Startup Script Help for OpenVPN refresh, NTP Sync

Rocktek
DD-WRT Novice


Joined: 29 Jun 2017
Posts: 12

Posted: Tue Jul 18, 2017 0:50    Post subject: Startup Script Help for OpenVPN refresh, NTP Sync
Hello all, I'll start off by stating I'm running DD-WRT Build 30880 on an Archer C9.

I've been having problems with the VPN connection going down; a lot of the time it says connected success in the status page even when no devices are able to receive any data. I also noticed that when I did get an error message it was usually a TLS handshake error, which is down to the certificate not being valid because of a time sync issue. So I've configured the NTP client (which allows me to connect manually after applying) and I still get the connection going dead problem. It's usually showing connected success or a blank status page. I haven't seen the error, but I suspect it could still be a time sync problem, as when I go to basic setup and click apply the connection goes back up (unless that page also restarts the OpenVPN client?).

Currently I have all my wifi traffic running through OpenVPN (Nord) and my wired PC bypassing it via a firewall script I found on here:

Code:
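# Disable reverse-path filtering so replies to policy-routed traffic are not dropped
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# Clear existing mangle PREROUTING rules
iptables -t mangle -F PREROUTING
# Table 200: default route via the WAN gateway instead of the VPN tunnel
ip route add default table 200 via "$(nvram get wan_gateway)"
# Packets carrying firewall mark 1 are routed with table 200
ip rule add fwmark 1 table 200
ip route flush cache
# Mark traffic from the wired PC as it arrives on the LAN bridge
iptables -t mangle -I PREROUTING -i br0 -s 192.168.x.xxx -j MARK --set-mark 1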


I wasn't even aware of what most of it meant as I'm a novice at this sort of thing. Is this what they call policy based routing or something else? Anyway, this works exactly as I wanted it to, except if I remember right the recommended kill switch script by Nord was killing the connection to my wired PC and I wanted to find a way to keep it separate (any suggestions welcome) and forgot all about it.

Code:
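WAN_IF=$(nvram get wan_iface)
# Reject anything forwarded from the LAN bridge straight out of the WAN interface
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# REJECT has no "udp-reset" type; icmp-port-unreachable is the usual answer for UDP
iptables -I FORWARD -i br0 -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable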


Aside from a kill switch that plays nice with my wired PC, what I really want (unless the NTP client is already doing so) is a startup script that will sync the time with an NTP server every hour or so and a script that restarts the OpenVPN client automatically when the connection stalls. I should also add that I have the WDS/Connection Watchdog set up with a NordVPN DNS already and I'm still seeing the problems noted at the start of this post, and my additional config as per their recommendations seems to have options that should keep the connection live in it already:

Code:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

I did have additional settings that seemed to give me better speeds but was told by a NordVPN guru to remove them because they have a lot of their own settings server side (including keep alive) that are set when you connect, so you will probably only run into more problems trying to add your own than solve anything.

Yesterday I added something on the bottom of this list (does it matter which order btw?) because I thought the blank screen could be a result from when the OpenVPN client had tried to restart but couldn't (read a vague explanation about routes disappearing after restarting somewhere that sort of made sense).

Code:
route-delay 10

This means it waits 10 seconds (20 was suggested but that seems too long) after it's restarted to add/rebuild the routing table. If that's the problem then maybe an NTP client refresh script is all I need, but it would still be nice to have an answer in case I need it.

I did try to find solutions for restarting the OpenVPN client automatically but couldn't get them to work:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=303924&sid=baf245c3e61158dace4ac84da1838a4e

Quote:
You have to add the following lines into the Additional Config of openvpn:
Code:
script-security 2
down /tmp/openvpn/fw-down.sh

Further, you have to add your script to the start-up script on the WebGUI so that the file is generated at boot.

Code:
stopservice openvpn
echo "#!/bin/sh
stopservice openvpn
startservice openvpn
" > /tmp/openvpn/fw-down.sh

chmod u+x /tmp/openvpn/fw-down.sh
chmod go-rwx /tmp/openvpn/fw-down.sh

startservice openvpn


For the NTP sync script I read some solutions which involved installing dnscrypt but I'd rather have something simpler if possible; it doesn't seem that complicated of a task to get the NTP client to refresh.

Any input from any experts on these things would be appreciated, thanks in advance.
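
Added example, not part of the original post and not NordVPN's or DD-WRT's own script: a watchdog for the startup script that restarts the client with the post's `stopservice`/`startservice` commands after several failed probes through the tunnel, and holds off while the router clock is still unset, since a restart would then only repeat the TLS handshake error. The interface name `tun1`, the probe address, the thresholds and the `ping`/`logger` options are assumptions, and the script does not itself resync NTP.

```shell
#!/bin/sh
# Added example. All values below are constructed assumptions, not from the post.
MIN_EPOCH=1500000000   # 2017-07-14 UTC; a clock earlier than this was never set by NTP
TUN_IF=tun1            # assumed name of the OpenVPN client interface
PROBE_IP=192.0.2.1     # placeholder: replace with a host reachable only via the tunnel
MAX_FAILS=3            # consecutive failed probes before a restart
INTERVAL=60            # seconds between probes

# True when the given epoch (default: now) is late enough for certificate
# validity dates to be checked meaningfully during the TLS handshake.
clock_is_sane() {
    [ "${1:-$(date +%s)}" -ge "$MIN_EPOCH" ]
}

# One probe through the tunnel (assumes the router's ping supports -c, -W, -I).
tunnel_alive() {
    ping -c 1 -W 5 -I "$TUN_IF" "$PROBE_IP" >/dev/null 2>&1
}

# Pure decision step: next_state <epoch> <probe_rc> <fails_so_far>
# Prints "<action> <new_fail_count>"; action is wait-clock, ok, count or restart.
next_state() {
    if ! clock_is_sane "$1"; then
        echo "wait-clock $3"      # restarting now would only fail the handshake again
    elif [ "$2" -eq 0 ]; then
        echo "ok 0"               # traffic passes: reset the failure counter
    elif [ $(( $3 + 1 )) -ge "$MAX_FAILS" ]; then
        echo "restart 0"
    else
        echo "count $(( $3 + 1 ))"
    fi
}

# Probe forever; "connected success" in the GUI is not trusted, only real traffic.
watchdog_loop() {
    fails=0
    while sleep "$INTERVAL"; do
        rc=0; tunnel_alive || rc=1
        set -- $(next_state "$(date +%s)" "$rc" "$fails")
        fails=$2
        case $1 in
            restart)    stopservice openvpn; startservice openvpn ;;  # commands from the post
            wait-clock) logger -t vpnwatch "clock not synced, restart skipped" ;;
        esac
    done
}

# Only loop when asked to, e.g. "sh /tmp/vpnwatch.sh run &" from the startup script.
if [ "${1:-}" = "run" ]; then watchdog_loop; fi
```

Because the posted config sets `ping-restart 0`, OpenVPN will not restart itself when the tunnel goes silent, which is the case this loop covers.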