Last Updated on 2017-08-07.
In a previous post, I explained how to set up Mikrotik Routerboards as a VPN gateway.
This post is about how to remotely switch the VPN on and off via the smart home visualization OpenHAB 2, so that it affects your whole LAN. You can even switch to other VPN servers, conveniently via a phone or browser interface.
Basic procedure: User starts a command via OpenHAB interface -> SSH commands are executed via shell -> RouterOS accepts the commands.
SSH preparation
First we need to establish a simple and secure connection between your server (e.g. Ubuntu, running OpenHAB) and your routerboard, which can be used in scripts without passwords.
On your OH server, execute:
```bash
su - openhab -s /bin/bash   # the Linux user which is running the OpenHAB process
mkdir /ssh-mikrotik
cd /ssh-mikrotik
ssh-keygen -t rsa           # as location, choose /ssh-mikrotik/id_rsa
```
Copy the file /ssh-mikrotik/id_rsa.pub to your Mikrotik device, e.g. via WinSCP and RouterOS WinBox (or FTP / terminal).
Then open WinBox -> System -> Users and create a user “openhab” with full permissions. If you want, restrict it to a certain IP address.
In the “SSH keys” tab, import the file id_rsa.pub you copied before, and assign it to the Mikrotik user “openhab”.
Test the SSH connection on your OH server:
```bash
ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "echo asdf"   # assuming 10.1.0.11 is your RouterOS device
```
Scripts
You need some scripts on your OH server to get the VPN state and be able to control it.
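```bash
#!/bin/bash
# /ssh-mikrotik/vpn-control.sh: enable or disable the VPN client on the router.
# Assumes your VPN runs via PPTP and is called "myvpn".
if [ "$1" = "ON" ]
then
    echo "enabling vpn"
    ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client enable myvpn"
fi
if [ "$1" = "OFF" ]
then
    echo "disabling vpn"
    ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client disable myvpn"
fi
```

```php
<?php
// /ssh-mikrotik/vpn-status.php: print ON, OFF or error for the "myvpn" client.
$result = `ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client print where name=myvpn"`;
#echo $result;
$lines = explode("\n", $result);

//offline?
if (count($lines) < 5) {
    echo "error";
    exit;
}

// Line 0 is the flags legend, line 1 is the entry itself.
// A running client prints as " 0  R name=...", so splitting on single
// spaces puts the R flag at index 3.
$line = $lines[1];
$expl = explode(" ", $line);
#var_dump($expl);
if ($expl[3] == "R") {
    echo "ON";
} else {
    echo "OFF";
}
?>
```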
Make both scripts executable by the openhab user:
```bash
chmod a+x /ssh-mikrotik/vpn-*
```
You can later extend these scripts, e.g. to be able to switch to another VPN host. Use the same commands as in the WinBox terminal, e.g. “/interface pptp-client set myvpn connect-to=example.com”.
Execute the scripts in your OH server’s shell manually to see if they work (they must be able to run under user openhab).
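An added example, not part of the original post: a variant of the control script that maps the argument it receives to a fixed set of RouterOS commands, so only ON, OFF and known server profiles ever reach the router over SSH. The `USE:<profile>` syntax, the profile names and the vpn1/vpn2.example.com hosts are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not the original post's script): allow-list wrapper for the
# RouterOS commands sent over SSH. Profile names and hosts are constructed.

ROUTER=10.1.0.11              # router address used in the post
KEY=/ssh-mikrotik/id_rsa      # key path used in the post
VPN_IF=myvpn                  # PPTP client name used in the post

# Map a short profile name to a VPN server; anything else is rejected.
vpn_host_for() {
    case "$1" in
        home)   echo "vpn1.example.com" ;;   # constructed placeholder
        travel) echo "vpn2.example.com" ;;   # constructed placeholder
        *)      return 1 ;;
    esac
}

# Translate the received command string into exactly one RouterOS command.
# Prints the command on success, returns 1 for anything not on the list.
routeros_cmd() {
    local host
    case "$1" in
        ON)  echo "/interface pptp-client enable $VPN_IF" ;;
        OFF) echo "/interface pptp-client disable $VPN_IF" ;;
        USE:*)
            host=$(vpn_host_for "${1#USE:}") || return 1
            echo "/interface pptp-client set $VPN_IF connect-to=$host" ;;
        *)   return 1 ;;
    esac
}

# Run the validated command on the router; raw input is never forwarded.
# StrictHostKeyChecking=yes needs the router's host key in known_hosts already.
vpn_control() {
    local cmd
    cmd=$(routeros_cmd "$1") || { echo "rejected: unsupported command" >&2; return 2; }
    ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes \
        -l openhab -i "$KEY" "$ROUTER" "$cmd"
}

# Only act when called with an argument (e.g. by the Exec binding).
if [ "$#" -gt 0 ]; then
    vpn_control "$1"
fi
```

Because the router account has full permissions, the case statements are the only place that decides what text is sent to RouterOS; adding a server means adding a line to `vpn_host_for`.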
OpenHAB2 configuration
The last step is to configure OH visualization.
We use the Exec binding for OH2, so make sure it is enabled in runtime.cfg (or in your preferred OH admin interface).
Thing definitions:

```
Thing exec:command:Vpn-Control [command="/ssh-mikrotik/vpn-control.sh %2$s", interval=0, autorun=true]
Thing exec:command:Vpn-Status [command="/usr/bin/php /ssh-mikrotik/vpn-status.php", interval=3600, timeout=15]
```

Item definition:

```
String VPN "VPN" <network> (All) { channel="exec:command:Vpn-Control:input", channel="exec:command:Vpn-Status:output", autoupdate="true"}
```

Sitemap entry:

```
Switch item=VPN
```
You should now be able to control your VPN interface via OpenHAB.