OpenVPN Client Tunnel Advanced Watchdog Script Donation

sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Fri Sep 08, 2017 3:54    Post subject: OpenVPN Client Tunnel Advanced Watchdog Script Donation
Hello Community...


I built an advanced OpenVPN Keep-Alive Script that specifically monitors the VPN Tunnel (tun1) interface and upon ping failure, only reboots the openvpn client daemon and doesn't restart the whole router like the DD-WRT built-in WatchDog does. This keeps the connected WiFi devices connected so that the WiFi stays stable. It's really annoying to have the WiFi drop because of reboots.

**** IMPORTANT NOTE BEFORE ANY INSTALL****
At this time, there is no for-dummies guide on this. I am releasing this for the semi-techies out there or at least people who know how to SFTP into the router. This does require more advanced DD-WRT skills. Don't even ask in this post how to WinSCP or SFTP into the router if you are a newbie. I am in the process of creating Visual Guides for this for 101 users. I am not responsible if you blow your router up in any way trying to do the job of a technician if you are clearly not a techie.

**** UPDATE ****
I created an auto-installer a few posts down... Read up.


pre-requisites are:

1) JFFS2 must be enabled under the Administration Tab
2) SSH must be enabled to install it. (Services Tab)
3) Cron will need to be enabled (Administration Tab)


How to Download:
You must be logged in to the DD-WRT forum to see the zip file (for those who can't see the attachment on the forum).

Installation:

Install the script (sw_watchdog) into a new directory in the JFFS folder called "sw_watchdog"

/jffs/sw_watchdog/

chmod the script 755 (through an SSH terminal or telnet: chmod 755 sw_watchdog) or set the permissions in WinSCP by right-clicking the properties of the script.


Test it at the Terminal
(make sure you have an active VPN client connection)

Code:
sh /jffs/sw_watchdog/sw_watchdog


If your connection is active it will simply exit saying ping successful.

Now let's get dirty and kill the openvpn client.
Issue the command below in the terminal.

Code:
killall openvpn


Now run the script again :
Code:
sh /jffs/sw_watchdog/sw_watchdog


Test your VPN connection with your internet browser.... it should work. You killed the openvpn connection and initialized the script to restart the VPN. You will be able to see it work.

Final Step...
Now add it to a cron job
Code:
*/1 * * * * root /bin/sh /jffs/sw_watchdog/sw_watchdog


(The 1 Above means every minute run the script)

The CRON job will run the checker every minute and restart openvpn upon not being able to ping through the vpn tunnel (tun1 interface) specifically.



The Method Behind the script (Development Notes).

The only way to successfully test the VPN tunnel is to ping out the VPN interface (in most instances this is tun1). For some of you, it may be tun0 or tun2 depending on whether you have manually set your router up (only advanced users). In that instance, you can modify the variables in the script.

The problem I ran into is that when we PING from the VPN tun1 interface, if it has been killed or goes down, it doesn't allow us to ping to > /dev/null and simply gives a "Bad Address" error which cannot be parsed nor is reliable. So what I did is ping the address (google) and save the data to a text file. What happens is this: if the text file ends up empty (because of the bad address error) it proceeds to the OpenVPN Rebooter section of the script I created. Otherwise, if it detects "bytes from" through the grep command on the saved ping file (which only happens on a successful ping), it exits.

The OpenVPN Rebooter

So the OpenVPN rebooter is pretty straightforward. I use the route-down.sh in /tmp/openvpncl to bring the route down from the iptables and then use "killall openvpn" to terminate all openvpn instances. Then I manually start the OpenVPN daemon, wait about 20 seconds for the VPN to fully connect and initialize (can be less time on some VPN providers) and then run the OpenVPN route-up.sh to add the routes back to the iptables.

The reason for having to bring the routes down and up is to get around the killswitch firewall rules that normally require a router restart to re-initialize the routes. Using this method, we mimic a restart without needing to restart.

Redundancy Check

Sometimes the VPN will connect and then disconnect within 10 seconds for bizarre server-related issues (they vary), especially on services like NordVPN and PureVPN. The redundancy checker will then restart the script to verify the VPN connection has actually been re-established and if not, start the process all over again. I built this as a failsafe against CRON's timing.

If the CRON is set to 1 minute, then the script will start all over anyway within a minute, but this is super useful if you are impatient or basically want to set a higher time setting on the cron.
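As an added illustration of the method described in this post (this is not sploit's sw_watchdog script and was not taken from the forum attachment), here is a minimal POSIX sh watchdog that follows the same three parts: ping out the tunnel interface and grep the saved output for "bytes from" rather than trusting ping's exit status, tear down routes / kill and restart the client / bring routes back up, and loop back for a redundancy re-check. Assumptions made here that the post does not state: the client config lives at /tmp/openvpncl/openvpn.conf and is started with `openvpn --cd ... --config ... --daemon`, 8.8.8.8 is the test address, the ping output is saved under /tmp (RAM) rather than /jffs, the re-check loop is bounded by MAX_RESTARTS, and a lock directory stops two cron runs from overlapping during the 20 second connect wait. The cron line for this version carries an extra `run` argument so that the functions can be loaded without executing.

```sh
#!/bin/sh
# Added example, not the thread's own sw_watchdog script. Paths, timings and
# the openvpn start line are assumptions; adjust TUNNEL_IF for tun0/tun2 setups.

TUNNEL_IF="${TUNNEL_IF:-tun1}"              # VPN interface to test through
TEST_ADDR="${TEST_ADDR:-8.8.8.8}"           # assumed test address
PING_FILE="${PING_FILE:-/tmp/sw_ping.$$}"   # /tmp is RAM, so no JFFS wear
OVPN_DIR="${OVPN_DIR:-/tmp/openvpncl}"      # DD-WRT client dir with route-up.sh / route-down.sh
OVPN_CONF="$OVPN_DIR/openvpn.conf"          # assumed config path
CONNECT_WAIT="${CONNECT_WAIT:-20}"          # seconds to let the tunnel come up
MAX_RESTARTS="${MAX_RESTARTS:-3}"           # bound for the redundancy re-check loop

# Parse saved ping output. Only a real reply prints "bytes from"; an empty file
# or a "bad address" error (dead interface) both return 1.
ping_output_ok() {
    grep -q "bytes from" "$1" 2>/dev/null
}

# Ping through the tunnel interface and save the output to a file instead of
# relying on ping's exit status. Returns 0 when at least one reply arrived.
tunnel_alive() {
    ping -c 3 -W 2 -I "$TUNNEL_IF" "$TEST_ADDR" > "$PING_FILE" 2>&1
    ping_output_ok "$PING_FILE"
}

# Drop the routes, kill the client, start it again, wait, restore the routes.
# This re-initialises the kill-switch rules without rebooting the router.
restart_openvpn_client() {
    [ -f "$OVPN_DIR/route-down.sh" ] && sh "$OVPN_DIR/route-down.sh"
    killall openvpn 2>/dev/null
    sleep 2
    openvpn --cd "$OVPN_DIR" --config "$OVPN_CONF" --daemon   # assumed start line
    sleep "$CONNECT_WAIT"
    [ -f "$OVPN_DIR/route-up.sh" ] && sh "$OVPN_DIR/route-up.sh"
}

main() {
    # Serialise runs: a restart takes 20+ seconds and cron fires every minute.
    lock=/tmp/sw_watchdog.lock
    if ! mkdir "$lock" 2>/dev/null; then
        echo "Another watchdog run is in progress; exiting"
        return 0
    fi
    trap 'rmdir "$lock"; rm -f "$PING_FILE"' EXIT

    echo "Starting VPN tunnel ping checker on $TUNNEL_IF"
    restarts=0
    while :; do
        if tunnel_alive; then
            echo "The pings were successful... exiting"
            return 0
        fi
        if [ "$restarts" -ge "$MAX_RESTARTS" ]; then
            echo "Tunnel still down after $MAX_RESTARTS restarts; leaving it to the next cron run"
            return 1
        fi
        restarts=$((restarts + 1))
        echo "No reply through $TUNNEL_IF, restarting the openvpn client (attempt $restarts)"
        restart_openvpn_client
        # Redundancy check: loop back and verify the tunnel really came up.
    done
}

# Cron entry for this version:  */1 * * * * root /bin/sh /jffs/sw_watchdog/sw_watchdog run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The ping step deliberately ignores ping's exit status and only looks at the saved text, which is the behaviour the post describes for the "Bad Address" case. If the redundancy loop cannot bring the tunnel up after MAX_RESTARTS attempts the script gives up and lets the next cron run try again, so a VPN provider outage does not keep the router restarting openvpn in a tight loop.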


Purpose of the Script
Anyway, the primary purpose behind this script was the unreliability of VPN providers like PureVPN that fail constantly, and the need for reliability on the router's VPN connection without having to restart the whole router.

I couldn't find anyone on the forums who already programmed this, so hopefully this helps everyone.


Terms of Use:
Free for all to Modify or Use however you want.

There is plenty of expansion and usages for this.


Help the Community
For all the techies out there, please keep me posted on results. I am sure there are going to need to be fixes or modifications made. This should work on almost all basic OpenVPN client router installs.

Also, Thanks to T. Stines for his Crash Test Dummy Help on beta testing this on PureVPN for me. Excellent customer and very patient man.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers


Last edited by sploit on Sun Sep 17, 2017 23:31; edited 3 times in total
PeterTosh
DD-WRT Novice


Joined: 15 Aug 2017
Posts: 12

PostPosted: Fri Sep 08, 2017 8:43    Post subject:
I will try this out in a few years thanks

_________________
£££££££££££££££

Linksys 1900acsv2 dd-wrt r32170
Asus rtn56u not in use
hard wired
Vusolo2
Android tv
Windows 10 pc
Try Once .. Try Again ... Keep Going
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Sep 08, 2017 11:27    Post subject:
Thanks @Sploit, great job!
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Sep 17, 2017 23:06    Post subject: Lazy Install Method
Ok so I created Auto Installers for people that don't want to know how any of this stuff works.

WARNING
This assumes a Virgin (Clean Router Install) and that you don't have anything in your CRON JOBS already

######## STEP 1 #########
#########################

To Install JFFS AND CRON commands rapidly for the SploitWorks VPN Watchdog, go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands" (The router Will Reboot)

Code:
eval `wget -q -O - http://sploitworks.com/installers/sw_watchdog/setup-cron-jffs.swi`



######## STEP 2 #########
#########################
NOW... AFTER THE ROUTER REBOOTS we need to install the Watchdog

To Install the SploitWorks VPN Tunnel Watchdog go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands" (The router Will NOT need to Reboot)

Code:
eval `wget -q -O - http://sploitworks.com/installers/sw_watchdog/sw-watchdog-install.swi`




#########################
#########################
How to Uninstall
#########################
#########################

WARNING: This will erase all cron jobs

To Un-Install the SploitWorks VPN Watchdog, go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands"

Code:
eval `wget -q -O - http://sploitworks.com/installers/sw_watchdog/sw-watchdog-uninstall.swi`



################################################################################

So How do you know it installed correctly??

go to SERVICES... COMMANDS and paste the following code
and then press "Run Commands"

Code:
/bin/sh /jffs/sw_watchdog/sw_watchdog


If you get this, the watchdog is installed.

Quote:
Starting SploitWorks VPN Tunnel Ping Checker on tun1
#######################################
The Pings were Successful... Exiting...



If you get this, then...
Quote:
/bin/sh: can't open '/jffs/sw_watchdog/sw_watchdog'


It didn't install... check your internet connection and try again.
Also you may need to disable the VPN before installing... sometimes certain VPNs proxy the connection and it corrupts the install.

CRON CHECK - Make sure the script is in the cron scheduler
Also, make sure under ADMINISTRATION...MANAGEMENT... UNDER CRON that the following is in the cron input field

Quote:
*/1 * * * * root /bin/sh /jffs/sw_watchdog/sw_watchdog

SPECIAL NOTE
IF you disable your VPN, make sure to stop the cron job under ADMINISTRATION...MANAGEMENT .... CRON... Otherwise the script will keep trying to restart the OpenVPN Daemon every time the cron runs!

Reboot the router after you disable the watchdog.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
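The lazy installers above fetch a script over plain HTTP and hand it straight to `eval`, so whatever arrives on the wire runs as root on the router. As an added example (not part of the SploitWorks installers, and not something the post provides), here is a small POSIX sh wrapper that downloads the installer to a file, checks its SHA-256 against a value obtained out of band, and only then runs it. The URL and the expected hash below are placeholders; the real hash would have to come from the script author through a separate channel. Running the file with `sh` instead of `eval` is a design choice of this example: the original installers are evaluated inside the Commands box shell, and if one relied on variables from that shell it would need to be sourced instead.

```sh
#!/bin/sh
# Added example, not the thread's own installer. INSTALLER_URL and
# EXPECTED_SHA256 are placeholders; both busybox and coreutils provide sha256sum.

INSTALLER_URL="${INSTALLER_URL:-http://example.invalid/sw-watchdog-install.swi}"
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Print the SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when the file's digest equals the expected one (case-insensitive).
hash_matches() {
    actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download to a temp file, verify the digest, then run it with sh.
# Returns 2 on download failure, 3 on checksum mismatch, else the installer's status.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp="/tmp/installer.$$"
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 2
    fi
    if ! hash_matches "$tmp" "$expected"; then
        echo "checksum mismatch for $url; not running it" >&2
        echo "expected $expected, got $(file_sha256 "$tmp")" >&2
        rm -f "$tmp"
        return 3
    fi
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh verify-install.sh run   (after setting INSTALLER_URL and EXPECTED_SHA256)
if [ "${1:-}" = "run" ]; then
    fetch_verify_run "$INSTALLER_URL" "$EXPECTED_SHA256"
fi
```

A mismatch leaves nothing executed and prints both digests, which is also the quickest way to notice the "VPN proxied the download and corrupted the install" situation mentioned later in the post, since a truncated or altered file will not hash to the expected value.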
vaskos1
DD-WRT Novice


Joined: 04 Oct 2017
Posts: 1

PostPosted: Wed Oct 04, 2017 20:46    Post subject: small update
Good work, script is running fine, thanks !!

Just a small improvement: according to https://www.dd-wrt.com/wiki/index.php/JFFS, JFFS should not be used for frequently changing files. So writing into swpingdata.txt too often is not a very good idea...

I have updated your script like following [no temporary file is used now] :

Code:
# test_address and tunnel_interface are set earlier in the script; the
# counter must start at 0 and [ ] is used so the loop also runs on plain POSIX sh
ping_tries=0
while [ "$ping_tries" -lt 5 ]
do
    if ping -c 1 -W 1 "$test_address" -I "$tunnel_interface" >/dev/null
    then
        echo "The Pings were Successful [exit 0]"
        exit 0
    fi
    ping_tries=$((ping_tries+1))
done
# falling out of the loop means five failed pings: carry on to the rebooter section

updated file enclosed.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Thu Oct 05, 2017 0:27    Post subject: There are problems with that
There are problems with pinging stdout to /dev/null through a VPN tunnel. It will give a bad address error that can't be logged or read.

It's why the file has to be created.
Setting the cron timer for maybe 5 minutes is fine though

do the math on how many times a year that is.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
nnicolao
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 2

PostPosted: Sun Dec 03, 2017 8:04    Post subject: Works but problems if using PBR and firewall rules.
Awesome script. Works perfectly resetting the VPN connection, but I'm using PBR and firewall rules to prevent clients connecting directly to my vlan2, and even after re-establishing VPN connectivity the IPs in the PBR list don't get connectivity.

This is fixed only if I manually reload the firewall rules via the web GUI.

Any ideas how to automate resetting the firewall at the end of your script? Also, while that happens those clients get no connectivity at all. Depending on the firmware version I had momentary leaks while the firewall was resetting.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Dec 03, 2017 8:19    Post subject: The Firewall
The Firewall gets loaded at startup.

Would simply need to do

stopservice firewall
then
startservice firewall

In my script...

It's a good idea.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
nnicolao
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 2

PostPosted: Sun Dec 03, 2017 8:49    Post subject: Restore iptables
Tried that. I can stop the service, but if I don't include arguments for the startservice I get the error below.

====
cannot open /proc/sys/net/ipv4/conf/br0/loop
====

I figured I need to restore the iptables while restarting the firewall service, but I can't figure out where the proper iptables with the PBR settings and firewall restrictions are located. Something similar to /tmp/.ipt
Kingofblades
DD-WRT Novice


Joined: 09 Dec 2017
Posts: 1

PostPosted: Sat Dec 09, 2017 2:25    Post subject:
Thank you for this, this is god tier scripting and some great thinking. I ran the script and followed your directions and it is working perfectly. Thank you thank you thank you!

AWESOME!
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Mon Dec 11, 2017 4:47    Post subject: Re: Restore iptables
nnicolao wrote:
Tried that. I can stop the service, but if I don't include arguments for the startservice I get the error below.

====
cannot open /proc/sys/net/ipv4/conf/br0/loop
====

I figured I need to restore the iptables while restarting the firewall service, but I can't figure out where the proper iptables with the PBR settings and firewall restrictions are located. Something similar to /tmp/.ipt


This is exactly what needs to be done

Command is: find / -name '*ipt*' (quote the pattern so the shell doesn't expand it in the current directory first)

However, it should be in the /tmp directory, it's just hidden.


I am adding this feature to the script

Will post it tonight

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Sun Sep 09, 2018 15:49    Post subject:
Looks like the prerequisites are there, but I assume enabling JFFS flash storage will not suffice if it says "not mounted"? Here is what happens:

VPN is off
Cron disabled (cronstring is there)

Starting Install of SploitWorks VPN Watchdog
Connecting to sploitworks.com (107.180.25.39:80)
Connecting to sploitworks.com (107.180.25.39:80)
SploitWorks Watchdog Installed

/jffs directory is empty

/bin/sh: can't open '/jffs/sw_watchdog/sw_watchdog': No such file or directory

JFFS Support
internal Flash Storage "enabled"
Clean Internal Flash Storage "disabled"
Total/Free Size (not mounted)

Firmware: DD-WRT v3.0-r36527 std (08/09/18)
TP-Link TL-WR710N v1
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2029

PostPosted: Sun Sep 09, 2018 16:07    Post subject:
Might take a look at this: https://wiki.dd-wrt.com/wiki/index.php/Jffs#Directions_for_.28normal.29_users:_using_Web-GUI_Interface
_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Sun Sep 09, 2018 17:42    Post subject:
bushant wrote:
Might take a look at this: https://wiki.dd-wrt.com/wiki/index.php/Jffs#Directions_for_.28normal.29_users:_using_Web-GUI_Interface


Thanks, but I didn't get any internal mounting to work .. so I now have a USB stick mounted as /jffs and the script installs without a problem (I see the folder via SSH). But if I enter the check command I only get "Processing please wait" .. never stops .. I actually have to pull the plug. Anyone have an idea?

It's most probably me getting out of the proper order trying to fix things. Now the check command runs for a short while but gives no output at all. I guess I'll have to uninstall and start from the beginning.
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Mon Sep 10, 2018 15:11    Post subject:
The script seems to break jffs mounting on my router.
After I installed everything in the right order the JFFS options show no JFFS. After I run the uninstall script I see JFFS is mounted.

BUT manual installation did fine - so I guess I'm good now.

What confuses me is that above I read that firewall stop/starts will be added .. but a search for "firewall" has no hits.