Restarting a VPN client on pfSense through the CLI (SSH)

I recently had some issues with a flaky VPN service. I wanted to make a little script I could run on a different machine that would restart the VPN connection, should it break. This particular VPN connection included a DNS service for the remote .local-domain, which I decided to use for testing, but you could in theory use any valid connection test.

Either way, pulling the correct function names and options from /usr/local/www/status_services.php – following the reference to /etc/inc/service-utils.inc – I came up with this script:

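#!/usr/bin/env bash
# Test the VPN by resolving a name that only the remote DNS server knows.
if ! nslookup -timeout=2 remote.server.local >/dev/null 2>&1; then
    echo "VPN not OK - restarting"
    # Feed PHP to the pfSense box on stdin. The delimiter is quoted so the
    # local shell expands nothing, and the closing EOF starts in column one
    # because <<- would strip only leading tabs, not spaces.
    ssh my.pfsense.ip /usr/local/bin/php -q <<'EOF'
<?php
    include('service-utils.inc');
    service_control_restart("openvpn", array('vpnmode' => 'client', 'id' => '3'));
?>
EOF
fi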

This will connect to my pfSense box using keyless login from a trusted machine, and restart the VPN connection.

The client ID was obtained from the restart link in the pfSense web interface:

[Image: vpnid]

UPDATE

I ended up finding the browser VPN ID too hackish, and made a script that looks up the ID in the pfSense config instead. Might also be useful for adapting to future issues. Here: http://www.dhampir.no/stuff/bash/pfsense-vpnreset
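
The config lookup described in the update, as an added sketch that is not the author's pfsense-vpnreset script. It assumes each OpenVPN client sits in an <openvpn-client> element of config.xml with <vpnid> and <description> children on their own lines; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes pfSense's config.xml keeps each OpenVPN client in an
# <openvpn-client> element, one child element per line. Names are hypothetical.
sample_config() {  # constructed sample, not a real firewall config
    cat <<'EOF'
<pfsense><openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <description><![CDATA[Road warriors]]></description>
  </openvpn-server>
  <openvpn-client>
    <vpnid>2</vpnid>
    <description><![CDATA[Home lab]]></description>
  </openvpn-client>
  <openvpn-client>
    <vpnid>3</vpnid>
    <description>Remote office</description>
  </openvpn-client>
</openvpn></pfsense>
EOF
}

# Print the vpnid of the client whose description equals $2; status 1 if none.
vpnid_for_description() {
    awk -v want="$2" '
        /<openvpn-client>/ { inside = 1; id = ""; desc = ""; next }
        /<\/openvpn-client>/ {
            if (desc == want && id ~ /^[0-9]+$/) { print id; found = 1; exit }
            inside = 0; next
        }
        inside && /<vpnid>/ { id = $0; gsub(/.*<vpnid>|<\/vpnid>.*/, "", id) }
        inside && /<description>/ {
            desc = $0
            gsub(/.*<description>(<!\[CDATA\[)?|(\]\]>)?<\/description>.*/, "", desc)
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Emit the restart PHP only for a purely numeric ID; it runs on the firewall.
restart_php() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid vpnid: $1" >&2; return 1 ;;
    esac
    printf '%s\n' '<?php' "include('service-utils.inc');" \
        "service_control_restart(\"openvpn\", array('vpnmode' => 'client', 'id' => '$1'));" '?>'
}
# Demo on the constructed sample: prints the PHP for client 3.
sample_config | vpnid_for_description - "Remote office" | { read -r id; restart_php "$id"; }
```

On a real setup the input would be a copy of the firewall's /conf/config.xml, and the output of restart_php would be piped to the ssh command from the script above.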

3 Comments

  • Muhammad says:

    I was working on this all day. pfsense channel on freenode was useless. Thanks!

  • sorin says:

    Sadly this doesn’t work with pfsense 2.4.1 because the password file is overridden by pfsense on connect.

    You can find more information on https://redmine.pfsense.org/issues/8122 — maybe you found another workaround for this. I am really interested in finding a way to automate the connection.

    • bolt says:

      I don’t use one-time passwords with OpenVPN on pfSense, sorry. But I currently have 4 VPN clients running with usernames, passwords and client certificates, and those still work fine in 2.4.1 🙂
