How can I run OpenVPN as root in the background, in a script?
TL;DR: Use sudo -b
or, better, openvpn [...] --daemon
.
Since you're running openvpn
(and, less specifically, since you wish to run a program as root in the background), the most commonly dispensed information about how to run commands in the background does not address your situation. You said:
I've tried to append a & to the cpenvpn command and to place nohop in front of it. Both does not work.
Your command is:
sudo openvpn ~/my_connection.ovpn
Under sudo
's default configuration, if you haven't recently entered your password for sudo
in the same terminal (or have logged out and back in on that terminal) then it will ask for your password. But if you run the command in the background by appending &
then you won't be shown the [sudo] password for user:
line or given the opportunity to type it in.
So in this situation, running the command, entering your password, and sending it to the background afterwards is an reasonable way to do it, for interactive use.
But it's not the only way and, as you say, you will not want to do that in a script.
Way 1: Make sure sudo
has a fresh timestamp.
You can ensure that sudo
has a current timestamp when it is used to run your command, by first running:
sudo -v
Then, after that, you can run:
sudo openvpn ~/my_connection.ovpn &
However, it is usually better to avoid &
(and nohup
) altogether when you want to run a command in the background with sudo
. This is especially the case for scripting.
Way 2: Use sudo -b
. In general, this is usually what you want.
Instead, you can run sudo
itself in the foreground, but pass the -b
flag so sudo
causes the command to be run in the background.
sudo -b openvpn ~/my_connection.ovpn
This is usually a better way, especially if you are putting the command in a script. With sudo -b
you don't get job control, but in a shell script job control is disabled by default and you shouldn't usually use it.
As man sudo
explains:
-b, --background
Run the given command in the background. Note that it is not
possible to use shell job control to manipulate background
processes started by sudo. Most interactive commands will
fail to work properly in background mode.
This works because nothing is running in the background until after sudo has recieved your password (if necessary) and determined that you are permitted to run the command.
Way 3: But for openvpn
, you should probably just run it with --daemon
.
openvpn
will run in the background automatically if you run it with the --daemon
option:
sudo openvpn ~/my_connection.ovpn --daemon
Pass --daemon
after your .opvn
filename rather than before; the argument following --daemon
, if any, is interpreted as the name that the daemonized openvpn
process should use. (Do not also append &
.)
Whether or not this is appropriate depends on whether or not any interaction must occur after openvpn
has been run but before it daemonizes. And that depends, in part, on what is set up in ~/my_connection.ovpn
. But if openvpn
couldn't immediately daemonize, then all the other ways of immediately running it in the background will break, too.
Therefore, in any situation where you know you want openvpn
to start running in the background, and you know you won't want to bring it back into the foreground, you should strongly consider the method of invoking it with the --daemon
option. This is specific to openvpn
--most programs do not support a --daemon
option, though many server programs do have some such option. (The name and syntax vary, however.)
To decide whether or not to use this option (and how you want to use it), I recommend you read the openvpn
manual page, especially in the section on --daemon
. It has a lot of useful information, and I am only quoting the first paragraph here:
--daemon [progname]
Become a daemon after all initialization functions are
completed. This option will cause all message and error output
to be sent to the syslog file (such as /var/log/messages),
except for the output of scripts and ifconfig commands, which
will go to /dev/null unless otherwise redirected. The syslog
redirection occurs immediately at the point that --daemon is
parsed on the command line even though the daemonization point
occurs later. If one of the --log options is present, it will
supercede syslog redirection.
The optional progname parameter [...]
Way 4: Sometimes it's reasonable to run the whole script as root.
If you have a script that carries out multiple actions as root, it doesn't have any significant activity that would reasonably be run not as root, and there's never anything useful to come from running the script as a non-root user, then the user of the script should probably just run it as root.
If this is the case, then you should remove sudo
from commands in the script. When the script runs as root, there's no need for sudo
. (Though the root user can, by default, run any command as any user including itself with sudo
and doesn't need a password to do so. So if you do leave instances of sudo
in the script then it will probably still work.)
If you have any instances of sudo
in the script that are actually used to run commands as some other user than root (with -u user
), then you should still keep those instances.
If the whole script is being run as root, then most of the typical ways of making commands run in the background apply, including appending &
and, where needed, the use of nohup
(which you already know about). For this, though, you should still strongly consider using openvpn
with the --daemon
option.
TL;DR Run it in daemon mode: openvpn --config Windscribe-Japan.ovpn --daemon
Passing the configuration (.ovpn) filename to openvpn
command works only if no other options are specified. If I specify --daemon
option then openvpn tries to parse the filename as an options parameter and throws Options error: I'm trying to parse "Windscribe.ovpn" as an --option parameter but I don't see a leading '--'.
Answer:
To avoid this, the file name has to be specified with --config
option. For example, openvpn --config Windscribe.ovpn --daemon
. Then tail the syslog with tail -f /var/log/syslog
, for further inspection.
You can also check the before and after output of this curl command curl ifconfig.co
to make sure that VPN is connected.
Note: This will keep the daemon running even after you logout from the SSH session.
You can just copy your
.conf file into /etc/openvpn/
Then ask 'service openvpn@confName start' to handle all the daemonizing and sudo for you.
See https://unix.stackexchange.com/a/366680/198666