I need a custom script that checks OpenVPN connection

DD-WRT Forum Index -> Advanced Networking
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 14:48    Post subject: I need a custom script that checks OpenVPN connection
Hello,

I need a custom script that checks my OpenVPN connection every 30 minutes or 1 hour. My OpenVPN interface is tun1. If the connection drops it should restart the OpenVPN service or reboot. Can someone help me? Thanks.

_________________
Kaan's World | @mkaand | PLEX Archive | Trakt.tv
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Jul 16, 2017 17:21    Post subject:
You shouldn't need a custom script for this.

You can leverage OpenVPN itself to ensure the tunnel link is maintained and to have the OpenVPN process restart itself if the connection drops:

https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

Have a look at the ping/keepalive parameters.

Alternatively, you may also want to look into the "WDS/Connection Watchdog" feature within DD-WRT and ping an endpoint only accessible over the VPN tunnel; if this drops, the router would reboot.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 17:42    Post subject:
Thank you very much for your fast response. I do not have access to change server parameters. I use the VPNBook.com OpenVPN service, so my router is the client. Can I apply your solution if I am the client?

I cannot use the watchdog because the VPN gateway is 10.10.0.1 and it rejects pings.

_________________
Kaan's World | @mkaand | PLEX Archive | Trakt.tv
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Jul 16, 2017 17:44    Post subject:
The parameters listed in the OpenVPN man page can be applied to the client configuration as far as I'm aware, without any server config required.

Something like:

Code:

# renegotiate the data channel key every 300 seconds
reneg-sec 300
# send a ping over the tunnel if nothing was sent for 10 seconds
ping 10
# restart the connection if nothing was received for 60 seconds
ping-restart 60


Should work on the client side.



Last edited by James2k on Sun Jul 16, 2017 17:46; edited 1 time in total
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 17:46    Post subject:
Thank you very much for fast response.

Currently I use only this in the Additional Config section of the OpenVPN client (for VPNBook.com):

route-nopull

If you can give more specific parameters, it would be great. Thank you.

James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Jul 16, 2017 17:47    Post subject:
I edited my reply with an example of a "keepalive" setting that should do what you need.

Taken from DD-WRT forum member sploit:

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1081271&highlight=#1081271

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 17:53    Post subject:
Thank you very much. I will test it. I don't know why the connection sometimes drops and does not reconnect. I use OpenVPN in TUN mode with the vpnbook.com free service. I added these lines for pandora.com and wikipedia.org:

ip route add 208.85.40.0/24 dev tun1
ip route add 198.35.26.0/23 dev tun1

So what my router does: it connects to the free VPN server and creates the above routes. If I visit pandora.com or wikipedia.org the traffic automatically goes through the VPN. But sometimes the connection drops; I have no idea why. If I cannot access Pandora or Wikipedia, I just reboot the router. But I don't like rebooting my router.

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 17:55    Post subject:
By the way, I create these routes via the startup script. If you can tell me a better way to create these rules, I would appreciate it.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Jul 16, 2017 17:55    Post subject:
Sounds like you're potentially just masking over the true cause of the problem. Those commands should basically attempt to keep the VPN alive and restart the OpenVPN process if the link dies, but maybe you should provide your specific router model and firmware version and see if you can debug the cause further.

Routing rules are best created at startup, there really isn't any other way to do that, but maybe you should consider using policy based routing rather than forcing specific websites over the tunnel.

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 18:00    Post subject:
mkaand wrote:
By the way, I create these routes via the startup script. If you can tell me a better way to create these rules, I would appreciate it.


Did you see my other post above? For your information, my router is a WRT1900AC v1 running DD-WRT v3.0-r31100M kongmv (01/08/17), Kong's build. I didn't check the logs when the connection dropped, because I do not always visit Pandora or Wikipedia. If I need to visit these websites and the connection is down, then I understand something is wrong. Just reboot the router and voila. But I do not want to reboot every time. I will add your code to the Additional Config section, then observe the connection. Thank you very much for the help. I hope we can fix it. I am just not sure about restoring the IP routes.

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 18:04    Post subject:
This is my startup script:

Code:
# SoftEther: create a persistent TAP device and bridge it into the LAN
openvpn --mktun --dev tap2
brctl addif br0 tap2
ifconfig tap2 0.0.0.0 promisc up
sleep 45
# load the SoftEther server configuration through vpncmd
vpncmd localhost:443 /SERVER /PASSWORD /CMD ConfigSet //tmp//vpn_server.config
sleep 15
brctl addif br0 tap_soft
# send the Pandora and Wikipedia prefixes through the OpenVPN client tunnel
ip route add 208.85.40.0/24 dev tun1
ip route add 198.35.26.0/23 dev tun1

sleep 10
# restart unbound on port 5153 instead of the default 53
stopservice unbound
stopservice dnsmasq
sed -i '/server:/ a\port: 5153' /tmp/unbound.conf
unbound -c /tmp/unbound.conf

# drop the port=0 and resolv-file lines from the generated dnsmasq.conf, then restart dnsmasq
sed -i '/port=0/d' /tmp/dnsmasq.conf
sed -i '/resolv-file=\/tmp\/resolv.dnsmasq/d' /tmp/dnsmasq.conf
dnsmasq --conf-file=/tmp/dnsmasq.conf


This is my firewall script:

Code:
# accept anything arriving on the SoftEther bridge TAP
iptables -A INPUT -i tap2 -j ACCEPT
# allow inbound connections to the OpenVPN server (default UDP port 1194)
iptables -I INPUT -p udp --dport 1194 -j ACCEPT


My router runs:
SoftEther VPN Server
OpenVPN Client
OpenVPN Server

Dnsmasq and recursive DNS resolving work together perfectly after all of this.

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 18:12    Post subject:
I added your suggestions to the Additional Config section of OpenVPN, then applied. It looks like after the stop/start of the OpenVPN service my added ip routes are gone. I am not sure your suggestion can fix my problem, but I will try. I add these routes during startup. Maybe I should find a way to add these routes after the VPN link is up.

Here are the tracerts. The first one is correct, the second one is wrong. Now I have to reboot my router or manually add these routes via the command line:

Code:
D:\Users\Kaan Dogan>tracert pandora.com

Tracing route to pandora.com [208.85.40.20]
over a maximum of 30 hops:

  1    15 ms    11 ms     1 ms  WRT1900AC [192.168.20.1]
  2   162 ms   152 ms   143 ms  10.10.0.1
  3   181 ms   189 ms   193 ms  v620.ce02.wdc-01.us.leaseweb.net [198.7.62.253]
  4   201 ms   229 ms   197 ms  ae-4.br01.wdc-01.us.leaseweb.net [108.59.15.122]
  5   183 ms   194 ms     *     ash-b1-link.telia.net [62.115.35.33]
  6   162 ms   181 ms   155 ms  ash-bb3-link.telia.net [80.91.248.156]
  7     *      305 ms   297 ms  sjo-b21-link.telia.net [62.115.138.15]
  8   234 ms   220 ms   230 ms  pandora-ic-318321-sjo-b21.c.telia.net [213.248.85.255]
  9   237 ms   251 ms   243 ms  www.pandora.com [208.85.40.20]

Trace complete.

D:\Users\Kaan Dogan>tracert pandora.com

Tracing route to pandora.com [208.85.40.20]
over a maximum of 30 hops:

  1     3 ms     4 ms     1 ms  WRT1900AC [192.168.20.1]
  2    10 ms    21 ms    22 ms  10.63.0.1
  3     *        *        *     Request timed out.
  4    26 ms    44 ms    24 ms  host-195-33-217-249.reverse.superonline.net [195.33.217.249]
  5    20 ms    14 ms    26 ms  10.40.129.165
  6    17 ms    44 ms    48 ms  10.38.209.142
  7    18 ms    12 ms    20 ms  10.36.6.37
  8    18 ms    15 ms    18 ms  10.38.211.214
  9    46 ms    40 ms    25 ms  10.38.211.217
 10    68 ms    28 ms    12 ms  10.36.6.26
 11    16 ms    17 ms    23 ms  ix-ae-10-0.tcore1.IT5-Istanbul.as6453.net [5.23.0.37]
 12   148 ms   136 ms   140 ms  if-ae-8-2.tcore1.FNM-Frankfurt.as6453.net [195.219.156.21]
 13   156 ms   143 ms   131 ms  if-ae-6-2.tcore1.AV2-Amsterdam.as6453.net [195.219.156.62]
 14   138 ms   137 ms   137 ms  if-ae-2-2.tcore2.AV2-Amsterdam.as6453.net [195.219.194.6]
 15   150 ms   143 ms   140 ms  if-ae-14-2.tcore2.L78-London.as6453.net [80.231.131.160]
 16   134 ms   145 ms   145 ms  if-ae-2-2.tcore1.L78-London.as6453.net [80.231.131.2]
 17   149 ms   149 ms   134 ms  if-ae-18-2.thar1.NJY-Newark.as6453.net [209.58.124.20]
 18   140 ms   143 ms   144 ms  if-ae-1-3.thar2.NJY-Newark.as6453.net [216.6.57.2]
 19   138 ms   130 ms   146 ms  if-ae-18-2.tcore2.NTO-New-York.as6453.net [66.198.111.7]
 20   139 ms   140 ms   133 ms  if-ae-12-2.tcore1.N75-New-York.as6453.net [66.110.96.5]
 21   158 ms   162 ms   162 ms  66.110.96.138
 22   143 ms   144 ms   147 ms  hu-1-3-0-2-cr02.newyork.ny.ibone.comcast.net [68.86.83.97]
 23   166 ms   159 ms   168 ms  be-10305-cr02.350ecermak.il.ibone.comcast.net [68.86.85.202]
 24   216 ms   201 ms   249 ms  be-10517-cr02.denver.co.ibone.comcast.net [68.86.85.170]
 25   192 ms   186 ms   192 ms  be-11721-cr02.1601milehigh.co.ibone.comcast.net [68.86.86.78]
 26   202 ms   217 ms   218 ms  be-11021-cr02.sunnyvale.ca.ibone.comcast.net [68.86.86.65]
 27   212 ms   213 ms   206 ms  be-11083-pe02.529bryant.ca.ibone.comcast.net [68.86.84.14]
 28   214 ms   217 ms   215 ms  as40428-1-c.529bryant.ca.ibone.comcast.net [75.149.229.170]
 29   244 ms   240 ms   234 ms  www.pandora.com [208.85.40.20]

Trace complete.

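One way to "add these routes after the VPN link is up", as the post above puts it, is an OpenVPN route-up hook: OpenVPN runs it every time the tunnel is (re)established, so a --ping-restart does not leave the routes behind. The script below is an added example, not code from the thread. It assumes the file is saved as /jffs/vpn-routes.sh with the execute bit set, that the client's Additional Config contains `script-security 2` and `route-up /jffs/vpn-routes.sh`, and that this DD-WRT build does not already set its own route-up for the client. OpenVPN exports `script_type` ("route-up" here) and `dev` (the tun device) to the hook's environment; those two names are OpenVPN's, everything else is the example's own.

```sh
#!/bin/sh
# OpenVPN route-up hook: re-create the policy routes each time the client
# tunnel comes up. Added example (not from the thread). Assumes:
#   script-security 2
#   route-up /jffs/vpn-routes.sh
# in the client's Additional Config; OpenVPN sets $script_type and $dev.

VPN_IF="${VPN_IF:-tun1}"
VPN_ROUTES="${VPN_ROUTES:-208.85.40.0/24 198.35.26.0/23}"

# Print one "ip route" command per prefix for the given hook type and device.
# Only route-up is handled: the kernel removes routes through an interface
# that goes away, so nothing needs to be undone on "down".
route_commands() {   # $1 = script_type, $2 = dev
    [ "$1" = route-up ] || return 1
    [ "$2" = "$VPN_IF" ] || return 1   # ignore other instances (e.g. the OpenVPN server)
    for cidr in $VPN_ROUTES; do
        # "replace" is idempotent, unlike "add", which fails if the route exists
        printf 'ip route replace %s dev %s\n' "$cidr" "$2"
    done
}

# Run the generated commands; log (not abort) on failure so OpenVPN keeps going.
apply_routes() {   # $1 = script_type, $2 = dev
    route_commands "$1" "$2" | while read -r cmd; do
        $cmd || logger -t vpn-routes "failed: $cmd"
    done
}

# Only act when invoked by OpenVPN (script_type is set); otherwise the file
# can be sourced to reuse the functions.
if [ -n "${script_type:-}" ]; then
    apply_routes "$script_type" "${dev:-}"
fi
```

Check it by hand after the tunnel comes up with `ip route show | grep tun1`; with `route-nopull` in place the pushed routes are ignored, so only the two prefixes above should point at tun1.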
mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 20:12    Post subject:
James, it looks like it didn't work. I tried to visit pandora.com and it didn't open. I checked the logs:

20170716 21:28:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:28:32 D MANAGEMENT: CMD 'log 500'
20170716 21:28:32 MANAGEMENT: Client disconnected
20170716 21:30:24 TLS: soft reset sec=0 bytes=25302/-1 pkts=277/0
20170716 21:30:25 VERIFY OK: depth=1 C=CH ST=Zurich L=Zurich O=vpnbook.com OU=IT CN=vpnbook.com name=vpnbook.com emailAddress=admin@vpnbook.com
20170716 21:30:25 VERIFY OK: nsCertType=SERVER
20170716 21:30:25 NOTE: --mute triggered...
20170716 21:58:05 51 variation(s) on previous 3 message(s) suppressed by --mute
20170716 21:58:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:58:05 D MANAGEMENT: CMD 'state'
20170716 21:58:05 MANAGEMENT: Client disconnected
20170716 21:58:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:58:05 D MANAGEMENT: CMD 'state'
20170716 21:58:05 MANAGEMENT: Client disconnected
20170716 21:58:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:58:05 D MANAGEMENT: CMD 'state'
20170716 21:58:05 MANAGEMENT: Client disconnected
20170716 21:58:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:58:06 D MANAGEMENT: CMD 'status 2'
20170716 21:58:06 MANAGEMENT: Client disconnected
20170716 21:58:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170716 21:58:06 D MANAGEMENT: CMD 'log 500'
20170716 21:58:06 MANAGEMENT: Client disconnected
20170716 22:00:54 TLS: soft reset sec=0 bytes=176708/-1 pkts=406/0
20170716 22:00:55 VERIFY OK: depth=1 C=CH ST=Zurich L=Zurich O=vpnbook.com OU=IT CN=vpnbook.com name=vpnbook.com emailAddress=admin@vpnbook.com
20170716 22:00:55 VERIFY OK: nsCertType=SERVER
20170716 22:00:55 NOTE: --mute triggered...
20170716 22:49:55 87 variation(s) on previous 3 message(s) suppressed by --mute
20170716 22:49:55 I [vpnbook.com] Inactivity timeout (--ping-restart) restarting
20170716 22:49:55 I SIGUSR1[soft ping-restart] received process restarting
20170716 22:49:55 Restart pause 5 second(s)
20170716 22:50:00 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170716 22:50:00 I TCP/UDP: Preserving recently used remote address: [AF_INET]198.7.62.204:25000
20170716 22:50:00 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170716 22:50:00 I UDPv4 link local: (not bound)
20170716 22:50:00 I UDPv4 link remote: [AF_INET]198.7.62.204:25000
20170716 22:50:00 TLS: Initial packet from [AF_INET]198.7.62.204:25000 sid=30c91a33 43f03cb8
20170716 22:50:01 VERIFY OK: depth=1 C=CH ST=Zurich L=Zurich O=vpnbook.com OU=IT CN=vpnbook.com name=vpnbook.com emailAddress=admin@vpnbook.com
20170716 22:50:01 VERIFY OK: nsCertType=SERVER
20170716 22:50:01 NOTE: --mute triggered...
20170716 22:50:01 2 variation(s) on previous 3 message(s) suppressed by --mute
20170716 22:50:01 I [vpnbook.com] Peer Connection Initiated with [AF_INET]198.7.62.204:25000
20170716 22:50:03 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
20170716 22:50:08 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
20170716 22:50:08 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 8.8.8.8 dhcp-option DNS 91.239.100.100 route 10.10.0.1 topology net30 ping 5 ping-restart 30 ifconfig 10.10.0.142 10.10.0.141'
20170716 22:50:08 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20170716 22:50:08 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20170716 22:50:08 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20170716 22:50:08 NOTE: --mute triggered...
20170716 22:50:08 1 variation(s) on previous 3 message(s) suppressed by --mute
20170716 22:50:08 OPTIONS IMPORT: timers and/or timeouts modified
20170716 22:50:08 OPTIONS IMPORT: --ifconfig/up options modified

The DD-WRT status page says OpenVPN Client Connected. I checked that the routes are still there with the ip route command, but tracert shows no access. I believe the best way to fix my problem is:

I need a custom script. It will trigger every 30 min. If the VPN interface is down or the VPN IP has changed, just reboot. I don't know what the problem is. Maybe the logs can tell you something.

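The check described in the post above (run every 30 minutes, act when tun1 is down or its address changed), as an added example written for DD-WRT's BusyBox sh; it is not code from the thread. The interface name, the two prefixes and the 10.10.0.x addresses come from the thread; everything else is assumed: that 208.85.40.20 (www.pandora.com in the first tracert) answers ICMP and can serve as the probe host, that DD-WRT's `stopservice`/`startservice` accept `openvpn` for the client instance, and that the script lives at /jffs/vpn-watchdog.sh. The log and the second tracert show that the routes can still be listed while traffic leaves through the ISP, so the script treats a reply through tun1 as the real health signal, re-adds the routes idempotently, restarts the client, and reboots only if the tunnel is still dead afterwards. The parsing is kept separate from the commands that fetch state, so it can be exercised on captured `ip` output.

```sh
#!/bin/sh
# OpenVPN client watchdog for DD-WRT (BusyBox sh), run from cron.
# Added example, not code from the thread. Assumptions (not in the thread):
#   - probe host 208.85.40.20 (www.pandora.com from the tracert) answers ICMP
#   - DD-WRT's stopservice/startservice take "openvpn" for the client instance
#   - saved as /jffs/vpn-watchdog.sh, executable

VPN_IF="${VPN_IF:-tun1}"
VPN_ROUTES="${VPN_ROUTES:-208.85.40.0/24 198.35.26.0/23}"
PROBE_HOST="${PROBE_HOST:-208.85.40.20}"
STATE_FILE="${STATE_FILE:-/tmp/vpn_watchdog.last_ip}"

# Print the IPv4 address from "ip -4 addr show dev IFACE" output; fail if none.
parse_iface_ipv4() {
    set -f                 # no globbing while splitting the output into words
    set -- $1
    set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = inet ]; then
            printf '%s\n' "${2%/*}"   # drop a /prefix if one is present
            return 0
        fi
        shift
    done
    return 1
}

# Succeed if "ip route show" output has an entry "CIDR dev DEV".
route_present() {   # $1 = ip route output, $2 = cidr, $3 = dev
    printf '%s\n' "$1" | {
        while read -r line; do
            case "$line" in
                "$2 dev $3"|"$2 dev $3 "*) exit 0 ;;
            esac
        done
        exit 1
    }
}

# Succeed if the tunnel has an address and every expected route points at it.
tunnel_routes_ok() {   # $1 = ip addr output, $2 = ip route output
    parse_iface_ipv4 "$1" >/dev/null || return 1
    for cidr in $VPN_ROUTES; do
        route_present "$2" "$cidr" "$VPN_IF" || return 1
    done
}

# Print first|same|changed by comparing IP with the one recorded in FILE, then record IP.
ip_change_status() {   # $1 = current ip, $2 = state file
    if [ ! -f "$2" ]; then
        printf 'first\n'
    elif [ "$(cat "$2")" = "$1" ]; then
        printf 'same\n'
    else
        printf 'changed\n'
    fi
    printf '%s\n' "$1" > "$2"
}

# "replace" is idempotent, so this is safe on every pass (unlike "add").
restore_routes() {
    for cidr in $VPN_ROUTES; do
        ip route replace "$cidr" dev "$VPN_IF"
    done
}

probe_via_tunnel() {
    ping -c 3 -W 5 -I "$VPN_IF" "$PROBE_HOST" >/dev/null 2>&1
}

main() {
    addr_out=$(ip -4 addr show dev "$VPN_IF" 2>/dev/null)
    route_out=$(ip route show)
    cur_ip=$(parse_iface_ipv4 "$addr_out") || cur_ip=""

    if ! tunnel_routes_ok "$addr_out" "$route_out"; then
        logger -t vpn-watchdog "$VPN_IF has no address or routes are missing; re-adding routes"
        restore_routes
    fi
    if [ -n "$cur_ip" ] && [ "$(ip_change_status "$cur_ip" "$STATE_FILE")" = changed ]; then
        logger -t vpn-watchdog "tunnel address changed to $cur_ip (session was re-established)"
    fi
    # The routing table can look right while traffic still leaves via the ISP,
    # so the decisive test is a reply through the tunnel.
    if ! probe_via_tunnel; then
        logger -t vpn-watchdog "no reply from $PROBE_HOST via $VPN_IF; restarting OpenVPN client"
        stopservice openvpn
        sleep 2
        startservice openvpn
        sleep 60
        restore_routes
        probe_via_tunnel || { logger -t vpn-watchdog "still down, rebooting"; reboot; }
    fi
}

# cron line (Administration > Management): */30 * * * * root /jffs/vpn-watchdog.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

The reboot is deliberately the last step, after a client restart has been tried and given a minute; a watchdog that reboots on the first failed probe turns every brief upstream hiccup into a full outage of the router, including the SoftEther and OpenVPN servers running on it.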
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Jul 16, 2017 20:21    Post subject:
Your setup seems a little complex with all the commands and stuff, but if you only want to route specific sites through the VPN, you may want to look into OpenVPN's route directive rather than doing it via DD-WRT and the routing table. This way, you ensure the config is always applied if OpenVPN restarts. Seems you're already using the route-nopull directive; you can do either of the following.

Example via DNS based rules:

Code:

# permit DNS names (not only IP addresses) in pulled --route/--ifconfig options
allow-pull-fqdn
# one host each, resolved once when OpenVPN starts;
# vpn_gateway is the remote VPN endpoint address of the tunnel
route wikipedia.org 255.255.255.255 vpn_gateway
route pandora.com 255.255.255.255 vpn_gateway


The problem with this approach is that load-balanced sites that rotate IP addresses will not be captured by this and hence will not go via the VPN until a request is made to each IP.

Alternatively, you can route the IP ranges you're already using:

Code:

# whole prefixes in OpenVPN's "network netmask" form;
# with no gateway argument the route defaults to vpn_gateway
route 208.85.40.0 255.255.255.0
route 198.35.26.0 255.255.254.0


You can test either method by applying it in the Additional Config section of OpenVPN.

See if that works.

mkaand
DD-WRT User


Joined: 06 Jan 2008
Posts: 307
Location: Istanbul

PostPosted: Sun Jul 16, 2017 20:27    Post subject:
Thank you for your fast response.

Your first alternative:

Code:
allow-pull-fqdn
route wikipedia.org 255.255.255.255 vpn_gateway
route pandora.com 255.255.255.255 vpn_gateway


Q1: Should I add these to the Additional Config field?
Q2: Does vpn_gateway mean tun1, or a real IP? In my case the default gateway is always 10.10.0.1 for vpnbook.com.
Q3: After making these changes I can delete my ip route lines in the startup script, right?

First I want to try your first alternative; if it doesn't work I will try the second option.

Thanks.

Page 1 of 4