Posted: Mon Apr 09, 2018 12:39 Post subject: OpenVPN - quickly switch between VPN servers without reboot
Hi guys,
this is my first post. Apologies for any noob mitakes.
Also I'm not very familiar with networks in general. Dumbed down and explicit explanations would be very much appreciated.
I have got a Netgear R7000 router and installed dd-wrt:
Firmware: DD-WRT v3.0-r32170M kongac (06/11/17)
This router is my VPN router and I have configured it with NordVPN via OpenVPN.
I have put in one fixed server address plus the TLS key and the certificate (all provided by NordVPN).
These are the instructions I followed:
https://nordvpn.com/tutorials/dd-wrt/openvpn-gui/
All is working very well for several months.
But sometimes the server seems to be too busy and I can't access the internet. What I do then is putting in a different NordVPN server address plus certificate and TLS key. This works but unfortunately this takes a while (5 to 10 mins).
Is there a way of doing this automatically?
What I mean is:
- If the connection to the VPN server cannot be established (say within a minute) then the router should do the following automatically:
- Choose a different server (plus its certificate and key) and try those settings (could be stored in a file)
Unfortunately the last sentence in your post is:
"What this can't do is handle servers that have completely different configurations, such as certs, keys, username/password, etc."
That is unfortunately what I need to do - insert different certs and keys.
Any further ideas?
Joined: 17 Jan 2018 Posts: 64 Location: Georgia, USA
Posted: Tue Apr 10, 2018 23:53 Post subject:
eibgrad wrote:
This is one of the problems w/ using an OpenVPN provider who uses too much variation in their configuration files. It's one of the things you need to consider when choosing a VPN provider that most ppl overlook.
I use PrivateInternetAccess and they give you one overall configuration and then all you have to do is change the address of the regional gateway to change servers.
Example:
United States (US VPN) (they have others around the world)
us-california.privateinternetaccess.com
us-east.privateinternetaccess.com
us-midwest.privateinternetaccess.com
us-chicago.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-florida.privateinternetaccess.com
us-seattle.privateinternetaccess.com
us-west.privateinternetaccess.com
us-siliconvalley.privateinternetaccess.com
us-newyorkcity.privateinternetaccess.com
us-atlanta.privateinternetaccess.com
us-lasvegas.privateinternetaccess.com
To change servers you just paste the address of the server into your VPN Client configuration without making any other changes. You Apply Settings and you are done.
I have been happy with their service and have changed servers a couple of times. _________________ R7800 r53339 std (08/01/23)
Private network on bridge br0 = eth1 (vlan 1) + wlan0 + wlan1.
Guest network on bridge br1 = eth1.4 (vlan 4) + VAPs (wlan0.1 + wlan1.1) for IOT devices
(Roku's, Amazon Echos, smart switches, etc.) and guest.
Noob still finding my way.
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 6"
swconfig dev switch0 vlan 4 set ports "3 4 6t"
swconfig dev switch0 set apply
vconfig add eth1 4
brctl addif br1 eth1.4
ifconfig eth1.4 up
It looks like a good solution to switch quickly between VPN servers, fro the router but also from an Android app!
Also you can pick which device/app should go through the VPN, etc.
Looks promising, I am looking forward to testing it.
First of all, there is no android app, it is just a PHP page but still, it looks good and you can switch from a server to another very easily from your phone.
Since everything is automated (via install script), it changes all dd-wrt scripts (in Commands) so if you have, like me, specific iptables rules, or boot-up script, it needs to be tailored.
For a fresh dd-wrt install, this is great.
The installed scripts and the php page are stored in volatile memory (not persistent). This has good and bad sides.
The good side is that it updates the list of vpn servers at boot-up but I am not a big fan of scripts downloaded on my router automatically, I can't blindly trust it... If someday it got compromised for some reasons, it will affects all the routers downloading this script...
That being said, it is an interesting script and a good basis for a tailored experience.
I am also searching for an easy way to quickly switch servers (or openvpn configuration for that matter) from my smartphone, in my case I use another vpn service so the mentioned solution will not work.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Jan 11, 2021 23:18 Post subject:
routvol wrote:
I am also searching for an easy way to quickly switch servers (or openvpn configuration for that matter) from my smartphone, in my case I use another vpn service so the mentioned solution will not work.
If someone has another idea let me know.
If your vpn service uses the same keys and certificates for all servers (works for AirVPN anyway, and also for NordVPN the last time I checked, a bit over a year ago), so that you only need to change the name or IP of the server in the config, on a linux box you can have something like this in your .bashrc file:
and then do server newone from the command line to have the router change to a server called newone (for example). You can use an IP instead of a server name. It just splices it into the "remote" line of the existing config file. My use of "pid" here assumes the router is running an openvpn client but no openvpn server. If both are running, you need to be a bit more clever.
