Help needed to make a router on LAN accessible remotely

[andres99]

This script did not work. After rebooting, the DNS still fails, time was not synced and I see no reference to "nameserver" in the system log (and /tmp/resolv.conf is 0 bytes). When I try to enter those commands manually in SSH, I get "ntpclient: not found".

 

[ColinTaylor]

Try inserting "logger -t TESTING XXXXX" as the second line of that script. And then look in the syslog after bootup for that message. Just to confirm that the script ran.

The lack of ntpclient is a problem for me. I know the ntp client was changed but I don't know what it was changed to. I have no way of finding that out as I don't run the same firmware as you and it's not obvious to me from the source code.

 

[dave14305]

Try inserting "logger -t TESTING XXXXX" as the second line of that script. And then look in the syslog after bootup for that message. Just to confirm that the script ran.

The lack of ntpclient is a problem for me. I know the ntp client was changed but I don't know what it was changed to. I have no way of finding that out as I don't run the same firmware as you and it's not obvious to me from the source code.

# ntp -help
ntp: invalid option -- h
BusyBox v1.25.1 (2019-07-31 13:27:26 EDT) multi-call binary.

Usage: ntp [-dnqNwtl -I IFACE] [-S PROG] [-p PEER]...

NTP client/server

        -d      Verbose
        -n      Do not daemonize
        -q      Quit after clock is set
        -N      Run at high priority
        -w      Do not set time (only query peers), implies -n
        -t      Trust network and server, no RFC-4330 cross-checks
        -S PROG Run PROG after stepping time, stratum change, and every 11 mins
        -p PEER Obtain time from PEER (may be repeated)
                If -p is not given, 'server HOST' lines
                from /etc/ntp.conf are used
        -l      Also run as server on port 123
        -I IFACE Bind server to IFACE, implies -l

31085 admin  1432 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p us.pool.ntp.org -p time.nist.gov

 

[andres99]

I added "logger -t TESTING XXXXX" as the second line. However, I cannot see any reflection of this in the system log.

I also tried adding the nameserver line into the openvpn-event script but it did not work from there either. After a reboot, the resolv.conf file was still empty.

However, the command

echo "nameserver 192.168.10.1" > /tmp/resolv.conf

now worked when I inserted it manually in SSH. The new line appeared in /tmp/resolv.conf. After that, DNS started to work for the session.

Apparently that command does not run from services-start or openvpn-event, and will, as I suppose, not run from nat-start or firewall-start (as shown by previous experience).

 

[ColinTaylor]

I'm at a bit of a loss. Can you check a couple of the basics:

dos2unix /jffs/scripts/services-start
chmod 777 /jffs/scripts/services-start

ps w | grep ntp

Let us know whether the grep returns anything, if not we can use the code that Dave provided.

Then reboot and see if the logger output turns up this time.

 

[andres99]

Done. Grep returned (before reboot):

  869 admin     1432 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org -p 192.98.49.11
 2596 admin     1412 S    grep ntp

I also removed the ntpclient line from the script because apparently it would not work if it did not work manually.

After reboot, resolv.conf was empty and I saw no XXX in the system log. After reboot, grep returned:

  773 admin     1412 S    grep ntp

 

[ColinTaylor]

OK thanks for that.

I'm assuming that the ntp process was originally there because you manually started it through the GUI? And then after the reboot it wasn't.

I'm still perplexed as to why the script isn't running. As it's meant to run at the end of the boot process I can only assume that because there is no WAN that the boot sequence is waiting and never completing.

 

[andres99]

I'm assuming that the ntp process was originally there because you manually started it through the GUI? And then after the reboot it wasn't.

I thought the same.

I'm still perplexed as to why the script isn't running. As it's meant to run at the end of the boot process I can only assume that because there is no WAN that the boot sequence is waiting and never completing.

I agree, that seems plausible. At the end of the system log, I can see:

May  5 08:05:12 WAN_Connection: WAN was exceptionally disconnected.

It is difficult to understand though why the router assumes that it has to have some kind of WAN connection even when I have disabled WAN from the GUI.

 

[ColinTaylor]

It is difficult to understand though why the router assumes that it has to have some kind of WAN connection even when I have disabled WAN from the GUI.

It's just fundamental to the way the firmware was designed. You've configured it in "router mode" so it expects to be able to route. If it can't bring up a WAN interface (which could be a USB modem) it will wait until it can, meanwhile assuming there is no connection to the internet.

I can only suggest you create the following script as /jffs/scripts/service-event

#!/bin/sh
logger -t DEBUG $1 $2

In theory this should print an entry in the syslog every time one of the user scripts gets called. Hopefully we can use this to determine the best script to use.

 

[andres99]

The debug log showed a simple reason: custom scripts were disabled in System -> Administration. What I cannot understand is how the openvpn-event script could still run. But it did.

