DD-WRT OpenVPN Restart Script

DD-WRT Forum Index -> Advanced Networking
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Fri Aug 26, 2016 1:04    Post subject: DD-WRT OpenVPN Restart Script
My VPN drops from time to time and I don't want to power cycle my router; I'd kill for something like If This Then That, like if the WDS Connection Watchdog were capable of running scripts or restarting services rather than power cycling the router. Anyway, here is a script that I copied from perusing various sites; I put it in a cron job to run every two minutes.

#!/bin/bash

# Probe 8.8.8.8 once; if the ping fails, restart OpenVPN.
if ping -c 1 8.8.8.8 > /dev/null
then
  : # colon is a null command and is required
else
  stopservice openvpn ; startservice openvpn
fi

So far no errors in the syslog; it doesn't look like it's stopping and starting openvpn every two minutes. I have doubts that it will work. Anyone else care to share what they would use?
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 11:42
Was kind of hoping for an answer to this problem. My firewall rules for the R7000:

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Cron has:

*/2 * * * * /tmp/custom.sh    (the file has 700 permissions)

According to this site, that's every two minutes:

http://crontab.guru/

There is nothing in /var/log/crontab because it doesn't exist. I do not think the script is running because there is nothing in the logs. Help?

Edit: file had 700 not 600 permissions.
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 15:50
Changed the script to run with #!/bin/sh and added:

*/2 * * * * root /tmp/custom.sh

to cron, but...no difference.
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 16:20
Had a connection drop; this was in the syslog:

Aug 27 16:08:12 R7000 daemon.err openvpn[6982]: MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:16: Address in use
Aug 27 16:08:12 R7000 daemon.notice openvpn[6982]: Exiting due to fatal error

The script is not running for whatever reason. I ssh'd in and tried to ping 8.8.8.8 and I could, so I don't know wtf is going on; that might explain why the script wouldn't restart openvpn, because it could still ping Google. It's like over ssh it's not going through the firewall, because it was stopping all the other traffic like the iptables firewall rules are supposed to. Am I missing a firewall rule related to ICMP? Why would WDS work and not this?
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 18:34
Changed the firewall rules:

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Pings still get through when the VPN is down. I do not understand. So I switched to wget -sq google.ca in my script; we'll see if this has any effect.
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 18:39
Well, I don't get it. With all those rules, if I stop openvpn not a fucking thing gets through on Chrome; as soon as I ssh into the router it's like everything is excluded from the firewall. Doesn't make any damn sense.
buffalo0207 (DD-WRT User; joined 30 Apr 2014; posts: 147; location: UK)
Posted: Sat Aug 27, 2016 19:12
I've been looking for a VPN restart script for ages. Hope you get it working...
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 19:22
Never before in all my life have I seen something this fucking dumb. I just completed a factory reset and restored my settings; no damn effect. Is the router like a DMZ or something? How the hell does WDS even fucking work? So fucking mad right now...
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sat Aug 27, 2016 23:07
Someone on IRC brought to my attention that iptables -L wasn't showing any of my firewall rules. Am I to understand that DD-WRT creates its firewall rules on the fly? Where does it keep them? Why can't I just put my rules in with the regular rules? Are my rules even being followed?

To answer the last question: they are followed inside the network, but on the router itself they don't seem to be followed at all. Considering I can ping anything from the router whether the VPN is up or down, rendering my script pointless, I have to have an always-on device inside my network running a ping or wget every two minutes and, if there is no ping, ssh into the router and stop/start openvpn. I'm laughing my ass off that I even need to consider this option and am actually thinking of building a pfSense box if it's going to fix this nonsense. Is DD-WRT not capable of doing this?
Mike42Smith (DD-WRT User; joined 14 Feb 2016; posts: 146; location: Germany)
Posted: Sun Aug 28, 2016 12:05
Let me explain some points:

Quote:
if ping -c 1 8.8.8.8 > /dev/null

If you send a ping (or any other packet) from your router, it will go through the WAN interface and not the VPN interface by default, unless the openvpn config sets the rule to change the default gateway (like redirect-gateway def1). However, this will cause some problems for the router to connect to the VPN server, so be careful setting this option. It is only applicable if another routing rule is defined previously which obtains the gateway for packets to the VPN server.

Quote:

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE


Be aware to use an explicit row number at which the rule is inserted (e.g. iptables -I FORWARD 3 -i br0 -o vlan2 -j DROP).
Otherwise each new iptables rule will be inserted at the top. That inserts the rules in the reverse order from how you have defined them. In your case it won't cause any problem, but maybe the next time you will remember.
Anyway, your first rule is just the port on which the DHCP client gets the answer to a request. You don't need to open it because established and related connections are accepted by default on the INPUT chain.

Quote:
*/2 * * * * root /tmp/custom.sh

Where did you set this up? On the command line or in the WebGUI?
All files are generated at boot because the router doesn't have any hard disk. All settings have to be stored by the nvram system. So use the WebGUI if you are not used to the nvram system.


Question:
Quote:
My VPN drops from time to time ...

Does the openvpn process crash, or is just the connection terminated?
If you notice the drop, please have a look at the running processes with
Code:
ps



And now my recommendation:
Use the up and down script function implemented in openvpn.
All commands set up in the up script are run when the connection is established (interface goes up) and all commands in the down script are run if the interface goes down.
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

You have to add the following lines into the Additional Config of openvpn:
Code:
script-security 2
down /tmp/openvpn/fw-down.sh


Further, you have to add your script to the start-up script in the WebGUI so that the file is generated at boot.


Code:

stopservice openvpn
mkdir -p /tmp/openvpn    # the directory must exist before the script is written into it
echo "#!/bin/sh
stopservice openvpn
startservice openvpn
" > /tmp/openvpn/fw-down.sh

chmod u+x /tmp/openvpn/fw-down.sh
chmod go-rwx /tmp/openvpn/fw-down.sh

startservice openvpn

_________________
Ongoing experiences with:
Linksys E3000 and WRT610N v2
TP-Link Archer C9
Raspberry Pi and TP-Link TL-WR710N with OpenWRT
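Mike42Smith's point above is the reason the original cron script never fires: a ping sent from the router leaves via the WAN default route, so it succeeds whether the tunnel is up or not. The following is an added example, not code from this thread or from DD-WRT: a cron watchdog that binds its probe to the tunnel interface with ping -I, so the probe fails exactly when the tunnel is down, and that refuses to overlap with a run still in progress. It assumes the DD-WRT OpenVPN client interface is tun1, that busybox ping accepts -I and -W, that stopservice/startservice are the DD-WRT service helpers, and that the script is written to /tmp/vpn-watchdog.sh from the startup script and called from cron (the file name, lock path and the log tag are my assumptions).

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven OpenVPN watchdog for DD-WRT.
# Assumed: client interface tun1, probe host reachable only once the tunnel is
# up, DD-WRT's stopservice/startservice helpers. Save as /tmp/vpn-watchdog.sh.

VPN_IF="${VPN_IF:-tun1}"
PROBE_HOST="${PROBE_HOST:-8.8.8.8}"
SYSNET="${SYSNET:-/sys/class/net}"        # where interface directories live
LOCK="${LOCK:-/tmp/vpn-watchdog.lock}"
# The probe and the restart action are variables so the decision logic can be
# exercised without a real tunnel (e.g. PING=false, RESTART=some_stub).
PING="${PING:-ping}"
RESTART="${RESTART:-restart_openvpn}"

restart_openvpn() {
    logger -t vpn-watchdog "no reply via $VPN_IF, restarting openvpn"
    stopservice openvpn
    # Give the old daemon time to release its management socket; the syslog
    # quoted earlier shows "Socket bind failed ... Address in use" on a fast restart.
    sleep 3
    startservice openvpn
}

# 0 when the tunnel interface exists and a probe sent *through it* is answered.
# -I binds the probe to tun1: a plain ping from the router would leave via the
# WAN default route and succeed even with the tunnel down.
tunnel_ok() {
    [ -d "$SYSNET/$VPN_IF" ] || return 1
    "$PING" -I "$VPN_IF" -c 1 -W 5 "$PROBE_HOST" >/dev/null 2>&1
}

# Prints the action taken ("ok" or "restart"); returns 0 only when the tunnel is healthy.
watchdog() {
    if tunnel_ok; then
        echo ok
        return 0
    fi
    echo restart
    "$RESTART"
    return 1
}

# Cron fires again every two minutes, possibly while a restart is still in
# progress; the lock directory makes a second instance exit instead of
# stacking stop/start cycles (mkdir is atomic, so there is no check-then-create race).
main() {
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "watchdog already running"
        return 0
    fi
    trap 'rmdir "$LOCK"' EXIT
    watchdog
}

# Run only when executed as the watchdog script, not when sourced for testing.
case "$0" in
    */vpn-watchdog.sh|vpn-watchdog.sh) main ;;
esac
```

Generate it from the DD-WRT startup script the same way the fw-down.sh above is generated (the file system under /tmp is empty after every boot), then add the `*/2 * * * * root /tmp/vpn-watchdog.sh` line in the cron box of the WebGUI. Checking for the interface directory first matters because busybox ping reports an error, not a timeout, when tun1 is absent; either way the result is a restart.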
jaskerx (DD-WRT Novice; joined 24 Aug 2016; posts: 32)
Posted: Sun Aug 28, 2016 12:46
Thank you very much for your reply. It was my understanding that any packets sent through the router would be subject to the rules of the firewall; I guess I am wrong. Please clarify this sentence:
Quote:
Be aware to use an explicit row number at which the rule is inserted (e.g. iptables -I FORWARD 3 -i br0 -o vlan2 -j DROP)
Otherwise each new iptables rule will be inserted at the top. That inserts the rules in the reverse order from how you have defined them. In your case it won't cause any problem, but maybe the next time you will remember.

Are you saying that some of the rules further down the line are being overwritten?

I was setting the crontab in the WebGUI, but saw nothing in the logs to indicate it was even working. The error in the syslog on the router that I usually get when the VPN stops working is
Quote:
Aug 24 12:53:09 R7000 user.info : openvpn : OpenVPN daemon (Client) hanging, send SIGKILL

Quote:
Aug 26 21:14:45 R7000 daemon.notice openvpn[1997]: [server] Inactivity timeout (--ping-restart), restarting


Then, because of resolv-retry infinite, it'll just go in an endless loop. I will also take your recommendation to use the up and down scripts that openvpn uses, although I need to do some further reading, as I'm sure stopping and starting the service calls the same scripts.

In the end, though, I was just going for simplicity and wanted this to "just work". Took my own advice, laughing all the while: created a script on my server to ping Google every 2 minutes and, if there is no ping, ssh into my router and stop/start openvpn. Not the most ideal approach, but it damn well works and took me all of 10 minutes to set up.

Code:
#!/bin/bash

# Runs on a LAN host, so the probe really goes through the router and the tunnel.
if ping -c 1 8.8.8.8 > /dev/null
then
  : # colon is a null command and is required
else
  # Restart OpenVPN on the router over ssh ("r7000" is an ssh host alias).
  ssh r7000 'stopservice openvpn ; startservice openvpn'
fi


This was basically easier than trying to figure out how to send pings from the LAN side of the firewall on the router.
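The server-side approach above works because the probe originates on the LAN, but it hands the server an ssh key that can run any command on the router as root. As an added example that is not part of the post, here is the same approach with the key locked to a single action on the router: a forced command that ignores whatever the client asked for and only restarts openvpn, plus the LAN-side check that invokes it. It assumes that dropbear on DD-WRT honours command= and the no-* options in an authorized key entry (pasted into the Authorized Keys box on the Services page), that the router is reachable as root@r7000, and that this one file is installed as /tmp/vpn-restart-forced.sh on the router and as vpn-lan-check.sh on the LAN host; the paths, key name and host alias are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: LAN-side OpenVPN restart with a key that
# can only restart the VPN. Assumed: dropbear honours command= and no-* options,
# router alias r7000, key at /root/.ssh/vpn-watchdog.
#
# Router side, one authorized-key line (keep it on a single line):
#   command="/tmp/vpn-restart-forced.sh",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... vpn-watchdog
# Router side, write this file as /tmp/vpn-restart-forced.sh (chmod 700) from the
# startup script; LAN side, save it as vpn-lan-check.sh and run it from cron.

PING="${PING:-ping}"
SSH="${SSH:-ssh}"
ROUTER="${ROUTER:-r7000}"
KEY="${KEY:-/root/.ssh/vpn-watchdog}"
RESTART_CMD="${RESTART_CMD:-stopservice openvpn; sleep 3; startservice openvpn}"

# Router side. dropbear runs this instead of the client's request and exposes
# that request as SSH_ORIGINAL_COMMAND. Only one token is accepted, so a
# compromised LAN host holding the key still cannot run arbitrary commands.
forced_command() {
    case "${SSH_ORIGINAL_COMMAND:-}" in
        vpn-restart)
            echo "restarting openvpn"
            sh -c "$RESTART_CMD"
            return 0 ;;
        *)
            echo "refused: ${SSH_ORIGINAL_COMMAND:-<empty>}" >&2
            return 1 ;;
    esac
}

# LAN side, run from cron on the always-on host. The probe is sent from a LAN
# client, so it traverses br0 -> tun1 and fails when the tunnel is down, unlike
# a ping issued on the router itself.
lan_check() {
    if "$PING" -c 1 -W 5 8.8.8.8 >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo restart
    # BatchMode: never fall back to a password prompt. StrictHostKeyChecking:
    # fail if the router's host key changes instead of silently trusting a new one.
    "$SSH" -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "root@$ROUTER" vpn-restart
}

case "$0" in
    */vpn-lan-check.sh|vpn-lan-check.sh) lan_check ;;
    */vpn-restart-forced.sh|vpn-restart-forced.sh) forced_command ;;
esac
```

The no-pty and no-port-forwarding options close the other things a restricted key could still do; the forced command, not the client, decides what runs, which is why the LAN side sends only the token "vpn-restart" and never a shell command.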
GiveMeAGuide (DD-WRT Novice; joined 10 Jun 2019; posts: 2)
Posted: Wed Jun 12, 2019 12:56
This is a total necropost. I'm just trying to help out anyone who may stumble upon this in future (because I've just worked through it myself); this is what worked for me... Make sure you use the right quote chars. Replace the ["] with ['], which is the one next to the [Enter] key.
Code:

stopservice openvpn
mkdir -p /tmp/openvpn    # the directory must exist before the script is written into it
echo '#!/bin/sh
stopservice openvpn
startservice openvpn
' > /tmp/openvpn/fw-down.sh

chmod u+x /tmp/openvpn/fw-down.sh
chmod go-rwx /tmp/openvpn/fw-down.sh

startservice openvpn
egc (DD-WRT Guru; joined 18 Mar 2014; posts: 12837; location: Netherlands)
Posted: Wed Jun 12, 2019 13:54
@Sploit has made an excellent solution for VPNs that disconnect.

It is a watchdog script which restarts the VPN upon disconnection see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1093602&sid=3f4af7a2a3809ee13d1f595280b6f715

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
GiveMeAGuide (DD-WRT Novice; joined 10 Jun 2019; posts: 2)
Posted: Thu Jun 13, 2019 1:25
Thanks for replying, egc. I have not seen that post by Sploit before.

Unfortunately there are reports that enabling jffs will brick my router which is the TP-Link Archer C9 (https://wiki.dd-wrt.com/wiki/index.php/TP_Link_Archer_C9)

By the way, I used your guide to set up my openvpn server (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795&sid=d7c0a87b8ab06a9fa208261c60ebc347). Thank you so much for that.
egc (DD-WRT Guru; joined 18 Mar 2014; posts: 12837; location: Netherlands)
Posted: Thu Jun 13, 2019 8:10
I think that is about JFFS2, which you enable in the GUI and which dedicates a piece of the NVRAM to local storage.

A thing I do not recommend for anyone; I once bricked a router with this enabled when I tried to upgrade (there is not enough space for the upgrade process). Besides, it wears out your NVRAM pretty quickly.

But you do not need that; you have a USB port, so just use a USB stick for local storage and Bob's your uncle.