For an iPhone you can get fancier and set up a shortcut to send the sed and kill commands to the router using the shortcuts action for ssh scripts and with the appropriate shortcut variable replacing the $1. The details are a bit complex to work out (esp getting the public rsa ssh key from your phone onto your router), but it's very do-able, and the shortcut need not be real long. It definitely helps if you have dealt with shortcuts before, and in fact I've been using an iPhone shortcut for changing servers this way for nearly a year. I last used it this morning and certainly don't regret the time investment to figure it out. Unfortunately, there is no way that I know to print a shortcut (and my version has too many bells and whistles for noninsane people anyway), and trying to describe the procedure in detail would eat a lot more time than I have available at the moment, so you are kinda on your own here.
I have no idea whether Android has a way to use ssh to send a small script to the router. Worth investigating though, if that's your phone flavor. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
OK here is what I did.
I created this script and when on the LAN with my smartphone I execute the script with the argument of the server I want to use together with the app ConnectBot.
I have 3 widgets, one for each of the 3 servers I want to use.
e.g. /mnt/sda1/changeserver.sh de1
Code:
#!/bin/sh
path="$( cd "$( dirname "$0" )" && pwd )"
#hostname part for servername
hostname=vpnservice.com
#copy lines of basic configuration, everything from the dd-wrt gui except the servername
while read line; do
echo $line >> $path/openvpn.conf.temp
done < $path/openvpn.conf.base
#copy lines of additional config, everything from the dd-wrt gui field additional config
while read line; do
echo $line >> $path/openvpn.conf.temp
done < $path/additional.conf
if [ ! -z "$1" ]; then
#name part of servername
server=$1
serverconf=openvpn.conf.temp
echo server: $server
killall -SIGINT openvpn
sleep 6
#add server specific lines to temporary openvpn.conf file
addline1="verify-x509-name "$server".hostname name"
addline2="remote "$server".$hostname 443"
echo $addline1 >> $path/openvpn.conf.temp
echo $addline2 >> $path/openvpn.conf.temp
echo invoking openvpn --daemon --config $path/$serverconf
openvpn --daemon --config $path/$serverconf
else
echo "servername has not been passed to script, exiting"
exit
Hey do you mind to share the iOS shortcut over DM or any cloud drive?
Not very techie to begin with but am willing to try since Ive gotten this far 😃
Some links/keywords that I can google for self guide/learn would be appreciated.
SurprisedItWorks wrote:
routvol wrote:
I am also searching for an easy way to quickly switch servers (or openvpn configuration for that matter) from my smartphone, in my case I use another vpn service so the mentioned solution will not work.
If someone has another idea let me know.
If your vpn service uses the same keys and certificates for all servers (works for AirVPN anyway, and also for NordVPN the last time I checked, a bit over a year ago), so that you only need to change the name or IP of the server in the config, on a linux box you can have something like this in your .bashrc file:
and then do server newone from the command line to have the router change to a server called newone (for example). You can use an IP instead of a server name. It just splices it into the "remote" line of the existing config file. My use of "pid" here assumes the router is running an openvpn client but no openvpn server. If both are running, you need to be a bit more clever.
For an iPhone you can get fancier and set up a shortcut to send the sed and kill commands to the router using the shortcuts action for ssh scripts and with the appropriate shortcut variable replacing the $1. The details are a bit complex to work out (esp getting the public rsa ssh key from your phone onto your router), but it's very do-able, and the shortcut need not be real long. It definitely helps if you have dealt with shortcuts before, and in fact I've been using an iPhone shortcut for changing servers this way for nearly a year. I last used it this morning and certainly don't regret the time investment to figure it out. Unfortunately, there is no way that I know to print a shortcut (and my version has too many bells and whistles for noninsane people anyway), and trying to describe the procedure in detail would eat a lot more time than I have available at the moment, so you are kinda on your own here.
I have no idea whether Android has a way to use ssh to send a small script to the router. Worth investigating though, if that's your phone flavor.
replace blabla-bla with your server IP or name format and 443 with your port used.. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Fri Jun 17, 2022 9:53 Post subject:
He probably want to just switch , preferably with an app.
For that you need a script as @Surpriseditworks already said.
Alternative could be to use WireGuard with multiple tunnels and make a combination of source and destination routing, e.g. your TV uses one tunnel, your IoT network another and the website of your bank and amazon are always using the WAN.
replace blabla-bla with your server IP or name format and 443 with your port used..
I have tried using new builds but found it screwed my DLNA/NAS streaming speed. So I am stuck with the best build I tested for my use case, and Kong has long gone. I'm using R7800 and the build I have doesn't seem to have advanced VPN config.
Last edited by hommegam on Fri Jun 17, 2022 13:02; edited 1 time in total
Where's this magical advanced VPN config box? I don't think I have that I'm on a build back in 2019...
egc wrote:
He probably want to just switch , preferably with an app.
For that you need a script as @Surpriseditworks already said.
Alternative could be to use WireGuard with multiple tunnels and make a combination of source and destination routing, e.g. your TV uses one tunnel, your IoT network another and the website of your bank and amazon are always using the WAN.
So you have a permanent solution.
Of course it is also possible to have multiple WG tunnels with multiple destinations and simply enable/disable but of course you need a script to do that albeit a simpler script
Last edited by hommegam on Fri Jun 17, 2022 20:29; edited 2 times in total
I'm on a build back in 2019...