As for NTP, I discovered that the correct command should be:

ntpd -p pool.ntp.org

After enabling custom scripts, the services-start script

#!/bin/sh
echo "nameserver 192.168.10.1" > /tmp/resolv.conf
ntpd -p pool.ntp.org -p 212.7.1.131
service restart_vpnserver1

actually runs.

I am now in a situation in which DNS is working and the System Log shows correct time. However, there seems to be one last minor problem. Under Administration -> System, the NTP section still shows that time is not synchronised and strangely enough, the OpenVPN will not connect before I go to Administration -> System and just press Apply.

In the System log, I can see, as one of the last lines, after reboot:

 crond[219]: time disparity of 829018 minutes detected

Thus, I am almost there but it seems that ntpd -p pool.ntp.org -p 212.7.1.131 in that script is not enough for OpenVPN.

 

[Martineau]

The debug log showed a simple reason: custom scripts were disabled in System -> Administration. What I cannot understand is how the openvpn-event script could still run. But it did.

Known 'feature'

i.e. the very existence of a file called 'openvpn-event' will cause it to be executed even if the execution bit is OFF.

I include the following in the script to ensure that it conforms to expected behaviour of the other scripts.

    # Martineau Hack - don't allow scripts if ALL JFFS CUSTOM Scripts execution is DISABLED in the GUI
    if [ "$(nvram get jffs2_scripts)" == "0" ];then
        echo "User openvpn-event execution DISABLED because 'Enable JFFS custom scripts and configs=NO' in Adminstration->System GUI" | logger -t $scr_name
        exit 1
    fi

 

[ColinTaylor]

Thus, I am almost there but it seems that ntpd -p pool.ntp.org -p 212.7.1.131 in that script is not enough for OpenVPN.

Try putting a "sleep 10" just after the ntp command and before the vpn restart.

EDIT: After you see the system time changing to the correct time in the syslog, do you also see the vpn server restarting?

 

[andres99]

sleep 10 did not help. In the system log, for some reason, I cannot see the exact operation of changing to the correct time, it just happens, like this:

 May  5 08:05:09 kernel: hub 3-0:1.0: USB hub found
May  5 08:05:09 kernel: hub 3-0:1.0: 2 ports detected
Dec  2 04:27:11 kernel: SCSI subsystem initialized
Dec  2 04:27:11 kernel: csw_retry 100

After some time, OpenVPN starts (already when the times in the log are correct) but at the end of the log I see the message about a big time disparity.

Dec  2 04:28:01 crond[219]: time disparity of 829282 minutes detected

 

[ColinTaylor]

The crond message is normal. crond only wakes up once every minute. The first time it wakes after you correct the time it notices the disparity and tells you about it.

I don't know what other changes need to be made to openvpn to work. You said it works when you hit apply on the System page. Unfortunately that doesn't narrow it down much as that restarts almost everything. Can you make that change (so openvpn is working) and then upload the complete syslog to pastebin so I can look at it?

EDIT: Could you try this script:

#!/bin/sh
echo "nameserver 192.168.10.1" > /tmp/resolv.conf
service restart_time
service restart_httpd
service restart_vpnserver1

 

[andres99]

The script did not change the NTP situation (still had to press apply).

I have now uploaded a system log to https://pastebin.com/x5nwpHT2
https://pastebin.com/x5nwpHT2
There I left your latest script running from services-start. After reboot, OpenVPN connected but was not pingable. I waited for a few minutes and then clicked Apply at Administration -> System exactly at 20:13:00, after which the OpenVPN connection became functional (192.168.0.0 became pingable). Since I had a remote client connecting to the OpenVPN server automatically, I edited its IP address (replaced with "x.x.x.x[RemoteClient]") and remote user (replaced with "RemoteUser").

 

[ColinTaylor]

Thanks for the info. I suggest we start by trying to exactly mimic what you just did. So the script becomes:

#!/bin/sh

echo "nameserver 192.168.10.1" > /tmp/resolv.conf
service restart_time
service restart_httpd
service restart_vpnserver1

service restart_time
service restart_leds
service restart_usb_idle
service restart_firewall
service restart_bhblock

 

[andres99]

Strangely enough, it worked!! An enormous thank you so much once more! The OpenVPN is now finally functional.

Should I leave everything like that or are there any adjustments to finalise this solution?

 

[ColinTaylor]

Personally I would want to eliminate any unnecessary commands. My suspicion is that the only extra thing that we really needed was the firewall restart. Play around with removing some of the commands for yourself, but my first guess would be this:

#!/bin/sh

echo "nameserver 192.168.10.1" > /tmp/resolv.conf
service restart_time
service restart_httpd
service restart_vpnserver1
service restart_firewall

If that works try removing "service restart_httpd" also.

 

[andres99]

Here is a summary of the above process for those who may have trouble making a secondary router (Asuswrt-Merlin) on a LAN function as an OpenVPN server for remote clients to access that LAN

Credits for making all this work go to ColinTaylor.

