Policy Based Routing guide for DDWRT

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Mon Oct 14, 2019 13:24    Post subject: Policy Based Routing guide for DDWRT
Policy Based Routing guide for DDWRT

This guide is intended for use with build 41174 or later.

If you have a previous build, you might need scripting to use all the advanced possibilities, see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662

The wiki (https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing) is rather outdated and with all the new and exciting functions we now have in recent builds I am trying to put together a guide.

Any help/comments/remarks are welcome.

The guide is attached to this post but is only visible when you are logged in.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Thu Oct 31, 2019 7:51; edited 5 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Mon Oct 14, 2019 13:25
Automatic Kill switch script for DDWRT PBR

Script attached to this post, only visible when you are logged in.


Always check if the rules are applied and working.

name: ovpn-pbr-kill-switch-xx.sh
version: 0.2 by egc, this is a modified version from @eibgrad http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
script type: firewall
dd-wrt ref: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

Instructions:
1. Download and unzip
2. Set VPN_ENABLED_ONLY to your preference, "0" or "1"
3. Set FW_STATE to your preference, uncomment line to set state NEW
4. Install this script as the router's firewall script (Administration/Commands, Save as Firewall). You can either place the script on permanent storage like jffs and make it executable with chmod +x /jffs/ovpn-pbr-kill-switch-02.sh, or copy the text below, paste it in Administration/Commands and then Save as Firewall
5. Reboot router
6. The firewall is not automatically updated after a change in the PBR field, so reboot after changing


VPN_ENABLED_ONLY
* 0 = apply rules 24/7
* 1 = apply rules only if VPN enabled (default)
Code:
VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)


State checking: "state NEW" vs. no state
state NEW (default):
* any pre-existing LAN->WAN connections persist until/unless they timeout/close
* remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
* more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
no state:
* any pre-existing LAN->WAN connections are stopped/blocked
* remote access (WAN->LAN) is denied (even if port forwarding is enabled)
* less efficient (every LAN->WAN packet is inspected)

Code:
FW_STATE="-m state --state NEW" # uncomment/comment to disable/enable state checking


Note:
The firewall is not automatically updated after a change in the PBR field, so reboot after changing or do from CLI:
Code:
stopservice firewall && startservice firewall


Troubleshooting
For troubleshooting look at or show when asking for help:
Code:
iptables -vnL blocked-ips
iptables -vnL FORWARD



Copy text below and paste in Administration/Commands Save as Firewall

Code:
VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)
FW_STATE="-m state --state NEW" # uncomment/comment to disable/enable state checking
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
FW_CHAIN="blocked-ips"
(iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
iptables -F $FW_CHAIN
iptables -X $FW_CHAIN) > /dev/null 2>&1
[ -z "$(nvram get openvpncl_route)" ] && exit
[[ "$(nvram get openvpncl_enable)" == "0" && "$VPN_ENABLED_ONLY" != "0" ]] && exit
iptables -N $FW_CHAIN
echo -e "$(nvram get openvpncl_route)" |  grep -v 'to'| awk '/^[^#]/ {print $1}' | \
while read ip; do
ip=${ip//$'\r'}
[ -z "$ip" ] && continue
iptables -A $FW_CHAIN -p tcp -s $ip -j REJECT --reject-with tcp-reset
iptables -A $FW_CHAIN -s $ip -j REJECT --reject-with icmp-host-prohibited
done
iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN



Last edited by egc on Fri Nov 29, 2019 17:13; edited 4 times in total
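A dry run of the kill-switch logic, added here as an example and not part of egc's posted script: it applies the same filtering the firewall script applies to the PBR field (interpret escapes as echo -e does, skip lines containing 'to', skip comment lines, take the first field, strip Windows CR endings and empty lines) and prints the iptables commands that would be issued, with the FORWARD hook shown both with state NEW and without state. Nothing is installed, so the rule set can be reviewed on any machine before the firewall is reloaded. The PBR field content and the WAN interface name eth0 are constructed sample values.

```shell
#!/bin/sh
# Added example (not egc's script): dry run of the PBR kill-switch rule set.
# Nothing here touches iptables; the commands are printed for review.

# Constructed sample of what `nvram get openvpncl_route` might hold: a comment,
# entries with Windows CR line endings, an empty line and a "... to ..." entry.
SAMPLE_PBR="# media devices via VPN\r
192.168.1.10\r
192.168.1.0/27\r
\r
192.168.1.50 to 203.0.113.9\r
192.168.1.77"

# Sources that end up in the chain. Same pipeline as the posted script:
# interpret escapes like echo -e, skip lines containing 'to', skip comment
# lines, take the first field, then drop CRs and anything left empty.
pbr_blocked_ips() {
    printf '%b\n' "$1" | grep -v 'to' | awk '/^[^#]/ {print $1}' \
        | tr -d '\r' | sed '/^$/d'
}

# The two REJECT rules per source the chain would carry ($2 = chain name).
killswitch_rules() {
    chain="${2:-blocked-ips}"
    pbr_blocked_ips "$1" | while read -r ip; do
        printf 'iptables -A %s -p tcp -s %s -j REJECT --reject-with tcp-reset\n' "$chain" "$ip"
        printf 'iptables -A %s -s %s -j REJECT --reject-with icmp-host-prohibited\n' "$chain" "$ip"
    done
}

# The FORWARD hook ($1 = WAN interface, $2 = FW_STATE string; empty means
# "no state", i.e. every LAN->WAN packet is inspected).
forward_hook() {
    if [ -n "$2" ]; then
        printf 'iptables -I FORWARD -o %s %s -j blocked-ips\n' "$1" "$2"
    else
        printf 'iptables -I FORWARD -o %s -j blocked-ips\n' "$1"
    fi
}

# Stand-alone run: show the rule set for the sample field, with state NEW.
killswitch_rules "$SAMPLE_PBR"
forward_hook "eth0" "-m state --state NEW"
```

Note that `grep -v 'to'` drops any line containing those two letters, which is why the "192.168.1.50 to 203.0.113.9" entry gets no rules: that host is not covered by the kill switch, exactly as with the posted script.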
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Mon Oct 14, 2019 15:01
DNS LEAK with Policy Based Routing
There are often questions about a DNS leak when using Policy Based Routing.
To (hopefully) answer some questions and to provide some solutions see the attached file (only visible when you are logged in!).

A very nice utility/script has been produced by @eibgrad; this script scans for and warns you about DNS leaks, highly recommended. See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319747



Last edited by egc on Wed Nov 20, 2019 11:31; edited 8 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Tue Oct 15, 2019 13:35
Watchdog script for VPN client
If you are using PBR the normal watchdog function of DDWRT does not work; you have to do your checking via the VPN tunnel.
This also applies if you have setup the OVPN client on a WAP.

There are VPN settings to mitigate the disconnection problem (keepalive 10 60, reneg-sec 0 (this is not recommended because of safety concerns), use TCP instead of UDP, use another OVPN server), these however seldom work.

This script is also useful if you do not want the full reboot which the DDWRT watchdog is doing but only restart the VPN client.

@Sploit has written a watchdog script see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1093571#1093571
Unfortunately the script kills all OpenVPN instances and thus also your OpenVPN server if you are using that simultaneously with your OpenVPN client.
I have posted a revision of that script in that thread which only kills the OpenVPN client; you can find it on the second page.

I have also made a simple solution to restart the OpenVPN client (or reboot the router). If you disable the OpenVPN Client in the GUI the script will not execute; it resumes when you enable the OpenVPN Client again.

See attached script, only visible when you are logged in!

name: ddwrt-vpn-pbr-watchdog-05.sh
version: 0.5, 08-11-2019 by egc
purpose: restarts OVPN Client or reboots router when VPN goes down
script type: jffs script called from startup script
instructions:
1. unzip and modify parameters in script if necessary, make sure not to
include Windows style line endings <CR>
2. copy modified script to /jffs (or external storage, e.g., usb)
3. make script executable:
Code:
chmod +x /jffs/ddwrt-vpn-pbr-watchdog-05.sh

4. call this script from the startup: Administration/Commands Save as
Startup after making sure it works:
Code:
sh /jffs/ddwrt-vpn-pbr-watchdog-05.sh &


Warning: use at your own risk, this is a beta version.

If you do not have or do not want to make permanent storage like JFFS2 or a USB stick, you can paste the following code in Administration/Commands and Save Startup; after that reboot the router:

Code:
#=======BEGIN vpn-pbr-watchdog=========
sleep=30
SCRIPT="/tmp/vpn-pbr-watchdog.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
SLEEP=300 # time (in secs) between each pass, do not set lower than 180 this gives you the ability to login and remove script from startup
#DEBUG= # uncomment/comment to enable/disable debug mode
#REBOOT= # uncomment to Reboot, comment this line to only restart OpenVPN Client
PINGIP="8.8.8.8"  # Target IP to ping to

[ ${DEBUG+x} ] && set -x
logger "Start $(basename $0)"
while sleep $SLEEP; do
   logger "sleep $SLEEP $(basename $0)"
   # skip the check while the OpenVPN client is disabled in the GUI
   [ "$(nvram get openvpncl_enable)" == "0" ] && continue
   # tunnel interface name from the client config, ignoring commented lines
   TUN=$(sed '/^[[:blank:]]*#/d;s/#.*//' "/tmp/openvpncl/openvpn.conf" | grep -oE 'tun[0-9]' | tail -1)
   while ! ping -qc1 -W6 -n $PINGIP -I $TUN &> /dev/null; do
      # confirm with a second ping before acting, to ride out a transient failure
      sleep 29
      if ! ping -qc1 -W6 -n $PINGIP -I $TUN &> /dev/null; then
         logger "$(basename $0) $TUN down, Reboot or Restart of OVPN Client will be executed"
         [ ${REBOOT+1} ] && reboot || restart_f openvpn
         break
      fi
   done
done
)2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn-pbr-watchdog=========



Last edited by egc on Wed Nov 20, 2019 11:13; edited 8 times in total
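The two decisions the watchdog makes, factored into functions so they can be exercised on any machine without a router, a tunnel or root. This is an added example, not egc's posted watchdog. The openvpn.conf fragment is constructed; the probe command is injected (`true`/`false` here, the posted `ping -qc1 -W6 -n 8.8.8.8 -I tun1` on the router), and the tunN regex accepts multi-digit suffixes, which the posted `tun[0-9]` does not. The comment-stripping sed matters: a plain `grep "dev "` also matches a commented-out `#dev tun0` line.

```shell
#!/bin/sh
# Added example (not egc's watchdog): the watchdog's two decisions as
# functions that can be exercised without a router, a tunnel or root.

# Constructed openvpn.conf fragment in the style of /tmp/openvpncl/openvpn.conf.
# The commented-out "dev tun0" is the case the comment-stripping sed is for.
SAMPLE_CONF='client
#dev tun0
dev tun1 # client tunnel
proto udp
remote vpn.example.invalid 1194'

# Tunnel interface name: drop comment lines and trailing comments first, as the
# posted script does, then keep the last tunN token (multi-digit N accepted).
tun_from_conf() {
    printf '%s\n' "$1" | sed '/^[[:blank:]]*#/d;s/#.*//' | grep -oE 'tun[0-9]+' | tail -1
}

# One watchdog pass. $1 = probe command (exit 0 when the tunnel answers; on the
# router this is e.g. "ping -qc1 -W6 -n 8.8.8.8 -I tun1"), $2 = value of
# openvpncl_enable, $3 = non-empty to reboot instead of restarting the client,
# $4 = seconds to wait before the confirming second probe (the posted script
# waits 29). Prints the action: skip, ok, restart or reboot.
watchdog_pass() {
    probe="$1"; enabled="$2"; want_reboot="$3"; retry_delay="${4:-0}"
    [ "$enabled" = "0" ] && { echo skip; return 0; }
    if $probe; then echo ok; return 0; fi
    # a single failed probe is tolerated; only a second failure triggers action
    sleep "$retry_delay"
    if $probe; then echo ok; return 0; fi
    if [ -n "$want_reboot" ]; then echo reboot; else echo restart; fi
}

# Stand-alone run with probes that always fail / always succeed.
echo "tunnel: $(tun_from_conf "$SAMPLE_CONF")"
echo "client disabled:      $(watchdog_pass false 0)"
echo "tunnel answers:       $(watchdog_pass true 1)"
echo "tunnel down, restart: $(watchdog_pass false 1)"
echo "tunnel down, reboot:  $(watchdog_pass false 1 yes)"
```

On the router the action strings map to `restart_f openvpn` and `reboot`; keeping the decision separate from the action is what makes the logic testable, and it is also where a log line belongs so that syslog shows why the client was restarted.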
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Tue Nov 05, 2019 12:24
for future use
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 13:40
Dear egc,

so I am on WAP mode have OVPN router and client up and running. Archer C9 on built 41418.


Can I just put your code "unchanged" in my DD-WRT startup and it will work for restarting the VPN client cause reboot is commented?
I guess I need to adjust the target IP, but which is the right IP to use here?
Edit: I use 192.168.2.2/24 as PBR rule because 192.168.2.2 is the local IP of my DD-WRT WAP router. Hope this doesn't disturb that script.

#=======BEGIN vpn-pbr-watchdog=========
sleep=30
SCRIPT="/tmp/vpn-pbr-watchdog.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
SLEEP=300 # time (in secs) between each pass, do not set lower than 180 this gives you the ability to login and remove script from startup
#DEBUG= # uncomment/comment to enable/disable debug mode
#REBOOT= # uncomment to Reboot, comment this line to only restart OpenVPN Client
PINGIP="8.8.8.8" # Target IP to ping to

[ ${DEBUG+x} ] && set -x
logger "Start $(basename $0)"
TUN=$(cat /tmp/openvpncl/openvpn.conf | grep "dev " | cut -d " " -f 2) 2>/dev/null # name of OVPN client tunnel interface (default is tun1)
[ -z $TUN ] && TUN=tun1
while sleep $SLEEP; do
logger "sleep $SLEEP $(basename $0)"
# quit if OpenVPN client has been disabled
[ "$(nvram get openvpncl_enable)" == "0" ] && break
while ! ping -qc1 -W6 -n $PINGIP -I $TUN > /dev/null; do
logger "$(basename $0) $TUN down, Reboot or Restart of OVPN Client will be executed"
sleep 15
[ ${REBOOT+1} ] && reboot || restart_f openvpn
break
done
done
)2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn-pbr-watchdog=========


Last edited by boris03 on Wed Nov 06, 2019 14:37; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Wed Nov 06, 2019 14:36
Yes a WAP has its default via br0 and not via the tun1 interface so I do not think the DDWRT watchdog will work, so yes you also need one of the above solutions.

You can just use the script as is, it will only restart the OVPN client and not reboot as it is.
The target ip 8.8.8.8 is Google and is the most used so just leave it.

This is not tested on a WAP so let me know if it works.

When you add this to startup, a script will be created: /tmp/vpn-pbr-watchdog.sh

You can check if it is created by telnetting into your router and do:
Code:
cat /tmp/vpn-pbr-watchdog.sh

You can check if the script runs by telnetting into your router and do:
Code:
ps


The script also writes every 300 seconds into your syslog:
Nov 6 14:42:40 R7800 user.notice root: sleep 300 vpn-pbr-watchdog.sh

when you telnet into your router and do:
Code:
grep vpn-pbr /var/log/messages

You see everything the script is doing, including restarts (assuming you have Syslog turned on under Services/System Log).

If the script is not doing what you want, edit the startup and remove the "#" before DEBUG, which enables debug mode.
Then send output of:
Code:
grep vpn-pbr /var/log/messages


If you want to trigger a VPN connect you can telnet into your router and do:
Code:
iptables -I OUTPUT -o tun1 -j REJECT
This will block tun1 (the OVPN client's interface).
When you see it is working you either have to reboot the router or delete the rule with:
Code:
iptables -D OUTPUT -o tun1 -j REJECT


Pulling the network cable should also work :)



Last edited by egc on Wed Nov 06, 2019 15:58; edited 2 times in total
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 15:05
I think it is running - when I ps it shows now:

1479 root /bin/sh /tmp/vpn-pbr-watchdog.sh
1480 root /bin/sh /tmp/vpn-pbr-watchdog.sh
1481 root logger -t vpn-pbr-watchdog.sh[1479]
1489 root sleep 300
1495 root dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -p 22
1497 root -sh
1575 root ps

grep vpn-pbr /var/log/messages
shows just nothing; I was waiting more than 5 min.
Will it only work when I remove the # before Debug?

And now when I want to test I just use
"iptables -I OUTPUT -o tun1 -j REJECT"
to stop the OVPN client and wait until the script tries to restart?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Wed Nov 06, 2019 15:16
boris03 wrote:
I think it is running - when I ps it shows now:

1479 root /bin/sh /tmp/vpn-pbr-watchdog.sh
1480 root /bin/sh /tmp/vpn-pbr-watchdog.sh
1481 root logger -t vpn-pbr-watchdog.sh[1479]
1489 root sleep 300
1495 root dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -p 22
1497 root -sh
1575 root ps

grep vpn-pbr /var/log/messages
shows just nothing; I was waiting more than 5 min.
Will it only work when I remove the # before Debug?

And now when I want to test I just use
"iptables -I OUTPUT -o tun1 -j REJECT"
to stop the OVPN client and wait until the script tries to restart?


Yes it runs :)

grep vpn-pbr /var/log/messages should show the script reporting also without DEBUG turned on
Have a look at the GUI: Status/syslog (maybe you have syslog not turned on? You can turn it on on Services page under System log)

The iptables rule should trigger a restart (I hope, not tested on a WAP)

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 15:33
root@DD-WRT:~# grep vpn-pbr /var/log/messages
Nov 6 16:24:56 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
root@DD-WRT:~# iptables -I OUTPUT -o tun1 -j REJECT
root@DD-WRT:~# grep vpn-pbr /var/log/messages
Nov 6 16:24:56 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
root@DD-WRT:~#

But I couldn't notice a restart; when I check in status it still says Connected SUCCESS.

The log is more than ugly, this is just the last page:

Nov 6 16:30:12 DD-WRT daemon.warn openvpn[3740]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1412)
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: TCP/UDP: Preserving recently used remote address: [AF_INET]84.17.49.142:443
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: UDPv4 link local: (not bound)
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: UDPv4 link remote: [AF_INET]84.17.49.142:443
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: TLS: Initial packet from [AF_INET]84.17.49.142:443, sid=e5244601 374ba70f
Nov 6 16:30:12 DD-WRT daemon.warn openvpn[3740]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: VERIFY OK: depth=0, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost VPN Server Node frankfurt-s07, emailAddress=info@cyberghost.ro
Nov 6 16:30:12 DD-WRT daemon.warn openvpn[3740]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1486', remote='link-mtu 1574'
Nov 6 16:30:12 DD-WRT daemon.warn openvpn[3740]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1412', remote='tun-mtu 1500'
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Nov 6 16:30:12 DD-WRT daemon.notice openvpn[3740]: [CyberGhost VPN Server Node frankfurt-s07] Peer Connection Initiated with [AF_INET]84.17.49.142:443
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: SENT CONTROL [CyberGhost VPN Server Node frankfurt-s07]: 'PUSH_REQUEST' (status=1)
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,comp-lzo no,redirect-gateway def1,dhcp-option DNS 185.93.180.131,dhcp-option DNS 194.187.251.67,dhcp-option DNS 38.132.106.139,route 10.233.200.1,to
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Pushed option removed by filter: 'redirect-gateway def1'
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: NOTE: --mute triggered...
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: 2 variation(s) on previous 3 message(s) suppressed by --mute
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: OPTIONS IMPORT: route options modified
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: NOTE: --mute triggered...
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: 3 variation(s) on previous 3 message(s) suppressed by --mute
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: TUN/TAP device tun1 opened
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: TUN/TAP TX queue length set to 100
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: /sbin/ifconfig tun1 10.233.203.182 pointopoint 10.233.203.181 mtu 1412
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: /sbin/route add -net 84.17.49.142 netmask 255.255.255.255 gw 192.168.2.1
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: /sbin/route add -net 10.233.200.1 netmask 255.255.255.255 gw 10.233.203.181
Nov 6 16:30:13 DD-WRT daemon.notice openvpn[3740]: Initialization Sequence Completed
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Wed Nov 06, 2019 15:57
you can always pull the network cable to test
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 16:10
Now I see that every 5 minutes it tries to do something; does it tell you something?
But the OVPN client is connected, maybe it doesn't read it correctly?

The network cable I will try now.

Nov 6 16:50:57 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 16:50:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 16:50:57 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 16:56:12 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 16:56:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 16:56:12 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 17:01:27 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 17:01:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 17:01:27 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 17:06:42 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 17:06:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 17:06:42 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
root@DD-WRT:~#
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 16:15
So I just unplugged and plugged in the network cable.
The VPN client is connected again; was it the script or is this standard functionality?

this is the log for the two minutes

Nov 6 17:11:57 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 17:11:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 17:11:57 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 17:12:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 17:12:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 17:12:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4377
Location: Netherlands

Posted: Wed Nov 06, 2019 16:18
boris03 wrote:
Now I see that every 5 minutes it tries to do something; does it tell you something?
But the OVPN client is connected, maybe it doesn't read it correctly?

The network cable I will try now.

Nov 6 16:50:57 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 16:50:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 16:50:57 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 16:51:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 16:56:12 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 16:56:12 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 16:56:12 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 16:56:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 17:01:27 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 17:01:27 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 17:01:27 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 17:01:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
Nov 6 17:06:42 DD-WRT user.notice root: sleep 300 vpn-pbr-watchdog.sh
Nov 6 17:06:42 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: ping: sendto: Operation not permitted
Nov 6 17:06:42 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) successfully stopped
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: Sorry, rule does not exist.
Nov 6 17:06:57 DD-WRT user.notice vpn-pbr-watchdog.sh[1479]: openvpn : OpenVPN daemon (Client) starting/restarting...
root@DD-WRT:~#


Yes it tells you the OVPN client is restarting:

Nov 6 17:06:42 DD-WRT user.notice root: vpn-pbr-watchdog.sh tun1 down, Reboot or Restart of OVPN Client will be executed

You can also see on the OVPN status page the time the OVPN client (re)started

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

Posted: Wed Nov 06, 2019 16:31
You are the man:-)

So it works - Proof of concept for you working also on WAP routers, and I leave it like it is!


The only thing that would be great for other dummy users like me is if you could include it in the Web GUI with two flags, for restart and for reboot.