Connect VPN during CI/CD

Hello,

I need to connect to a VPN server during my deployment in .gitlab-ci.yml
I’m using openvpn but my issue is that openvpn command keep console with no return and my CI still running for ever.

I would need that my process continue if connection is ok.

Do you have an idea?

Here is my command:
sudo /usr/sbin/openvpn /home/gitlab-runner/myconf.conf

I have tried with & to put in background. Process go forward but still running at the end.

Note: I added this command in /etc/sudoers for my gitlab-runner user.

Thank you for your help

Hi Louis,

Have you tried running openvn as a deamon ?

Your command would become:
sudo /usr/sbin/openvpn --config /home/gitlab-runner/myconf.conf --daemon

Also, if your server requires authentication with a username and password, you can create a secrets.txt file with your credentials and add this to your command.
sudo /usr/sbin/openvpn --config /home/gitlab-runner/myconf.conf --auth-user-pass secrets.txt --daemon

–secrets.txt–

username
password

After this you can continue with your deploy actions.

If you have more questions, please feel free to ask.

1 Like

I would recommend you to use FastestVPN, it works very well on all platforms, further they have 7 days money back policy so in case if you have any issue, so you can refund your money back.

I know this is an old thread, but it is google result #1 when looking for this topic so I’ll share my solution here.

before_script:
  ##
  ## VPN
  ## Inspiration from: https://torguard.net/knowledgebase.php?action=displayarticle&id=138
  ## And http://forum.gitlab.com/t/connect-vpn-during-ci-cd/7585
  ## Content from Variables to files: https://stackoverflow.com/a/49418265/4396362
  ## Waiting for opnevpn connect would be better than sleeping, the closest would be https://askubuntu.com/questions/28733/how-do-i-run-a-script-after-openvpn-has-connected-successfully
  ## Maybe this would work https://unix.stackexchange.com/questions/403202/create-bash-script-to-wait-and-then-run
  ##
  - which openvpn || (apt-get update -y -qq && apt-get install -y -qq openvpn) # Install openvpn if not available.
  - cat <<< $CLIENT_OVPN > /etc/openvpn/client.conf # Move vpn config from gitlab variable to config file.
  - cat <<< $VPN_U > /etc/openvpn/pass.txt # Move vpn user from gitlab variable to pass file.
  - cat <<< $VPN_P >> /etc/openvpn/pass.txt # Move vpn password from gitlab variable to pass file.
  - cat <<< "auth-user-pass /etc/openvpn/pass.txt" >> /etc/openvpn/client.conf # Tell vpn config to use password file.
  - cat <<< "log /etc/openvpn/client.log" >> /etc/openvpn/client.conf # Tell vpn config to use log file.
  - openvpn --config /etc/openvpn/client.conf --daemon # Start openvpn with config as a deamon.
  - sleep 30s # Wait for some time so the vpn can connect before doing anything else.
  - cat /etc/openvpn/client.log # Print the vpn log.
  - ping -c 1 <IP> # Ping the server I want to deploy to. If not available this stops the deployment process.

  ##
  ## SSH
  ## Inspiration for gitlab from https://docs.gitlab.com/ee/ci/ssh_keys/
  ## Inpsiration for new key from https://www.thomas-krenn.com/de/wiki/OpenSSH_Public_Key_Authentifizierung_unter_Ubuntu
  ##
  - which ssh-agent || (apt-get update -y -qq && apt-get install openssh-client -y -qq) # Install ssh-agent if not available.
  - eval $(ssh-agent -s) # Run ssh-agent.
  - mkdir -p ~/.ssh # Create ssh directory.
  - cat <<< $SSH_PRIVATE_KEY > ~/.ssh/id_rsa # Move ssh key from gitlab variable to file.
  - chmod 700 ~/.ssh/id_rsa  # Set permissions so only I am allowed to access my ssh key.
  - ssh-add # Add the key (no params -> default file name assumed).
  - cat <<< $SSH_KNOWN_HOSTS_DMS > ~/.ssh/known_hosts # Add the servers SSH Key to known_hosts prevent man in the middle attack.

When you add this before_script you are connected via VPN and you can simply use ssh and rsync as:
ssh username@ ‘command to execute’

I’m not completely happy with the sleep, but it was the easiest, yet reliable thing I could come up with.
If you have any suggestions for improvements let me know :slight_smile:

HTH

5 Likes

This is good, however my VPN connection expects Authenticator code as well

@bechtold did you run this on a gitlab shared runner? Asking because I’m getting the error

Options error: You must define TUN/TAP device (--dev)

which I believe is caused by the docker environment not passing the network devices, or something like that. I don’t fully understand it though since shared runners are running in privileged mode so should have full access.

Yes, I did and didn’t setup anything else. Maybe something changed on the shared runners? Haven’t been working on that project for a while, so I can’t say if it still works.

Thanks for your reply! Would you mind sharing your .gitlab-ci.yml if you still have it? Much appreciated.