multiple VPN configurations... or fast switching?

DD-WRT Forum Forum Index -> Advanced Networking
DD-WRT Novice

Joined: 02 Jan 2020
Posts: 1

PostPosted: Thu Jan 02, 2020 20:03    Post subject: multiple VPN configurations... or fast switching?
I have NordVPN configured on DD-WRT v3.0-r33435M kongac (10/08/17) ... main use is to route Apple TV traffic to different countries when using TV viewing apps.

It's a hassle for the family to log in to change the country via the OpenVPN Client Server IP/Name to switch countries.

Is there a fast way to do this? Thanks

Joined: 02 May 2008
Posts: 1547
Location: Canada

PostPosted: Wed Jan 08, 2020 16:53    Post subject:
If there is a will there is a way...

The simplest is to have a dedicated router for each VPN Connection with its own WiFi Channel.

There are ways to run more than one VPN on one router but that requires custom scripting with mapped VAPs to each VPN connection which I'm not getting into.

Home Network on Telus PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway WiFi 3xWireGuard - DDWRT r43904 Std
WHR-HP-G54 - Internal Routing - DDWRT r35531 std-special
2x E3000 - Gateway Wired IPTV - DDWRT r35652 Mega
E3000 - TRAVEL Wireless Client WireGuard(+20Mbit/s) - DDWRT r43904 Mega

Off Site 1

R7000 - Gateway, WiFi & WireGuard - DDWRT r43652 Std
WRT610Nv1 - Client Bridge - DDWRT r33679 Mega K2.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r43217 Std
E2000 - Wired PVR Blocker - DDWRT r35531

YAMon 3.4.6 | DNSCrypt-Proxy V2

Joined: 04 Aug 2018
Posts: 861
Location: Appalachian mountains, USA

PostPosted: Wed Jan 08, 2020 18:39    Post subject:
Yeah. Scripting.

If you are on a linux box that has ssh access to dd-wrt without a passphrase (or with ssh-agent in place to handle the passphrase for you), in your .bashrc file add two function definitions.

The first:
Router(){ ssh -p 22 root@ "$1"; }

where of course you should substitute your router's IP if it is not the default. Change the default sshd port from the default 22 if you use a different one. You can just do Router in your linux-box bash shell (terminal) to open the usual dd-wrt CLI, or you can do, for example, Router 'pwd; ls' to run commands, here pwd and ls, remotely in dd-wrt.

The second:
ChangeVPN(){ Router "cd /tmp/openvpncl/
  sed -i.last '/^remote /s/ \([^ ]*\) / $1 /' openvpn.conf
  killall -HUP openvpn"; }

Then in a bash window (a terminal window) on that linux computer (not the router!), you can do ChangeVPN to change to NordVPN server. If you instead include in .bashrc this alternate version of that function definition
ChangeVPN(){ Router "cd /tmp/openvpncl/
  sed -i.last '/^remote /{s/ \([^ ]*\) / $1 /;
  }' openvpn.conf; killall -HUP openvpn"; }

you can, for example, do ChangeVPN Chicago to change to the Chicago server IP indicated. Include as many of these s/Chicago/; sorts of lines in the function as you like, within reason. (There are limits, but you certainly could use more than three.) Note though that there is no error checking here. It's really basic. You could also have a third function
LastVPN(){ Router "cd /tmp/openvpncl/
  mv openvpn.conf.last openvpn.conf; killall -HUP openvpn"; }

so that you can do LastVPN in the terminal to get back to the last server you had configured.

Edit: Ignore this paragraph. This does not work, because when openvpn is trying over and over to connect to a nonexistent server, it ignores the HUP signal these send to try and restart it. More later. If you accidentally do something like ChangeVPN Chicaago, and so end up with no running vpn at all because you created a remote... line in the config with no IP address in it, you should be able to recover with either ChangeVPN Chicago or LastVPN

All this should work fine using a Mac terminal window as well though I haven't tried it. (When creating the key files for ssh using ssh-keygen, allow it to store the passphrase in the keychain.) I suppose there may be a way to use Windows' subsystem for linux to do something like this in Windows, that's way over my head. This is Unix code. linux is a simple Unix system. A Mac is Unix plus extras. Unix is simple. Windows is just a hot, hairy mess, and it's way over my head to do much of anything in it.

I mostly tested here just now, as I cobbled it up. But it was quick. I don't have enough experience with it to say for sure that there aren't snags. Caveat hackor.

And oh yes, those vpn-server IPs were actual NordVPN IPs in those locations as of sometime in November.

Five Linksys WRT1900ACSv2's on 42926, 43904:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.

Joined: 20 Oct 2018
Posts: 85

PostPosted: Sun Jan 12, 2020 0:21    Post subject:
Nice sed solution.

Running multiple openvpns should not be hard either.

Joined: 04 Aug 2018
Posts: 861
Location: Appalachian mountains, USA

PostPosted: Tue Jan 14, 2020 16:29    Post subject:
If you are iPhone users running iOS 13 or later, you can also set up a Shortcut on an iPhone using the new "Run script over SSH" action. A blow-by-blow how-to would be involved, but if you have already figured out how to use Shortcut to do simple things (if not, do some online looking for examples), this one is not bad to add.

What you need is a "Dictionary" action, with the dictionary comprising text entries with locations as 1st-column keys and IP addresses in the 2nd column. Then use a "Choose from List" action with "Dictionary" chosen as the particular list to use. Finally a "Run script over SSH" action with this script:
cd /tmp/openvpncl/
sed -Ei.last "/^remote /s/ ([^ ]*) / <VARIABLE> /" openvpn.conf \
&& killall -HUP openvpn
Take care here to note that ([^ ]*) and <VARIABLE> each have a space on either side. Most importantly <VARIABLE> here is NOT intended to represent that actual string of text. Instead here it is my stand-in for you pushing the button at that spot, when you set this up, to insert the variable the scripting system carries over from the previous step. This variable will hold the IP address of your choice of server. You can rename the variable if you wish. Here I call it IP address.

In setting up the SSH step, be sure to enter root as User, as the grayed-out "root" there is not an entry so much as it is an example. There is no default. Port 22 is the default ssh port, so use that unless you have changed it in dd-wrt. Host should be set to or whatever you have used for your router IP. For Authentication select SSH Key, and under the SSH Key entry that then becomes available, choose RSA and select a length of 2048 bits.

As you are setting up the key, you'll have a chance to "share" the SSH public key. Somehow you'll need to add that shared line to the Authorized Keys window in the Secure Shell section near the end of the Services>Services page of the dd-wrt GUI. I found getting that key from my phone to my laptop where I could enter it into dd-wrt to be the trickiest part, but the details of how to do this are going to be so system dependent that I have to leave that to you to work out. Think it through. It's a public key so not as critical as a private one, but still I rejected the idea of putting it in an email to myself. I ended up using Signal.

In principle, once you have this working on one phone you can share it to another, but Apple's fine print says that when you use Shortcut sharing, you are giving them permission to appropriate your shortcut and do whatever they want with it. So personally I won't share.

If Shortcut scripting using internal variables is new to you, try first using this instead of the script above:
echo "The variable is <VARIABLE>" >test
and then ssh in and look at file test (in root's default directory of /tmp/root) just to make sure you have the dictionary thing and dealing with the variable all worked out.

I really find this the ultimate solution for changing servers on the fly. It's something that, once set up, anyone in the family can use to change the server at any time.

Five Linksys WRT1900ACSv2's on 42926, 43904:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.
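A stricter version of the server-switch step used in the sed function above and in the Shortcut script, added here as an example that is not code from either post: it validates the address before it is interpolated into the sed expression, checks the rewritten remote line, and rolls back to the .last copy if the edit went wrong (the no-IP situation the edit note above describes). It works on a local copy of openvpn.conf so it can be tested offline; on the router you would call change_remote through the Router wrapper and follow it with killall -HUP openvpn. The location table and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```sh
# Added example (not from the thread): a stricter version of the server-switch
# step the posts above run on the router, operating on a local openvpn.conf copy.

# Constructed sample config; 203.0.113.10 is a documentation address, not a server.
make_sample_conf() {
  printf 'client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n' > "$1"
}

# Print the host field of the active "remote" line.
current_remote() {
  sed -n 's/^remote \([^ ]*\) .*/\1/p' "$1"
}

# Accept only a dotted-quad IPv4 address (octets 0-255); a typo such as
# "Chicaago" or a string carrying sed/shell metacharacters never reaches sed.
valid_ipv4() {
  echo "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Constructed name->address table standing in for the Shortcut dictionary.
lookup_server() {
  case "$1" in
    chicago) echo 198.51.100.7 ;;
    london)  echo 198.51.100.8 ;;
    *)       return 1 ;;
  esac
}

# Replace the host field of the "remote" line in config $1 with address $2,
# keeping a .last backup like the thread's sed -i.last. The result is verified
# and rolled back on failure, so openvpn is never left with no server to reach.
# Returns 0 on success, 1 on rejected input, 2 on a failed (rolled back) edit.
change_remote() {
  conf="$1"; ip="$2"
  valid_ipv4 "$ip" || return 1
  cp "$conf" "$conf.last" || return 2
  sed "/^remote /s/ [^ ]* / $ip /" "$conf.last" > "$conf" || { cp "$conf.last" "$conf"; return 2; }
  if ! grep -Eq "^remote $ip [0-9]+$" "$conf"; then
    cp "$conf.last" "$conf"
    return 2
  fi
  return 0
}

# Switch by location name, as the dictionary-driven Shortcut does.
change_by_name() {
  ip=$(lookup_server "$2") || return 1
  change_remote "$1" "$ip"
}
```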

Joined: 01 Oct 2017
Posts: 312
Location: Earth

PostPosted: Sat Jan 18, 2020 9:47    Post subject:
What router?
I know this may not be what you're asking if you're wanting to do this with DDWRT, but with Asus Merlin firmware you can have quite a few OpenVPN clients running at once, 5 maybe, can't remember off the top of my head.
Depending on if you use PBR or not you could simply stop, say, your UK server and start USA, Germany etc. etc. by a simple on/off click.
This firmware has been ported but can mess up the CFE on the R7000; maybe worth looking at Voxel's firmware for the R7800.