My configuration:

192.168.8.0 - OpenVPN network
192.168.10.0 - local LAN
192.168.10.1 - the primary router (Linksys LRT214), connected to WAN
192.168.10.7 - the secondary router for serving OpenVPN (Asus RT-AC68U, firmware 384.13)

One of the LAN ports of the Asus RT-AC68U is connected to a LAN port of the primary router. The WAN port of the secondary router is empty. The Asus router is configured as follows:

In Administration -> Operation Mode: Wireless router mode (since the AP Mode does not have a section for VPN)

In LAN: the DHCP server is disabled; "Advertise router's IP in addition to user-specified DNS" is disabled

In WAN: "Enable WAN" = No; "Enable NAT" = No; "Enable UPnP" = No; "Connect to DNS Server automatically" = No; "Forward local domain queries to upstream DNS" = Yes; "Enable DNS Rebind protection" = No; "Enable DNSSEC support" = No

In VPN: an OpenVPN server (Server 1) has been added and switched on.

Configuration of the primary router: the OpenVPN port (UDP) is forwarded to 192.168.10.7. No specific static routes are set for the OpenVPN.

Since this configuration was not working, the following 3 steps were needed. Those worked in my case but any of this may be optional (or not) in other cases.

(1) Fix DNS and time synchronisation, needed for the OpenVPN to work

I did this step because my DNS was not working and time synchronisation had problems that prevented the OpenVPN to function normally.

In the secondary router’s GUI, I went to Administration -> System and set "Enable JFFS custom scripts and configs" to "Yes". I also enabled SSH (LAN only) and allowed password login.

Using WinSCP I logged in to the secondary router (192.168.10.7) and went to /jffs/scripts. There I created a new file (services-start) by Shift+F4. Into that file, I pasted the following script:

#!/bin/sh

echo "nameserver 192.168.10.1" > /tmp/resolv.conf
service restart_time
service restart_firewall

where the line beginning with "echo" should fix the DNS (I used the IP address of my primary router) and the following lines should fix the time synchronisation.

Right-clicked the file, clicked Properties and checked all the X-boxes under Permissions.

After that, DNS and NTP functioned properly.

(2) Make OpenVPN clients connect: add a default route to the Asus router

I did this step because there was no default route (to the primary router) in the secondary router (can be checked under System Log -> Routing Table). The default route has "default" as destination.

In the secondary router’s GUI, I went to LAN -> Route and enabled static routes and added the following route:

Network/Host IP = 0.0.0.0
Netmask = 0.0.0.0
Gateway = 192.168.10.1 (the address of my primary router)
Interface = LAN

Now remote OpenVPN clients were able to connect but not ping most devices in the LAN.

(3) Make devices on the local LAN pingable from the OpenVPN network

I did this step because devices in my OpenVPN network could connect to the OpenVPN server but not ping or browse most other devices in the LAN.

Using WinSCP I logged in to the secondary router (192.168.10.7) and went to /jffs/scripts. There I created a new file (openvpn-event) by Shift+F4. LATER EDIT: Into that file, I pasted the following script (elegantly coded by ColinTaylor):

#!/bin/sh

if [ "$dev" = "tun21" ]; then         # tun21 is OpenVPN server #1
    if [ "$script_type" = "down" ]; then
        iptables -t nat -D POSTROUTING -s ${ifconfig_local}/${ifconfig_netmask} -o br0 -j MASQUERADE
    elif [ "$script_type" = "up" ]; then
        iptables -t nat -A POSTROUTING -s ${ifconfig_local}/${ifconfig_netmask} -o br0 -j MASQUERADE
    fi
fi

Right-clicked the file, clicked Properties and checked all the X-boxes under Permissions.

After a reboot all devices on the local LAN are pingable and browseable from client devices in the OpenVPN network.

(4) My proposal to the developer

Perhaps it would have been easier if the Access Point mode had a section for configuring VPN. The idea of launching a dedicated OpenVPN server (+ maybe a WiFi AP) on a secondary router that sits within a LAN behind the primary router seems reasonable to me.

 

[ColinTaylor]

Great work @andres99

Can I suggest this code as an optional replacement for the openvpn-event script. It avoids certain problems that can occur if you update any of the VPN settings in the GUI and removes the need for hard-coded IP addresses.

#!/bin/sh

if [ "$dev" = "tun21" ]; then         # tun21 is OpenVPN server #1
    if [ "$script_type" = "down" ]; then
        iptables -t nat -D POSTROUTING -s ${ifconfig_local}/${ifconfig_netmask} -o br0 -j MASQUERADE
    elif [ "$script_type" = "up" ]; then
        iptables -t nat -A POSTROUTING -s ${ifconfig_local}/${ifconfig_netmask} -o br0 -j MASQUERADE
    fi
fi

Glad to see that the services-start script ended up being relatively simple.