Posted: Sun Sep 13, 2015 23:59 Post subject: how do I restart OpenVPN via commandline?
So I telnet into my router and change some OpenVPN settings. How do I manually restart OpenVPN, including clearing the IP routes first?
I tried these commands and it seems the IP routes weren't cleared. It did work when I restarted OpenVPN via the web admin.
Code:
# /tmp/openvpncl/route-down.sh
# /usr/bin/killall openvpn
# sleep 60    # just to make sure any ports being held onto by OpenVPN have been released
# /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --daemon
You shouldn't need to call route-down.sh explicitly. When you killall openvpn, it sends a signal (SIGTERM) to the service to terminate normally and cleanly, which should result in OpenVPN calling its scripts, including route-down.sh.
And frankly, if you check out those scripts, you’ll find they probably don’t contain any routes anyway. More likely only firewall changes. Most of the routing changes occur dynamically, by OpenVPN, in response to information received from the OpenVPN server (e.g., pushed routes). And as long as OpenVPN server is terminated normally (and that includes killall), it should remove those same routes.
Here's what I use:
Code:
# kill active openvpn client
if killall -q openvpn; then
    # restart dns server (if running)
    if pidof dnsmasq > /dev/null 2>&1; then
        sleep 2; stopservice dnsmasq
        sleep 2; startservice dnsmasq
    fi
    sleep 10
fi
The reason I also restart dnsmasq is that OpenVPN may have altered the DNS path, but doesn't normally reset it when it shuts down (at least that's been my experience). But if I restart dnsmasq, it seems to set things back properly.
Hi eibgrad,
We meet again... I'm still trying to find a way to keep my tunnel up after our last conversation (thread). I think this script is my solution for when the tunnel goes down. Can you please verify that route-down.sh is the place to save the above script? Should I delete the existing firewall rules first?
Thank you!
EDIT: just learned that I need JFFS, which I do not have on this 1043ND router, so I will use USB instead and let you know the outcome.
EDIT2: I think I need to pass your script inside route-down.sh using the Administration->Commands start-up box with "echo" something?? So much to learn, so little time...
My router, although it has ext2.ko present, cannot automount a USB flash drive to make a permanent partition for scripts...
EDIT3: FINALLY, a crude solution but it works nicely. I managed to mount the USB flash ext2 with the new dd-wrt version; the previous one had a mount bug. Now when for any reason my VPN tunnel goes down the "down" script is executed with the following:
This reboots the router, since restarting the openvpn service (killall etc.) gave me fatal errors in the log about the management IP and port still being in use, and then it just quit. It was not a DNS resolve issue, it seems. After the quit there is no reconnection.
A timestamp entry is written to restart.log so I can check how many times a day this is happening.
The reboot takes less than 60 seconds. Everything is up and running afterwards.
Using the USB flash drive I can save my scripts and logs without losing them upon reboot. This 1043ND router has no JFFS since it is using VPN and those two seem to have trouble working together, thus JFFS was removed by the developers (that's what I read at least). Thus a flash disk is required.
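The original question's fixed `sleep 60`, eibgrad's point that a plain `killall` (SIGTERM) lets OpenVPN run its own down scripts, and the "management IP and port still in use" errors reported just above all come down to the same thing: the new OpenVPN instance must not be started until the old one has actually exited and released its management socket. The script below is an added example of mine, not code from any post in this thread. It assumes a BusyBox userland (pidof, killall, netstat, route, logger), DD-WRT's stopservice/startservice helpers, the thread's config path /tmp/openvpncl/openvpn.conf, and that a `management HOST PORT` line is present in that config when the management interface is enabled; function names and the vpnrestart log tag are my own choices.

```shell
#!/bin/sh
# Added example (not from this thread): restart the DD-WRT OpenVPN client
# without guessing a sleep. SIGTERM first so OpenVPN runs its route/down
# scripts, wait for the process to really exit, SIGKILL only as a last
# resort, then confirm the management port from openvpn.conf is free before
# starting a new instance. Assumes BusyBox tools and DD-WRT service helpers.

CONF=${CONF:-/tmp/openvpncl/openvpn.conf}   # thread's config path
TUN=${TUN:-tun1}                             # tun0 or tun1, see Status > Bandwidth
TAG=vpnrestart                               # syslog tag (my choice)

# Print the port of a "management HOST PORT" line; prints nothing if absent.
mgmt_port() {
    awk '$1 == "management" { print $3; exit }' "$1"
}

# Poll until process PID is gone or TIMEOUT seconds have passed.
# Returns 0 when the process has exited, 1 on timeout.
wait_pid_exit() {
    pid=$1; timeout=$2; waited=0
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Returns 0 while something still listens on TCP port $1 (BusyBox netstat).
mgmt_port_busy() {
    netstat -lnt 2>/dev/null | awk -v p=":$1" '$4 ~ (p "$") { f = 1 } END { exit !f }'
}

# Routes still bound to the tunnel device; should print nothing after shutdown.
stale_tun_routes() {
    route -n 2>/dev/null | awk -v d="$1" '$8 == d'
}

# Stop every openvpn process and wait (up to $1 seconds) for it to exit and
# for its management port to be released. Returns 1 if the port stays busy.
stop_openvpn() {
    timeout=${1:-30}
    pids=$(pidof openvpn) || return 0          # nothing to stop
    kill -TERM $pids 2>/dev/null               # normal shutdown, runs down scripts
    for p in $pids; do
        if ! wait_pid_exit "$p" "$timeout"; then
            logger -t "$TAG" "openvpn pid $p ignored SIGTERM, sending SIGKILL"
            kill -KILL "$p" 2>/dev/null
            wait_pid_exit "$p" 5
        fi
    done
    port=$(mgmt_port "$CONF")
    [ -n "$port" ] || return 0                 # no management interface configured
    waited=0
    while mgmt_port_busy "$port"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

restart_openvpn() {
    if ! stop_openvpn 30; then
        logger -t "$TAG" "management port still in use after 30s, not restarting"
        return 1
    fi
    left=$(stale_tun_routes "$TUN")
    [ -z "$left" ] || logger -t "$TAG" "routes still on $TUN after shutdown: $left"
    # OpenVPN may have changed the DNS path and not restored it; restarting
    # dnsmasq puts it back (same idea as eibgrad's snippet above).
    if pidof dnsmasq >/dev/null 2>&1; then
        stopservice dnsmasq; sleep 2
        startservice dnsmasq; sleep 2
    fi
    openvpn --config "$CONF" --daemon
}

# Usage: sh restart-openvpn.sh run   (the functions alone do nothing)
if [ "${1:-}" = run ]; then
    restart_openvpn
fi
```

If the management port never frees up, the script logs and refuses to start a second instance rather than producing the "port still in use" fatal error followed by a silent exit; that is the case where a reboot, as the poster above ended up doing, is the only remaining option.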
This will ping Google from the tunnel (may be tun1 or tun0), and if it fails it will restart the service.
If it works, it will do nothing.
To check if you're using tun1 or tun0 go to "Status" then "Bandwidth" and you'll see all your connections and their nicknames, such as eth0 and tun1.
You can set the beginning to perform more than hourly checks.
The first digit is minutes. A solid number means that minute exactly, so the 0 above implies on the hour.
The */1 means every hour. If you do 1 it will only do it at 1 am. A */2 will imply every 2 hours. Some examples:
*/10 * * * * will perform it every ten minutes.
* */2 * * * will perform it every minute of every even hour of the day.
0 * * * * is just as good as 0 */1 * * * but I like to know what I'm setting. */1 is equal to *.
crontab.guru has tons of examples if you want more knowledge.
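A watchdog line that fires more often than intended (or never) is easy to write and hard to notice on a router with no mail. The following is an added example of mine, not code from any post in this thread: a small dry-run evaluator for five-field cron schedules that implements exactly the rules described above (`*`, `*/n`, a plain number, and also `a-b` ranges and comma lists), so a schedule can be checked on a workstation or the router before it goes into DD-WRT's cron. Month and weekday names, and cron's rule that a restricted day-of-month and a restricted day-of-week are OR'ed, are deliberately not implemented; the function names are mine.

```shell
#!/bin/sh
# Added example (not from this thread): evaluate five-field cron schedules.
# Numeric fields only: "*", "*/n", "a", "a-b", "a-b/n" and comma lists.
set -f   # schedules contain "*"; never let the shell glob them

# cron_field_matches FIELD VALUE MIN
# MIN is the field's lowest legal value (0 for minute/hour/dow, 1 for
# dom/month); "*/n" counts from it, so "*/2" in the day-of-month field
# means 1,3,5,... while in the hour field it means 0,2,4,...
# Returns 0 on match, 1 on no match, 2 on a malformed step.
cron_field_matches() {
    local field="$1" value="$2" min="$3" rest part step lo hi
    rest="$field,"
    while [ -n "$rest" ]; do
        part=${rest%%,*}                 # next comma-separated item
        rest=${rest#*,}
        step=1
        case $part in
            */*) step=${part#*/}; part=${part%%/*} ;;
        esac
        [ "$step" -gt 0 ] 2>/dev/null || return 2
        case $part in
            '*') lo=$min; hi=$value ;;           # any value, from MIN upwards
            *-*) lo=${part%-*}; hi=${part#*-} ;; # inclusive range
            *)   lo=$part; hi=$part ;;           # exact value
        esac
        if [ "$value" -ge "$lo" ] 2>/dev/null && [ "$value" -le "$hi" ] 2>/dev/null \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" minute hour dom month dow
# Returns 0 when the schedule would fire at that instant, 2 if the
# schedule does not have exactly five fields.
cron_matches() {
    local spec="$1" minute="$2" hour="$3" dom="$4" month="$5" dow="$6"
    set -- $spec
    [ $# -eq 5 ] || return 2
    cron_field_matches "$1" "$minute" 0 &&
    cron_field_matches "$2" "$hour"   0 &&
    cron_field_matches "$3" "$dom"    1 &&
    cron_field_matches "$4" "$month"  1 &&
    cron_field_matches "$5" "$dow"    0
}

# fires_per_day SPEC: how many times SPEC fires over one day, taken as
# day-of-month 1, month 1, day-of-week 1 so only the time fields matter.
fires_per_day() {
    local spec="$1" h=0 m count=0
    while [ "$h" -lt 24 ]; do
        m=0
        while [ "$m" -lt 60 ]; do
            if cron_matches "$spec" "$m" "$h" 1 1 1; then
                count=$((count + 1))
            fi
            m=$((m + 1))
        done
        h=$((h + 1))
    done
    echo "$count"
}

# Usage: sh cronchk.sh demo   (prints how often each example schedule fires)
if [ "${1:-}" = demo ]; then
    for s in '*/10 * * * *' '0 * * * *' '0 */1 * * *' '* */2 * * *' '0 1 * * *'; do
        printf '%-16s fires %4d times a day\n' "$s" "$(fires_per_day "$s")"
    done
fi
```

Run with `demo` to see the claims above in numbers: `0 * * * *` and `0 */1 * * *` both fire 24 times a day, `* */2 * * *` fires 720 times (every minute of every even hour), and `0 1 * * *` once. A schedule whose count is 1440 is running every minute, which is the usual surprise when someone meant "every hour" and wrote `* * * * *`.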
Hi eibgrad,
I'm trying to restart my OpenVPN client when the tunnel goes down.
I'm really new to scripting in DD-WRT.
I read that there are several folders where a script can be placed.
Where should I place my script to restart the OpenVPN client?
Jan 19 2022: v1 posted, original single-mode script for OpenVPN monitor.
Jan 19 2022: Edited to reflect V2 of the script. This enables you to embed multiple script modes. In essence, you can put multiple scripts in this and call the mode you need. Solves the problem of "what if I need more than one script..." Currently only one mode supported: openvpnmonitor. Might add an internet connection test with reboot in V3 as I'm not happy with the script that is native to dd-wrt. BTW, this script was inspired by that native internet test and reboot under Administration > Keep Alive > WDS/Connection Watchdog (/etc/config/wdswatchdog.sh).
Jan 20 2022: It took all of 20 minutes this morning to build, test and deploy v3. This adds mode internetmonitor, which tests ping to Google and then reboots after 30 minutes. The difference between this and the similar feature found under Administration > Keep Alive > WDS/Connection Watchdog is that the built-in Keep Alive feature will test ping the target every X specified seconds, e.g. 30 minutes, and then if it fails, retest every 10 seconds, three times, followed by a reboot. But the thing I don't like about this is I think it's better for a script to test every minute and then, if it is down for 30 minutes, perform the reboot. With the built-in feature, the connection test is not beginning the 30 minute timer after the ping target goes down.
Original message follows with the edits to reflect V3.
Here is my contribution on this topic. This will test every 60 seconds and if the far end of the tunnel is down, it will test every 5 minutes for a total of 10 minutes, and if it is still down it will bring things back. This is also helpful in the event that the openvpn PID exits, therefore automating the healing process.
Edit the WDS_WATCHDOG_IPS2 value to reflect the IP address of something on the other end of the tunnel. e.g. far end router IP address.
Code:
#!/bin/sh
# The post did not include the outputlog function the script calls. This
# definition reproduces the syslog format shown in the test output below
# ("<MODE> script: <MESSAGE>").
outputlog() {
    logger -t "$MODE script" "$MESSAGE"
}

MODE="GENERAL INFO"
MESSAGE="JJWatMYSELF's v3(20220120) script, discussion found at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256142#1256142"; outputlog
MESSAGE="Inspired by DD-WRT Administration > Keep Alive > WDS/Connection Watchdog (/etc/config/wdswatchdog.sh), solves some short-comings and extends functions"; outputlog

case $1 in
    openvpnmonitor)
        WDS_WATCHDOG_INTERVAL=60          # seconds between routine pings
        WDS_WATCHDOG_INTERVAL2=300        # seconds between the two re-checks after a failure
        WDS_WATCHDOG_IPS2=192.168.1.254   # host on the far side of the tunnel
        MODE="OpenVPN Monitor"
        MESSAGE="Starting monitor of $WDS_WATCHDOG_IPS2 every $WDS_WATCHDOG_INTERVAL seconds - If it goes down, there will be two evaluation intervals at $WDS_WATCHDOG_INTERVAL2 seconds each, before VPN restart will be triggered"; outputlog
        while sleep $WDS_WATCHDOG_INTERVAL
        do
            for ip in $WDS_WATCHDOG_IPS2
            do
                if ! ping -c 1 $ip > /dev/null 2>&1
                then
                    MESSAGE="ping $ip dropped one, evaluating restart for 1 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
                    sleep $WDS_WATCHDOG_INTERVAL2
                    if ! ping -c 1 $ip > /dev/null 2>&1
                    then
                        MESSAGE="ping $ip dropped two, evaluating restart for 2 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
                        sleep $WDS_WATCHDOG_INTERVAL2
                        if ! ping -c 1 $ip > /dev/null 2>&1
                        then
                            MESSAGE="ping $ip dropped three, evaluation concluded, restart needed"; outputlog
                            /usr/sbin/nvram commit
                            MESSAGE="Killing VPN"; outputlog
                            killall openvpn > /dev/null 2>&1
                            MESSAGE="Restarting DNSMASQ"; outputlog
                            stopservice dnsmasq > /dev/null 2>&1
                            sleep 2
                            startservice dnsmasq > /dev/null 2>&1
                            sleep 2
                            MESSAGE="Starting VPN"; outputlog
                            # --daemon already backgrounds OpenVPN; a trailing "&" would
                            # leave the redirections attached to an empty command
                            openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon > /dev/null 2>&1
                            MESSAGE="exiting evaluation logic and returning to normal monitoring"; outputlog
                        else
                            MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
                        fi
                    else
                        MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
                    fi
                fi
            done
        done
        ;;
    internetmonitor)
        WDS_WATCHDOG_INTERVAL=60          # seconds between routine pings
        WDS_WATCHDOG_INTERVAL2=900        # two of these = 30 minutes before reboot
        WDS_WATCHDOG_IPS2=8.8.8.8
        MODE="Internet Monitor"
        MESSAGE="Starting monitor of $WDS_WATCHDOG_IPS2 every $WDS_WATCHDOG_INTERVAL seconds - If it goes down, there will be two evaluation intervals at $WDS_WATCHDOG_INTERVAL2 seconds each, before REBOOT will be triggered"; outputlog
        while sleep $WDS_WATCHDOG_INTERVAL
        do
            for ip in $WDS_WATCHDOG_IPS2
            do
                if ! ping -c 1 $ip > /dev/null 2>&1
                then
                    MESSAGE="ping $ip dropped one, evaluating restart for 1 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
                    sleep $WDS_WATCHDOG_INTERVAL2
                    if ! ping -c 1 $ip > /dev/null 2>&1
                    then
                        MESSAGE="ping $ip dropped two, evaluating restart for 2 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
                        sleep $WDS_WATCHDOG_INTERVAL2
                        if ! ping -c 1 $ip > /dev/null 2>&1
                        then
                            MESSAGE="ping $ip dropped three, evaluation concluded, reboot needed"; outputlog
                            MESSAGE="Committing unsaved settings to NVRAM"; outputlog
                            /usr/sbin/nvram commit > /dev/null 2>&1
                            MESSAGE="Rebooting router in 10 seconds, hope to see you on the other side of this"; outputlog
                            sleep 10
                            # the posted version logged the reboot but never issued it
                            reboot
                        else
                            MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
                        fi
                    else
                        MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
                    fi
                fi
            done
        done
        ;;
    *)
        MODE="INVALID MODE or mode not specified"
        MESSAGE="Invalid command line param: $1"; outputlog
        MESSAGE="Supported modes are as follows:"; outputlog
        MESSAGE="openvpnmonitor"; outputlog
        MESSAGE="internetmonitor"; outputlog
        ;;
esac
On the web UI, navigate to:
Administration > Commands
Paste the code to the Commands Shell, Commands dialog. Then scroll down and click Save Custom Script.
Scroll down again and confirm you see the custom script from above saved.
Paste the following code to the Commands Shell, Commands dialog. Then scroll down and click Save Startup.
Scroll down again and confirm you see the Startup saved.
SSH or telnet to the router and test the script:
Older versions of DD-WRT
Code:
/tmp/custom.sh openvpnmonitor
Newer versions of DD-WRT
Code:
/tmp/.rc_custom openvpnmonitor
Code:
Jan 19 15:10:50 hamster-net-2 OpenVPN Monitor script: Starting monitor of 192.168.1.254 every 60 seconds with two evaluation intervals at 300 seconds each before VPN restart will be triggered
Bring up another SSH or telnet to the router and verify it works
Verify VPN restarts after 10 minutes. You'll see the window where the script is running display log messages.
Code:
Jan 19 15:10:50 hamster-net-2 OpenVPN Monitor script: Starting monitor of 192.168.1.254 every 60 seconds with two evaluation intervals at 300 seconds each before VPN restart will be triggered
Jan 19 15:17:00 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped one, evaluating restart for 1 of 2 intervals of 300 seconds
Jan 19 15:22:10 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped two, evaluating restart for 2 of 2 intervals of 300 seconds
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped three, evaluation concluded, restart needed
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Killing VPN PID
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Restarting DNSMASQ
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: Starting VPN
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: exiting evaluation logic and returning to normal monitoring
If you've enabled SYSLOG, you can see these messages on the web UI under Status > Syslog. You don't need to have a remote syslog server. It's cool to enable (Google how to as is off topic) so you can look at messages for all sorts of things.
Hope this helps some folks.
_________________
VLANs, port trunking, virtual SSID (Guest)
DNSmasq, NTP, syslog, nflow
Hub and spoke, multi-site, routed VPN (OpenVPN client), split tunnel
1 DNS zone per site, forward, reverse look-up across all sites
Asus RT-AC68U rev A2 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC68U rev C1 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Netgear R7000 DD-WRT v3.0-r48138 std (01/17/22)
Linksys E2000 DD-WRT v3.0-r33492 mega (10/10/17)