

I recognize this problem, I have a USG-3P with firmcode 4.4.52.5363511. After a reboot VPN doesn't work, I have to SSH into it and execute the command you mention and then VPN works again.
Would be nice to get this fixed..

Pillen avatar Pillen commented on August 12, 2024

I have the same problem.
Took a while to figure that out, just as I was installing it for the very first time...
Just re-run the .sh script(s) with sudo in your /config/scripts/post-config.d/ folder for the time being.

stehof2 avatar stehof2 commented on August 12, 2024

> I have the same problem.
> Took a while to figure that out, just as I was installing it for the very first time...
> Just re-run the .sh script(s) with sudo in your /config/scripts/post-config.d/ folder for the time being.

For me it also took some time to figure out why the VPN wasn't working anymore, but for now the workaround is to execute the script manually by SSH into the USG and command to run it. Would be nice if we can find a fix to run the script automatically again after a reboot/re-provisioning :)

coolhva avatar coolhva commented on August 12, 2024

I'm working on trying to understand why it does not execute (or maybe it fails).

coolhva avatar coolhva commented on August 12, 2024

Observations so far:

When rebooting the USG the config is applied correctly and my VPN works. Before rebooting my VPN did not work so something is changing the configuration but I do not know what and when. I added config revisions to see if that helps finding who is changing what:

Added to config.gateway.json:

    "system": {
        "config-management": {
            "commit-revisions": "20"
        }
    }

$ show system commit
0   2021-03-06 14:20:17 by unifiadmin via cli
    commit
1   2021-03-06 14:12:01 by unifiadmin via cli
    commit
2   2021-03-06 14:11:22 by root via init
    commit
$ show system commit diff 0
[edit vpn ipsec ipsec-interfaces]
-interface eth0
>interface pppoe2

Also added logging to the setvpn script:

$ cat setvpn.sh
#!/bin/vbash
readonly logFile="/var/log/postprovisionvpn.log"

source /opt/vyatta/etc/functions/script-template

echo "setvpn.sh exeuted at $(date)" >> ${logFile}

configure >> ${logFile}
echo "Setting ipsec-interface to pppoe2" >> ${logFile}
set vpn ipsec ipsec-interfaces interface pppoe2 >> ${logFile}
echo "Deleting dhcp interface" >> ${logFile}
delete vpn l2tp remote-access dhcp-interface eth0 >> ${logFile}
echo "Setting outside-address to 0.0.0.0" >> ${logFile}
set vpn l2tp remote-access outside-address 0.0.0.0 >> ${logFile}
echo "Commiting" >> ${logFile}
commit
exit

Interestingly, the configuration was already good before executing setvpn.sh, because it cannot find the dhcp interface to delete:

$ cat /var/log/postprovisionvpn.log
setvpn.sh exeuted at Sat Mar  6 14:05:56 CET 2021
Setting ipsec-interface to pppoe2
The specified configuration node already exists
Deleting dhcp interface
Nothing to delete (the specified value does not exist)
Setting outside-address to 0.0.0.0
The specified configuration node already exists
Commiting

After a force provision I see that the config is changed back and VPN stops working:

$ show system commit
0   2021-03-06 14:33:51 by root via other
    commit
1   2021-03-06 14:20:17 by unifiadmin via cli
    commit
...
$ show system commit diff 0
[edit unifi mgmt]
>cfgversion 7804895ff911ec78
[edit vpn ipsec ipsec-interfaces]
-interface pppoe2
+interface eth0
[edit vpn l2tp remote-access]
+dhcp-interface eth0
-outside-address 0.0.0.0

So besides the force commit there is also another process changing the config to bring it back to the non-working state. I'm going to see if I can run a script after commit or maybe use scheduled tasks.

coolhva avatar coolhva commented on August 12, 2024

@Pillen @xHuubx @stehof2 did you find the time to test the latest setvpn.sh?

xHuubx avatar xHuubx commented on August 12, 2024

@coolhva okay I just uploaded the new setvpn.sh to the post-config.d folder, now I need to find a time-slot to reboot the USG.. I will try to do this tonight and let you know.

coolhva avatar coolhva commented on August 12, 2024

xHuubx avatar xHuubx commented on August 12, 2024

Okay, when I SSH to my USG, what command should I give it?

I tried:

sudo /config/scripts/post-config.d/setvpn.sh

but it didn't work (command not found)

xHuubx avatar xHuubx commented on August 12, 2024

The setvpn.sh was set to 655, I changed it to 755 and then fired the command as mentioned above

sudo /config/scripts/post-config.d/setvpn.sh

I am not sure what to see but I didn't get an error message, I tried VPN and it worked, does this conclude it works?
Or should a reboot confirm it?

stehof2 avatar stehof2 commented on August 12, 2024

> fixed by https://github.com/coolhva/usg-kpn-ftth/blob/e3c851eb2b121de2ed3106ca486d2e9ee5ed8c46/setvpn.sh , please test :)

Thanks, that seems to do the trick on my system. Since I'm using a USG-Pro-4 I need to delete the DHCP-Interface from eth2, that's the only thing I changed in the script and this is the output in the postprovisionvpn.log after a re-provision and the VPN is working:

VPN changes reverted, adding crontab
setvpn.sh exeuted at Mon Mar  8 20:19:01 CET 2021
removing setvpn from cron
Setting ipsec-interface to pppoe2
Deleting dhcp interface
Setting outside-address to 0.0.0.0
Commiting
VPN changes were already applied

Can't reboot the system right now because my girlfriend is watching TV (and you know what will happen if I reboot now) :) but I assume that a reboot won't be an issue with this script, nice work! Will do the reboot tomorrow and leave the outcome right here.

Pillen avatar Pillen commented on August 12, 2024

Needed to find some time.

setvpn.sh exeuted at Tue Mar  9 10:15:13 CET 2021
set-vpn-hook.sh does not exists, creating hook now
VPN changes reverted, adding crontab
setvpn.sh exeuted at Tue Mar  9 10:25:01 CET 2021
removing setvpn from cron
Setting ipsec-interface to pppoe2
Deleting dhcp interface
Setting outside-address to 0.0.0.0
Commiting
VPN changes were already applied

Re-provisioned the USG afterwards.
And VPN is connecting!

stehof2 avatar stehof2 commented on August 12, 2024

> Re-provisioned the USG afterwards.
> And VPN is connecting!

Nice, also did a reboot of the USG today and as expected, the VPN is still working when the boot finishes, great work!
