REQ: Dual VPN client configurations (2 VPN tunnels)

Brianwuz
DD-WRT User


Joined: 10 Feb 2010
Posts: 104

Posted: Wed Feb 14, 2018 19:51
Well, according to the openvpn manual, when using the --route-noexec, the environment variables are available to the route-up script. It does not mention the route-down script.
So, it seems for me to remove the following routes/rules created in route-up:

ip route add $trusted_ip via $route_net_gateway dev vlan2
ip route add $route_network_1 via $route_gateway_1 dev tun0
ip route add default via $route_gateway_1 dev tun0 table 2
(this one goes away when tun0 goes away)
ip rule add from 192.168.3.106 table 2
ip rule add from all to 209.222.18.222 table 2

That I will have to use these variables to set nvram variables that will be accessible to route-down.
I have tried the examples I could find for running the script in the current shell and preserve the variables but it does not work on dd-wrt.

Brian
Brianwuz
DD-WRT User


Joined: 10 Feb 2010
Posts: 104

Posted: Thu Feb 15, 2018 15:42
OK, a better method than using nvram variables is to create a script from the route-up.sh. In route-up.sh, right after I create the routes, I use the variables and echo to create the del lines in rd.sh, then just call the rd.sh from the route-down.sh script.

Brian
ludacrisvp
DD-WRT User


Joined: 21 Feb 2015
Posts: 102

Posted: Sat Mar 17, 2018 17:09
It's now a month later ... did you get that how-to done?
How is it working for you?
You say 2 tunnels, are you passing data through both?
Did you set only certain clients to use each tunnel?

_________________
Routers:
WXR-1900DHP - Active (main) - v3.0-r36070M kongac (05/31/18 )
WZR-N600DHP - Wired AP - v3.0-r33679 BS (11/04/17)
WNDR-3400 - retired to its box for several years
ludacrisvp
DD-WRT User


Joined: 21 Feb 2015
Posts: 102

Posted: Sat Mar 17, 2018 17:15
quarkysg wrote:
ludacrisvp wrote:
I too attempted to get a second TUN interface going for a second VPN connection.
As openVPN is limited to 1 thread and I have a dual core router I was wanting to get 2 running and have some load balancing and some VPN redundancy. I get that one machine won't be able to take advantage of both links for a single connection, however in some scenarios it could use both pipes and other machines would be able to use the extra bandwidth.

I was able to get multiple TUNs up / active and connected to the VPN provider at the same time but I could never get traffic to route properly, meaning that I could send traffic out both individually but nothing would come back on one of the links.


IMHO it’s better to just use a single tunnel instead of 2. Most home routers are not powerful enough to process OpenVPN traffic. You also need CPU time for routing and firewall policing, so it’s best not to tax the router CPU with OpenVPN processing.

I would hazard a guess that bandwidth may drop with 2 load-balanced tunnels running in the same router.

If you really need redundancy, best to use two routers.


I guess I feel that my home router has plenty of CPU available.
It's "dual core" ARM 1.4GHz; whether this is actually dual core or 1 core with hyperthreading equivalent I'm not sure. There is also 512MB of RAM, which I realize won't help but shows it's a very powerful home router.
It's the Buffalo WXR-1900DHP that I've overclocked from 1.0 to 1.4GHz using the CFE rather than inside dd-wrt.

Brianwuz
DD-WRT User


Joined: 10 Feb 2010
Posts: 104

Posted: Sun Aug 16, 2020 15:41    Post subject: Update and my setup
Router/Version: Netgear R8000
Firmware: DD-WRT v3.0-r40270M kongac (07/11/19)
Kernel: Linux 4.4.185 #670 SMP Thu Jul 11 02:19:39 CEST 2019 armv7l armv7l

If anyone wants to follow along, this is my setup.
VPN Provider:Private Internet Access
Router:Netgear R8000
Script Storage:USB setup as /jffs with files in /jffs/openvpncl.
Telnet/ssh access

The very first step is to have tun1 up and working through the GUI. This is very important since you will be copying the files from it.

Copy the files from /tmp/openvpncl to /jffs/openvpncl
cp /tmp/openvpncl/* /jffs/openvpncl
(ca.crt, credentials, openvpn.conf, route-down.sh, route-up.sh)

cd to /jffs/openvpncl
edit openvpn.conf and make the following changes/additions:
change "management 127.0.0.1 16" to "management 127.0.0.1 17"
add "log /jffs/openvpncl/vpn.log"
change "writepid /var/run/openvpncl.pid" to "writepid /var/run/openvpncl2.pid"
add "route-noexec"
change "dev tun1" to "dev tun0"
change remote to a different server (no need for 2 tunnels to same server).
Add several remote lines with different servers for backup in case a server goes down just don't forget the port at the end.
edit route-up.sh and add the following lines to the beginning (after #!/bin/sh):
ip route add $trusted_ip via $route_net_gateway dev vlan2
ip route add $route_network_1 via $route_gateway_1 dev tun0
ip route add default via $route_gateway_1 dev tun0 table 2
ip rule add from 192.168.3.106 table 2
(change above ip to pc you want to use tunnel and add additional lines as needed)
echo "ip route del "$trusted_ip > /jffs/openvpncl/rd2.sh
echo "ip route del "$route_network_1 >> /jffs/openvpncl/rd2.sh
chmod 755 /jffs/openvpncl/rd2.sh
(in iptables lines, change all references of tun1 to tun0)

edit route-down.sh
change any tun1 to tun0
add the following lines to end:
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -j ACCEPT
iptables -D FORWARD -o tun0 -j ACCEPT
ip rule del from 192.168.3.106 table 2 (these are the lines from route-up.sh with your ips)
sh /jffs/openvpncl/rd2.sh

that takes care of configuration, now just need a way to start it.

create/edit start2.sh
add the following lines to it:
#!/bin/sh
#Setup Tunnel 2 tun0
sr='ip route add '$(ip route | grep 0.0.0.0/1) #These 2 lines copy the default routes for tun1
sr2='ip route add '$(ip route | grep 128.0.0.0/1)
ip route del 0.0.0.0/1 #These 2 lines del the default routes for tun1 (you don't want a tunnel in a tunnel)
ip route del 128.0.0.0/1
openvpn --config /jffs/openvpncl/openvpn.conf --route-up /jffs/openvpncl/route-up.sh --route-pre-down /jffs/openvpncl/route-down.sh --daemon
sleep 4
$sr #These 2 lines re-add the default routes for tun1
$sr2
be sure all files edited or created have execution. chmod 755 filename
to start the tunnel use ./start2.sh
to make it permanent, add "sh /jffs/openvpncl/start2.sh" to startup in gui.

If you have any questions, I will try to help. If you have different hardware or a different VPN provider then someone else might have to chip in info.
Brian

p.s. If anyone using PIA needs the port-forwarding setup, I can give details. I use it for utorrent.
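
One way to harden the teardown-generation step from the post above (an added example, not part of the original post or of Brian's scripts): the values OpenVPN places in the environment are checked to be plain IPv4 addresses or prefixes before they are written into a script that later runs as root. The function names, the 700 mode and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate OpenVPN-supplied values before writing them into
# the generated teardown script. Function names are hypothetical.

is_ipv4() {
    # Accept a dotted quad with an optional /0-32 prefix; reject all else.
    addr=${1%/*}
    case "$1" in */*) pfx=${1##*/} ;; *) pfx=32 ;; esac
    case "$pfx" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

write_teardown() {
    # $1 = output script; remaining args = destinations route-up added.
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for dst in "$@"; do
        if ! is_ipv4 "$dst"; then
            echo "teardown not written: bad value '$dst'" >&2
            rm -f "$tmp"
            return 1
        fi
        printf 'ip route del %s\n' "$dst" >> "$tmp"
    done
    # Root-only, and replaced in one step so a partial file never runs.
    chmod 700 "$tmp" && mv "$tmp" "$out"
}

# Demo on constructed values; in route-up.sh the arguments would be
# "$trusted_ip" "$route_network_1" and the output /jffs/openvpncl/rd2.sh.
demo=${TMPDIR:-/tmp}/rd2-demo.$$
write_teardown "$demo" 198.51.100.7 10.8.0.0/24 && cat "$demo"
write_teardown "$demo" '10.8.0.1; echo injected' || echo "rejected, file unchanged"
rm -f "$demo"
```

If the function returns non-zero, route-up.sh can log the failure and leave the previous rd2.sh in place rather than run a script built from an unexpected value.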
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Sun Aug 16, 2020 16:20
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209981#1209981
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Brianwuz
DD-WRT User


Joined: 10 Feb 2010
Posts: 104

Posted: Sun Aug 16, 2020 16:42
Seems the purpose of your scripts was to replace the GUI vpn. My purpose was to add a second tunnel and selectively route through it based on ip. I have 3 devices going through the wan (local), 1 device going through tun0 to Toronto and all other devices go through tun1 (New Jersey).
I have just added a third tunnel, tun2 but have not made it permanent yet. I want to put my 3rd wifi on a vlan and route it through tun2. I just started doing the research on it.
Brian
@m0eb@
DD-WRT User


Joined: 26 Dec 2015
Posts: 289

Posted: Fri Nov 13, 2020 10:59    Post subject: Re: Update and my setup
Brianwuz wrote:

If anyone wants to follow along, this is my setup.
VPN Provider:Private Internet Access
Router:Netgear R8000
Script Storage:USB setup as /jffs with files in /jffs/openvpncl.
Telnet/ssh access
....
....


Thanks for this. I tried to do the same in my R6400v2. My provider is NordVPN.

Post the initial hiccups and some changes that I had to make to suit my situation, it worked like a charm. I have different country servers in the two separated networks under 2.4 & 5 SSIDs.

I'm feeling too lazy to write things down - but it worked, and that's what matters.

Speed loss was expected - so I left a few IP ranges which are outside VPN.

Using your method, probably one can add a third or a fourth VPN too (though not sure if there is a limit)

_________________
PROFESSIONAL STUDENT
my.Mistakes my.Learning ... provided I have the patience & persistence to learn