[SOLVED] Restart OpenVPN client when disconnected on WAP

Author Message
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Sun Sep 18, 2022 2:50    Post subject: [SOLVED] Restart OpenVPN client when disconnected on WAP
Hello,

Following my topic Not all traffic goes through VPN Client on DD-WRT AP, where I solved my problem so that now everything goes through the VPN (provided I choose an IP manually and define router C as the gateway on the clients, of course), I now have another problem that I would like to solve.

When I previously used my router as a gateway with an OpenVPN client, I had a few disconnects, and when that happened, the connection would automatically hang before the router restarted, until the server responded again.

To do this, I had this line in the Firewall commands: iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -m state --state NEW -j REJECT, and I had activated the Watchdog with a 360-second interval, pointing it at my VPN's first DNS server in the Keep Alive tab of the Administration menu.

I would like to get the same result.

According to the DDWRT OpenVPN Client Setup guide by egc, I have this line in the Firewall commands: iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr).

I have the Killswitch box checked in the OpenVPN client, as well as the Watchdog activated with the IP of the first DNS server of my VPN and a Ping Timeout of 30.

But the expected result is not there: when the VPN connection is lost, the clients no longer have access to the Internet, but when the VPN connection comes back (which does not always seem to be the case), the clients do not regain their internet access unless I order the router to restart.

Thanks in advance

Kind regards
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

PostPosted: Sun Sep 18, 2022 12:16    Post subject:
We need to see the whole picture.

Is the VPN router connected LAN-LAN with your main router?

The kill switch will only work with a WAN.
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Sun Sep 18, 2022 14:02    Post subject:
The router is connected LAN-LAN to the main router, and it is set up according to the chapter OpenVPN Client on a Wireless Access Point (WAP), page 12 of the DDWRT OpenVPN Client Setup guide by egc, as follows:
Quote:

OpenVPN Client on a Wireless Access Point (WAP)
Set up as a WAP to recap (do no more and no less!) on Setup page:
• Disable WAN
• Set Local IP Address inside scope of primary router e.g. if primary router is 192.168.1.1 set WAP as 192.168.1.2 / 24
• Set Gateway and Local DNS to the primary router
• DHCP off
• Leave DNSMasq on
• Leave the router in Gateway mode do not use Router mode!
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre )
Make sure to add the following rule to Administration/Commands and Save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


But the kill switch works; my NAS sends me a notification when the VPN connection does not work anymore. The problem is that it does not find the connection when the VPN works again, without me restarting the router.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Mon Sep 19, 2022 9:18    Post subject:
First, about the VPN settings: most providers do not have optimal settings for DDWRT, and sometimes they are even outright wrong.

You normally do not need anything in the Additional config, as outlined in the Client setup guide.
However, I do not think that this is your problem, as the VPN seems to operate.

When a VPN server is busy, VPN providers have a habit of kicking users off. When the watchdog tries to reconnect to the server, it can still be busy (or down for maintenance), so to make sure you can connect to your VPN provider you have to add more addresses of VPN servers, so that your VPN client can/will try different VPN servers. The GUI has settings for this.

Normally the killswitch does not work on a WAP (as PYB already noted); you have to add that manually, as outlined in the guide.

The fact that you do not have internet access when the VPN is not working might indicate problems in your setup (and I mean the setup of your LAN clients).

You first have to research whether the problem is the VPN client which does not reconnect, or your clients which do not reconnect to your router, or, if they do reconnect, a DNS problem of your clients.

So trigger the VPN watchdog, I use 8.8.8.8 as watchdog IP:
iptables -I OUTPUT -d 8.8.8.8 -j DROP

This rule will block 8.8.8.8 so the watchdog should be triggered.

You can see if the rule is hit with:
iptables -vnL OUTPUT
You will see the packet counter increase.

After the VPN has been restarted again (you can view the process with: grep -i openvpn /var/log/messages),
remove the block rule:
iptables -D OUTPUT -d 8.8.8.8 -j DROP

Now check if the VPN is up and connected from Status/OpenVPN

You can check if the router itself uses the VPN with:
traceroute 8.8.8.8

You should see the VPN being used

If this works the problem is your client.
From the client (if it is Windows) you can also do from a command prompt:
tracert 8.8.8.8

If this works but you do not have internet your DNS settings are the problem.

I am traveling and have a travel router with me which I use with VPN (mostly WireGuard, but it also has OpenVPN) to connect to my home. I set it up as a WAP with OpenVPN just as you did, and after a simulated restart of the VPN client my LAN client had no problem reconnecting.

If you cannot find the problem, there is also the possibility of having the watchdog restart the whole router instead of only restarting the VPN Client, also described in the Client setup guide, but normally that is not necessary and not desirable, as it will stop all traffic during the boot process.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
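An added example (not from the guide or from egc's post) that turns the three checks in the watchdog test above into small shell functions, so each step can be verified against the command output rather than eyeballed. The sample output they run on here is constructed; on the router you feed them the live output as shown in the trailing comment.

```shell
# Helpers for egc's watchdog test: parse the output of the commands he lists.
# Added example, not from the guide; sample data below is constructed.

WATCHDOG_IP=8.8.8.8   # the watchdog target egc uses

# Packet count of the DROP rule for WATCHDOG_IP in `iptables -vnL OUTPUT`.
# Columns are: pkts bytes target prot opt in out source destination.
# A counter that keeps rising between two calls proves the rule is hit and
# the watchdog pings are really being dropped.
drop_rule_pkts() {
    printf '%s\n' "$1" | awk -v ip="$WATCHDOG_IP" \
        '$3 == "DROP" && $9 == ip { print $1; exit }'
}

# Completed OpenVPN connections in `grep -i openvpn /var/log/messages`.
# OpenVPN logs "Initialization Sequence Completed" once the tunnel is up; a
# second occurrence after the block rule was added means the watchdog
# restarted the client and the tunnel came back.
openvpn_up_count() {
    printf '%s\n' "$1" | grep -ic 'Initialization Sequence Completed' || true
}

# First hop of `traceroute 8.8.8.8`: the VPN gateway (10.8.0.1 in egc's
# PUSH_REPLY) when the tunnel is used, the main router's LAN address when not.
first_hop() {
    printf '%s\n' "$1" | awk '$1 == "1" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^\(?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)?$/) { gsub(/[()]/, "", $i); print $i; exit }
    }'
}

# Constructed sample output (not captured from a real router).
SAMPLE_IPT='Chain OUTPUT (policy ACCEPT 8123 packets, 912K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 DROP       all  --  *      *       0.0.0.0/0            8.8.8.8'
SAMPLE_LOG='Sep 19 10:02:11 DD-WRT daemon.notice openvpn[2210]: Initialization Sequence Completed
Sep 19 10:09:40 DD-WRT daemon.notice openvpn[2210]: SIGTERM[hard,] received, process exiting
Sep 19 10:09:52 DD-WRT daemon.notice openvpn[2315]: Initialization Sequence Completed'
SAMPLE_TR='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  24.8 ms  25.1 ms  24.9 ms
 2  8.8.8.8 (8.8.8.8)  31.0 ms  30.7 ms  30.9 ms'

echo "DROP rule hits: $(drop_rule_pkts "$SAMPLE_IPT")"         # 12
echo "tunnel came up: $(openvpn_up_count "$SAMPLE_LOG") times"  # 2
echo "first hop:      $(first_hop "$SAMPLE_TR")"                # 10.8.0.1

# On the router, feed the live output instead, e.g.
#   drop_rule_pkts "$(iptables -vnL OUTPUT)"
#   openvpn_up_count "$(grep -i openvpn /var/log/messages)"
#   first_hop "$(traceroute 8.8.8.8)"
```

Call drop_rule_pkts twice a minute or so apart; the VPN has only been restarted by the watchdog when openvpn_up_count is one higher than before the block rule went in.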
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Mon Sep 19, 2022 21:26    Post subject:
I performed your test, according to your indications the problem would be the DNS settings. I do not understand why.

On my main router I have the following DNS 91.239.100.100 and 89.233.43.71 from UncensoredDNS.

My WAP router (with OpenVPN) has the main router address as the gateway, the same for the Local DNS.

On my various clients, the IP address is set manually in accordance with the one reserved via MAC address on the main router, I define the WAP router as the gateway, and I set the DNS servers indicated by my VPN there, namely 10.0.254.2 and 198.245.51.147 in my case.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Tue Sep 20, 2022 8:49    Post subject:
The instructions like almost all instructions are not "optimal"

The only items you can use in the additional config are:
resolv-retry infinite
keepalive 10 60

The others are redundant


Their DNS instructions are outright wrong.

But you have used your own DNS servers for the main router and set the WAP to the Main router so that is OK.

For your clients which you point to the WAP you also have to point the DNS to the WAP.
If the VPN is not working then the WAP points to the main router, so without WAP you effectively use the main router (and now we have the explanation why you do not have internet access without VPN even if the killswitch is not working: it is the DNS).

But when the VPN is working the VPN provider usually pushes the VPN DNS server to the WAP and the WAP will start using the VPN DNS server and thus your connected clients will use the VPN DNS server.
So basically the whole process is designed to automatically switch to the VPN DNS server when the VPN is activated.

In the OpenVPN Status you should be able to see if the VPN DNS server is pushed and with ipleak.net you can check it on your clients.

This is from my own VPN client:
Quote:
0220920 10:51:40 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway dhcp-option DNS 8.8.4.4 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.8.0.2 255.255.255.0
DNS server 8.8.4.4 is pushed and then used by my clients


If the VPN provider does not push a DNS server you can add one manually in the OpenVPN additional config.

j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Tue Sep 20, 2022 22:13    Post subject:
egc wrote:
The instructions like almost all instructions are not "optimal"

The only items you can use in the additional config are:
resolv-retry infinite
keepalive 10 60

The others are redundant


I have defined the additional config as you recommend.

egc wrote:
Their DNS instructions are outright wrong.

But you have used your own DNS servers for the main router and set the WAP to the Main router so that is OK.

For your clients which you point to the WAP you also have to point the DNS to the WAP.
If the VPN is not working then the WAP points to the main router, so without WAP you effectively use the main router (and now we have the explanation why you do not have internet access without VPN even if the killswitch is not working: it is the DNS).

But when the VPN is working the VPN provider usually pushes the VPN DNS server to the WAP and the WAP will start using the VPN DNS server and thus your connected clients will use the VPN DNS server.
So basically the whole process is designed to automatically switch to the VPN DNS server when the VPN is activated.


There must be a misunderstanding from one of us:

When the VPN is unavailable or the OpenVPN client is not started, I'm happy not to have internet, and I don't want traffic to go through the main router instead.

In this case, are the settings of my clients as specified not correct?

My problem is that once the VPN is reconnected, I don't have internet (through VPN) on my clients until I restart the WAP router.

egc wrote:
In the OpenVPN Status you should be able to see if the VPN DNS server is pushed and with ipleak.net you can check it on your clients.

This is from my own VPN client:
Quote:
0220920 10:51:40 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway dhcp-option DNS 8.8.4.4 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.8.0.2 255.255.255.0
DNS server 8.8.4.4 is pushed and then used by my clients


If the VPN provider does not push a DNS server you can add one manually in the OpenVPN additional config.


I checked and my VPN client is pushing a DNS server.

On the other hand, I hadn't thought of doing a test with ipleak.net before, and I found that I don't have any leaks with certain devices (iPad for example), but that I have some with others (Android Smartphone).

I read your DDWRT VPN and DNS guide, and I tried the first two points of the chapter "Stopping rogue clients"; it doesn't solve the problem.

Can we force the VPN tunnel to exclusively use the DNS pushed by the VPN and/or those added by ourselves in the additional config?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Wed Sep 21, 2022 10:57    Post subject:
DNSmasq should exclusively use the pushed DNS server.

You can check with: cat /tmp/resolv.dnsmasq

After the VPN is up and working it should show the pushed DNS server.

But of course clients (or web browsers!) might use their own DNS servers instead of using DNSMasq or use IPv6 DNS server, that is sometimes difficult to control.

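An added example (not from the guide or from egc's posts) that checks the two things egc describes: that the VPN provider pushed a DNS server (the "dhcp-option DNS" in the PUSH_REPLY line shown earlier) and that /tmp/resolv.dnsmasq contains exactly that server. The PUSH_REPLY sample is egc's own line from this thread; the resolv.dnsmasq contents are constructed.

```shell
# Compare the DNS server pushed by the VPN with what dnsmasq forwards to.
# Added example, not from the guide; resolv.dnsmasq samples are constructed.

# Every server named by "dhcp-option DNS <ip>" in a PUSH_REPLY log line, one
# per line. In the real log the options are comma separated and quoted;
# commas and quotes are turned into spaces so both forms parse the same way.
pushed_dns() {
    printf '%s\n' "$1" | tr ",'" "  " | awk '/PUSH_REPLY/ {
        for (i = 1; i <= NF - 2; i++)
            if ($i == "dhcp-option" && $(i + 1) == "DNS") print $(i + 2)
    }'
}

# Nameservers dnsmasq forwards to, from the contents of /tmp/resolv.dnsmasq.
resolv_servers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Returns 0 only when every pushed server is in resolv.dnsmasq and nothing
# else is: a leftover entry (the main router, say) would let queries bypass
# the VPN's resolver while the tunnel is up. Prints a verdict per server.
dns_switched_to_vpn() {
    pushed=$(pushed_dns "$1")
    active=$(resolv_servers "$2")
    [ -n "$pushed" ] || { echo "no DNS server pushed by the VPN"; return 1; }
    bad=0
    for s in $pushed; do
        if printf '%s\n' "$active" | grep -qx "$s"; then
            echo "pushed DNS $s is in resolv.dnsmasq"
        else
            echo "pushed DNS $s is MISSING from resolv.dnsmasq"; bad=1
        fi
    done
    for s in $active; do
        printf '%s\n' "$pushed" | grep -qx "$s" ||
            { echo "extra nameserver $s was not pushed by the VPN"; bad=1; }
    done
    return $bad
}

# egc's PUSH_REPLY line as quoted in this thread.
SAMPLE_LOG="0220920 10:51:40 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway dhcp-option DNS 8.8.4.4 route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig 10.8.0.2 255.255.255.0"
# Constructed resolv.dnsmasq contents: the good case, and one where the main
# router (192.168.1.1 in the guide's example) is still listed.
RESOLV_OK='nameserver 8.8.4.4'
RESOLV_LEAK='nameserver 8.8.4.4
nameserver 192.168.1.1'

dns_switched_to_vpn "$SAMPLE_LOG" "$RESOLV_OK"           # exit status 0
dns_switched_to_vpn "$SAMPLE_LOG" "$RESOLV_LEAK" || :    # exit status 1
# On the router: pass the PUSH_REPLY line from the OpenVPN log and "$(cat /tmp/resolv.dnsmasq)".
```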
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Wed Sep 21, 2022 20:53    Post subject:
After various tests, and despite your statements, it seems that the problem lies with the Killswitch checkbox in the OpenVPN client configuration.

When the checkbox is checked, from the moment there was a disconnection from the VPN, the client no longer has a connection, even if the VPN reconnects. (And I set the DNS on the client to the IP address of the WAP router as you recommend.)

When the checkbox is unchecked, the client remains connected, but the problem that then arises is that if the VPN fails to reconnect, the client is connected to the net without VPN.

egc wrote:
DNSmasq should exclusively use the pushed DNS server.

You can check with: cat /tmp/resolv.dnsmasq

After the VPN is up and working it should show the pushed DNS server.


Yes indeed, thank you.

egc wrote:
But of course clients (or web browsers!) might use their own DNS servers instead of using DNSMasq or use IPv6 DNS server, that is sometimes difficult to control.


Apparently, it is Android which gives priority to Google's DNS; all the servers found have Google as ISP.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Wed Sep 21, 2022 21:46    Post subject:
Android's DNS can be set; by default it will do as you say. My Android clients use the DNS I determine.
_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

PostPosted: Wed Sep 21, 2022 22:10    Post subject:
the-joker wrote:
Android's DNS can be set; by default it will do as you say. My Android clients use the DNS I determine.


I must have a bug.

Whatever DNS I set on my Wi-Fi connection, queries are made through Google's servers.

The only way I've found to bypass these is to designate a private DNS manually, or connect to my VPN through the Android app.

Edit : I had incorrectly checked the settings of my browser, the private DNS was also active there. I have no more leaks.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Thu Sep 22, 2022 6:15    Post subject:
Great that you solved it. About the DNS, that is why I wrote:
Quote:
But of course clients (or web browsers!) might use their own DNS servers


You can redirect regular DNS on port 53 and block port 853 (DoT) with the settings in the GUI, but blocking DoH on port 443 (used by web browsers) is very difficult (it can be done and is described in the VPN and DNS guide), but you have found that problem and disabled it on the client/web browser.

About the Killswitch: no, it does not always work on a WAP; you really have to set it manually to be sure. If you are interested why, read on.

Note I wrote "not always".

It does work when the watchdog restarts the OpenVPN, but not when the router restarts or when you press Apply in the OpenVPN GUI.
To complicate matters further, on older builds it worked when the router restarts and also when you pressed Apply in the OpenVPN GUI, but it did not work if the firewall restarts after the VPN is up.

This strange behaviour comes from the fact that there are actually two killswitches.
One is in the OpenVPN code, to make sure that when OpenVPN is started the killswitch is active; this one works.
The same code is in the Firewall, so if the firewall restarts (which removes all existing firewall rules) the killswitch is activated again.
But on a WAP, where there is no WAN, the firewall does not make FORWARD rules at all, and thus the killswitch is not reinstated when the firewall is restarted on a WAP.
As on recent builds the firewall is always restarted together with OpenVPN when you press Apply in the OpenVPN GUI, the killswitch is briefly made by the OpenVPN code but then disabled by the restarting Firewall.

Of course not the behaviour we want, but it is outlined in the documentation that you manually need to set the killswitch on a WAP.
So patching this erratic behaviour was not high on my priority list, but your post moved it up the list, and a patch is underway. It still needs testing, and as I am traveling it can take some weeks.

For all of you who make your own builds (unfortunately not many), I have attached the patch.

So it should work reliably in future builds.

Thanks for reporting your problems.

I will mark this thread as solved.
