Jump to content
Not connected, Your IP: 3.144.123.24
airvpnclient

Solution - Eddie as init service RPi Xbian (and other Debians?)

Recommended Posts

My target system:
Headless Raspberry Pi 2 Model B Rev 1.1 system via ssh.

$ uname -a>
	Linux xbian 4.19.90+ #1 SMP PREEMPT Wed Dec 18 20:39:10 CET 2019 armv7l GNU/Linux

## based on Debian GNU/Linux 10 (buster)
My use case is to have this box come up on boot fully protected - VPN / DNS / firewall and stay that way.

My first effort was to eddie-cli in rc.local and I hit a few roadblocks but figured out the following:

1. The script  /etc/rc.local runs as root, but eddie-cli expects to be run by an unprivileged user (it is installed in /usr/bin).
2. Also, /etc/rc.local does not, by default provision a terminal (ttx) while eddie-cli depends on it.

These two issues can be addressed using the su command "su -P -c 'eddie-cli ....{options)...' User."  The command su -c lets rc.local run it as a normal user and the -P option gives rc.local access to a pseudo-terminal.

3. Even when the -batch directive is used, some forking program wants a typed password when escalating privileges during startup.

In order to get around that I gave my user password-free access via sudo by editing the sudoers file as set out here:

https://linuxhandbook.com/sudo-without-password/

The command eddie-cli executes via sudo, is /usr/lib/eddie-cli/eddie-cli-elevated, and there also exists /usr/lib/eddie-cli/eddie-cli-elevated2

Using the # visudo  command to allow nopassword sudo for just these these two commands:
 
xbian ALL=(ALL) NOPASSWD:/usr/lib/eddie-cli/eddie-cli-elevated,/usr/lib/eddie-cli/eddie-cli-elevated2

This 3-part kludge actually works well.  But better yet would be to have eddie-cli run as a proper init service.

For standard Debian 10 systems that would require writing a SystemD unit file, etc.  Or, since SystemD runs rc.local as a service, you could try just using the command that follows "exec" below at the end of the /etc/rc.local file.  Good scripting practice would also include tests so that rc.local exits with zero on success and non-zero on failure.  I think you would then be able to control eddie-cli by using systemctl against the rc.local service, but I haven't checked this out.

 Xbian, to their credit, eschews SystemD and uses instead Canonical's older Upstart init system -- an improvement over SystemV without the borg-like expansiveness of SystemD.  After digging a bit, I have put together a configuration file based on the one that existed for OpenVPN and it works exactly as advertised.  The system boots protected and I can manage eddie-cli with Upstart's start, stop, and status commands while the output is logged to /var/log/upstart/eddie-cli.log.
 
$ cat /etc/init/eddie-cli.conf

start on (net-device-up
          and local-filesystems
          and runlevel [2345])
stop on runlevel [!2345]

env PIDFILE="/var/run/eddie-cli/eddie.pid"

respawn
respawn limit 6 60

pre-start script
    if [ ! -e /var/run/eddie-cli ]; then
        mkdir -m 0770 /var/run/eddie-cli
        chown nobody:nogroup /var/run/eddie-cli
    fi
end script

exec su -P -c "/usr/bin/eddie-cli	\ 
  -netlock                       	\
  -login=airvpnclient            	\
  -password=*****************    	\  
  -server=Rotanev                	\
  -connect                       	\
  -batch"                        	\
xbian

pre-stop script
  PID=`cat $PIDFILE`
  kill -15 $PID
  sleep 3
  if [ "$?" -eq 0 ]; then
    rm -f $PIDFILE
  else
    echo "Unable to stop VPN"
  fi
end script

post-stop exec sleep 5

### I will also want to add to the post-stop command an iptables-restore command, against some tables I saved on the desktop 
### so swap for something like:

# post-stop exec "sleep 5 && /usr/sbin/iptables-legacy restore < /etc/eddie-cli/airvpn.tables && /usr/sbin/ip6tables-legacy restore < /etc/eddie-cli/airvpn.6tables"

### since if the service hits its respawn limit for some reason and stops, there would be no firewall
### and other services would be exposed.

Hope this helps someone.

 

Share this post


Link to post

Parts of this Upstart configuration are not doing what I would expect and, in particular is not identifying its PID in /var/run/eddie-cli/eddie.pid.

Here is my modified Upstart script:
 

start on (net-device-up
          and local-filesystems
          and runlevel [2345])
stop on runlevel [!2345]

emits airvpn-up airvpn-down

respawn
respawn limit 6 60

pre-start script
    if [ ! -e /var/run/eddie-cli ]; then
        mkdir -m 0770 /var/run/eddie-cli
        chown nobody:nogroup /var/run/eddie-cli
    fi
end script

exec su -P -c "/usr/bin/eddie-cli	\ 
  -netlock                       \
  -login=airvpnclient            \
  -password=My.cat.has.pings.    \
  -server=Rotanev                \
  -connect                       \
  -batch"                        \
xbian

post-start script
    PIDFILE=`service eddie-cli status | egrep -m1 -oi '([0-9]+)$'`
    echo $PIDFILE > /var/run/eddie-cli/eddie.pid
end script

pre-stop script
  PID=`cat $PIDFILE`
  kill -15 $PID
  sleep 1
  if [ "$?" -eq 0 ]; then
    rm -f $PIDFILE
  else
    echo "Unable to stop Eddie-cli"
  fi
end script

post-stop exec sleep 5

I have also created the following upstart script to run after eddie-cli starts to limit its cpu use:
 
start on started eddie-cli


exec /usr/bin/cpulimit --pid $(cat /var/run/eddie-cli/eddie.pid --limit 20

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...