Failover OpenVPN - if first provider is offline, use second.

DD-WRT Forum Index -> Advanced Networking
swealpha
DD-WRT Novice


Joined: 09 Mar 2019
Posts: 18

PostPosted: Tue Mar 12, 2019 10:06    Post subject: Failover OpenVPN - if first provider is offline, use second.
Hello!
First of all you guys are great, thank you!

Do you know if it is possible to have a second OpenVPN provider as a backup?

I mean for example:

#1 nordvpn.com OpenVPN
If NordVPN goes offline, use #2.

#2 ExpressVPN
If ExpressVPN and NordVPN both go down, shut down the internet connection until #1 or #2 is online again.

Thank you!
Sorry for my bad English.


Last edited by swealpha on Tue Mar 12, 2019 10:21; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Mar 12, 2019 12:06    Post subject:
Possible yes, easy no.

Why do you want this?

If you want to prevent traffic going out unsecured over the WAN then implement a kill switch (easy)

VPN connections sometimes disconnect but usually reconnect again. If this is not the case there is a script to restart the VPN connection automatically on disconnect, I have a script from @Sploit somewhere which does this automatically (fairly easy).

You can set up a second VPN client, but you have to do it by hand, and you need a script to start this second client when the first is down and perhaps, if this second one goes down, start the first client again. This script would have to be developed, as it does not exist to my knowledge (difficult).

I think Tomato firmware has the ability to specify two OVPN clients in the GUI, but I do not know if it has a failover setting.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Mar 12, 2019 16:29; edited 1 time in total
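The kill switch plus "start the second client when the first is down" script that egc sketches, written out as an added example. This is not from the thread and not @Sploit's script; it assumes the GUI OpenVPN client is disabled, that each provider's config sits in its own directory under a hypothetical /jffs/vpnfailover and brings up tun1, that the LAN bridge is br0 with the WAN interface in nvram wan_iface, and that the DD-WRT build has ip, ping -I and iptables -C. The probe address 1.1.1.1 is a placeholder. It is meant to run from cron once a minute and keeps its state in /tmp.

```shell
#!/bin/sh
# Added example (not from the thread, not egc's or Sploit's script): cron-driven
# OpenVPN failover watchdog for DD-WRT with a kill switch. Hypothetical layout:
#   /jffs/vpnfailover/<provider>/openvpn.conf   one config per provider, each
#                                               using "dev tun1" (GUI client off)
#   br0 = LAN bridge, WAN interface from nvram; 1.1.1.1 is only a placeholder
#   probe address, pick a host you trust to answer pings through the tunnel.
CONF_DIR=${CONF_DIR:-/jffs/vpnfailover}
PROVIDERS="provider1 provider2"          # order = preference, wraps around
TUN_IF=${TUN_IF:-tun1}
STATE=/tmp/vpnfailover.state             # "<provider> <consecutive failures>"
PIDFILE=/tmp/vpnfailover.pid
THRESHOLD=3                              # failed probes before switching
PROBE_IP=1.1.1.1

# Kill switch: LAN traffic may only be forwarded out through the tunnel. "-C"
# tests for the rule first so repeated cron runs do not stack duplicates.
apply_killswitch() {
    wan=$(nvram get wan_iface)
    iptables -C FORWARD -i br0 -o "$wan" -j REJECT 2>/dev/null ||
        iptables -I FORWARD -i br0 -o "$wan" -j REJECT
    iptables -C FORWARD -i br0 -o "$TUN_IF" -j ACCEPT 2>/dev/null ||
        iptables -I FORWARD -i br0 -o "$TUN_IF" -j ACCEPT   # lands above REJECT
}

# Healthy = the interface exists AND a probe answers through it; a tun device
# that is still present after the remote stopped routing does not count.
tunnel_healthy() {
    ip link show "$TUN_IF" >/dev/null 2>&1 || return 1
    ping -c 1 -W 3 -I "$TUN_IF" "$PROBE_IP" >/dev/null 2>&1
}

# Policy kept free of side effects so it can be tested off the router.
# decide_action HEALTHY(0|1) FAILS THRESHOLD -> ok | wait | failover
# One missed probe is not a provider outage (clients usually reconnect, as egc
# says), so only THRESHOLD consecutive failures trigger a switch.
decide_action() {
    if [ "$1" -eq 1 ]; then echo ok
    elif [ "$2" -ge "$3" ]; then echo failover
    else echo wait
    fi
}

# next_provider CURRENT -> the entry after CURRENT in $PROVIDERS, wrapping to
# the first; the first when CURRENT is unknown.
next_provider() {
    first=""; pick=""; found=0
    for p in $PROVIDERS; do
        [ -z "$first" ] && first=$p
        if [ "$found" -eq 1 ]; then pick=$p; break; fi
        [ "$p" = "$1" ] && found=1
    done
    echo "${pick:-$first}"
}

# Stop only the client we started (pidfile, not "killall openvpn", so an OpenVPN
# server on the same router survives) and start the other provider.
switch_to() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    sleep 2
    openvpn --daemon --writepid "$PIDFILE" --cd "$CONF_DIR/$1" --config openvpn.conf
    echo "$1 0" > "$STATE"
}

main() {
    apply_killswitch
    { read -r cur fails < "$STATE"; } 2>/dev/null || { cur=provider1; fails=0; }
    if tunnel_healthy; then healthy=1; else healthy=0; fails=$((fails + 1)); fi
    case $(decide_action "$healthy" "$fails" "$THRESHOLD") in
        ok)       echo "$cur 0" > "$STATE" ;;
        wait)     echo "$cur $fails" > "$STATE" ;;
        failover) nxt=$(next_provider "$cur")
                  logger -t vpnfailover "$cur failed $fails probes, switching to $nxt"
                  switch_to "$nxt" ;;
    esac
}

# cron entry: * * * * * root /jffs/vpnfailover/watchdog.sh run
if [ "${1:-}" = run ]; then main; fi
```

Two caveats. The FORWARD rules only cover traffic the router forwards for LAN clients; the router's own traffic, including dnsmasq's upstream DNS queries, goes through OUTPUT and would still leave over the WAN, so either add a matching OUTPUT rule for the dnsmasq user or point dnsmasq at resolvers reachable only via the tunnel. And because the probe is pinged with -I through the tunnel, a provider that accepts the handshake but drops traffic is caught too, which a plain interface check misses.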
swealpha
DD-WRT Novice


Joined: 09 Mar 2019
Posts: 18

PostPosted: Tue Mar 12, 2019 15:51    Post subject:
Hello!

I want to do this because I am renting out a house, and if the #1 OpenVPN provider goes offline when I am not available, it would be great to have a "backup" #2 OpenVPN provider.

Or else I need to be available all the time in case something breaks.

I hope you understand me.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Mar 12, 2019 16:38    Post subject:
Well, I outlined the possibilities I can think of in my previous post.

I would not be afraid of a VPN provider going out of service, but the router not reconnecting after a disconnect does happen now and then.
But with the restart script from @Sploit that should be solved.

But the router itself can also break down, or your ISP can go out of service; does that mean that you need a second ISP through a different network, with a different VPN provider, set up on a second router with failover?

My former employer (a large hospital) had that kind of infrastructure LOL

sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Thu Mar 28, 2019 23:59    Post subject: Coding...
I am in the process of developing an advanced version of my openvpn keepalive.

I have (as of last night) worked the majority of the bugs out of the process.

There are limitations working with the BusyBox shell vs Full Linux, so I have had some issues with various things.

My primary focus on the project is making sure with Stupid VPN Providers like Nordvpn, that my keepalive script will automatically jump to the next server in the database, and remove a bad server from the list and add it to a "failed server" database.

I am using JFFS for the storage, and everything is up and working.

Upon server failure (my scripts check for various problems before deeming the server bad) it connects to the next server in the list.

NordVPN's server structure is terrible, but they are starting to make their server CERTS identical across their newer servers.


The feature I am coding tonight (if the variable is turned on) will pick a random server from the database.

This will be useful for VPN services like PIA or IPVanish: IF the server address fails, it will hop to a random server in the database.

For example:

DATABASE EXAMPLE:

us-siliconvalley.privateinternetaccess.com
us-west.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-midwest.privateinternetaccess.com

The script will pick one of those at random and try it.

The ability to NOT remove the servers from the database can be turned off or on as well (good for PIA or Ipvanish) because the server may come back online shortly.

Option to reboot once the new server is added is available
Option to reboot once openvpn tunnel wifi is available

Any feature requests that you guys can think of I will take into consideration and code.





I will be working on implementing the complex tunnel switching from Static IP to Shared IP.

This isn't too complex now that I have the core built, because we can just tell the script to launch a script on a specific problem (or variable), and that script changes the NVRAM variables to update with the Static settings or Dynamic settings, reset after X minutes, etc.

Also, the random server feature will have the option to just pick a random server and connect every time the script is run (from a CRON timer, for example).

This is cool if you want your IP to change all the time.


@egc Hello

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Mar 29, 2019 11:52    Post subject:
@Sploit looking forward to your script, your contributions are very much appreciated !
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Mar 31, 2019 8:30    Post subject: Almost Ready
So far so good.

I am really hammering the features and bug testing it right now.

So far here are the TESTED Features

1) Reboot Router on New Server Install
2) Delete Bad Servers from Database (Option Flag)
3) Append Bad Servers to a "Failed" Database (Option Flag)
4) Randomize Server Selection (Will Attempt to connect to a random server in the database)
5) Always Randomize on Script Execution (Used with a longer CRON delay to Change the Server simply because you want a Random Server Every so often)
6) Top to Bottom server switching (On a failed server, simply tries the next server in this list, starting from the TOP of the database and going to the BOTTOM. Makes sense, huh?)
7) Email via GMAIL on Server Failure (with server address that failed)
8) Email via GMAIL on server reconnect (With New Server Address)
9) Option to execute a custom script for each specific server in the database
-- This is useful for sooooo many reasons, including failover OR Switching to a whole other VPN Provider.
10) Separate Variables File for easy tweaking
11) Cleaned up Scripting and Heavily Commented for people familiar with bash scripting to understand why I did what I did



### Failsafes and Error Checking

I have had to incorporate numerous error logic checks to make sure Endless Broken Loops don't happen.
The failsafes include preventing unneeded script execution: if it detects things are running correctly, it quits.

#### Still being debugged or developed...

1) Automated Removal Script (Including NVRAM Variables I set)
2) Option to Trim the Failed Server database to any specific KB size or set amount of lines (Easy... Just gotta do it)
3) Anything else anyone might need that can be done or suggestions.

I am very near release of the beta


I am Looking for beta testers.

Intermediate to Advanced ddwrt users only please.
Will require use of WinSCP to install.

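The server-database bookkeeping that Sploit's two posts describe (top-to-bottom switching, random selection that avoids the server that just failed, appending to a "failed" database with an option flag to delete from the main list, and trimming the failed database to a set number of lines), as an added example for BusyBox sh. This is not Sploit's script, which is not posted in the thread; the /jffs paths are hypothetical defaults, and the hostnames used in the fixture are the ones from his PIA database example above.

```shell
#!/bin/sh
# Added example (not Sploit's script): server-database bookkeeping for an
# OpenVPN keepalive on DD-WRT. DB holds one hostname per line (blank lines and
# "#" comments ignored); FAILED_DB gets "epoch hostname" rows. Paths are
# hypothetical defaults; override them from the environment.
DB=${DB:-/jffs/vpn/servers.db}
FAILED_DB=${FAILED_DB:-/jffs/vpn/failed.db}

# next_server CURRENT -> the entry after CURRENT (top-to-bottom switching),
# wrapping to the first line; the first line when CURRENT is empty or no longer
# in the database.
next_server() {
    awk -v cur="$1" '
        NF && !/^#/ { n++; srv[n] = $1; if ($1 == cur) hit = n }
        END {
            if (n == 0) exit 1
            if (!hit || hit == n) print srv[1]; else print srv[hit + 1]
        }' "$DB"
}

# random_server [EXCLUDE] -> a random entry other than EXCLUDE (the server that
# just failed), so a retry never lands on the same host.
random_server() {
    awk -v skip="$1" -v seed="$(date +%s)$$" '
        BEGIN { srand(seed) }
        NF && !/^#/ && $1 != skip { srv[++n] = $1 }
        END { if (n) print srv[int(rand() * n) + 1] }' "$DB"
}

# mark_failed SERVER [delete] -> append SERVER to FAILED_DB with a timestamp
# and, when the flag is "delete", drop it from DB (Sploit's option flag; leave
# it in place for providers whose servers usually come back, as he notes for PIA).
mark_failed() {
    echo "$(date +%s) $1" >> "$FAILED_DB"
    if [ "$2" = delete ]; then
        # grep exits 1 when no lines remain; that is still a valid (empty) DB
        if grep -v -x -F "$1" "$DB" > "$DB.tmp" || [ $? -eq 1 ]; then
            mv "$DB.tmp" "$DB"
        else
            rm -f "$DB.tmp"
        fi
    fi
}

# trim_failed N -> keep only the newest N rows of FAILED_DB so JFFS never fills.
trim_failed() {
    tail -n "$1" "$FAILED_DB" > "$FAILED_DB.tmp" && mv "$FAILED_DB.tmp" "$FAILED_DB"
}

# pick_replacement CURRENT random|ordered -> record CURRENT as failed and print
# the hostname to try next; whatever restarts OpenVPN consumes the result.
pick_replacement() {
    mark_failed "$1"
    if [ "$2" = random ]; then random_server "$1"; else next_server "$1"; fi
}
```

The awk-based selection avoids bash arrays, which is the BusyBox limitation Sploit mentions, and the temp-file-and-mv pattern in mark_failed and trim_failed means a reboot in the middle of an update leaves the old database intact rather than a half-written one.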
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Mon Apr 01, 2019 10:15    Post subject:
@Sploit, I would love to test it, but I am going on vacation for the forthcoming two weeks, but will want to test it when I come back.

I can test it with PIA on an R6400v2 with Kong 38580 build.

I use PBR (using my own implementation: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662), I use the patched SFE module which works with PBR and the PBR kill switch script from @Eibgrad.

Furthermore the router also hosts an OVPN server to complicate matters.

So not your average setup :)

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Mon Apr 01, 2019 16:34    Post subject:
In a nordvpn setup you can add a remote-random line and some modest number of lines (I have no idea what the practical limit is) like remote us2586.nordvpn.com 1194 to the Additional Config. Port 1194 is fixed and should not be changed, but you specify a different server on each such line. This server set you are creating includes the server you name in the Server IP/Name window as well, so don't leave that blank. The key is that you must select servers that use the same CA Cert and TLS Auth Key. (If you are using Linux, compare file lengths and then diff them if lengths match.)

I've been using such a setup with a dozen or so servers for some months, and it works great. I get a randomly chosen server at boot and on Apply (in Services>VPN), and if the server tried is down or is not responding when the connection is attempted, it just picks another at random and tries again.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
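The "same CA Cert and TLS Auth Key" check from the post above, done by script instead of by eye, as an added example that is not from SurprisedItWorks or from NordVPN. It fingerprints the inline <ca> and <tls-auth> blocks of each provider .ovpn file, keeps only the servers whose trust material is byte-identical to a chosen reference file, and prints the remote-random fragment for the Additional Config box. The directory, the us2587 hostname and the certificate bodies in the fixture are constructed for illustration; files that reference ca.crt and ta.key by path rather than inline would need those files compared instead.

```shell
#!/bin/sh
# Added example (not from the thread): build a remote-random pool from provider
# .ovpn files whose inline <ca> and <tls-auth> blocks are byte-identical to a
# reference file. File names, hostnames and certificate bodies in the fixture
# are constructed, not real NordVPN material.

# inline_block FILE TAG -> body of <TAG>...</TAG> (empty if the file has none)
inline_block() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# trust_fingerprint FILE -> checksum of ca + tls-auth bodies. Comparing lengths
# and then diffing, as the post suggests, collapses into one checksum of the
# concatenation (cksum is POSIX and present in BusyBox).
trust_fingerprint() {
    { inline_block "$1" ca; inline_block "$1" tls-auth; } | cksum | cut -d' ' -f1
}

# remote_pool REF FILE... -> one "remote host port" line per FILE whose trust
# material matches REF; mismatches go to stderr and are left out, because a
# server signed by a different CA or using a different ta.key fails the
# handshake whenever remote-random happens to land on it.
remote_pool() {
    ref=$(trust_fingerprint "$1"); shift
    for f in "$@"; do
        if [ "$(trust_fingerprint "$f")" = "$ref" ]; then
            grep -E '^remote[[:space:]]' "$f" | head -n 1 | awk '{print "remote", $2, $3}'
        else
            echo "skip $f: different CA or tls-auth key" >&2
        fi
    done
}

# build_fragment REF FILE... -> text to paste into Additional Config
build_fragment() {
    echo "remote-random"
    remote_pool "$@"
}

# make_fixture DIR -> three constructed .ovpn files: two sharing trust material
# ("A") and one with different material ("B").
make_fixture() {
    mkdir -p "$1"
    for h in us2586 us2587; do
cat > "$1/$h.ovpn" <<EOF
client
dev tun
proto udp
remote $h.nordvpn.com 1194
<ca>
-----BEGIN CERTIFICATE-----
FIXTURE-CA-A
-----END CERTIFICATE-----
</ca>
<tls-auth>
FIXTURE-TA-A
</tls-auth>
EOF
    done
cat > "$1/other.ovpn" <<EOF
client
remote other.example.net 1194
<ca>
FIXTURE-CA-B
</ca>
<tls-auth>
FIXTURE-TA-B
</tls-auth>
EOF
}

# Real use: build_fragment /jffs/ovpn/us2586.ovpn /jffs/ovpn/*.ovpn
```

The fragment's remote lines all use the same port, matching the post's note that 1194 is fixed; if a provider ever mixes ports, the awk field $3 carries each file's own port through, so a mismatch shows up in the output rather than being silently normalised.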
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 109
Location: DE

PostPosted: Sun May 05, 2019 17:27    Post subject: Re: Coding...
sploit wrote:
I am in the process of developing an advanced version of my openvpn keepalive.
...
Also, the random server feature will have the option to just pick a random server and connect every time the script is run (from a CRON timer, for example).

This is cool if you want your IP to change all the time.


@egc Hello


You might be interested if you haven't seen this:

https://github.com/TobseTobse/DD-WRT_NordVPN

is doing most of your featureset. Working stable since end of last year here. Limited to NordVPN though. It is not changing NVRAM settings of OpenVPN.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
@m0eb@
DD-WRT User


Joined: 26 Dec 2015
Posts: 289

PostPosted: Mon Sep 02, 2019 11:52    Post subject: Re: Coding...
kooper2013 wrote:

You might be interested if you haven't seen this:

https://github.com/TobseTobse/DD-WRT_NordVPN

is doing most of your featureset. Working stable since end of last year here. Limited to NordVPN though. It is not changing NVRAM settings of OpenVPN.


That script is outdated, but still useful. I had seen this first when it was WIP and not working for me. Thanks for redirecting me to this page.

The script works like a charm, and then suddenly reboots the router for no apparent reason. I discovered it has to do with the startup script used. Cron often fails to start the jobs on time... but I just read the following thread, which may be a workaround to this issue:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=263036

All new UDP servers of Nord VPN have the same ca.crt and tls-auth these days. All settings are also the same, and the only varying parameter is the server IP and name. One can use server name instead of IP address and avoid downloading the script for every server.

I am using this script, but have commented all lines asking for reboot. I update 8-10 servers manually from countries which give highest speed and put these in the serverconfig directory.

Wish there were a simpler script to check speed and randomly change to another server (from a given list) at given intervals. That would reduce the many lines of code used in this. A few months ago, this would have been the only script in the world for this purpose for NordVPN.

_________________
PROFESSIONAL STUDENT
my.Mistakes my.Learning ... provided I have the patience & persistence to learn