Posted: Tue Mar 23, 2021 15:34 Post subject: more than 64 vpn IPs in additional config, openvpn client?
hi,
i have a linksys 3200acm on build 44048. i haven't upgraded to latest since reports are this is a good, stable version.
background: i use protonvpn. they have tier 1 and 2 servers, where the tier 2 servers are faster and more likely not to be detected as vpn. the list of US tier 2 IPs is over 200, which i've obtained.
protonvpn, to my knowledge, doesn't have a catchall address that redirects specifically to tier 2 address (i've written them and requested this ability).
as a working solution, in the openvpn client setup, i put one IP in the Server IP/Name, and 63 in the Additional Config (there is a 64 IP limit), in the format
remote xxx.xxx.xxx.xxx 1194
i also have remote-random, to randomize which is selected.
is there a scripted way to circumvent the 64 limit and randomly pull an IP from the larger list? something about this strikes a memory on the forum, but i've searched and can't locate it with the terms i've tried, if it even exists.
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Tue Mar 23, 2021 16:14 Post subject:
If you want to write one to put in Startup, you could have a big list in a "here doc", randomly put an entry from it in a variable, say server, kill the openvpn process, do nvram set openvpncl_remoteip=$server (or use its IP), then restart openvpn.
I forget whether one can do "stopservice openvpncl" and "startservice openvpncl" or some such for the stop and start, but apparently at one time I thought not, as my own Startup uses (for other reasons)
if ovpn=$(pidof openvpn); then kill $ovpn; fi
to kill it (if you use an openvpn server in dd-wrt as well as a client, you'll need to replace the pidof thing with a grep of the ps output to look for the correct process, as there'll be two) and
to start it. This start line works in 44048, but if you go to much older builds, it's different. In that case, with the openvpn client, grep for openvpn in the output of ps in a wide window and see what the call looked like.
Happy hacking... _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
I'm unaware of any 64 remote limit in OpenVPN itself, if that's what you mean. And I don't see mention of such a limit in the OpenVPN documentation (doesn't mean there isn't one). But there may be a limit to how much data you can stuff in the Additional Config field and/or the underlying nvram variable where it's stored.
i'll take a look at the script suggestion. thanks.
i came across the 64 limit (reiterating, one in Server/IP field and 63 in the Additional Config) last year, when i tried to load the entire list. vpn status never showed any connection attempts or information.
i think that i did a search, at that time, and read about the 64 limit.
i do remember putting 64 in the Additional Config and it still failing, then realizing that it had to be 63 because of the Server/IP field. That got it working.
but yours was a good question, so i tried it again before replying. i put the whole list of 200+ and it again showed no connection attempts or information. i took it down to 64 and it did the same. 63 got it working, again.
i apologize for the incomplete recollections. ideally, i'd like protonvpn to isolate the tier 2 and provide a catchall address that redirects to just those. the us.protonvpn.com selects one from all their servers, tier 1 and 2.
Quite honestly, I don't know why 64 remotes isn't sufficient. That's a LOT of servers to pick from. Just seems to me that at some point, the number of servers becomes irrelevant given the "winner" is chosen at random, and unimaginable you can't get connected to at least *one* of them. Those domain names may even resolve to *multiple* IP addresses, further extending your server options.
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Tue Mar 23, 2021 18:07 Post subject:
I doubt anyone will go my DIY way, but just in case, another thought. dd-wrt reads the relevant nvram vars and rebuilds the /tmp/openvpncl/openvpn.conf file on boot and on Apply in the GUI, but I don't believe it actually rereads it if you kill and restart the process. If that's the case, instead of setting the nvram variable, you can use sed to edit the "remote" line in the conf file. Experiment.
That said, I agree with @eibgrad's sentiment: When is 64 not enough? If the tiny extra bit of anonymity you get by going beyond that is important to you, you likely have security/privacy exposure beyond what can be mitigated with a vpn. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
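As an added illustration of the two approaches sketched in the posts above (random pick from a here-doc list, then editing the "remote" line of /tmp/openvpncl/openvpn.conf with sed), not code from anyone in this thread: a POSIX sh fragment written for BusyBox ash. The addresses are constructed TEST-NET placeholders, the conf path is passed as an argument (the sample conf is built in the usage call), and the kill/restart of the openvpn process is left to the commands already given in the thread.

```shell
#!/bin/sh
# Constructed placeholder list (TEST-NET ranges), one remote per line.
# On the router this would be the full provider list in the Startup script.
REMOTES=$(cat <<'EOF'
203.0.113.10
203.0.113.11
203.0.113.12
198.51.100.7
EOF
)

# Number of non-empty entries in a newline-separated list.
count_remotes() {
    printf '%s\n' "$1" | grep -c .
}

# Print the N-th (1-based) entry of the list.
nth_remote() {
    printf '%s\n' "$1" | sed -n "${2}p"
}

# Random index 1..N taken from /dev/urandom, because BusyBox ash on dd-wrt
# is not guaranteed to provide $RANDOM.
random_index() {
    raw=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( raw % $1 + 1 ))
}

# Choose one entry of the list at random.
pick_random_remote() {
    total=$(count_remotes "$1")
    nth_remote "$1" "$(random_index "$total")"
}

# Rewrite every "remote <host> <port>" line in an OpenVPN client conf.
# Assumes the conf carries a single remote line (the Server IP/Name one),
# so the script, not remote-random, does the choosing.
rewrite_remote() {   # $1 = conf path, $2 = new server, $3 = port
    sed -i "s/^remote .*/remote $2 $3/" "$1"
}

# Usage: build a constructed conf in /tmp, then swap its remote.
CONF=$(mktemp /tmp/openvpn-example.XXXXXX)
printf 'client\nremote 203.0.113.10 1194\nremote-random\n' > "$CONF"
rewrite_remote "$CONF" "$(pick_random_remote "$REMOTES")" 1194
```

After rewriting the conf, the kill and start lines from the earlier post apply; whether the restarted process actually reads the edited file is the point the poster says to experiment with.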
IOW, is there a real benefit to be realized here? Enough to merit the effort to get around the limit? Esp. if it requires some convoluted scripting?
fair enough. probably not, if it doesn't already exist. a lot of times i see questions answered with an already existing solution. i thought maybe it had been addressed and i couldn't locate it with searching.
it's not a big deal.
it's really nothing to do with extra anonymity. what i meant by vpn addresses being known is more to do with access being blocked, not with identity being discovered. that's not really addressed by having more than 64, though.
Just out of curiosity, I ran a small script (on my Ubuntu desktop) to dump all the public IPs associated w/ my list of remotes (20 in all) over at ExpressVPN. That resulted in a potential of 67 servers!