more than 64 vpn IPs in additional config, openvpn client?

weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Tue Mar 23, 2021 15:34    Post subject: more than 64 vpn IPs in additional config, openvpn client?
Hi,
I have a Linksys 3200ACM on build 44048. I haven't upgraded to the latest since reports are this is a good, stable version.

Background: I use ProtonVPN. They have tier 1 and 2 servers, where the tier 2 servers are faster and more likely not to be detected as VPN. The list of US tier 2 IPs is over 200, which I've obtained.

ProtonVPN, to my knowledge, doesn't have a catchall address that redirects specifically to tier 2 addresses (I've written them and requested this ability).
As a working solution, in the OpenVPN client setup, I put one IP in the Server IP/Name, and 63 in the Additional Config (there is a 64 IP limit), in the format
remote xxx.xxx.xxx.xxx 1194
I also have remote-random, to randomize which is selected.

Is there a scripted way to circumvent the 64 limit and randomly pull an IP from the larger list? Something about this strikes a memory on the forum, but I've searched and can't locate it with the terms I've tried, if it even exists.

Thanks!
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Tue Mar 23, 2021 16:14
If you want to write one to put in Startup, you could have a big list in a "here doc", randomly put an entry from it in a variable, say server, kill the openvpn process, do nvram set openvpncl_remoteip=$server (or use its IP), then restart openvpn.

I forget whether one can do "stopservice openvpncl" and "startservice openvpncl" or some such for the stop and start, but apparently at one time I thought not, as my own Startup uses (for other reasons)

if ovpn=$(pidof openvpn); then kill $ovpn; fi

to kill it (if you use an openvpn server in dd-wrt as well as a client, you'll need to replace the pidof thing with a grep of the ps output to look for the correct process, as there'll be two) and

openvpn --daemon --config /tmp/openvpncl/openvpn.conf

to start it. This start line works in 44048, but if you go to much older builds, it's different. In that case, with the openvpn client, grep for openvpn in the output of ps in a wide window and see what the call looked like.

Re random numbers, there are things online you can peruse/try. Here's one from a quick search just now: https://stackoverflow.com/questions/7642743/how-to-generate-random-numbers-in-the-busybox-shell.

Happy hacking...

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Tue Mar 23, 2021 16:48
I'm unaware of any 64 remote limit in OpenVPN itself, if that's what you mean. And I don't see mention of such a limit in the OpenVPN documentation (doesn't mean there isn't one). But there may be a limit to how much data you can stuff in the Additional Config field and/or the underlying nvram variable where it's stored.

I just want to be sure where the limit(s) actually resides before making any recommendations. I've never pushed it to those limits.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Tue Mar 23, 2021 17:14
I'll take a look at the script suggestion. Thanks.

I came across the 64 limit (reiterating, one in the Server/IP field and 63 in the Additional Config) last year,
when I tried to load the entire list. VPN status never showed any connection attempts or information.
I think that I did a search at that time and read about the 64 limit.
I do remember putting 64 in the Additional Config and it still failing, then realizing that it had to be 63 because of the Server/IP field. That got it working.

But yours was a good question, so I tried it again before replying. I put the whole list of 200+ and it again showed no connection attempts or information. I took it down to 64 and it did the same. 63 got it working, again.

I apologize for the incomplete recollections. Ideally, I'd like ProtonVPN to isolate the tier 2 and provide a catchall address that redirects to just those. The us.protonvpn.com selects one from all their servers, tier 1 and 2.
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Tue Mar 23, 2021 17:21
Push it to the limit.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Tue Mar 23, 2021 17:32
Quite honestly, I don't know why 64 remotes isn't sufficient. That's a LOT of servers to pick from. Just seems to me that at some point, the number of servers becomes irrelevant given the "winner" is chosen at random, and unimaginable you can't get connected to at least *one* of them. Those domain names may even resolve to *multiple* IP addresses, further extending your server options.

IOW, is there a real benefit to be realized here? Enough to merit the effort to get around the limit? Esp. if it requires some convoluted scripting?

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Tue Mar 23, 2021 18:07
I doubt anyone will go my DIY way, but just in case, another thought. dd-wrt reads the relevant nvram vars and rebuilds the /tmp/openvpncl/openvpn.conf file on boot and on Apply in the GUI, but I don't believe it actually rereads it if you kill and restart the process. If that's the case, instead of setting the nvram variable, you can use sed to edit the "remote" line in the conf file. Experiment.

That said, I agree with @eibgrad's sentiment: When is 64 not enough? If the tiny extra bit of anonymity you get by going beyond that is important to you, you likely have security/privacy exposure beyond what can be mitigated with a vpn.

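Putting the two suggestions above together (the random pick from a big list in Startup, and editing the "remote" line of the generated conf with sed rather than touching nvram), here is an added example that is not from either poster or from dd-wrt. It is BusyBox-compatible sh; the addresses are constructed placeholders, the function names are my own, and the conf path and start line are the build-44048 ones quoted earlier. Run it as `sh pick-remote.sh apply` on the router.

```shell
#!/bin/sh
# Added example (not from the thread): pick a random remote from a list longer
# than the 64-entry GUI limit and swap it into the running client's config.

# Constructed placeholder addresses (RFC 5737); paste the real list here.
SERVERS='
192.0.2.10
192.0.2.11
192.0.2.12
198.51.100.7
198.51.100.8
'

# Random index in 1..N. BusyBox ash is often built without $RANDOM, so take
# two bytes from /dev/urandom via od (a BusyBox applet) instead.
random_index() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % $1 + 1 ))
}

# Split the list into positional parameters and print a random one.
pick_random_server() {
    set -- $SERVERS
    shift $(( $(random_index $#) - 1 ))
    echo "$1"
}

# Rewrite the "remote" line in the generated config. Only the endpoint changes;
# the CA/cert settings that authenticate the server stay as dd-wrt wrote them.
set_remote() {
    sed -i "s/^remote .*/remote $2 1194/" "$1"
}

# Kill the client and start it again on the edited config (build 44048 form).
restart_client() {
    if ovpn=$(pidof openvpn); then kill $ovpn; fi
    openvpn --daemon --config "$1"
}

if [ "$1" = "apply" ]; then
    set_remote /tmp/openvpncl/openvpn.conf "$(pick_random_server)"
    restart_client /tmp/openvpncl/openvpn.conf
fi
```

Every line starting with "remote" is rewritten to the same pick, so clear the Additional Config remotes and keep only the single GUI Server IP/Name entry. If you also run an OpenVPN server on the router, replace the pidof line with a ps grep for the client process, as noted above.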
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Tue Mar 23, 2021 18:12
Perhaps the following might prove useful in your quest.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326230

IOW, establish different profiles to the same OpenVPN provider, each w/ its own set of 64 remotes. Then rotate among them using the scheduler.

weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Tue Mar 23, 2021 18:17
eibgrad wrote:
Quite honestly, I don't know why 64 remotes isn't sufficient. That's a LOT of servers to pick from. Just seems to me that at some point, the number of servers becomes irrelevant given the "winner" is chosen at random, and unimaginable you can't get connected to at least *one* of them. Those domain names may even resolve to *multiple* IP addresses, further extending your server options.

IOW, is there a real benefit to be realized here? Enough to merit the effort to get around the limit? Esp. if it requires some convoluted scripting?


Fair enough. Probably not, if it doesn't already exist. A lot of times I see questions answered with an already existing solution. I thought maybe it had been addressed and I couldn't locate it with searching.
It's not a big deal.
weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Tue Mar 23, 2021 18:20
eibgrad wrote:
Perhaps the following might prove useful in your quest.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326230

IOW, establish different profiles to the same OpenVPN provider, each w/ its own set of 64 remotes. Then rotate among them using the scheduler.


Thanks, I will look into it.

SurprisedItWorks, thanks also, and I'll look into that, too.
weech
DD-WRT Novice


Joined: 11 May 2017
Posts: 20

PostPosted: Tue Mar 23, 2021 18:33
SurprisedItWorks wrote:
I doubt anyone will go my DIY way, but just in case, another thought. dd-wrt reads the relevant nvram vars and rebuilds the /tmp/openvpncl/openvpn.conf file on boot and on Apply in the GUI, but I don't believe it actually rereads it if you kill and restart the process. If that's the case, instead of setting the nvram variable, you can use sed to edit the "remote" line in the conf file. Experiment.

That said, I agree with @eibgrad's sentiment: When is 64 not enough? If the tiny extra bit of anonymity you get by going beyond that is important to you, you likely have security/privacy exposure beyond what can be mitigated with a vpn.


It's really nothing to do with extra anonymity. What I meant by VPN addresses being known is more to do with access being blocked, not with identity being discovered. That's not really addressed by having more than 64, though.

Anyway, no big deal.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Tue Mar 23, 2021 19:05
Just out of curiosity, I ran a small script (on my Ubuntu desktop) to dump all the public IPs associated w/ my list of remotes (20 in all) over at ExpressVPN. That resulted in a potential of 67 servers!

Code:
HOSTS='
us-new-york-2-ca-version-2.expressnetw.com
usa-atlanta-ca-version-2.expressnetw.com
usa-chicago-ca-version-2.expressnetw.com
usa-dallas-2-ca-version-2.expressnetw.com
usa-dallas-ca-version-2.expressnetw.com
usa-denver-ca-version-2.expressnetw.com
usa-losangeles-1-ca-version-2.expressnetw.com
usa-losangeles-3-ca-version-2.expressnetw.com
usa-losangeles-ca-version-2.expressnetw.com
usa-losangeles5-ca-version-2.expressnetw.com
usa-miami-2-ca-version-2.expressnetw.com
usa-miami-ca-version-2.expressnetw.com
usa-newjersey-1-ca-version-2.expressnetw.com
usa-newjersey-3-ca-version-2.expressnetw.com
usa-newyork-ca-version-2.expressnetw.com
usa-saltlakecity-ca-version-2.expressnetw.com
usa-sanfrancisco-ca-version-2.expressnetw.com
usa-seattle-ca-version-2.expressnetw.com
usa-tampa-1-ca-version-2.expressnetw.com
usa-washingtondc-ca-version-2.expressnetw.com
'

for host in $HOSTS; do host $host; done | wc -l

All times are GMT