Posted: Fri Aug 26, 2016 1:04 Post subject: DD-WRT OpenVPN Restart Script
My VPN drops from time to time and I don't want to power-cycle my router; I'd kill for something like "if this then that", like if the WDS Connection Watchdog were capable of running scripts or restarting services rather than power-cycling the router. Anyway, here is a script that I pieced together from perusing various sites; I put it in a cron job to run every two minutes.
#!/bin/sh
# DD-WRT's shell is busybox ash at /bin/sh; there is no /bin/bash on a stock build
# probe a public address once; if there is no reply, restart the OpenVPN client
if ! ping -c 1 8.8.8.8 > /dev/null 2>&1
then
    stopservice openvpn ; startservice openvpn
fi
So far no errors in the syslog; it doesn't look like it's stopping and starting openvpn every two minutes. I have doubts that it will work. Anyone else care to share what they would use?
Aug 27 16:08:12 R7000 daemon.err openvpn[6982]: MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:16: Address in use
Aug 27 16:08:12 R7000 daemon.notice openvpn[6982]: Exiting due to fatal error
The script is not running for whatever reason. I SSH'd in and tried to ping 8.8.8.8 and I could, so I don't know wtf is going on; that might explain why the script wouldn't restart openvpn, because it could still ping Google. It's like over SSH it's not going through the firewall, because it was stopping all the other traffic like the iptables firewall rules are supposed to. Am I missing a firewall rule related to ICMP? Why would WDS work and not this?
Well, I don't get it. With all those rules, if I stop openvpn not a fucking thing gets through on Chrome, but as soon as I SSH into the router it's like everything is excluded from the firewall. Doesn't make any damn sense.
Never before in all my life have I seen something this fucking dumb. I just completed a factory reset and restored my settings; no damn effect. Is the router like a DMZ or something? How the hell does WDS even fucking work? So fucking mad right now...
Someone on IRC brought to my attention that iptables -L wasn't showing any of my firewall rules. Am I to understand that DD-WRT creates its firewall rules on the fly? Where does it keep them? Why can't I just put my rules in with the regular rules? Are my rules even being followed?
To answer the last question: they are followed inside the network, but on the router itself they don't seem to be followed at all. Considering I can ping anything from the router whether the VPN is up or down, rendering my script pointless, I have to have an always-on device inside my network running a ping or wget every two minutes, and if there is no ping, SSH into the router and stop/start openvpn. I'm laughing my ass off that I even need to consider this option, and I am actually thinking of building a pfSense box if it's going to fix this nonsense. Is DD-WRT not capable of doing this?
If you send a ping (or any other packet) from your router, it will go through the WAN interface and not the VPN interface by default, unless the openvpn config sets the rule to change the default gateway (like: redirect-gateway def1). However, this will cause some problems for the router connecting to the VPN server, so be careful setting this option. It is only applicable if another routing rule is defined beforehand which provides the gateway for packets to the VPN server.
Be aware to use an explicit row number at which the rule is inserted (e.g. iptables -I FORWARD 3 -i br0 -o vlan2 -j DROP).
Otherwise each new iptables rule will be inserted at the top, which puts the rules in the reverse of the order you defined them. In your case it won't cause any problem, but maybe next time you will remember.
Anyway, your first rule is just the port on which the DHCP client gets the answer to a request. You don't need to open it, because established and related connections are accepted by default on the INPUT chain.
Quote:
*/2 * * * * root /tmp/custom.sh
Where did you set this up? On the command line or in the WebGUI?
All files are generated at boot because the router doesn't have any hard disk. All settings have to be stored by the nvram system. So use the WebGUI if you are not used to the nvram system.
Question:
Quote:
My VPN drops from time to time ...
Does the openvpn process crash, or is it just the connection that terminates?
If you notice the drop, please have a look at the running processes with
Code:
ps
And now my recommendation:
Use the up and down script function implemented in openvpn.
All commands set up in the up script are run when the connection is established (interface goes up), and all commands in the down script are run if the interface goes down.
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
You have to add the following lines to the Additional Config of openvpn:
Code:
script-security 2
down /tmp/openvpn/fw-down.sh
Further, you have to add your script to the start-up script in the WebGUI so that the file is generated at boot.
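The reply above gives the two Additional Config lines and says the hook file has to be regenerated by the start-up script because /tmp is empty after a reboot, but it does not show what goes into the hook or how the start-up script creates it. The following is an added example, not code from the thread or from DD-WRT: a start-up script that writes a matching pair of hooks, where `down` inserts a LAN-to-WAN DROP at an explicit position in FORWARD (the point made about `iptables -I FORWARD 3 ...` above) so clients cannot leak onto the plain WAN while the tunnel is gone, and `up` removes it again. Assumed and labelled in the code: the LAN bridge is br0 and the WAN interface is vlan2 as in the reply, the hooks live at /tmp/openvpn/fw-down.sh and /tmp/openvpn/fw-up.sh, and the Additional Config carries `script-security 2`, `up /tmp/openvpn/fw-up.sh` and `down /tmp/openvpn/fw-down.sh`.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): start-up script that regenerates
# the OpenVPN up/down hooks under /tmp at every boot.
# Assumptions: LAN bridge br0, WAN interface vlan2 (as in the reply above), and
# these Additional Config lines in the OpenVPN client:
#   script-security 2
#   up   /tmp/openvpn/fw-up.sh
#   down /tmp/openvpn/fw-down.sh

HOOK_DIR="${HOOK_DIR:-/tmp/openvpn}"
LAN_IF="${LAN_IF:-br0}"      # assumed LAN bridge
WAN_IF="${WAN_IF:-vlan2}"    # assumed WAN interface

# The kill-switch match: LAN clients may not be forwarded straight to the WAN.
# The same match is used for -I (insert at explicit position 1, the top of
# FORWARD, so it is never shuffled below a rule that would accept the traffic)
# and for -D, so the delete finds exactly this rule.
KILL_RULE="-i $LAN_IF -o $WAN_IF -j DROP"

# Write both hooks into the given directory and make them executable.
write_hook_scripts() {
    dir="$1"
    mkdir -p "$dir"

    # down: OpenVPN runs this when the tunnel interface goes away. Only the
    # FORWARD chain is touched; the router's own OUTPUT traffic is untouched,
    # so the client can still reach the VPN server to reconnect.
    # The while loop first removes any copies left by earlier down calls, so
    # the chain never accumulates duplicates (works on iptables builds without -C).
    cat > "$dir/fw-down.sh" <<EOF
#!/bin/sh
# \$1 is the tun device name passed by OpenVPN
logger -t openvpn-hook "down: \$1 gone, blocking ${LAN_IF}->${WAN_IF} forwarding"
while iptables -D FORWARD $KILL_RULE 2>/dev/null; do :; done
iptables -I FORWARD 1 $KILL_RULE
EOF

    # up: OpenVPN runs this once the tunnel device is open again. Remove every
    # copy of the block.
    cat > "$dir/fw-up.sh" <<EOF
#!/bin/sh
logger -t openvpn-hook "up: \$1 established, unblocking ${LAN_IF}->${WAN_IF} forwarding"
while iptables -D FORWARD $KILL_RULE 2>/dev/null; do :; done
EOF

    chmod 755 "$dir/fw-down.sh" "$dir/fw-up.sh"
}

# Only install on the router itself (where DD-WRT's startservice exists);
# sourcing this file elsewhere just defines the function for inspection.
if command -v startservice >/dev/null 2>&1; then
    write_hook_scripts "$HOOK_DIR"
fi
```

Paste the whole block into Administration > Commands > Startup in the WebGUI so it runs at every boot, then restart the OpenVPN client once. One timing caveat from the OpenVPN manual: `up` runs right after the tun device is opened, before routes are installed; if that gap matters, point `route-up` at fw-up.sh instead of `up`, since `route-up` runs after the routes are in place.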
Thank you very much for your reply. It was my understanding that any packets sent through the router would be subject to the rules of the firewall; I guess I am wrong. Please clarify this sentence:
Quote:
Be aware to use an explicit row number at which the rule is inserted (e.g. iptables -I FORWARD 3 -i br0 -o vlan2 -j DROP).
Otherwise each new iptables rule will be inserted at the top, which puts the rules in the reverse of the order you defined them. In your case it won't cause any problem, but maybe next time you will remember.
Are you saying that some of the rules further down the line are being overwritten?
I was setting the crontab in the WebGUI, but saw nothing in the logs to indicate it was even working. The error in the syslog on the router that I usually get when the VPN stops working is
Then, because of resolv-retry infinite, it'll just go in an endless loop. I will also take your recommendation to use the up and down scripts that openvpn uses, although I need to do some further reading, as I'm sure stopping and starting the service calls the same scripts.
In the end, though, I was just going for simplicity and wanted this to "just work". Took my own advice, laughing all the while: created a script on my server to ping Google every 2 minutes and, if there is no ping, SSH into my router and stop/start openvpn. Not the most ideal approach, but it damn well works and took me all of 10 minutes to set up.
Code:
#!/bin/bash
# runs on a LAN host from cron every two minutes: if 8.8.8.8 does not answer
# (the tunnel is down and the router's rules are blocking LAN traffic),
# bounce the OpenVPN client on the router over SSH
# "r7000" is a host alias in ~/.ssh/config with key-based login to the router
if ! ping -c 1 8.8.8.8 > /dev/null 2>&1
then
    ssh r7000 'stopservice openvpn ; startservice openvpn'
fi
This was basically easier than trying to figure out how to send pings from the LAN side of the firewall on the router.
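The earlier reply explained why the OP's on-router check never fired: a bare ping from the router leaves over the WAN, so it answers whether or not the tunnel is up, which is why the OP ended up probing from a LAN host. The following is an added example, not code from the thread, showing the on-router alternative: the same probe pinned to the tunnel interface with busybox ping's `-I`, so it fails when the tunnel is gone; a consecutive-failure counter so one lost packet does not bounce the client; and a pause between stop and start so the old process can release its management port (the "Socket bind failed ... Address in use" exit in the log above is what two instances contending for that port looks like). Assumed and labelled in the code: the client interface is tun1, this build's busybox ping accepts `-I` and `-W`, the counter lives under /tmp, and the script is saved as /tmp/vpnwatch.sh and called with the argument `run` from the cron line shown in the comment.

```shell
#!/bin/sh
# Added example, not from the thread: VPN-aware watchdog for DD-WRT (busybox sh).
# Assumptions: OpenVPN client interface tun1, busybox ping with -I/-W,
# stopservice/startservice as on DD-WRT. Cron line (WebGUI, every 2 minutes):
#   */2 * * * * root /tmp/vpnwatch.sh run

VPN_IF="${VPN_IF:-tun1}"                 # assumed client interface name
TARGET="${TARGET:-8.8.8.8}"              # probe address, as in the original script
STATE="${STATE:-/tmp/vpnwatch.fails}"    # consecutive-failure counter file
THRESHOLD="${THRESHOLD:-3}"              # failures before a restart (3 x 2 min)
SETTLE="${SETTLE:-5}"                    # seconds between stop and start

# Probe through the tunnel. -I pins the source interface, so the probe fails
# when tun1 is gone instead of silently taking the WAN route a bare ping uses.
# Exit status 0 = reply received.
probe_vpn() {
    ping -c 1 -W 5 -I "$VPN_IF" "$TARGET" >/dev/null 2>&1
}

# Pure bookkeeping, kept separate so it is testable without a network.
# Arguments: probe exit status, previous failure count.
# Prints the new count; returns 0 only when a restart is due.
next_state() {
    result="$1"
    fails="$2"
    if [ "$result" -eq 0 ]; then
        echo 0                         # tunnel answered: reset the counter
        return 1
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$THRESHOLD" ]; then
        echo 0                         # restarting: start counting afresh
        return 0
    fi
    echo "$fails"
    return 1
}

restart_openvpn() {
    logger -t vpnwatch "no reply via $VPN_IF $THRESHOLD times in a row, restarting openvpn"
    stopservice openvpn
    sleep "$SETTLE"   # let the old process release its management port and tun device
    startservice openvpn
}

run_once() {
    if probe_vpn; then rc=0; else rc=$?; fi
    prev=$(cat "$STATE" 2>/dev/null || echo 0)
    : "${prev:=0}"                     # empty file counts as zero failures
    if new=$(next_state "$rc" "$prev"); then
        echo "$new" > "$STATE"
        restart_openvpn
    else
        echo "$new" > "$STATE"
    fi
}

# Only act when invoked with "run" (from cron); sourcing the file just defines
# the functions.
if [ "${1:-}" = run ]; then
    run_once
fi
```

Because the counter is reset as soon as one probe succeeds, a flapping link that answers every other minute never triggers a restart; lower THRESHOLD if that is too lenient for your uplink. The script runs as root from cron, so keep it in /tmp only if the start-up script recreates it at boot, exactly as the reply above says for the hook files.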
This is a total necropost. I'm just trying to help out anyone who may stumble upon this in the future (because I've just worked through it myself). This is what worked for me... Make sure you use the right quote characters: replace the ["] with ['], the one next to the [Enter] key.
Thanks for replying, egc. I have not seen that post by Sploit before.
Unfortunately there are reports that enabling jffs will brick my router which is the TP-Link Archer C9 (https://wiki.dd-wrt.com/wiki/index.php/TP_Link_Archer_C9)
By the way, I used your guide to set up my openvpn server (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795&sid=d7c0a87b8ab06a9fa208261c60ebc347). Thank you so much for that
Joined: 18 Mar 2014 Posts: 12904 Location: Netherlands
Posted: Thu Jun 13, 2019 8:10 Post subject:
I think that is about JFFS2, which you enable in the GUI and which dedicates a piece of the nvram to local storage.
A thing I do not recommend for anyone: I once bricked a router with this enabled when I tried to upgrade (there is not enough space for the upgrade process); besides, it wears out your nvram pretty quickly.