OpenVPN client config (.ovpn) launched with a startup script

DD-WRT Forum Index -> Advanced Networking

Author: Mbot (DD-WRT Novice, Joined: 21 Dec 2017, Posts: 1)
Posted: Thu Dec 21, 2017 22:06    Post subject: OpenVPN client config (.ovpn) launched with a startup script
Hi community,

After several tests in the GUI, I could not get my OpenVPN client configuration (on DD-WRT) to work with my OpenVPN server installed on an OVH VPS.
Each time, the connection to the VPN server succeeded but no data was exchanged (routes were not imported, etc.).

So I finally chose another way: creating the client configuration file (*.ovpn) at router startup with a script, plus a cron task that checks every 5 minutes that the OpenVPN service is running.

This method has the advantage of being fully customizable, and it allowed me to use exactly the client file generated by the OpenVPN server. Now everything works perfectly.

Here is the tutorial:
(P.S.: please excuse my English, I'm not a native English speaker)

1- First, disable the OpenVPN client service in the GUI.

2- Then go to Administration > Commands and paste the following script, which you then save as a startup script (it is stored as "/tmp/.rc_startup"):

Code:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/tun0/forwarding # tun0 only exists once the tunnel is up; at boot this line fails harmlessly
echo 1 > /proc/sys/net/ipv4/conf/br0/forwarding

# OpenVPN client configuration file
# Put between the "" the contents of your *.ovpn file, including the keys and certificates
# (this file then holds the client's private key, so keep it on the router only).

touch /tmp/myopenvpn.conf
echo "# IP and proto
client
dev tun
proto udp
remote x.x.x.x 1194 # IP of your OpenVPN server

# Real MTU
tun-mtu 1400
tun-mtu-extra 32
mssfix 1336
sndbuf 393216
rcvbuf 393216

# DNS and resolv
resolv-retry infinite
nobind

# Allow scripts
script-security 2

# Keep alive
persist-key
persist-tun
reneg-sec 0

# Keys and certs
remote-cert-tls server
tls-auth ta.key 1 # key direction 1; the key material itself comes from the inline <tls-auth> block below
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

# Verbose
mute-replay-warnings
verb 3
mute 5

# CA cert
<ca>
-----BEGIN CERTIFICATE-----
CA cert
-----END CERTIFICATE-----
</ca>

# Client cert
<cert>
-----BEGIN CERTIFICATE-----
Client cert here
-----END CERTIFICATE-----
</cert>

# Client key
<key>
-----BEGIN PRIVATE KEY-----
Client DDWRT key here
-----END PRIVATE KEY-----
</key>

# TA key
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
TA key here
-----END OpenVPN Static key V1-----
</tls-auth>" > /tmp/myopenvpn.conf

# Crontab: add a rule that checks (and starts if necessary) the OpenVPN service every 5 minutes.
# Note that ">" replaces the whole /tmp/crontab file.
sleep 1
echo "*/5 * * * * root /jffs/etc/config/check_openvpn.sh" > /tmp/crontab
sleep 1
stopservice cron && startservice cron
sleep 1


3- If you have not enabled the additional JFFS2 storage, you will not be able to keep the OpenVPN check-and-launch script under "/jffs/etc/config/". In that case, also create the script "check_openvpn.sh" at startup with echo "..." > /tmp/check_openvpn.sh followed by chmod +x /tmp/check_openvpn.sh (and point the cron line above at /tmp/check_openvpn.sh instead).

Here is the content of the script "check_openvpn.sh". It checks whether the "openvpn" process is running and, if not, synchronizes the system clock with a time server (needed for the TLS handshake, since certificate validity dates are checked) and then starts the OpenVPN service:

Code:

#!/bin/sh

# Check the openvpn service (pidof returns non-zero when no openvpn process exists)
/bin/pidof openvpn > /dev/null

if [ $? -ne 0 ]; then
  # Try up to 5 times to synchronise the clock (a wrong clock breaks the certificate checks of the TLS handshake)
  for i in 1 2 3 4 5; do
    /usr/sbin/ntpclient 0.xx.pool.ntp.org 2> /dev/null # Put the address of your nearest time server

    # Successful synchronisation
    if [ $? -eq 0 ]; then
      # Process monitor restart
      sleep 1
      stopservice process_monitor
      startservice process_monitor
      sleep 2

      # OpenVPN launch
      /usr/sbin/openvpn --config /tmp/myopenvpn.conf --daemon
      if [ $? -eq 0 ]; then
        sleep 1
        logger -t "$0" "OpenVPN launched !"
        exit 0
      else
        logger -t "$0" -p 4 "error launching OpenVPN."
        exit 1
      fi
    fi
  done

  logger -t "$0" -p 4 "Error with time synchronization !"
  exit 1
fi

logger -t "$0" "OpenVPN simple checking..."
exit 0


4- Afterwards, do not forget to add the following rules to your firewall script (file "/tmp/.rc_firewall") and to save them:

Code:

# OpenVPN iptables
iptables -I FORWARD -i br0 -o tun0 -j logaccept
iptables -I FORWARD -i tun0 -o br0 -j logaccept
# iptables -I FORWARD -i br0 -o vlan2 -j logreject # Uncomment to block LAN traffic that bypasses the tunnel (leak protection)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Keep SSH reachable from outside the OpenVPN network: replies from port 22 to
# non-VPN addresses are marked and routed through the WAN gateway (routing table 200)
ip route flush cache
ip route add default via $(nvram get wan_gateway) dev vlan2 table 200
ip rule add fwmark 22 table 200
iptables -t mangle -I OUTPUT -p tcp --sport 22 ! -d x.x.x.x/24 -j MARK --set-mark 22 # Put the subnet of your OpenVPN client network



5- Finally, reboot your router and look at the syslog to check your OpenVPN connection.
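Since the startup script writes the whole .ovpn, including key material, through a single echo, a quick sanity check of the result before cron hands it to openvpn saves a lot of syslog reading. The script below is an added example, not part of the post above: it verifies the file permissions, the placeholder x.x.x.x, the four inline blocks and the tls-auth key direction; the function name check_ovpn_conf and the file /tmp/myopenvpn.conf path are assumptions, the latter taken from the post.

```shell
#!/bin/sh
# Sanity-check a generated OpenVPN client config (such as /tmp/myopenvpn.conf)
# before handing it to openvpn. Exit 0 when it looks usable, 1 otherwise; every
# problem is printed on stderr. Assumes busybox/POSIX sh with grep, sed and ls.
# Usage: sh check_ovpn_conf.sh /tmp/myopenvpn.conf   (added example, not from the post)

# count_exact FILE PATTERN: number of lines matching PATTERN (prints 0 on no match)
count_exact() { grep -c "$2" "$1" || true; }

check_ovpn_conf() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # 1. The file embeds the client's private key: group/other permission bits must be clear.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "$f: readable by group/other but contains a private key" >&2; rc=1 ;;
    esac

    # 2. A real server address must have replaced the x.x.x.x placeholder.
    if ! grep -q '^remote [^ ][^ ]* [0-9][0-9]*' "$f"; then
        echo "$f: no 'remote <host> <port>' line" >&2; rc=1
    elif grep -q '^remote x\.x\.x\.x ' "$f"; then
        echo "$f: 'remote' still carries the x.x.x.x placeholder" >&2; rc=1
    fi

    # 3. Every inline block opens and closes exactly once and holds a BEGIN/END pair.
    for tag in ca cert key tls-auth; do
        o=$(count_exact "$f" "^<$tag>\$"); c=$(count_exact "$f" "^</$tag>\$")
        if [ "$o" -ne 1 ] || [ "$c" -ne 1 ]; then
            echo "$f: <$tag> opened $o time(s), closed $c time(s)" >&2; rc=1; continue
        fi
        body=$(sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$f")
        if ! echo "$body" | grep -q -- '^-----BEGIN ' || ! echo "$body" | grep -q -- '^-----END '; then
            echo "$f: <$tag> block lacks -----BEGIN/-----END markers" >&2; rc=1
        fi
    done

    # 4. An inline <tls-auth> key needs a direction, either "key-direction 1" or the
    #    direction argument of a "tls-auth" line; without it OpenVPN uses bidirectional
    #    mode and the HMAC will not match a server running with direction 0.
    if ! grep -q '^key-direction [01]' "$f" && ! grep -q '^tls-auth [^ ][^ ]* [01]' "$f"; then
        echo "$f: tls-auth key direction not set" >&2; rc=1
    fi
    return $rc
}

[ $# -eq 0 ] || check_ovpn_conf "$1"
```

Run it from the startup script (or from check_openvpn.sh before the openvpn launch) and skip the launch when it returns non-zero; the messages land on stderr so they can be piped to logger.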