how do I restart OpenVPN via commandline?

mrjayviper
DD-WRT Novice


Joined: 13 Nov 2012
Posts: 32

PostPosted: Sun Sep 13, 2015 23:59    Post subject: how do I restart OpenVPN via commandline?
So I telnet into my router and change some OpenVPN settings. How do I manually restart OpenVPN, including clearing the IP routes first?

I tried these commands and it seems the IP routes weren't cleared. It did work when I restarted OpenVPN via the web admin.

# /tmp/openvpncl/route-down.sh
# /usr/bin/killall openvpn
# sleep 60    (just to make sure any of the ports being held onto by OpenVPN have been released)
# /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --daemon

Thanks!
mrjayviper
DD-WRT Novice


Joined: 13 Nov 2012
Posts: 32

PostPosted: Mon Sep 14, 2015 7:48    Post subject:
thank you!
T-bone
DD-WRT Novice


Joined: 15 Mar 2010
Posts: 23

PostPosted: Fri Nov 27, 2015 17:44    Post subject:
eibgrad wrote:
You shouldn't need to call route-down.sh explicitly. When you killall openvpn, it sends a signal (SIGTERM) to the service to terminate normally and cleanly, which should result in OpenVPN calling its scripts, including route-down.sh.

And frankly, if you check out those scripts, you’ll find they probably don’t contain any routes anyway. More likely only firewall changes. Most of the routing changes occur dynamically, by OpenVPN, in response to information received from the OpenVPN server (e.g., pushed routes). And as long as OpenVPN server is terminated normally (and that includes killall), it should remove those same routes.

Here's what I use:

Code:
# kill active openvpn client
if killall -q openvpn; then
    # restart dns server (if running)
    if pidof dnsmasq > /dev/null 2>&1; then
        sleep 2; stopservice  dnsmasq
        sleep 2; startservice dnsmasq
    fi
    sleep 10
fi

openvpn --config /tmp/openvpncl/openvpn.conf \
    --route-up /tmp/openvpncl/route-up.sh \
    --route-pre-down /tmp/openvpncl/route-down.sh --daemon


The reason I also restart dnsmasq is that OpenVPN may have altered the DNS path, but doesn't normally reset it when it shuts down (at least that's been my experience). But if I restart dnsmasq, it seems to set things back properly.


hi eibgrad,

we meet again... I'm still trying to find a way to keep my tunnel up after our last conversation (thread). I think this script is my solution when the tunnel goes down. Can you please verify that route-down.sh is the place to save the above script? Should I delete the existing firewall rules first?

Thank you!

EDIT: just learned that I need JFFS, which I do not have on this 1043ND router, so I will use USB instead and let you know the outcome.

EDIT2: I think I need to pass your script inside route-down.sh using the Administration->Commands start-up box with "echo" something?? So much to learn, so little time..
My router, although it has ext2.ko present, cannot automount a USB flash to make a permanent partition for scripts...

EDIT3: FINALLY, crude solution but works nicely. I managed to mount the USB flash ext2 with the new dd-wrt version; the previous one had a mount bug. Now when for any reason my VPN tunnel goes down the "down" script is executed with the following:

#!/bin/sh
NOW=$(date +"%Y%m%d-%H%M%S")
echo "Reboot, timestamp: "$NOW >> /tmp/mnt/sda1/logs/restart.log
sleep 5
reboot

This reboots the router, since restarting the openvpn service (killall etc.) gave me fatal errors in the log about the management IP and port still being in use, and then it just quit. It was not a DNS resolve issue, it seems. After it quits there is no reconnection.

A timestamp entry is written to restart.log so I can check how many times a day this is happening.

The reboot takes less than 60 seconds. Everything is up and running afterwards.

Using the USB flash drive I can save my scripts and logs without losing them upon reboot. This 1043ND router has no JFFS since it is using VPN and those two seem to have trouble working together, thus JFFS was removed by the developers (that's what I read at least). Thus a flash disk is required.

INTERESTING READ: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=987537#987537
Skwerl23
DD-WRT Novice


Joined: 29 Sep 2014
Posts: 6

PostPosted: Fri Feb 02, 2018 4:34    Post subject:
Just set a cron job as follows:

0 */1 * * * ping -I tun1 -c 1 8.8.8.8 > /dev/null 2>&1 || (stopservice openvpn && sleep 5 && startservice openvpn)

This will ping google from the tunnel (may be tun1 or tun0), and if it fails it will restart the service.
If it works, it will do nothing.

To check if you're using tun1 or tun0, go to "Status" then "Bandwidth" and you'll see all your connections and their nicknames, such as eth0 and tun1.

You can set the beginning to perform more than hourly checks.
The first digit is minutes. A solid number means that minute exactly, so the 0 above implies on the hour.
The */1 means every hour. If you do 1 it will only do it at 1 am. A */2 will imply every 2 hours. Some examples:

*/10 * * * * will perform it every ten minutes.
* */2 * * * will perform it every minute of every even hour of the day.

A 0 * * * * is just as good as 0 */1 * * *, but I like to know what I'm setting. */1 is equal to *.
crontab.guru has tons of examples if you want more knowledge.
Fedex03
DD-WRT User


Joined: 18 Nov 2010
Posts: 89
Location: Italy

PostPosted: Mon Apr 20, 2020 10:28    Post subject:
eibgrad wrote:
You shouldn't need to call route-down.sh explicitly. When you killall openvpn, it sends a signal (SIGTERM) to the service to terminate normally and cleanly, which should result in OpenVPN calling its scripts, including route-down.sh.

And frankly, if you check out those scripts, you’ll find they probably don’t contain any routes anyway. More likely only firewall changes. Most of the routing changes occur dynamically, by OpenVPN, in response to information received from the OpenVPN server (e.g., pushed routes). And as long as OpenVPN server is terminated normally (and that includes killall), it should remove those same routes.

Here's what I use:

Code:
# kill active openvpn client
if killall -q openvpn; then
    # restart dns server (if running)
    if pidof dnsmasq > /dev/null 2>&1; then
        sleep 2; stopservice  dnsmasq
        sleep 2; startservice dnsmasq
    fi
    sleep 10
fi

openvpn --config /tmp/openvpncl/openvpn.conf \
    --route-up /tmp/openvpncl/route-up.sh \
    --route-pre-down /tmp/openvpncl/route-down.sh --daemon


The reason I also restart dnsmasq is that OpenVPN may have altered the DNS path, but doesn't normally reset it when it shuts down (at least that's been my experience). But if I restart dnsmasq, it seems to set things back properly.


Hi eibgrad,

I'm trying to restart my OpenVPN client when the tunnel goes down.

I'm really new to scripting in DD-WRT.
I read that there are several folders where a script can be placed.
Where should I place my script to restart the OpenVPN client?

Thanks in advance for the help.

Best regards,
Federico
jjwatmyself
DD-WRT User


Joined: 19 Mar 2016
Posts: 55

PostPosted: Wed Jan 19, 2022 21:11    Post subject:
Jan 19 2022: v1 posted, original single mode script for OpenVPN monitor

Jan 19 2022: Edited to reflect V2 of the script. This enables you to embed multiple script modes. In essence, you can put multiple scripts in this and call the mode you need. Solves the problem of "what if I need more than one script..." Currently only one mode supported: openvpnmonitor. Might add an internet connection test with reboot in V3 as not happy with the script that is native to dd-wrt. BTW, this script was inspired by that native internet test and reboot under Administration > Keep Alive > WDS/Connection Watchdog (/etc/config/wdswatchdog.sh).

Jan 20 2022: It took all of 20 minutes this morning to build, test and deploy v3. This adds mode internetmonitor, which tests ping to google and then reboots after 30 minutes. The difference between this and the similar feature, found under Administration > Keep Alive > WDS/Connection Watchdog, is the built-in Keep Alive feature will test ping the target every X specified seconds, e.g. 30 minutes, and then if it fails, retest every 10 seconds, three times, followed by a reboot. But the thing I don't like about this is I think it's better for a script to test every minute and then if it is down for 30 minutes perform the reboot. With the built-in feature, the connection test is not beginning the 30 minute timer after the ping target goes down.

Original message follows with the edits to reflect V3

Here is my contribution on this topic. This will test every 60 seconds and if the far end of the tunnel is down, it will test every 5 minutes for a total of 10 minutes and if it is still down it will bring things back. This is also helpful in the event that the openvpn PID exits, therefore automates the healing process.

Edit the WDS_WATCHDOG_IPS2 value to reflect the IP address of something on the other end of the tunnel. e.g. far end router IP address.

Code:

#!/bin/sh
outputlog () {
    echo `date +%b" "%d" "%T`" "`hostname`" Custom Script $MODE[$$]: $MESSAGE"
}

MODE="GENERAL INFO"
MESSAGE="JJWatMYSELF's v3(20220120) script, discussion found at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256142#1256142"; outputlog
MESSAGE="Inspired by DD-WRT Administration > Keep Alive > WDS/Connection Watchdog (/etc/config/wdswatchdog.sh), solves some short-comings and extends functions"; outputlog

case $1 in
   openvpnmonitor)
      WDS_WATCHDOG_INTERVAL=60
      WDS_WATCHDOG_INTERVAL2=300
      WDS_WATCHDOG_IPS2=192.168.1.254
      MODE="OpenVPN Monitor"
      MESSAGE="Starting monitor of $WDS_WATCHDOG_IPS2 every $WDS_WATCHDOG_INTERVAL seconds - If it goes down, there will be two evaluation intervals at $WDS_WATCHDOG_INTERVAL2 seconds each, before VPN restart will be triggered"; outputlog
      while sleep $WDS_WATCHDOG_INTERVAL
      do
        for ip in $WDS_WATCHDOG_IPS2
        do
          # ping output is discarded; /dev/null, not a regular file in /tmp
          if ! ping -c 1 $ip > /dev/null 2>&1
          then
            MESSAGE="ping $ip dropped one, evaluating restart for 1 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
            sleep $WDS_WATCHDOG_INTERVAL2
            if ! ping -c 1 $ip > /dev/null 2>&1
            then
              MESSAGE="ping $ip dropped two, evaluating restart for 2 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
              sleep $WDS_WATCHDOG_INTERVAL2
              if ! ping -c 1 $ip > /dev/null 2>&1
              then
                MESSAGE="ping $ip dropped three, evaluation concluded, restart needed"; outputlog
                /usr/sbin/nvram commit
                MESSAGE="Killing VPN"; outputlog
                killall openvpn > /dev/null 2>&1
                MESSAGE="Restarting DNSMASQ"; outputlog
                stopservice  dnsmasq > /dev/null 2>&1
                sleep 2
                startservice dnsmasq > /dev/null 2>&1
                sleep 2
                MESSAGE="Starting VPN"; outputlog
                # --daemon detaches openvpn itself, so no trailing '&' is needed
                openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon > /dev/null 2>&1
                MESSAGE="exiting evaluation logic and returning to normal monitoring"; outputlog
              fi
            else
              MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
            fi
          fi
        done
      done 2>&1
      ;;
   internetmonitor)
      WDS_WATCHDOG_INTERVAL=60
      WDS_WATCHDOG_INTERVAL2=900
      WDS_WATCHDOG_IPS2=8.8.8.8
      MODE="Internet Monitor"
      MESSAGE="Starting monitor of $WDS_WATCHDOG_IPS2 every $WDS_WATCHDOG_INTERVAL seconds - If it goes down, there will be two evaluation intervals at $WDS_WATCHDOG_INTERVAL2 seconds each, before REBOOT will be triggered"; outputlog
      while sleep $WDS_WATCHDOG_INTERVAL
      do
        for ip in $WDS_WATCHDOG_IPS2
        do
          if ! ping -c 1 $ip > /dev/null 2>&1
          then
            MESSAGE="ping $ip dropped one, evaluating restart for 1 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
            sleep $WDS_WATCHDOG_INTERVAL2
            if ! ping -c 1 $ip > /dev/null 2>&1
            then
              MESSAGE="ping $ip dropped two, evaluating restart for 2 of 2 intervals of $WDS_WATCHDOG_INTERVAL2 seconds"; outputlog
              sleep $WDS_WATCHDOG_INTERVAL2
              if ! ping -c 1 $ip > /dev/null 2>&1
              then
                MESSAGE="ping $ip dropped three, evaluation concluded, reboot needed"; outputlog
                MESSAGE="Committing unsaved settings to NVRAM"; outputlog
                /usr/sbin/nvram commit > /dev/null 2>&1
                MESSAGE="Rebooting router in 10 seconds, hope to see you on the other side of this"; outputlog
                sleep 10
                # the actual reboot; without it the monitor would only log and carry on
                reboot
              fi
            else
              MESSAGE="ping $ip ok, exiting evaluation logic and returning to normal monitoring"; outputlog
            fi
          fi
        done
      done 2>&1
      ;;
   *)
      MODE="INVALID MODE or mode not specified"
      MESSAGE="Invalid command line param: $1"; outputlog
      MESSAGE="Supported modes are as follows:"; outputlog
      MESSAGE="openvpnmonitor"; outputlog
      MESSAGE="internetmonitor"; outputlog
      ;;
esac



On the web UI, navigate to:

Administration > Commands

Paste the code to the Commands Shell, Commands dialog. Then scroll down and click Save Custom Script.

Scroll down again and confirm you see the custom script from above saved.

Paste the following code to the Commands Shell, Commands dialog. Then scroll down and click Save Startup.

Older versions of DD-WRT (pre 43374)
Code:

/bin/sleep 60
/bin/sh /tmp/custom.sh openvpnmonitor >> /var/log/messages 2>&1 &
/bin/sleep 10
/bin/sh /tmp/custom.sh internetmonitor >> /var/log/messages 2>&1 &


Newer versions of DD-WRT (43374 and newer)
Code:

/bin/sleep 60
/bin/sh /tmp/.rc_custom openvpnmonitor >> /var/log/messages 2>&1 &
/bin/sleep 10
/bin/sh /tmp/.rc_custom internetmonitor >> /var/log/messages 2>&1 &


Scroll down again and confirm you see the Startup saved.

SSH or telnet to the router and test the script

Older versions of DD-WRT
Code:
/tmp/custom.sh openvpnmonitor


Newer versions of DD-WRT
Code:
/tmp/.rc_custom openvpnmonitor



Code:
Jan 19 15:10:50 hamster-net-2 OpenVPN Monitor script: Starting monitor of 192.168.1.254 every 60 seconds with two evaluation intervals at 300 seconds each before VPN restart will be triggered

Bring up another SSH or telnet to the router and verify it works

Look for the VPN process as follows:
Code:
ps -l | grep openvpn


Code:
S     0  2343     1  3164  2312 0:0   15:27 00:00:03 openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpnc
S     0  3474  1878  1156   700 pts0  15:58 00:00:00 grep openvpn


Kill the VPN as follows:
Code:
killall openvpn


Verify VPN restarts after 10 minutes. You'll see the window where the script is running display log messages.

Code:
Jan 19 15:10:50 hamster-net-2 OpenVPN Monitor script: Starting monitor of 192.168.1.254 every 60 seconds with two evaluation intervals at 300 seconds each before VPN restart will be triggered
Jan 19 15:17:00 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped one, evaluating restart for 1 of 2 intervals of 300 seconds
Jan 19 15:22:10 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped two, evaluating restart for 2 of 2 intervals of 300 seconds
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped three, evaluation concluded, restart needed
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Killing VPN PID
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Restarting DNSMASQ
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: Starting VPN
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: exiting evaluation logic and returning to normal monitoring


Reboot your router to verify the script runs.

Code:
ps -l | grep custom


Code:
S     0  1667     1  1160   900 0:0   15:10 00:00:00 /bin/sh /tmp/custom.sh
S     0  3444  1878  1156   700 pts0  15:57 00:00:00 grep custom


Repeat the same test to verify it's all working.

You can watch the log on the CLI as follows:

Code:
tail -f /var/log/messages

(ctrl C to exit tail)

Or grep for some messages

Code:
grep "OpenVPN Monitor" /var/log/messages


Code:
Jan 19 15:10:50 hamster-net-2 OpenVPN Monitor script: Starting monitor of 192.168.1.254 every 60 seconds with two evaluation intervals at 300 seconds each before VPN restart will be triggered
Jan 19 15:17:00 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped one, evaluating restart for 1 of 2 intervals of 300 seconds
Jan 19 15:22:10 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped two, evaluating restart for 2 of 2 intervals of 300 seconds
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: ping 192.168.1.254 dropped three, evaluation concluded, restart needed
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Killing VPN PID
Jan 19 15:27:20 hamster-net-2 OpenVPN Monitor script: Restarting DNSMASQ
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: Starting VPN
Jan 19 15:27:24 hamster-net-2 OpenVPN Monitor script: exiting evaluation logic and returning to normal monitoring


If you've enabled SYSLOG, you can see these messages on the web UI under Status > Syslog. You don't need to have a remote syslog server. It's cool to enable (Google how to, as it is off topic) so you can look at messages for all sorts of things.

Hope this helps some folks.

_________________
--------------------------------------------------
VLANs, port trunking, virtual SSID (Guest)
DNSmasq, NTP, syslog, nflow
Hub and spoke, multi-site, routed VPN (OpenVPN client), split tunnel
1 DNS zone per site, forward, reverse look-up across all sites

Asus RT-AC68U rev A2 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC68U rev C1 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Netgear R7000 DD-WRT v3.0-r48138 std (01/17/22)
Linksys E2000 DD-WRT v3.0-r33492 mega (10/10/17)
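The posts by Skwerl23 (cron line) and jjwatmyself (watchdog script) both implement the same idea: probe the far end, and only restart OpenVPN after several consecutive failures. The script below is an added example written for this thread, not code from any of the posters: it factors that evaluation into functions that can be exercised with a fake probe, and adds a rate limit so a far end that stays down for hours does not trigger an endless kill/restart cycle. Variable names, the `once`/`run` modes and the `/tmp/mnt/sda1` path are assumptions; the restart sequence and the 192.168.1.254 target are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread's authors): N-consecutive-failure probe
# evaluation plus a restart rate limit. Names below are hypothetical.
PROBE="${PROBE:-ping -c 1 -W 5 192.168.1.254}"   # far-end address from the thread
FAIL_LIMIT="${FAIL_LIMIT:-3}"                  # consecutive failures before acting
RETRY_DELAY="${RETRY_DELAY:-300}"              # seconds between re-probes
INTERVAL="${INTERVAL:-60}"                     # seconds between normal probes
MIN_RESTART_GAP="${MIN_RESTART_GAP:-1800}"     # minimum seconds between restarts
STATE_DIR="${STATE_DIR:-/tmp}"                 # where the last-restart stamp lives
log() { echo "$(date '+%b %d %T') $(hostname 2>/dev/null) OpenVPN Monitor[$$]: $*"; }
# Exit 0 (restart needed) only if the probe fails FAIL_LIMIT times in a row;
# a single success in between aborts the evaluation and returns 1.
probe_failed_n_times() {
    n=0
    while [ "$n" -lt "$FAIL_LIMIT" ]; do
        if $PROBE >/dev/null 2>&1; then
            [ "$n" -gt 0 ] && log "probe recovered after $n failure(s), no restart"
            return 1
        fi
        n=$((n + 1))
        log "probe failed ($n of $FAIL_LIMIT)"
        [ "$n" -lt "$FAIL_LIMIT" ] && sleep "$RETRY_DELAY"
    done
    return 0
}
# Exit 0 and record a timestamp if the last restart was at least
# MIN_RESTART_GAP seconds ago; otherwise exit 1 and leave the stamp alone.
restart_allowed() {
    stamp="$STATE_DIR/openvpn-monitor.last"
    now=$(date +%s)
    if [ -f "$stamp" ] && [ $((now - $(cat "$stamp"))) -lt "$MIN_RESTART_GAP" ]; then
        return 1
    fi
    echo "$now" > "$stamp"
}
# Same sequence as eibgrad's restart quoted above (DD-WRT commands).
restart_vpn() {
    killall openvpn >/dev/null 2>&1
    stopservice dnsmasq >/dev/null 2>&1; sleep 2
    startservice dnsmasq >/dev/null 2>&1; sleep 2
    openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon
}
# One full evaluation; this is what a cron entry would call.
check_once() {
    if probe_failed_n_times; then
        if restart_allowed; then log "restarting VPN"; restart_vpn
        else log "restart suppressed by rate limit"; fi
    fi
}
case "$1" in
    once) check_once ;;                                    # e.g. */10 * * * * /tmp/mnt/sda1/vpnmon.sh once
    run)  while sleep "$INTERVAL"; do check_once; done ;;  # background monitor, as in the startup box above
esac
```

Run it with `once` from cron (Skwerl23's approach) or with `run` from the startup commands (jjwatmyself's approach); either way the log lines go wherever stdout is redirected.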