Anyone have DD-WRT, PIA openvpn, and port forwarding working

DD-WRT Forum Index -> Advanced Networking
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Thu Jul 04, 2019 21:31
eibgrad wrote:
Changes are now active on PasteBin.com.

Except for a few trivial changes, I hadn't updated the script since creating it. So I decided to use the opportunity to make several beyond those previously discussed.

1. Added two new options, --proto (tcp|udp|both) and --source (e.g., 199.199.0.0/16). The default for --proto is tcp, and source 0.0.0.0/0.

2. Given the increased ability to configure the script, I added some very rudimentary validation routines. They're not going to catch every error, just the most obvious ones.

3. Because the script could be rerun upon a change in the OpenVPN client connection, it now rolls back any previous changes to the firewall.

4. If you want the external PIA port used as the internal port, you can specify a hyphen ("-", quotes not necessary), or use an empty string, either single quotes ('') or double quotes ("").

5. If the script finds a file of the same basename w/ the extension .callback (i.e., ddwrt-pia-port-forward.callback), then once the external port is established and the firewall rules are applied, the callback script is called w/ two arguments. The first is the VPN public IP (note, if it can't determine it for some reason, it will be 0.0.0.0), and the second the external port (e.g., 12345).

The ddwrt-installer will automatically download and install a sample callback script. It will *never* overwrite this script, even if you reinstall the primary script(s). For safety reasons, if you want to pick up any future enhancements to the callback script, you'll have to first manually delete the existing callback script.

I just didn't have the time to add any real features, so it's very basic. All it does is echo the VPN public IP and external port to the syslog. In the future, I might add some functions that will hopefully prove reusable (e.g., send email). If you guys have any good ideas, or write something useful to others, let me know and perhaps we can incorporate them.

If you decide to roll-your-own, be sure to a) include the shebang (#!/bin/sh) at the top of the script and b) mark it executable (chmod +x </path/filename>). Also, remember that Linux can NOT read files saved in Windows/DOS format, only Linux formatted. Can't tell you how many times people make this last mistake, so don't let the next victim be YOU!

6. Publishing the port forward to the router's webserver is now optional w/ the --nopublish option. I figure if you're going to use the callback capabilities, there's a good chance you don't even need it, and if you don't, will probably find it more advantageous to publish it yourself to your preferred internet-accessible website.

7. I no longer specify the protocol w/ curl or wget. I just let the utilities sort it out. It *might* eliminate some failed updates where my assumptions about support for http/https might be incorrect.

8. Although mostly of interest to me (if you like delving into the details, you might find it interesting), the script is now fully reentrant. Although I generally discourage running the script from the cli/console, this was needed both to prevent multiple instances from clobbering each other when it comes to managing any firewall changes. That's why I added the (hidden, but now exposed) --exec option; to minimize the chance of someone accidentally running the script as they attempted to configure it w/ the -h|--help option.

I also updated the ddwrt-installer. It will now warn you "by name" of any intended file overwrites/deletions due to pre-existing files. It will also NOT overwrite/delete any *.callback files (something the previous version would have done).

Finally, realize that since I don't have a PIA account, I had to make and test these changes by jury-rigging the script. Anything that directly interfaces w/ PIA could not be tested. So I can't guarantee anything until someone tries it and reports back.

Thanks for the update!
So if I call
Code:
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port - --proto both --debug

I create a forward for IP 10.0.0.100 on both protocols, with the same internal and external port. Am I right?
I don't know if I really need both protocols but I think it is ok.

Only one request: is it possible to add an extra argument, like force_callback, in order to execute only the callback script? The only question is, if I run the callback script after some time, how can I pass the right $vpn_public_ip and $ext_port? Maybe they have to be in the nvram?

What do you think?
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Fri Jul 05, 2019 4:47
Ok, so if I use udp inside the openvpn gui, when I configure pia, I'll use udp with your script, and the same for TCP, right?

Yep, you're right, I didn't even think it was that simple: write down the information, then retrieve it!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Fri Jul 05, 2019 6:25
Just started working on it, very, very nice!

The validation and locking, impressive.

Will report later this weekend and will make a callback script for publishing ip and port number to DDNS

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Fri Jul 05, 2019 7:44
I have made a callback script which updates my DDNS hostnames on NOIP.COM, one hostname with the external IP address and one hostname with the external port address (disguised as IP otherwise I can not upload it)

Tested if I could reach my VPN server from my phone with the retrieved IP and port number and BINGO, success and working.

Have to polish the callback script and will make it available later.

One addition to the script:
in the usage maybe add the - option for internal = external port:

echo " --port PORT internal port of port forward (default=80), if internal port should be the same as external port use - "

@eibgrad your work is as always much valued and appreciated, thanks!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Fri Jul 05, 2019 17:37
Yes I have seen the script running, I will do the test and can always kill it with the PID.

I have had the client run for several hours and it did not restart and everything keeps working, but I will test with killing the process maybe tomorrow.

Sleep 20 is perhaps a little bit on the fast side; I have made it sleep 40.

Furthermore, now I am nitpicking, your installation instructions, in the first step, are to enable JFFS2. I am personally not a big fan of using jffs2: I once bricked a router when updating with jffs2 enabled, and although the script is not writing much to the flash ram, I am not comfortable with it, so I use a USB stick with automount jffs.
Granted, if you can not do that jffs2 is invaluable, but my first choice would be to use a USB stick; consider adding something like that in the installation instructions?

Will report back, so far, so good

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Fri Jul 05, 2019 22:26
Here is my transmission.callback

This callback script is intended to be used with transmission installed on a device inside the intranet. It uses an HTTP connection, so make sure that your router has access to the remote transmission-daemon.

This callback does:
-> Save the port to a file in /tmp so it can be taken from the remote machine
-> Try to set the pia port on the remote transmission

What do you have to do?
You have to configure the remote URL, the username and the password.

The script:
Code:

#!/bin/sh
#DEBUG=; set -x # comment/uncomment to disable/enable debug mode

#   name: ddwrt-pia-port-forward.callback
#   version: 1.2.0, 05-jul-2019, by chryses
#   purpose: change the transmission port in order to open it
#
#   argument $1 : vpn public ip (0.0.0.0 if unknown)
#   argument $2 : pia assigned external port
{

############ CONFIGURATION ############
TRANSMISSION_REMOTE_HOST="10.0.0.100" # Where's transmission?
TRANSMISSION_USERNAME="admin" # Username for transmission remote
TRANSMISSION_PASSWORD="admin" # Password for transmission remote
TRANSMISSION_PORT="9091" # Port for transmission remote
############ CONFIGURATION ############

# verify pia port (test for an empty value first, otherwise [ -le ] errors out on "")
if [ -z "$2" ] || [ "$2" -le 0 ]; then
   echo "No valid port forwarded, maybe you're connected to a server that does not offer port-forward or something went wrong, please check!"
   rm -f /tmp/pia-port-forward
   exit
fi

# Take the pia port
PIA_PORT="$2"

# Save the opened port to a file; the script run on the remote machine when transmission starts reads it to set the open port
echo "$PIA_PORT" > /tmp/pia-port-forward

# Change transmission port on the fly: the first request is answered with a 409 whose body
# carries the X-Transmission-Session-Id that the real RPC call has to send back
RPC_URL="http://${TRANSMISSION_REMOTE_HOST}:${TRANSMISSION_PORT}/transmission/rpc"
CURLOUT=$(curl -s -u "$TRANSMISSION_USERNAME:$TRANSMISSION_PASSWORD" "$RPC_URL" 2>/dev/null)
TRANSMISSION_SESSION_ID=$(echo "$CURLOUT" | sed -n 's/^.*X-Transmission-Session-Id:[[:space:]]*\([[:alnum:]]*\).*$/\1/p')

if [ -z "$TRANSMISSION_SESSION_ID" ]; then
   echo "No transmission session id found, exiting"
   exit 1
else
   DATA='{"method": "session-set", "arguments": { "peer-port": '"$PIA_PORT"' } }'
   curl -s -u "$TRANSMISSION_USERNAME:$TRANSMISSION_PASSWORD" "$RPC_URL" -d "$DATA" -H "X-Transmission-Session-Id: $TRANSMISSION_SESSION_ID"
fi


} 2>&1 | logger $([ ${DEBUG+x} ] && echo "-p user.debug") \
    -t $(echo $(basename $0) | grep -Eo '^.{0,23}')[$$]


This is the script that has to be used on the remote machine; it uses SSH access to the router with username and password.

Requisites:
-> jq (apt install jq)
-> sshpass (apt install sshpass)

What do you have to do?
You have to configure the remote URL, the username and the password, then you have to set the right location of the local settings.json of transmission.

The script:
Code:

#!/bin/bash

############ CONFIGURATION ############
UNAME="root" # username to access to dd-wrt router
PWORD="admin" # password to access to dd-wrt router
IP_Addr="192.168.2.1" # dd-wrt router address

TRANSMISSION_SETTINGS="/home/muletto/.config/transmission-daemon/settings.json" # local transmission settings.json

LOG_ENABLE=1 # enable log?
LOG_PATH="/sharedfolders/Nas/Download" # log path?
############ CONFIGURATION ############

LOG_FILE="$LOG_PATH/${0##*/}.log"

if [[ "$LOG_ENABLE" == "1" ]]; then
   if [[ ! -w "$LOG_FILE" ]]; then
      touch "$LOG_FILE"
   fi
fi

# sshpass reads the password from the environment (-e), so it does not show up in the process list
export SSHPASS=$PWORD

# 'StrictHostKeyChecking no' accepts any host key; add the router's key to ~/.ssh/known_hosts and drop the option if you can
REMOTE_PIA_PORT=$(sshpass -e ssh -o 'StrictHostKeyChecking no' "$UNAME@$IP_Addr" 'cat /tmp/pia-port-forward' 2>/dev/null)

[[ "$LOG_ENABLE" == "1" ]] && echo "########## $(date) ##########" >> "$LOG_FILE"

if [[ $REMOTE_PIA_PORT =~ ^[0-9]+$ ]]; then # I got the pia port (digits only, so an ssh error message never ends up in settings.json)
   ACTUAL_TRANSMISSION_PORT=$(jq '."peer-port"' "$TRANSMISSION_SETTINGS") # get the actual transmission port

   if [[ "$ACTUAL_TRANSMISSION_PORT" == "$REMOTE_PIA_PORT" ]]; then # pia port is the same as the transmission port
      [[ "$LOG_ENABLE" == "1" ]] && echo "Transmission port is already the good one, nothing to do, see you later!" >> "$LOG_FILE"
   else # transmission uses a different port
      [[ "$LOG_ENABLE" == "1" ]] && echo "Transmission port is not the right one, I'll change it" >> "$LOG_FILE"
      sleep 1
      jq --argjson NEW_PORT "$REMOTE_PIA_PORT" '."peer-port" = $NEW_PORT' "$TRANSMISSION_SETTINGS" > /tmp/tmp.$$.json && mv /tmp/tmp.$$.json "$TRANSMISSION_SETTINGS" # change the port inside the settings.json file
      sleep 1
   fi
else # I can't find the pia port
   [[ "$LOG_ENABLE" == "1" ]] && echo "I can't find the PIA port from $IP_Addr, make sure that it exists and is reachable" >> "$LOG_FILE"
fi


J


Last edited by Chryses on Fri Jul 12, 2019 18:38; edited 6 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Sat Jul 06, 2019 9:37
First draft of a working updater for NOIP.com
Will polish and check if the update succeeds; also have a retrieval script ready, will publish later.
Updated with check for valid entries
Code:

#!/bin/sh
#
# name: ddwrt-pia-port-forward.callback
# This must be used together with the PIA port forward scripts from @eibgrad:
# https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&postdays=0&postorder=asc&start=30
# https://pastebin.com/P9nmpyxh
# version: 1.0.3, 10-jul-2019, by egc
# purpose: update hostnames of DDNS service from noip.com with external vpn ip address and opened up port number
#
# argument $1 : vpn public ip (0.0.0.0 if unknown)
# argument $2 : pia assigned external port (always 5 digit port number, 0 if unknown)
#
# place file in same directory as ddwrt-pia-port-forward.sh and make executable with:
# chmod +x /jffs/etc/config/ddwrt-pia-port-forward.callback
# modify the settings in the SETTINGS section, make sure not to use Windows style line endings

{
#DEBUG= # uncomment to enable debug output (set -x); leave commented, the trace would also put DDNS_PASS into the syslog

logger "$(basename $0) executed, vpn_public_ip = $1"
logger "$(basename $0) executed, ext_port = $2"

[ ${DEBUG+x} ] && set -x

# ------------------------------- BEGIN SETTINGS -------------------------------- #
DDNS_USER="put in your user name"
DDNS_PASS="put in your password"
DDNS_HOST_IP="put in hostname of host for vpn public ip address"
DDNS_HOST_PN="put in hostname of host for vpn port number"
# ------------------------------- END SETTINGS -------------------------------- #

DDNS_USER_C="${DDNS_USER/@/%40}" # Replace @ with URL encoding %40 otherwise parse error with curl (bash-style expansion, supported by DD-WRT's busybox ash)
vpn_public_ip=${1:-0.0.0.0} # default to the "unknown" values so the tests below never see an empty string
ext_port=${2:-0}

#Disguise external port as IP number (5 digit port, e.g. 43876 -> 43.8.7.6)
EXT_PORT_IP="${ext_port:0:2}.${ext_port:2:1}.${ext_port:3:1}.${ext_port:4:1}"

# try curl, fallback to wget
# -k skips TLS certificate verification, and the wget fallback sends the credentials over plain http
which curl > /dev/null 2>&1 && GET_URL="curl -sLk https://" || GET_URL="wget -qO - http://"

[ "$vpn_public_ip" != "0.0.0.0" ] && \
$GET_URL"$DDNS_USER_C:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST_IP&myip=${vpn_public_ip}" || \
logger "$(basename $0) No valid external IP, No update done"

[ "$ext_port" -ne 0 ] && \
$GET_URL"$DDNS_USER_C:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST_PN&myip=${EXT_PORT_IP}" || \
logger "$(basename $0) No valid port address, No update done"

} 2>&1 | logger -t $(basename $0)[$$]



Last edited by egc on Wed Jul 10, 2019 10:52; edited 4 times in total
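The "port disguised as an IP" trick from the callback above, as an added example (not code from the thread): a POSIX-sh encoder for the callback side and the matching decoder for the retrieval side, which the post mentions but does not publish here. Ports below 10000 are zero-padded to five digits, so 9876 travels as 09.8.7.6, and anything that is not in that shape is rejected rather than fed into a peer-port setting; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: encode a PIA port as a fake IPv4 address
# for a DDNS A record, and decode it again on the client. Written for busybox
# ash, so only POSIX parameter expansions are used (no ${var:off:len}).

# Encode a port 1..65535 as "dd.d.d.d", e.g. 43876 -> 43.8.7.6, 9876 -> 09.8.7.6.
# Returns 1 for an empty, non-numeric, zero or out-of-range value.
port_to_ip() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    n=${1#"${1%%[!0]*}"}              # drop leading zeros first: printf would read 043876 as octal
    [ -n "$n" ] && [ "$n" -le 65535 ] || return 1
    p=$(printf '%05d' "$n")           # zero-pad to five digits
    rest=${p#??}                      # the last three digits
    mid=${rest#?}                     # the last two digits
    printf '%s.%s.%s.%s\n' "${p%???}" "${rest%??}" "${mid%?}" "${mid#?}"
}

# Decode "dd.d.d.d" back to the port number. A real address such as
# 185.220.70.132, the all-zero 00.0.0.0 or a value above 65535 returns 1.
ip_to_port() {
    case $1 in
        [0-9][0-9].[0-9].[0-9].[0-9]) ;;
        *) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    n="$1$2$3$4"
    n=${n#"${n%%[!0]*}"}              # strip the padding zero(s)
    [ -n "$n" ] && [ "$n" -le 65535 ] || return 1
    echo "$n"
}

# Encode then decode; prints the recovered port so both directions can be checked at once.
roundtrip() {
    ip=$(port_to_ip "$1") && ip_to_port "$ip"
}
```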
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Tue Jul 09, 2019 19:17
Thanks will take a look tomorrow.

I have a new version of my call back script which is checking a valid IP address (0.0.0.0) and handle that.

But it is a clumsy if statement and I was looking for a more concise test option. I am slowly learning (ba)sh and admiring the [] && ||, the possibilities of parameter expansion and the intricacies of regex

Long story short, I favor that the callback script will be passed two variables, the first the IP address, 0.0.0.0 when not valid and the second the 5 digit port address, 00000 when no port address can be obtained.

On a side note I have been trying to test:
kill -SIGUSR1 <process-id>
My VPN client is going down but does not reconnect at all I am stuck at TCP reconnecting.
Not sure what is going wrong, I am behind a residential gateway.
Will test it when I am home again but that is the end of July.

Have been using this setup for about 2 days. I have a watchdog because the internet is crappy; in those two days the watchdog kicked in twice and your script and my callback script worked great, got different port numbers on one occasion but that was updated correctly to my noip.com hostname.

So at the moment everything is working great

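The concise validity test the post above asks for, as an added example that is not part of the thread or of eibgrad's script: POSIX-sh checks for the two values a .callback receives, following the conventions stated in the thread (0.0.0.0 for an unknown IP, 0 or 00000 for an unknown port). Function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: validate the two callback arguments,
# $1 = VPN public IP (0.0.0.0 when unknown) and $2 = PIA external port
# (0 or 00000 when unknown). Written for busybox ash: no [[ ]], no bash-only expansions.

# Return 0 when $1 is a dotted quad with four octets in 0..255 and is not 0.0.0.0.
valid_vpn_ip() {
    case $1 in
        0.0.0.0|''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS   # split on dots into $1..$n
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 when $1 is a decimal port 1..65535; 0, 00000 and an empty value are rejected.
valid_ext_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    p=${1#"${1%%[!0]*}"}          # strip leading zeros, so 00000 becomes "" and 09876 becomes 9876
    [ -n "$p" ] && [ "$p" -le 65535 ]
}

# Combined verdict for a callback: prints ok / no-ip / no-port and returns
# 0 / 1 / 2, so the caller can both log the reason and branch on the status.
check_callback_args() {
    if ! valid_vpn_ip "$1"; then
        echo no-ip; return 1
    fi
    if ! valid_ext_port "$2"; then
        echo no-port; return 2
    fi
    echo ok
}

# When invoked with two arguments, as the port-forward script invokes a callback,
# bail out with the reason unless both values are usable.
if [ $# -eq 2 ]; then
    if verdict=$(check_callback_args "$1" "$2"); then
        echo "publishing $1 port $2"
    else
        echo "callback skipped: $verdict" >&2
    fi
fi
```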
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Tue Jul 09, 2019 20:00
Thanks for the update.
On my side I don't have any real check, the only check I can do is:
If the port is not a valid one (what do I have to check? I know that it has to be 5 digits long. What if a user chooses a server that doesn't have a port-forwarding service? What number is returned? 0 or nothing?) I can skip the script execution and remove the pia file, then on the remote device I can simply skip the port setup inside transmission.

What do you think?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Wed Jul 10, 2019 9:17
I have updated my script with checks for 0.0.0.0 and 00000, could also perhaps send just 0 as invalid port number?

Edit:
Just checked your new script and you are returning a 0 if port can not be obtained. Excellent

Also did a quick test run with your new script and my own callback script updating my 2 hosts with noip.com with IP address and port number and that worked perfectly

Great job

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Wed Jul 10, 2019 11:41
One thing I noticed, if I disable the OVPN client the script keeps running, not sure about the implications.

Problem is that DDWRT does not remove the openvpncl.pid when the OVPN client is disabled.

Alternatively maybe this works?:
Code:
VPNCL_PID="$(ps | grep '[o]penvpncl' | awk '{print $1}')"   # the [o] keeps the grep process itself out of the match

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5924
Location: Netherlands

Posted: Thu Jul 11, 2019 8:34
Thanks for the explanation, makes sense
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Fri Jul 12, 2019 6:05
I also updated both scripts, the local and the remote one, so that the port is not set if something goes wrong.

Btw, I just found a "problem". Like @eibgrad said, if a soft reset or something similar happens, the port is "lost" because it is not used and/or requested within 2 minutes. Something like that just happened to me, maybe not the same situation but ... see here, from the HTML page from the script:
Quote:
Tue Jul 9 19:41:38 CEST 2019: PIA external port forward: 185.220.70.132 : 43876

But, on remote machine:
Quote:
# root @ Qnap in ~ [7:50:12]
$ curl ipinfo.io/ip
185.220.70.138

# root @ Qnap in ~ [7:54:44]
$ transmission-remote -pt
Port is open: No

So in the meantime the IP changed (without a real reconnection?), so the port was not requested and then the port is closed.
Am I correct?

What about adding a control like this?:
if the PID is the same, ok, but if the IP is different, request the port again, all executed every 20 sec like always. I don't think a curl to ipinfo.io is necessary, I hope/think the IP is stored in some log file

What do you think?

J
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Fri Jul 12, 2019 8:12
I'll try and let you know!

But what about a log? Is it not possible to log the openvpn process with some code added to the Additional Config field and extract the IP from it? Like grep with a regex and take only the last match; if it is different from the one I last knew as my VPN IP, request the port-forward

Code:
Clientlog:
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'state'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'status 2'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'log 500'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 08:01:46 I [71ee5bec21c0b7819644079ff6c1acd9] Inactivity timeout (--ping-restart) restarting
20190712 08:01:46 I SIGUSR1[soft ping-restart] received process restarting
20190712 08:01:46 Restart pause 5 second(s)
20190712 08:01:51 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190712 08:01:51 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.138:1198
20190712 08:01:51 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190712 08:01:51 I UDPv4 link local: (not bound)
20190712 08:01:51 I UDPv4 link remote: [AF_INET]185.220.70.138:1198
20190712 08:01:51 TLS: Initial packet from [AF_INET]185.220.70.138:1198 sid=4479f27a 9394c979
20190712 08:01:51 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 08:01:51 VERIFY KU OK
20190712 08:01:51 NOTE: --mute triggered...
20190712 08:01:51 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:01:51 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 08:01:51 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 08:01:51 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20190712 08:01:51 I [71ee5bec21c0b7819644079ff6c1acd9] Peer Connection Initiated with [AF_INET]185.220.70.138:1198
20190712 08:01:52 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:01:57 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:01:57 AUTH: Received control message: AUTH_FAILED
20190712 08:01:57 I SIGUSR1[soft auth-failure (auth-token)] received process restarting
20190712 08:01:57 Restart pause 5 second(s)
20190712 08:02:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190712 08:02:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.138:1198
20190712 08:02:02 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190712 08:02:02 I UDPv4 link local: (not bound)
20190712 08:02:02 I UDPv4 link remote: [AF_INET]185.220.70.138:1198
20190712 08:02:02 TLS: Initial packet from [AF_INET]185.220.70.138:1198 sid=eb8a65f7 f7e7c0fa
20190712 08:02:02 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 08:02:02 VERIFY KU OK
20190712 08:02:02 NOTE: --mute triggered...
20190712 08:02:02 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 08:02:02 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 08:02:02 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20190712 08:02:02 I [71ee5bec21c0b7819644079ff6c1acd9] Peer Connection Initiated with [AF_INET]185.220.70.138:1198
20190712 08:02:03 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:02:08 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:02:08 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 comp-lzo no route 10.57.10.1 topology net30 ifconfig 10.57.10.6 10.57.10.5 auth-token'
20190712 08:02:08 NOTE: --mute triggered...
20190712 08:02:08 7 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:08 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 08:02:08 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 08:02:08 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 08:02:08 NOTE: --mute triggered...
20190712 08:02:08 1 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:08 I Preserving previous TUN/TAP instance: tun1
20190712 08:02:08 I NOTE: Pulled options changed on restart will need to close and reopen TUN/TAP device.
20190712 08:02:08 I /tmp/openvpncl/route-down.sh tun1 1500 1558 10.25.10.6 10.25.10.5 init
20190712 08:02:08 /sbin/route del -net 10.25.10.1 netmask 255.255.255.255
20190712 08:02:08 Closing TUN/TAP interface
20190712 08:02:08 I /sbin/ifconfig tun1 0.0.0.0
20190712 08:02:09 I TUN/TAP device tun1 opened
20190712 08:02:09 TUN/TAP TX queue length set to 100
20190712 08:02:09 I /sbin/ifconfig tun1 10.57.10.6 pointopoint 10.57.10.5 mtu 1500
20190712 08:02:09 /sbin/route add -net 10.57.10.1 netmask 255.255.255.255 gw 10.57.10.5
20190712 08:02:09 I Initialization Sequence Completed
20190712 09:02:02 TLS: soft reset sec=0 bytes=17496705/-1 pkts=36445/0
20190712 09:02:02 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 09:02:02 VERIFY KU OK
20190712 09:02:02 NOTE: --mute triggered...
20190712 09:02:02 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 09:02:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 09:02:02 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 09:02:02 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 09:02:02 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 09:02:02 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 09:02:02 NOTE: --mute triggered...
20190712 10:02:03 9 variation(s) on previous 3 message(s) suppressed by --mute
20190712 10:02:03 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 10:02:03 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 10:02:03 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 10:02:03 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 10:02:03 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 10:02:03 NOTE: --mute triggered...
20190712 10:14:15 2 variation(s) on previous 3 message(s) suppressed by --mute
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'status 2'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00


I added
Code:
log /tmp/openvpncl/openvpncl.log
verb 3


So with
Code:
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{4,5}' /tmp/openvpncl/openvpncl.log | tail -n1 | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

I can take the latest IP from the log.

I know that it is not so elegant; maybe there's a much better way to do it ...

Do you think it is a bad idea?


Last edited by Chryses on Fri Jul 12, 2019 12:26; edited 1 time in total
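A more targeted way to read the endpoint out of that same log, as an added example rather than Chryses's own command: it matches only OpenVPN's "link remote:" line, so a later MANAGEMENT line (whose client source port is usually five digits and would satisfy a bare IP:port regex) cannot be mistaken for the server. The sample log lines are constructed for the example, with documentation addresses in place of real PIA servers.

```shell
# Added example (not from the thread). Extract the VPN server endpoint from the
# OpenVPN client log written by "log /tmp/openvpncl/openvpncl.log" with "verb 3".
# Only busybox sed/grep/tail/cut features are used, so it runs on DD-WRT as-is.

# Print "IP PORT" of the most recent "link remote:" line in log file $1.
# Prints nothing and returns 1 if the log has no such line (e.g. never connected).
vpn_remote_endpoint() {
    grep 'link remote: \[AF_INET\]' "$1" \
      | tail -n 1 \
      | sed -n 's/.*\[AF_INET\]\([0-9][0-9.]*\):\([0-9][0-9]*\).*/\1 \2/p' \
      | grep .
}

# Just the IP, which is what the original grep pipeline was after.
vpn_remote_ip() {
    vpn_remote_endpoint "$1" | cut -d ' ' -f 1
}

# Constructed sample log in the same line shapes as the DD-WRT log above.
# Addresses are RFC 5737 documentation ranges, not real PIA servers.
# Note the trailing MANAGEMENT line: a regex that accepts any IP:port pair
# followed by "tail -n1" would return 127.0.0.1 here.
SAMPLE_LOG="${TMPDIR:-/tmp}/openvpncl-sample.$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
20190712 08:02:08 UDPv4 link remote: [AF_INET]198.51.100.10:1198
20190712 08:02:08 I /sbin/ifconfig tun1 10.57.10.6 pointopoint 10.57.10.5 mtu 1500
20190712 09:02:02 SIGUSR1[soft,ping-restart] received, process restarting
20190712 09:02:07 UDPv4 link remote: [AF_INET]198.51.100.23:1198
20190712 09:02:07 I Initialization Sequence Completed
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:32768
EOF

vpn_remote_ip "$SAMPLE_LOG"   # prints 198.51.100.23
```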
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Sat Jul 13, 2019 10:46    Post subject:
I don't know if it is correlated to the recent modification that I made:
Code:
persist-local-ip
persist-remote-ip

But this just happened:
Code:
Jul 13 12:05:10 DD-WRT authpriv.info dropbear[20928]: Exit (root): Exited normally
Jul 13 12:05:21 DD-WRT daemon.notice openvpn[2243]: 136 variation(s) on previous 3 message(s) suppressed by --mute
Jul 13 12:05:21 DD-WRT daemon.notice openvpn[2243]: [e222d41d0a6861e20661a4843a1dc5e1] Inactivity timeout (--ping-restart), restarting
Jul 13 12:05:21 DD-WRT daemon.notice openvpn[2243]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 13 12:05:21 DD-WRT daemon.notice openvpn[2243]: Restart pause, 5 second(s)
Jul 13 12:05:26 DD-WRT daemon.warn openvpn[2243]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.169:1198
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.169:1198
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: UDPv4 link local: (not bound)
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: UDPv4 link remote: [AF_INET]185.220.70.169:1198
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: TLS: Initial packet from [AF_INET]185.220.70.169:1198, sid=92fd3b7d 0d427c8a
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: VERIFY KU OK
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: NOTE: --mute triggered...
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jul 13 12:05:26 DD-WRT daemon.warn openvpn[2243]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Jul 13 12:05:26 DD-WRT daemon.warn openvpn[2243]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 13 12:05:26 DD-WRT daemon.notice openvpn[2243]: [e222d41d0a6861e20661a4843a1dc5e1] Peer Connection Initiated with [AF_INET]185.220.70.169:1198
Jul 13 12:05:27 DD-WRT daemon.notice openvpn[2243]: SENT CONTROL [e222d41d0a6861e20661a4843a1dc5e1]: 'PUSH_REQUEST' (status=1)
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: SENT CONTROL [e222d41d0a6861e20661a4843a1dc5e1]: 'PUSH_REQUEST' (status=1)
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: AUTH: Received control message: AUTH_FAILED
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: /tmp/openvpncl/route-down.sh tun1 1500 1622 10.1.10.6 10.1.10.5 init
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: /sbin/route del -net 10.1.10.1 netmask 255.255.255.255
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: Closing TUN/TAP interface
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: /sbin/ifconfig tun1 0.0.0.0
Jul 13 12:05:32 DD-WRT daemon.notice openvpn[2243]: SIGTERM[soft,auth-failure] received, process exiting
Jul 13 12:05:42 DD-WRT user.notice root: pbr no change detected yet, old: 10.1.10.5 , new: 10.1.10.5
Jul 13 12:05:42 DD-WRT user.notice simple-pbr.sh[1629]: ifconfig: tun1: error fetching interface information: Device not found
Jul 13 12:05:42 DD-WRT user.notice root: pbr change detected old: 10.1.10.5 , new:
Jul 13 12:05:42 DD-WRT user.notice root:  simple-pbr.sh No TUN1 Interface detected
Jul 13 12:06:42 DD-WRT user.notice root: pbr no change detected yet, old:  , new:
Jul 13 12:06:42 DD-WRT user.notice simple-pbr.sh[1629]: ifconfig: tun1: error fetching interface information: Device not found
Jul 13 12:07:42 DD-WRT user.notice root: pbr no change detected yet, old:  , new:
Jul 13 12:07:42 DD-WRT user.notice simple-pbr.sh[1629]: ifconfig: tun1: error fetching interface information: Device not found
Jul 13 12:08:42 DD-WRT user.notice root: pbr no change detected yet, old:  , new:
Jul 13 12:08:42 DD-WRT user.notice simple-pbr.sh[1629]: ifconfig: tun1: error fetching interface information: Device not found


So for now I added a watchdog for tun1 and I left the persist rule. Let's see what happens.