Posted: Sun Sep 18, 2022 2:50 Post subject: [SOLVED]Restart OpenVPN client when disconnected on WAP
Hello,
Following my topic Not all traffic goes through VPN Client on DD-WRT AP, I solved my problem and now everything goes through the VPN (provided I choose an IP manually and define router C as a gateway on the clients, of course). I now have another problem that I would like to solve.
When I previously used my router as a gateway with an OpenVPN client, I had few disconnects, and when that happened, the connection would automatically hang before the router restarted until the server responded again.
To do this, I had this line in the Firewall commands iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -m state --state NEW -j REJECT, and I had activated the Watchdog with a 360 second interval by pointing to my VPN's first DNS server in the Keep Alive tab of the Administration menu.
I would like to get the same result.
According to the DDWRT OpenVPN Client Setup guide by egc, I have this line in the Firewall commands iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr).
I have the Killswitch box checked in the OpenVPN client, as well as the Watchdog activated with the IP of the first DNS server of my VPN and a Ping Timeout of 30.
But the expected result is not there: when the VPN connection is lost, the clients no longer have access to the Internet, but when the VPN connection comes back (which does not always seem to be the case), the clients do not regain their internet access unless I restart the router.
The router is connected LAN-LAN to the main router, and it is set according to the chapter OpenVPN Client on a Wireless Access Point (WAP), page 12 of the DDWRT OpenVPN Client Setup guide by egc, as follows:
Quote:
OpenVPN Client on a Wireless Access Point (WAP)
Set up as a WAP to recap (do no more and no less!) on Setup page:
• Disable WAN
• Set Local IP Address inside scope of primary router e.g. if primary router is 192.168.1.1 set WAP as 192.168.1.2 / 24
• Set Gateway and Local DNS to the primary router
• DHCP off
• Leave DNSMasq on
• Leave the router in Gateway mode do not use Router mode!
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre)
Make sure to add the following rule to Administration/Commands and Save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
But the kill switch works, my NAS sends me a notification when the VPN connection does not work anymore, the problem is that it does not find the connection when the VPN works again without me restarting the router.
Joined: 18 Mar 2014 Posts: 12813 Location: Netherlands
Posted: Mon Sep 19, 2022 9:18 Post subject:
First about the VPN settings: most providers do not have optimal settings for DDWRT and sometimes they are even outright wrong.
You do normally not need anything in the Additional config as outlined in the Client setup guide.
However I do not think that this is your problem as the VPN seems to operate.
When a VPN server is busy, VPN providers have a habit of kicking users off; when the watchdog tries to reconnect to the server, it can still be busy (or down for maintenance), so to make sure you can connect to your VPN provider you have to add more addresses of VPN servers so that your VPN client can/will try different VPN servers. The GUI has settings for this.
Normally the killswitch does not work on a WAP (as PYB already noted), you have to add that manually as outlined in the guide.
The fact that you do not have internet access when the VPN is not working might indicate problems in your setup (and I mean the setup of your LAN clients).
You first have to research if the problem is the VPN client which does not reconnect or your clients which do not reconnect to your router or if they reconnect it might be a DNS problem of your clients.
So trigger the VPN watchdog, I use 8.8.8.8 as watchdog IP:
iptables -I OUTPUT -d 8.8.8.8 -j DROP
This rule will block 8.8.8.8 so the watchdog should be triggered.
You can see if the rule is hit with:
iptables -vnL OUTPUT
You see the packet counter increased
After the VPN has been restarted again (you can view the process with: grep -i openvpn /var/log/messages)
Remove the block rule:
iptables -D OUTPUT -d 8.8.8.8 -j DROP
Now check if the VPN is up and connected from Status/OpenVPN
You can check if the router itself uses the VPN with:
traceroute 8.8.8.8
You should see the VPN being used
If this works the problem is your client.
From the client (if it is Windows) you can also do from a command prompt:
tracert 8.8.8.8
If this works but you do not have internet your DNS settings are the problem.
I am traveling and have a travel router with me which I use with VPN (mostly WireGuard but it also has OpenVPN) to connect to my home, I set it up as a WAP with OpenVPN just as you did and after a simulated restart of the VPN client my LAN client had no problem reconnecting
If you cannot find the problem there is also the possibility that the watchdog restarts the whole router instead of only restarting the VPN Client, also described in the Client setup guide, but normally that is not necessary and not desirable as it will stop all traffic during the boot process
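egc's drill above (block the watchdog IP, watch the rule counter, lift the block, look at the OpenVPN log, check the kill switch and resolv.dnsmasq), written out as a script; this is an added example, not code from the thread or from egc's guides. The parsing of iptables/log output, the br0 kill-switch check and every sample line are my own assumptions and constructed data, not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the thread or egc's guide: egc's watchdog drill as a
# script plus checks on what it inspects. Assumes DD-WRT busybox sh, 8.8.8.8 as
# the watchdog IP (egc's choice) and OpenVPN logging to /var/log/messages.
WATCHDOG_IP="${WATCHDOG_IP:-8.8.8.8}"
# Constructed samples (not captured from a real router) to try the checks without
# root: `iptables -vnL OUTPUT` after the block rule dropped 7 pings, and a log excerpt.
SAMPLE_OUTPUT_CHAIN='Chain OUTPUT (policy ACCEPT 1201 packets, 99K bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 DROP       all  --  *      *       0.0.0.0/0            8.8.8.8'
SAMPLE_LOG='Sep 20 10:51:40 router daemon.notice openvpn[1234]: Initialization Sequence Completed
Sep 20 10:58:02 router daemon.notice openvpn[1234]: Inactivity timeout (--ping-restart), restarting
Sep 20 10:58:10 router daemon.notice openvpn[1234]: Initialization Sequence Completed'

# Packet counter of the first DROP rule for destination $1 in `iptables -vnL <chain>`
# output on stdin; prints 0 when no such rule exists.
drop_rule_hits() {
    awk -v ip="$1" '$3 == "DROP" && $9 == ip && !found { print $1; found = 1 }
                    END { if (!found) print 0 }'
}
# Completed OpenVPN (re)connections in log text on stdin: the line egc's
# `grep -i openvpn /var/log/messages` shows once per successful start.
openvpn_restarts() { grep -c 'Initialization Sequence Completed' || true; }
# Kill switch still in place? True when `iptables -vnL FORWARD` (stdin) holds a
# REJECT or DROP rule with br0 as input interface, the shape of the OP's manual
# rule; egc explains a firewall restart on a WAP silently removes it.
killswitch_present() {
    awk '($3 == "REJECT" || $3 == "DROP") && $6 == "br0" { hit = 1 } END { exit !hit }'
}
# Does /tmp/resolv.dnsmasq (stdin) list only the pushed VPN DNS server $1?
# A leftover main-router resolver means lookups can still bypass the tunnel.
dnsmasq_uses_only() {
    awk -v dns="$1" '$1 == "nameserver" { n++; if ($2 != dns) bad = 1 }
                     END { exit !(n > 0 && !bad) }'
}

# The drill itself needs root and iptables, so it only runs with --run.
watchdog_drill() {
    iptables -I OUTPUT -d "$WATCHDOG_IP" -j DROP               # egc's block rule
    echo "blocking $WATCHDOG_IP, waiting for the watchdog ping timeout"
    sleep "${PING_TIMEOUT:-60}"
    echo "block rule hits: $(iptables -vnL OUTPUT | drop_rule_hits "$WATCHDOG_IP")"
    iptables -D OUTPUT -d "$WATCHDOG_IP" -j DROP               # lift the block again
    echo "completed OpenVPN starts: $(openvpn_restarts < /var/log/messages)"
    iptables -vnL FORWARD | killswitch_present && echo "kill switch present" || echo "kill switch MISSING"
    dns=$(awk '$1 == "nameserver" { print $2; exit }' /tmp/resolv.dnsmasq)
    dnsmasq_uses_only "$dns" < /tmp/resolv.dnsmasq && echo "DNSMasq uses only $dns" || echo "extra resolvers in resolv.dnsmasq"
    traceroute -n "$WATCHDOG_IP"                               # first hop should be the tunnel
}
if [ "${1:-}" = "--run" ]; then watchdog_drill; fi
```

Run it on the WAP as `sh drill.sh --run`; without `--run` it only defines the functions, so the checks can be tried against the constructed samples first.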
I performed your test, according to your indications the problem would be the DNS settings. I do not understand why.
On my main router I have the following DNS 91.239.100.100 and 89.233.43.71 from UncensoredDNS.
My WAP router (with OpenVPN) has the main router address as the gateway, the same for the Local DNS.
On my various clients, the IP address is set manually in accordance with the one reserved via MAC address on the main router, I define the WAP router as gateway, and I set the DNS servers indicated by my VPN here, i.e. 10.0.254.2 and 198.245.51.147 in my case.
Posted: Tue Sep 20, 2022 8:49 Post subject:
The instructions, like almost all instructions, are not "optimal".
The only items you can use in the additional config are:
resolv-retry infinite
keepalive 10 60
The others are redundant
Their DNS instructions are outright wrong.
But you have used your own DNS servers for the main router and set the WAP to the Main router so that is OK.
For your clients which you point to the WAP you also have to point the DNS to the WAP.
If the VPN is not working then the WAP points to the main router, so without the VPN you effectively use the main router (and now we have the explanation why you do not have internet access without VPN even if the killswitch is not working: it is the DNS).
But when the VPN is working the VPN provider usually pushes the VPN DNS server to the WAP and the WAP will start using the VPN DNS server and thus your connected clients will use the VPN DNS server.
So basically the whole process is designed to automatically switch to the VPN DNS server when the VPN is activated.
In the OpenVPN Status you should be able to see if the VPN DNS server is pushed and with ipleak.net you can check it on your clients.
This is from my own VPN client:
Quote:
0220920 10:51:40 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway dhcp-option DNS 8.8.4.4 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.8.0.2 255.255.255.0
DNS server 8.8.4.4 is pushed and then used by my clients
egc wrote:
The instructions, like almost all instructions, are not "optimal".
The only items you can use in the additional config are:
resolv-retry infinite
keepalive 10 60
The others are redundant
I have defined the additional config as you recommend.
egc wrote:
Their DNS instructions are outright wrong.
But you have used your own DNS servers for the main router and set the WAP to the Main router so that is OK.
For your clients which you point to the WAP you also have to point the DNS to the WAP.
If the VPN is not working then the WAP points to the main router, so without the VPN you effectively use the main router (and now we have the explanation why you do not have internet access without VPN even if the killswitch is not working: it is the DNS).
But when the VPN is working the VPN provider usually pushes the VPN DNS server to the WAP and the WAP will start using the VPN DNS server and thus your connected clients will use the VPN DNS server.
So basically the whole process is designed to automatically switch to the VPN DNS server when the VPN is activated.
There must be a misunderstanding from one of us:
When the VPN is unavailable or the OpenVPN client is not started, I'm happy not to have internet, and I don't want traffic to go through the main router instead.
In this case, the setting of my clients as specified is not correct?
My problem is that once the VPN is reconnected, I don't have internet (through VPN) on my clients until I restart the WAP router.
egc wrote:
In the OpenVPN Status you should be able to see if the VPN DNS server is pushed and with ipleak.net you can check it on your clients.
This is from my own VPN client:
Quote:
0220920 10:51:40 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway dhcp-option DNS 8.8.4.4 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.8.0.2 255.255.255.0
DNS server 8.8.4.4 is pushed and then used by my clients
If the VPN provider does not push a DNS server you can add one manually in the OpenVPN additional config.
I checked and my VPN client is pushing a DNS server.
On the other hand, I hadn't thought of doing a test with ipleak.net before, and I found that I don't have any leaks with certain devices (iPad for example), but that I have some with others (Android Smartphone).
I read your DDWRT VPN and DNS guide, and I tried the first two points of the chapter "Stopping rogue clients"; it doesn't solve the problem.
Can we force the VPN tunnel to exclusively use the DNS pushed by the VPN and/or those added by ourselves in the additional config?
After various tests, and despite your statements, it seems that the problem lies with the Killswitch checkbox in the OpenVPN client configuration.
When the checkbox is checked, from the moment there was a disconnection from the VPN, the client no longer has a connection, even if the VPN reconnects. (And I set the DNS on the client to the IP address of the WAP router as you recommend.)
When the checkbox is unchecked, the client remains connected, but the problem that then arises is that if the VPN fails to reconnect, the client is connected to the net without VPN.
egc wrote:
DNSmasq should exclusively use the pushed DNS server.
You can check with: cat /tmp/resolv.dnsmasq
After the VPN is up and working it should show the pushed DNS server.
Yes indeed, thank you.
egc wrote:
But of course clients (or web browsers!) might use their own DNS servers instead of using DNSMasq or use IPv6 DNS server, that is sometimes difficult to control.
Apparently, it is Android which gives priority to Google's DNS, all the servers found have as ISP: Google.
Posted: Thu Sep 22, 2022 6:15 Post subject:
Great you solved it, about the DNS, that is why I wrote:
Quote:
But of course clients (or web browsers!) might use their own DNS servers
You can redirect regular DNS on port 53 and block port 853 (DoT) with the settings in the GUI, but blocking DoH on port 443 (used by web browsers) is very difficult (it can be done and is described in the VPN and DNS guide); but you have found that problem and disabled it on the client/web browser.
About the Killswitch, no it does not always work on a WAP you really have to set it manually to be sure. If you are interested why read on.
Note I wrote "not always".
It does work when the watchdog restarts the OpenVPN, but not when the router restarts or when you press Apply in the OpenVPN GUI.
To complicate matters further on older builds it worked when the router restarts and also when you pressed Apply in the OpenVPN GUI but it did not work if the firewall restarts after the VPN is up.
This strange behaviour comes from the fact there are actually two killswitches.
One in the OpenVPN code to make sure that when the OpenVPN is started the killswitch is active, this one works.
The same code is in the Firewall so if the firewall restarts (which removes all existing firewall rules) the killswitch is again activated.
But on a WAP where there is no WAN the firewall does not make FORWARD rules at all and thus the killswitch is not reinstated when the firewall is restarted on a WAP.
As on recent builds the firewall is always restarted together with the OpenVPN when you press apply in the OpenVPN GUI the killswitch is briefly made by the OpenVPN code but then disabled by the restarting Firewall.
Of course not the behaviour we want but it is outlined in the Documentation that you manually need to set the killswitch on a WAP.
So patching this erratic behaviour was not high on my priority list but your post moved it up on the list and a patch is underway but still needs testing and as I am traveling it can take some weeks.
For all of you who make their own builds (unfortunately not many) I attached the patch.