Failover OpenVPN - if first provider is offline, use second.

DD-WRT Forum Index -> Advanced Networking
swealpha
DD-WRT Novice


Joined: 09 Mar 2019
Posts: 18

PostPosted: Tue Mar 12, 2019 10:06    Post subject: Failover OpenVPN - if first provider is offline, use second.
Hello!
First of all you guys are great, thank you!

Do you know if it is possible to have a second OpenVPN provider as backup.

I mean for example:

#1 nordvpn.com openVPN
if nordvpn goes offline use #2.

#2 expressVPN
if expressVPN and NordVPN goes down shut down internet connection until #1 or #2 is online again.

Thank you!
Sorry for my bad English.


Last edited by swealpha on Tue Mar 12, 2019 10:21; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3642
Location: Netherlands

PostPosted: Tue Mar 12, 2019 12:06
Possible yes, easy no.

Why do you want this?

If you want to prevent traffic going out unsecured over the WAN then implement a kill switch (easy)

VPN connections sometimes disconnect but usually reconnect again. If this is not the case there is a script to restart the VPN connection automatically on disconnect, I have a script from @Sploit somewhere which does this automatically (fairly easy).

You can set up a second VPN client, but you have to do it by hand, and you need a script to start this second client when the first is down and perhaps, if this second one goes down, start the first client again. This script would need to be developed, as it does not exist to my knowledge (difficult).

I think Tomato firmware has the ability to specify two OVPN clients in the GUI, but I do not know if it has a failover setting.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614


Last edited by egc on Tue Mar 12, 2019 16:29; edited 1 time in total
swealpha
DD-WRT Novice


Joined: 09 Mar 2019
Posts: 18

PostPosted: Tue Mar 12, 2019 15:51
Hello!

I want to do this because I am renting out a house, and if the #1 OpenVPN provider goes offline when I am not available, it would be great to have a "backup" #2 OpenVPN provider.

Otherwise I need to be available all the time if something breaks.

I hope you understand me.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3642
Location: Netherlands

PostPosted: Tue Mar 12, 2019 16:38
Well, I outlined the possibilities I can think of in my previous post.

I would not be afraid of a VPN provider going out of service, but the router not reconnecting after a disconnect does happen now and then.
But with the restart script from @Sploit that should be solved.

But the router itself can also break down, or your ISP can go out of service; does that mean that you need a second ISP through a different network, with a different VPN provider and setup on a second router, with failover?

My former employer (a large hospital) had that kind of infrastructure LOL

sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

PostPosted: Thu Mar 28, 2019 23:59    Post subject: Coding...
I am in the process of developing an advanced version of my openvpn keepalive.

I currently (as of last night) worked the majority of the bugs out of the process.

There are limitations working with the BusyBox shell vs Full Linux, so I have had some issues with various things.

My primary focus on the project is making sure with Stupid VPN Providers like Nordvpn, that my keepalive script will automatically jump to the next server in the database, and remove a bad server from the list and add it to a "failed server" database.

I am using JFFS for the storage, and everything is up and working.

Upon server failure (my scripts check for various problems before deeming the server bad) it connects to the next server in the list.

NordVPN's server structure is terrible, but they are starting to make their server CERTS identical across their newer servers.


The feature I am coding tonight (if the variable is turned on) will pick a random server from the database.

This will be useful for VPN services like PIA or IPVanish: if the server address fails, it will hop to a random server in the database.

For example:

DATABASE EXAMPLE:

us-siliconvalley.privateinternetaccess.com
us-west.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-midwest.privateinternetaccess.com

The script will pick one of those at random and try it.

The ability to NOT remove the servers from the database can be turned off or on as well (good for PIA or Ipvanish) because the server may come back online shortly.

Option to reboot once the new server is added is available
Option to reboot once openvpn tunnel wifi is available

Any feature requests that you guys can think of I will take into consideration and code.





I will be working on implementing the complex tunnel switching from Static IP to Shared IP.

This isn't too complex now that I have the core built, because we can just tell the script to launch a script on a specific problem (or variable), and that script changes the nvram variables to update with the static settings or dynamic settings, and reset after X minutes, etc.

Also, the random server feature will have the option to just pick a random server and connect every time the script is run (from a CRON timer, for example).

This is cool if you want your IP to change all the time


@egc Hello

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3642
Location: Netherlands

PostPosted: Fri Mar 29, 2019 11:52
@Sploit looking forward to your script, your contributions are very much appreciated !
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

PostPosted: Sun Mar 31, 2019 8:30    Post subject: Almost Ready
So far so good.

I am really hammering the features and bug testing it right now.

So far here are the TESTED Features

1) Reboot Router on New Server Install
2) Delete Bad Servers from Database (Option Flag)
3) Append Bad Servers to a "Failed" Database (Option Flag)
4) Randomize Server Selection (Will Attempt to connect to a random server in the database)
5) Always Randomize on Script Execution (Used with a longer CRON delay to Change the Server simply because you want a Random Server Every so often)
6) Top to Bottom server switching (On a failed server, simply tries the next server in this list, starting from the TOP of the database and going to the BOTTOM. Makes sense, huh?)
7) Email via GMAIL on Server Failure (with server address that failed)
8) Email via GMAIL on server reconnect (With New Server Address)
9) Option to execute a custom script for each specific server in the database
-- This is useful for sooooo many reasons, including failover OR Switching to a whole other VPN Provider.
10) Separate Variables File for easy tweaking
11) Cleaned up Scripting and Heavily Commented for people familiar with bash scripting to understand why I did what I did



### Failsafes and Error Checking

I have had to incorporate numerous error logic checks to make sure endless broken loops don't happen.
The failsafes include preventing unneeded script execution: if it detects things are running correctly, it quits.

#### Still being debugged or developed...

1) Automated Removal Script (Including NVRAM Variables I set)
2) Option to Trim the Failed Server database to any specific KB size or set amount of lines (Easy... Just gotta do it)
3) Anything else anyone might need that can be done or suggestions.

I am very near release of the beta


I am Looking for beta testers.

Intermediate to Advanced ddwrt users only please.
Will require use of WinSCP to install.

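The feature list above (top-to-bottom switching, random selection, a "failed" database with an optional delete-from-database flag, a trim for the failed log, and quitting when the tunnel is already healthy) is the state machine such a keepalive job needs. The following is an added example written for this thread, not sploit's script, in BusyBox-compatible POSIX shell. The file names, the `REMOVE_BAD`/`RANDOMIZE` variables, the `tun1` interface name and the probe host are assumptions, and the server entries are constructed.

```shell
#!/bin/sh
# Added example (not sploit's script): the server-rotation state a keepalive job
# needs, written for a BusyBox/POSIX shell. It keeps a preference-ordered server
# database, a log of failed servers, optional removal of bad servers, optional
# random selection, and a trim for the failed log. File names, variables and the
# health probe are assumptions; the server entries are constructed.

STATE="${STATE:-$(mktemp -d)}"
DB="$STATE/servers.db"        # "host port" per line, top = most preferred
FAILED="$STATE/failed.db"     # timestamped record of servers that failed a check
CURRENT="$STATE/current"      # the server the client is currently configured for
REMOVE_BAD="${REMOVE_BAD:-0}" # 1 = delete a failed server from DB; 0 = keep it (it may come back)
RANDOMIZE="${RANDOMIZE:-0}"   # 1 = pick a random other server instead of the next one down
TUN="${TUN:-tun1}"            # DD-WRT's OpenVPN client normally uses tun1 (assumption)
PROBE="${PROBE:-10.0.0.1}"    # host to ping through the tunnel (placeholder)

# next_after SERVER: the entry below SERVER in DB order, wrapping to the top;
# the first entry if SERVER is empty or no longer listed
next_after() {
    awk -v cur="$1" '
        { list[NR] = $0; if ($0 == cur) idx = NR }
        END {
            if (NR == 0) exit
            if (idx == 0 || idx == NR) print list[1]; else print list[idx + 1]
        }' "$DB"
}

# random_other SERVER: a random entry that is not SERVER (SERVER itself if it is alone)
random_other() {
    awk -v cur="$1" 'BEGIN { srand() }
        { last = $0 } $0 != cur { c[++n] = $0 }
        END { if (n) print c[int(rand() * n) + 1]; else if (NR) print last }' "$DB"
}

pick_next() {
    if [ "$RANDOMIZE" = 1 ]; then random_other "$1"; else next_after "$1"; fi
}

# mark_failed SERVER: append to the failed log; with REMOVE_BAD=1 also drop it from DB
mark_failed() {
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $1" >> "$FAILED"
    if [ "$REMOVE_BAD" = 1 ]; then
        grep -v -x -F -- "$1" "$DB" > "$DB.tmp" || true   # grep exits 1 when nothing is left
        mv "$DB.tmp" "$DB"
    fi
}

# trim_failed N: keep only the newest N lines so the log cannot fill JFFS
trim_failed() {
    tail -n "$1" "$FAILED" > "$FAILED.tmp" && mv "$FAILED.tmp" "$FAILED"
}

# tunnel_ok: the tunnel interface exists and a probe through it answers
tunnel_ok() {
    [ -d "/sys/class/net/$TUN" ] && ping -c 1 -W 3 -I "$TUN" "$PROBE" >/dev/null 2>&1
}

# rotate_once: the single step a cron entry would run. A healthy tunnel means do
# nothing (no needless restarts); otherwise record the current server as failed,
# select the next one and write it out as the new current server.
rotate_once() {
    cur=$(cat "$CURRENT" 2>/dev/null || true)
    if tunnel_ok; then
        return 0
    fi
    [ -n "$cur" ] && mark_failed "$cur"
    nxt=$(pick_next "$cur")
    [ -n "$nxt" ] || return 1                 # database exhausted
    echo "$nxt" > "$CURRENT"
    echo "tunnel down: switching from '${cur:-none}' to '$nxt'"
    # On a real router this is where the OpenVPN client's server/port settings
    # would be updated and the client restarted.
}

# Constructed database and a dry run (the probe fails here because there is no tunnel)
printf '%s\n' "us-east.vpn.example 1197" "us-west.vpn.example 1197" "us-texas.vpn.example 1197" > "$DB"
: > "$FAILED"
: > "$CURRENT"
rotate_once
rotate_once
```

Run from cron every few minutes: a healthy tunnel costs one ping and no state change, and a dead one advances exactly one server per run, so a provider-wide outage walks the list and wraps instead of looping on a single entry.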
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3642
Location: Netherlands

PostPosted: Mon Apr 01, 2019 10:15
@Sploit, I would love to test it, but I am going on vacation for the forthcoming two weeks, but will want to test it when I come back.

I can test it with PIA on an R6400v2 with Kong 38580 build.

I use PBR (using my own implementation: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662), I use the patched SFE module which works with PBR and the PBR kill switch script from @Eibgrad.

Furthermore the router also hosts an OVPN server to complicate matters.

So not your average setup.

SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 286
Location: Appalachian mountains, USA

PostPosted: Mon Apr 01, 2019 16:34
In a nordvpn setup you can add a remote-random line and some modest number of lines (I have no idea what the practical limit is) like remote us2586.nordvpn.com 1194 to the Additional Config. Port 1194 is fixed and should not be changed, but you specify a different server on each such line. This server set you are creating includes the server you name in the Server IP/Name window as well, so don't leave that blank. The key is that you must select servers that use the same CA Cert and TLS Auth Key. (If you are using linux, compare file lengths and then diff them if lengths match.)

I've been using such a setup with a dozen or so servers for some months, and it works great. I get a randomly chosen server at boot and on Apply (in Services>VPN), and if the server tried is down or is not responding when the connection is attempted, it just picks another at random and tries again.

_________________
Six of the Linksys WRT1900ACSv2 on r38159 and r40009.
On various: VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, OpenVPN client/PBR (random NordVPN server).

VLANs on the WRT1900ACSv2 and other two-CPU Linksys/Marvell routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199

DNSCrypt for Quad9 DNS and/or multiple servers and/or missing DNSCrypt enable button: Sun Jan 06, 2019 post at
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094

Restarting OpenVPN from the CLI or script or SES button:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1172761
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 749

PostPosted: Tue Apr 02, 2019 5:31
Rather than using separate providers with different sets of certs, or a single provider that still uses separate certs for each of their end points, use a provider like PIA that uses the same certs across all their VPN servers. Then you can simply add something like the following to your openvpn config

remote us-east.privateinternetaccess.com 1197
remote us-florida.privateinternetaccess.com 1197
remote us-texas.privateinternetaccess.com 1197
remote us-midwest.privateinternetaccess.com 1197

Since on PIA all the certs and other config stay the same between their endpoints, the OpenVPN client will simply round robin through the list of REMOTE servers until it finds one that responds.

Put them in order of server preference since AFAIK it just starts at the top of the list and works its way down till it connects each time the client is launched.

Put a killswitch in place, and use the router's built-in watchdog functionality. If your internet drops or the VPN drops, the killswitch will keep unencrypted traffic from routing through your router, and the watchdog will simply reboot the router to attempt to reestablish connectivity; the VPN client will start anew on each reboot.

I have the watchdog set with a 5 min timeout. I've never had connectivity issues related to the router in the many years I have had the watchdog configured. Losses in connectivity have been due to power outages that last longer than my UPS can keep the network gear up, or total loss of connectivity from the ISP.

If your ISP loses connectivity, the watchdog will just keep boot looping the router every 5 minutes till it pulls a DHCP lease and regains connectivity.
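Both of the last two posts rest on the same precondition: a list of remote lines only works when every server in it is vouched for by the same CA certificate and uses the same TLS auth key, otherwise the client cannot authenticate some of the servers it is told to try. The script below is an added example, not from either poster, in POSIX/BusyBox-style shell: it hashes the <ca> and <tls-auth> blocks of each per-server profile, refuses to merge profiles whose trust material differs, and otherwise emits one client config carrying every remote plus remote-random. The profile files, host names and certificate bodies are constructed placeholders; the port 1197 is the one quoted in the post above.

```shell
#!/bin/sh
# Added example (not from this thread): verify that a set of per-server OpenVPN
# profiles share the same <ca> and <tls-auth> material, then merge them into one
# client config with several "remote" lines and remote-random.
# All file names, host names and certificate bodies below are constructed placeholders.

WORK="${WORK:-$(mktemp -d)}"

# mk_profile NAME HOST PORT CA_LABEL: write a constructed .ovpn profile
mk_profile() {
    cat > "$WORK/$1.ovpn" <<EOF
client
dev tun
remote $2 $3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-$4
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-KEY-$4
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# extract_block FILE TAG: print the lines between <TAG> and </TAG>
extract_block() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# fingerprint FILE: one hash over the CA cert and tls-auth key, so the key
# material itself never has to be printed or compared by eye
fingerprint() {
    { extract_block "$1" ca; extract_block "$1" tls-auth; } | sha256sum | cut -d' ' -f1
}

# check_same_trust FILE...: succeed only if every profile has the same fingerprint.
# Servers behind different CAs cannot share one client config: the client would
# fail to authenticate whichever server the bundled CA does not vouch for.
check_same_trust() {
    ref_fp=""
    for prof in "$@"; do
        this_fp=$(fingerprint "$prof")
        if [ -z "$ref_fp" ]; then
            ref_fp=$this_fp
        elif [ "$this_fp" != "$ref_fp" ]; then
            echo "trust material differs: $prof" >&2
            return 1
        fi
    done
    return 0
}

# build_config OUT FILE...: write a merged client config, or fail on a mismatch
build_config() {
    out_file=$1; shift
    check_same_trust "$@" || return 1
    {
        echo "client"
        echo "dev tun"
        echo "remote-random"            # start from a random entry, not always the first
        echo "resolv-retry infinite"    # keep resolving remotes after a WAN outage
        echo "remote-cert-tls server"   # only accept a peer whose cert is marked as a server
        for prof in "$@"; do
            grep '^remote ' "$prof" | head -n 1
        done
        echo "<ca>"; extract_block "$1" ca; echo "</ca>"
        echo "<tls-auth>"; extract_block "$1" tls-auth; echo "</tls-auth>"
        echo "key-direction 1"          # client side of the tls-auth key
    } > "$out_file"
}

# Constructed inputs: two servers of one provider (same trust material) and one
# profile from a different provider (different CA and key).
mk_profile us-east us-east.vpn.example 1197 A
mk_profile us-west us-west.vpn.example 1197 A
mk_profile other   gw.other.example    1194 B

build_config "$WORK/client.conf" "$WORK/us-east.ovpn" "$WORK/us-west.ovpn" \
    && echo "merged config written to $WORK/client.conf"
# mixing in the other provider's profile is refused:
build_config "$WORK/bad.conf" "$WORK/us-east.ovpn" "$WORK/other.ovpn" \
    || echo "refused to merge profiles with different trust material"
```

Comparing hashes rather than file lengths catches the case the "compare lengths, then diff" shortcut misses: two CA bundles of identical size that differ in content. Whether OpenVPN walks the remotes top-down or starts at a random one (remote-random), the merged config never lists a server the bundled CA cannot authenticate.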
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 59
Location: DE

PostPosted: Sun May 05, 2019 17:27    Post subject: Re: Coding...
sploit wrote:
I am in the process of developing an advanced version of my openvpn keepalive.
...
Also the random server feature will have the option to just pick a random server and connect every time the script is ran (From a CRON timer for example)

This is cool if you want your IP to change all the time


@egc Hello


You might be interested if you haven't seen this:

https://github.com/TobseTobse/DD-WRT_NordVPN

is doing most of your featureset. Working stable since end of last year here. Limited to NordVPN though. It is not changing NVRAM settings of OpenVPN.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xASUS RT-AC87U
1xTP710
All times are GMT