I built an advanced OpenVPN Keep-Alive Script that specifically monitors the VPN tunnel (tun1) interface and, upon ping failure, only reboots the openvpn client daemon and doesn't restart the whole router like the DDWRT built-in WatchDog does. This keeps the connected WiFi devices connected so that the WiFi stays stable. It's really annoying to have the WiFi drop because of reboots.
**** IMPORTANT NOTE BEFORE ANY INSTALL ****
At this time, there is no for-dummies guide on this. I am releasing this for the semi-techies out there or at least people who know how to SFTP into the router. This does require more advanced ddwrt skills. Don't even ask in this post how to WinSCP or SFTP into the router if you are a newbie. I am in the process of creating Visual Guides for this for 101 users. I am not responsible if you blow your router up in any way trying to do the job of a technician if you are clearly not a techie.
**** UPDATE ****
I created an auto-installer a few posts down... Read up.
Prerequisites are:
1) JFFS2 must be enabled under the Administration Tab
2) SSH must be enabled to install it. (Services Tab)
3) Cron will need to be enabled (Administration Tab)
How to Download:
You must be logged in to the DDWRT forum to see the zip file (for those who can't see the attachment on the forum).
Installation:
Install the script (sw_watchdog) into a new directory in the JFFS folder called "sw_watchdog"
/jffs/sw_watchdog/
chmod the script to 755 (through an SSH terminal or telnet: chmod 755 sw_watchdog) or set the permissions in WinSCP by right-clicking the script and opening its Properties.
Test it at the Terminal
(make sure you have an active VPN client connection)
Code:
sh /jffs/sw_watchdog/sw_watchdog
If your connection is active it will simply exit saying ping successful.
Now let's get dirty and kill the openvpn client.
Issue the command below in the terminal.
Code:
killall openvpn
Now run the script again :
Code:
sh /jffs/sw_watchdog/sw_watchdog
Test your VPN connection with your internet browser.... it should work. You killed the openvpn connection and initialized the script to restart the VPN. You will be able to see it work.
The CRON job will run the checker every minute and restart openvpn upon not being able to ping through the vpn tunnel (tun1 interface) specifically.
The Method Behind the script (Development Notes).
The only way to successfully test the VPN tunnel is to ping out the VPN interface (in most instances this is tun1). For some of you, it may be tun0 or tun2 depending on whether you have manually set your router up (only advanced users). In that instance, you can modify the variables in the script.
The problem I ran into is that when we PING from the VPN tun1 interface, if it has been killed or goes down, it doesn't allow us to ping to > /dev/null and simply gives a "Bad Address" error which cannot be parsed nor is reliable. So what I did is ping the address (google) and save the data to a text file. What happens is this: if the text file ends up empty (because of the bad address error) it will proceed to the OpenVPN Rebooter section of the script I created. Otherwise, if it detects "bytes from" through the grep command on the saved ping file (which only happens on a successful ping), it exits.
The OpenVPN Rebooter
So the OpenVPN rebooter is pretty straight forward. I use the route-down.sh in the /tmp/openvpncl to bring the route down from the ip tables and then use "killall openvpn" to terminate all openvpn instances. Then I manually start the OpenVPN daemon, wait about 20 seconds for the VPN to fully connect and initialize (can be less time on some VPN providers) and then initialize the OpenVPN route-up.sh to add the routes back to the ip tables.
The reason for having to bring the routes down and up is to get around the killswitch firewall rules that normally require a router restart to re-initialize the routes. Using this method, we mimic a restart without needing to restart.
Redundancy Check
Sometimes the VPN will connect and then disconnect within 10 seconds for bizarre server-related issues (these vary), especially on services like NordVPN and PureVPN. The redundancy checker will then restart the script to verify the VPN connection has actually been re-established and, if not, start the process all over again. I built this as a failsafe against CRON's timing.
If the CRON is set to 1 minute, then the script will start all over anyway within a minute, but this is super useful if you are impatient or basically want to set a higher time setting on the cron.
Purpose of the Script
Anyway, the primary purpose behind this script was the unreliability of VPN providers like PureVPN that fail constantly, and the need for reliability of the router's VPN connection without having to restart the whole router.
I couldn't find anyone on the forums who had already programmed this, so hopefully this helps everyone.
Terms of Use:
Free for all to Modify or Use however you want.
There is plenty of expansion and usages for this.
Help the Community
For all the techies out there, please keep me posted on results. I am sure there are going to need to be fixes or modifications made. This should work on almost all basic OpenVPN client router installs.
Also, thanks to T. Stines for his Crash Test Dummy help on beta testing this on PureVPN for me. Excellent customer and very patient man.
Last edited by sploit on Sun Sep 17, 2017 23:31; edited 3 times in total
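The check, restart and re-check flow described in the three sections above (ping test, OpenVPN Rebooter, Redundancy Check), written here as an added example; it is not sploit's sw_watchdog. The openvpn start command and the /tmp/openvpncl/openvpn.conf path are assumptions, and route-down.sh/route-up.sh are only run if present:

```shell
# Added example of the thread's check/restart/re-check flow, not the original sw_watchdog.
# The openvpn start line and OVPN_CONF path are assumptions; adjust them for your router.
TUN_IF="${TUN_IF:-tun1}"           # tunnel interface to ping through (tun0/tun2 on some setups)
TEST_ADDR="${TEST_ADDR:-8.8.8.8}"  # host to ping through the tunnel
OVPN_DIR="/tmp/openvpncl"          # dd-wrt openvpn client dir holding route-up.sh/route-down.sh
OVPN_CONF="$OVPN_DIR/openvpn.conf" # assumed config path, check yours
PING_TRIES=5                       # pings before the tunnel is declared down
CONNECT_WAIT=20                    # seconds to let the new tunnel come up
RESTART_TRIES=3                    # restart cycles before giving up (redundancy check)
# Succeeds as soon as one ping answers through the tunnel; ping's exit status
# also covers the "Bad Address" case, so no temp file on /jffs is needed.
tunnel_up() {
    tries=0
    while [ "$tries" -lt "$PING_TRIES" ]; do
        if ping -c 1 -W 1 -I "$TUN_IF" "$TEST_ADDR" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}
# Mimic a router restart for the VPN only: routes down, kill, start, wait, routes up.
restart_openvpn() {
    [ -x "$OVPN_DIR/route-down.sh" ] && "$OVPN_DIR/route-down.sh"
    killall openvpn 2>/dev/null
    sleep 1
    openvpn --config "$OVPN_CONF" --daemon
    sleep "$CONNECT_WAIT"
    [ -x "$OVPN_DIR/route-up.sh" ] && "$OVPN_DIR/route-up.sh"
}
# Check, restart on failure and re-check, so a tunnel that drops again within
# seconds is caught now rather than on the next cron run. Returns 0 if up.
watchdog() {
    restarts=0
    while :; do
        if tunnel_up; then
            echo "Ping through $TUN_IF succeeded, exiting"
            return 0
        fi
        if [ "$restarts" -ge "$RESTART_TRIES" ]; then
            echo "Tunnel still down after $restarts restarts"
            return 1
        fi
        echo "No reply through $TUN_IF, restarting openvpn"
        restart_openvpn
        restarts=$((restarts + 1))
    done
}
# Only act when a dd-wrt openvpn client is configured; otherwise just report.
if [ -d "$OVPN_DIR" ]; then watchdog; exit $?; else echo "$OVPN_DIR missing, no OpenVPN client to watch"; fi
```

Run it from cron as sh /jffs/sw_watchdog/sw_watchdog just like the original; its exit status is 0 when the tunnel answers and 1 when it is still down after the restart cycles.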
To Install JFFS AND CRON commands rapidly for the SploitWorks VPN Watchdog, go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands" (The router Will Reboot)
######## STEP 2 #########
#########################
NOW... AFTER THE ROUTER REBOOTS we need to install the Watchdog
To Install the SploitWorks VPN Tunnel Watchdog go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands" (The router Will NOT need to Reboot)
#########################
#########################
How to Uninstall
#########################
######################### WARNING: This will erase all cron jobs
To Un-Install the SploitWorks VPN Watchdog, go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands"
go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands"
Code:
/bin/sh /jffs/sw_watchdog/sw_watchdog
If you get this, the watchdog is installed.
Quote:
Starting SploitWorks VPN Tunnel Ping Checker on tun1
#######################################
The Pings were Successful... Exiting...
If you get this, then...
Quote:
/bin/sh: can't open '/jffs/sw_watchdog/sw_watchdog'
It didn't install... check your internet connection and try again.
Also, you may need to disable the VPN before installing... sometimes certain VPNs proxy the connection and it corrupts the install.
CRON CHECK - Make sure the script is in the cron scheduler
Also, make sure under ADMINISTRATION...MANAGEMENT... UNDER CRON that the following is in the cron input field
SPECIAL NOTE
IF you disable your VPN, make sure to stop the cron job under ADMINISTRATION...MANAGEMENT.... CRON... Otherwise the script will keep trying to restart the OpenVPN Daemon every time the cron runs!
Posted: Wed Oct 04, 2017 20:46 Post subject: small update
Good work, script is running fine, thanks !!
Just a small improvement: according to https://www.dd-wrt.com/wiki/index.php/JFFS, JFFS should not be used for frequently changing files. So writing into swpingdata.txt too often is not a very good idea...
I have updated your script as follows [no temporary file is used now]:
# test_address and tunnel_interface are the variables already set at the top of
# sw_watchdog (the host to ping and the tun interface to ping through).
ping_tries=0
while [ "$ping_tries" -lt 5 ]
do
    # only ping's exit status is checked, so nothing is written to /jffs
    if ping -c 1 -W 1 "$test_address" -I "$tunnel_interface" >/dev/null
    then
        echo "The Pings were Successful [exit 0]"
        exit 0
    fi
    ping_tries=$((ping_tries+1))
done
Posted: Sun Dec 03, 2017 8:04 Post subject: Works but problems if using PBR and firewall rules.
Awesome script. Works perfectly resetting the VPN connection, but I'm using PBR and firewall rules to prevent clients connecting directly to my vlan2, and even after reestablishing VPN connectivity the IPs in the PBR list don't get connectivity.
This is fixed only if i manually reload the firewall rules via the webgui.
Any ideas how to automate resetting the firewall at the end of your script? And while that happens those clients get no connectivity at all. Depending on the firmware version I had momentary leaks while the firewall was resetting.
Posted: Sun Dec 03, 2017 8:49 Post subject: Restore iptables
Tried that. I can stop the service, but if I don't include arguments for the startservice I get the error below.
====
cannot open /proc/sys/net/ipv4/conf/br0/loop
====
I figured I need to restore the iptables while restarting the firewall service, but I can't figure out where the proper iptables with the PBR settings and firewall restrictions are located. Something similar to /tmp/.ipt
Thank you for this, this is god tier scripting and some great thinking. I ran the script and followed your directions and it is working perfectly. Thank you thank you thank you!
Posted: Mon Dec 11, 2017 4:47 Post subject: Re: Restore iptables
nnicolao wrote:
Tried that. I can stop the service, but if I don't include arguments for the startservice I get the error below.
====
cannot open /proc/sys/net/ipv4/conf/br0/loop
====
I figured I need to restore the iptables while restarting the firewall service, but I can't figure out where the proper iptables with the PBR settings and firewall restrictions are located. Something similar to /tmp/.ipt
This is exactly what needs to be done
Command is: find / -name '*ipt*'
However, it should be in the /tmp directory, it's just hidden.
Might take a look at this: https://wiki.dd-wrt.com/wiki/index.php/Jffs#Directions_for_.28normal.29_users:_using_Web-GUI_Interface
Thanks, but I didn't get any internal mounting to work... so I now have a USB stick mounted as /jffs and the script installs without a problem (I see the folder via SSH). But if I enter the check command I only get "Processing please wait"... never stops... I actually have to pull the plug. Anyone have an idea?
It's most probably me getting out of the proper order trying to fix things. Now the check command runs for a short while but gives no output at all. I guess I'll have to uninstall and start from the beginning.
The script seems to break jffs mounting on my router.
After I installed everything in the right order the jffs options show no jffs. After I run the uninstall script I see jffs is mounted.
BUT manual installation did fine, so I guess I'm good now.
What confuses me is that above I read that firewall stop starts will be added .. but the search for "firewall" has no hits.