Maybe some of you will be interested in how I solved it. As the configuration through the web interface was not working properly (sometimes VPN on, sometimes VPN off), I decided to use scripting.
For this reason I switched off the VPN in the web interface. New challenge: the VPN config is not available after a reboot. Also, the generated VPN configuration was not proper. For example, "cipher" is not needed when the VPN server is negotiating, so I edited the configuration.
data-ciphers AES-256-CBC:BF-CBC:AES-256-GCM and data-ciphers-fallback AES-256-CBC are equal to the server configuration and IMHO not available in the web interface.
VPN-config:
client
nobind
persist-key
persist-tun
tls-client
auth sha512
ca /etc/vuci-uploads/MYCA.crt
cert /etc/vuci-uploads/MYCERT.crt
dev tap
key /etc/vuci-uploads/MYKEYFILE.key
port 11192
proto udp
remote X.X.X.X
resolv-retry infinite
status /tmp/openvpn-status_ISHQstat.log
user root
verb 5
data-ciphers AES-256-CBC:BF-CBC:AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth-nocache
script-security 2
down /etc/openvpn/updown.sh
up /etc/openvpn/updown.sh
Solution to make the configuration available:
I deployed the config on a web server that is always reachable from the router, as long as the mobile connection is available.
Solution to make the VPN configuration available once the mobile connection is ready: hotplug.d
This script will be launched once the device "wwan0" comes up with the action "ifup". If wwan0 is down, we don't need openvpn.
cat /etc/hotplug.d/iface/99-openvpn
#!/bin/sh
#/etc/hotplug.d/iface/99-openvpn
# Sourced by /sbin/hotplug-call with ACTION (ifup/ifdown) and DEVICE set by netifd;
# hotplug-call also sets $script to the path of this file, which log() uses as tag.
VPNSCRIPT=/usr/bin/dl_vpn.sh
log() {
    logger -p 4 -t "$(basename "$script")" "$@"
}
if [ "$ACTION" = "ifup" ] && [ "$DEVICE" = "wwan0" ]; then
    log "wwan0 up - Mobile data connected"
    /bin/sh "$VPNSCRIPT"
elif [ "$ACTION" = "ifdown" ] && [ "$DEVICE" = "wwan0" ]; then
    log "wwan0 down - Mobile data disconnected"
    # without mobile data the tunnel cannot work anyway; dl_vpn.sh restarts it on the next ifup
    killall openvpn
fi
Script to switch the VPN on:
The script downloads the client configuration and launches openvpn in daemon mode.
#!/bin/sh
#/bin/sh /usr/bin/dl_vpn.sh
VPNGW="X.X.X.X"        # web server that serves the config (the VPN gateway)
SISGW="X.X.X.X"        # host behind the tunnel, pinged to verify the VPN is up
FQDN=$(cat /proc/sys/kernel/hostname)
HOSTNAME=${FQDN%%.*}
REMOTEFILE="${HOSTNAME}_openvpn-ISHQstat.conf"
URL="https://$VPNGW/$REMOTEFILE"
CONFIG="/var/etc/openvpn-ISHQstat.conf"

log() {
    /usr/bin/logger -t dl_vpn.sh "$@"
}
bailout() {
    log "$@"
    exit 1
}

# "&>" is a bash-ism; /bin/sh on the router is BusyBox ash
if ping -c 1 "$VPNGW" > /dev/null 2>&1
then
    # --no-check-certificate disables TLS verification, so the config is only as
    # trustworthy as the network path; download to a temp file first so a failed
    # transfer never leaves a truncated config behind for openvpn to read.
    /usr/bin/wget "$URL" -O "$CONFIG.tmp" --no-check-certificate \
        || { rm -f "$CONFIG.tmp"; bailout "download of $URL failed"; }
    mv "$CONFIG.tmp" "$CONFIG"
    test -s "$CONFIG" || bailout "$CONFIG not available"
    # start openvpn only if no instance with this config is running already
    pgrep -f openvpn-ISHQstat.conf > /dev/null \
        || /usr/sbin/openvpn --status /var/run/openvpn.ISHQstat.status --cd /var/etc --config "$CONFIG" --daemon
    ping -c 2 "$SISGW"
else
    log "$VPNGW not reachable, could not download VPN config file"
fi
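One check worth adding between the download and the openvpn start, as an added example that is not code from the original post: because the config is fetched with --no-check-certificate, anyone who can intercept that HTTPS request can hand the router a config of their choosing, and OpenVPN directives such as up, down, route-up or plugin execute a command or load a library (as root here, since the config runs with user root and script-security 2). The function below rejects any directive outside an allowlist, pins remote to the expected gateway, accepts up/down only for /etc/openvpn/updown.sh with no extra arguments, and requires ca/cert/key to live under /etc/vuci-uploads. The gateway placeholder X.X.X.X, the updown.sh path and the upload directory are taken from the post; the allowlist, the function names and the fetch helper (which assumes GNU wget's --ca-certificate option) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: validate a downloaded
# OpenVPN client config before openvpn is started with it. Values marked
# (post) come from the post; everything else is an assumption.
VPNGW="X.X.X.X"                  # (post) expected argument of "remote"
UPDOWN="/etc/openvpn/updown.sh"  # (post) the only script allowed for up/down
CERTDIR="/etc/vuci-uploads"      # (post) ca/cert/key must live here

# Directives the client config may contain (assumed allowlist, built from the
# post's config). Anything else, e.g. plugin, route-up, ipchange, tls-verify,
# is rejected because those also run commands or load code as root.
ALLOWED="client nobind persist-key persist-tun tls-client auth ca cert key dev port proto remote resolv-retry status user verb data-ciphers data-ciphers-fallback auth-nocache script-security up down"

# check_vpn_config FILE -> returns 0 if FILE passes, 1 otherwise (reason on stderr).
# Inline <ca>/<cert>/<key> blocks are not handled; the post's config uses file paths.
check_vpn_config() {
    f="$1"
    [ -s "$f" ] || { echo "reject: $f missing or empty" >&2; return 1; }
    seen_remote=0
    # the "|| [ -n "$d" ]" also processes a last line that lacks a newline
    while read -r d a1 a2 rest || [ -n "$d" ]; do
        case "$d" in ""|"#"*|";"*) continue ;; esac   # blank or comment line
        case " $ALLOWED " in
            *" $d "*) ;;
            *) echo "reject: directive '$d' not allowed" >&2; return 1 ;;
        esac
        case "$d" in
            remote)
                [ "$a1" = "$VPNGW" ] || { echo "reject: remote '$a1' is not $VPNGW" >&2; return 1; }
                seen_remote=1 ;;
            up|down)
                # openvpn executes "up cmd [args]" as root once the tunnel is open
                [ "$a1" = "$UPDOWN" ] && [ -z "$a2" ] ||
                    { echo "reject: $d '$a1 $a2' is not $UPDOWN" >&2; return 1; } ;;
            script-security)
                [ "$a1" -le 2 ] 2>/dev/null ||
                    { echo "reject: script-security '$a1' above 2" >&2; return 1; } ;;
            ca|cert|key)
                case "$a1" in
                    "$CERTDIR"/*)
                        case "$a1" in *..*) echo "reject: $d path '$a1' contains .." >&2; return 1 ;; esac ;;
                    *) echo "reject: $d path '$a1' outside $CERTDIR" >&2; return 1 ;;
                esac ;;
            dev)
                case "$a1" in tun|tap) ;; *) echo "reject: dev '$a1'" >&2; return 1 ;; esac ;;
        esac
    done < "$f"
    [ "$seen_remote" -eq 1 ] || { echo "reject: no remote line" >&2; return 1; }
    return 0
}

# fetch_vpn_config URL DEST CAFILE: download with TLS verification against a
# pinned CA file, validate, then move into place so DEST is never half-written.
# Assumes GNU wget (--ca-certificate, -t); BusyBox wget only offers
# --no-check-certificate, in which case curl --cacert is the alternative.
fetch_vpn_config() {
    url="$1"; dest="$2"; cafile="$3"
    tmp="$dest.tmp.$$"
    if wget -q -t 1 --ca-certificate="$cafile" -O "$tmp" "$url" && check_vpn_config "$tmp"; then
        mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

In dl_vpn.sh this would replace the wget line with `fetch_vpn_config "$URL" "$CONFIG" /etc/vuci-uploads/MYCA.crt || bailout "config rejected"`, assuming the web server's certificate chains to a CA file already on the router; if the server uses a separate certificate, upload its CA and point the third argument at it.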