This entry has been published on 2017-08-07 and may be out of date.

Last Updated on 2017-08-07.


In a previous post, I explained how to set up Mikrotik Routerboards as a VPN gateway.

This post is about how to remotely switch the VPN on and off via the smart home visualization OpenHAB 2, so that it affects your whole LAN. You can even switch to other VPN servers, conveniently via the phone or browser interface.

Basic procedure: User starts a command via OpenHAB interface -> SSH commands are executed via shell -> RouterOS accepts the commands.

SSH preparation

First we need to establish a simple and secure connection between your server (e.g. Ubuntu, running OpenHAB) and your routerboard, which can be used in scripts without passwords.

On your OH server, execute:

mkdir /ssh-mikrotik #as root: the openhab user cannot create a directory directly under /
chown openhab /ssh-mikrotik
su - openhab -s /bin/bash #the Linux user which is running the OpenHAB process
cd /ssh-mikrotik
ssh-keygen -t rsa #as location, choose /ssh-mikrotik/id_rsa

Copy the file /ssh-mikrotik/id_rsa.pub to your Mikrotik device, e.g. via WinSCP and RouterOS WinBox (or FTP / terminal).

Then open WinBox -> System -> Users and create a user “openhab” with full permissions. If you want, restrict it to a certain IP address.

In the “SSH keys” tab, import the file id_rsa.pub you copied before, and assign it to the Mikrotik user “openhab”.

Test the SSH connection on your OH server:

ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "echo asdf" # assuming 10.1.0.11 is your RouterOS device

Scripts

You need two scripts on your OH server: /ssh-mikrotik/vpn-control.sh to switch the VPN on and off, and /ssh-mikrotik/vpn-status.php to read its state.

#!/bin/bash

if [ "$1" = "ON" ]
then
        echo "enabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client enable myvpn" #assuming your VPN runs via PPTP and is called "myvpn"
fi

if [ "$1" = "OFF" ]
then
        echo "disabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client disable myvpn"
fi

<?php

$result = `ssh -l openhab -i /ssh-mikrotik/id_rsa  10.1.0.11 "/interface pptp-client print where name=myvpn"`;

#echo $result;

$lines = explode("\n", $result);

//offline?
if (count($lines) < 5)
{
        echo "error";
        exit;
}

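//the script expects the entry for myvpn on the second line of the output
$line = $lines[1];

//split on single spaces; the flag column ends up at index 3 ("R" = running)
$expl = explode(" ",$line);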

#var_dump($expl);

if ($expl[3] == "R")
{
        echo "ON";
}
else
{
        echo "OFF";
}

?>

Make both scripts executable by the openhab user:

chmod a+x /ssh-mikrotik/vpn-*

You can later extend these scripts, e.g. to be able to switch to another VPN host. Use the same commands as in the WinBox terminal, e.g. “/interface pptp-client set myvpn connect-to=example.com”.
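
The extension suggested above, as an added example that is not part of the original post: a version of vpn-control.sh that can also switch servers, but only ever sends one of a fixed set of RouterOS commands, because whatever string OpenHAB hands to the script ends up in a command run as a router user with full permissions. The "SERVER:<host>" command format and the hostnames in the allowlist are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: vpn-control.sh with server switching.
# Assumed: the "SERVER:<host>" command format and the hostnames below.

ROUTER=10.1.0.11
KEY=/ssh-mikrotik/id_rsa
VPN=myvpn
ALLOWED_SERVERS="vpn1.example.com vpn2.example.com"   # constructed sample values

# Map an OpenHAB command to one fixed RouterOS command line.
# Prints the command and returns 0; returns 1 for anything unexpected,
# so the item state is never pasted into the SSH command unchecked.
build_routeros_cmd() {
    case "$1" in
        ON)  echo "/interface pptp-client enable $VPN" ;;
        OFF) echo "/interface pptp-client disable $VPN" ;;
        SERVER:*)
            host=${1#SERVER:}
            for allowed in $ALLOWED_SERVERS; do
                if [ "$host" = "$allowed" ]; then
                    echo "/interface pptp-client set $VPN connect-to=$host"
                    return 0
                fi
            done
            return 1 ;;
        *)  return 1 ;;
    esac
}

main() {
    if ! cmd=$(build_routeros_cmd "$1"); then
        echo "vpn-control: rejected command" >&2
        return 2
    fi
    # BatchMode makes ssh fail instead of waiting for a password or host key prompt
    ssh -o BatchMode=yes -o ConnectTimeout=10 -l openhab -i "$KEY" "$ROUTER" "$cmd"
}

# Contact the router only when called with an argument, e.g. by the Exec binding
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```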

Execute the scripts in your OH server’s shell manually to see if they work (they must be able to run under user openhab).

OpenHAB2 configuration

The last step is to configure OH visualization.

We use the Exec binding for OH2, so make sure it is enabled in runtime.cfg (or in your preferred OH admin interface).

// *.things file
Thing exec:command:Vpn-Control [command="/ssh-mikrotik/vpn-control.sh %2$s", interval=0, autorun=true]
Thing exec:command:Vpn-Status [command="/usr/bin/php /ssh-mikrotik/vpn-status.php", interval=3600, timeout=15]
// *.items file
String VPN "VPN" <network> (All) { channel="exec:command:Vpn-Control:input", channel="exec:command:Vpn-Status:output", autoupdate="true"}
// *.sitemap file
Switch item=VPN

You should now be able to control your VPN interface via OpenHAB.
