abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Script on other RB

Mon Nov 29, 2021 12:03 am

Hi everyone ... I am creating a configuration for a VPN client on which I would like a script to start up once connected which creates its server route and self-destructs ...

I managed to generate the script ....

But the problems are two, if I use the variables it does not accept them in the second routerboard ...

If I run it from system script it doesn't work ... advice?
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script on other RB

Mon Nov 29, 2021 8:06 am

When you are running a script with more than one command in the terminal, you need to wrap it in {}.
And use local if the variables are not needed in other scripts.

Something like this:
{
# address the SSTP client got on sstp-out1; /ip address returns it with a mask (e.g. 10.10.114.4/32)
:local clientIP [/ip address get [find where interface=sstp-out1] value-name=address]
# a route gateway must be a bare address, so drop everything from the "/" onwards
:set clientIP [:pick $clientIP 0 [:find $clientIP "/"]]
# LAN prefix of the first local DHCP network, used as the route destination
:local LanIP [/ip dhcp-server network get value-name=address number=0]
/system ssh address=10.10.114.1 user=shh command="/ip route add dst-address=$LanIP gateway=$clientIP distance=1"
}
In a script, the outer {} are not needed.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Mon Nov 29, 2021 11:04 am

Thanks for the answer ... so why does launching it from a system script not work like it does in the terminal? It seems not to log in to the second routerboard.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script on other RB

Mon Nov 29, 2021 11:20 am

So it runs from a terminal, but not in a script?
That I can not help with.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Mon Nov 29, 2021 1:05 pm

Exactly ... maybe it's not feasible to log in to another routerboard from a system script.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Mon Nov 29, 2021 10:10 pm

I managed to log in to the second routerboard, but I have problems entering data using the variables ... I'll try to post a screenshot, maybe someone can help me.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Script on other RB

Tue Nov 30, 2021 12:32 am

Variables are ok, they just need to have correct values. In this case the address, which you use for gateway, needs to have mask stripped from it. This works for me as system script:
# address on the VPN interface, returned with its mask (e.g. 10.10.114.4/32)
:local addr [/ip address get [find where interface=test1 disabled=no] value-name=address]
# keep only the part before "/" so it is usable as a route gateway
:set addr [:pick $addr 0 [:find $addr "/"]]
# first local DHCP network, used as the route destination
:local lan [/ip dhcp-server network get value-name=address number=0]
/system ssh-exec address=192.168.80.181 user=testadmin "/ip route add dst-address=$lan gateway=$addr"
Getting it to work as script executed by VPN client is another challenge, because if I remember correctly, it runs under some system account and you can't add ssh key for it. Maybe it can work if you wrap it in system script, where owner user has a key, I'm not sure.

In any case, the whole thing looks incredibly insecure, because you'll have to give clients admin access to the server. It also won't work well if you don't have all clients and their routers under your control, because half of them will have the same popular LAN subnet like 192.168.0.0/24.
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Tue Nov 30, 2021 3:19 pm

Therefore, the login takes place ... I do not use a key because that username is accessible only from the VPN subnet, but I could also use a key if necessary ... The clients will be many ... but this is the idea: to create a conf in which the user inserts the variables of the IP classes at the head, and when he then launches the script, this script will be activated which inserts the route into the server ... If you look carefully, I am entering the dst-address of the 10.10 classes, which will all be different ... so with the first variables of the script the correct data are imported, which are in this case dst-address 10.10.110.0/24 and gateway 10.10.114.4 ... If I indicate the IP in the route after login, the route is created correctly on the server ... if I use variables, no ... how would you change this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Script on other RB

Wed Dec 01, 2021 3:58 am

As I wrote, the script works for me, even with variables. The problem I had with your original one was IP address it got from "/ip address", because it contains netmask. Even if it's single address, it still has /32 mask appended, and that can't be used as value for route's gateway. After I stripped the mask, it worked.

Other than that, I still think it's wrong approach. Either you have everything under your control and you can add routes on server to individual users:
/ppp secret
add name=user1 <other options> routes=10.0.1.0/24
add name=user2 <other options> routes=10.0.2.0/24
add name=user3 <other options> routes=10.0.3.0/24
...
Or you don't have everything under control, and then you're creating something not completely reliable and a big security hole as a bonus.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Script on other RB

Wed Dec 01, 2021 5:44 am

This part is showing an error:

:set addr [:pick $addr 0 [:find $addr "/"]]

For me this one works:

/system ssh address=vpn-ip user=admin command="/ip route add dst-address=192.168.x.x gateway=10.10.z.z"
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Script on other RB

Wed Dec 01, 2021 6:11 am

btw what is the difference between ssh and ssh-exec?
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Wed Dec 01, 2021 12:30 pm

Let's say that I have to create a monitoring system for a guy who does industrial automation and is not very experienced in MikroTik ... The purpose is that he creates the server-side user and runs the script after modifying the variables at the head as per the instructions that I will deliver to him; the purpose is that, once launched on the new client, the functioning of the routes is complex for him ... and then, by doing so, once the client is configured, a script is activated that copies the DHCP network as a variable, which will be the dst-address of the route, and then copies the l.ip that is assigned by the server itself to the client and inserts it as the gateway of the route ... Finally, if the result indicates exit-code 0 as output, a string will be inserted that sets the user LED as interface-transmit of the VPN, so the user knows that the client is usable ... after which the script will self-destruct.
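The flow described above (strip the mask from the VPN address, push the route with ssh-exec, check the exit code, set the LED, remove the script), written out as a complete /system script; this is an added example, not code from the thread or from MikroTik. It assumes RouterOS 7, where ssh-exec with as-value returns an array with "exit-code" and "output", an SSTP interface named sstp-out1, the server address 10.10.114.1 from Jotne's post, a hypothetical restricted server user "routepush" for which the script's owner has an ssh key (Sob's point about the system account), and that the script is stored under the name "push-route"; the LED name depends on the board.

```routeros
# Added example, not from the thread. Run as a /system script owned by a
# user that has a private ssh key imported for the remote account.
:local vpnIf "sstp-out1"
:local server "10.10.114.1"
# Hypothetical server user: give it only the policies the route add needs
# and limit its allowed address to the VPN subnet, not full admin.
:local remoteUser "routepush"
:local me "push-route"

# The address the server handed to the client, e.g. "10.10.114.4/32".
:local ids [/ip address find where interface=$vpnIf disabled=no]
:if ([:len $ids] = 0) do={
    :log error "$me: no address on $vpnIf, is the tunnel up?"
    :error "no vpn address"
}
:local addr [/ip address get [:pick $ids 0] value-name=address]
# A route gateway must be a bare address: drop the "/32" that /ip address appends.
:local slash [:find $addr "/"]
:if ([:typeof $slash] != "nil") do={ :set addr [:pick $addr 0 $slash] }

# The LAN prefix served by the first local DHCP network, e.g. "10.10.110.0/24".
:local lan [/ip dhcp-server network get value-name=address number=0]

:local cmd "/ip route add dst-address=$lan gateway=$addr distance=1 comment=\"$lan via $addr\""
# as-value returns an array with "exit-code" and "output" (RouterOS 7 assumption).
:local res [/system ssh-exec address=$server user=$remoteUser command=$cmd as-value]
:local code ($res->"exit-code")
:local out ($res->"output")

:if ($code = 0) do={
    :log info "$me: route $lan via $addr added on $server"
    # Show tunnel activity on the user LED (assumed LED name "user-led").
    /system leds set [find where leds="user-led"] type=interface-transmit interface=$vpnIf
    # Remove this script so a scheduler or on-up hook cannot re-add the route forever.
    /system script remove [find where name=$me]
} else={
    :log warning "$me: server returned exit-code $code: $out"
}
```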
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Wed Dec 01, 2021 12:31 pm

Between ssh and ssh-exec the difference is that ssh-exec is used to run it from a system script ... ssh to run it from the terminal.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Script on other RB

Thu Dec 02, 2021 12:23 am

I'm not sure if I get it. You want multiple SSTP clients configured on remote routers that are probably not really under your control, otherwise you'd know what LAN subnets they have. So you'll need someone who will configure such a router for an outbound SSTP connection, and that person will obviously need access to it, so they will also see the required info. They could simply send it to you using e-mail, SMS, or whatever, and you'd add it to the server, but I can see how that may not be practical. So you want an automated way to get it to the server. Let's assume that an ssh connection to the main router is ok security-wise, because you can trust that person. So it should be easy: in addition to the SSTP config, that person will be given a simple script that they will run manually. If they can be trusted to configure the SSTP client, they should manage to run a script too. But then the part with the self-destructing script doesn't make sense. So I'm obviously missing something...
 
abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm
Contact:

Re: Script on other RB

Thu Dec 02, 2021 11:31 pm

The self-destructing script was intended to avoid the route being re-created on the server every ten seconds, indefinitely.....
However, I managed to do it all automatically ... thanks for the valuable advice.
