Prevent VPN Server from using openvpn-event

[soniccool]

Hey there,

I have a openvpn-event file below as follows when i start my VPN Client.


But due to this it wont let me start a VPN Server because I believe it loads this openvpn-event file. Basically if my VPNServer just loads forever when starting it.

Is there a way i can make VPNServer not load this file? Or a way i can make VPNClient still load this script but not as a openvpn-event?

#!/bin/bash
# This code goes in the WAN UP section.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
 iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.224 -j MARK --set-mark 0
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.4 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0

#new
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 2
#iptables -t mangle -A OUTPUT -p udp -m multiport --dport 17827,32400,32443,32410,32412,32413,32414,32469 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -d plex.tv -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p udp -m multiport --sport 1194 -j MARK --set-mark 1




#old
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1


# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
#iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1

#new
#iptables -t mangle -A PREROUTING -i br0 -s 54.176.0.0/16 -j MARK --set-mark 1




# TO/DESTINATION
#iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1

#new
#iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 1




#Bypass IPChicken
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1

 

[soniccool]

bump

 

[Martineau]

Hey there,

I have a openvpn-event file below as follows when i start my VPN Client.


But due to this it wont let me start a VPN Server because I believe it loads this openvpn-event file. Basically if my VPNServer just loads forever when starting it.

Is there a way i can make VPNServer not load this file? Or a way i can make VPNClient still load this script but not as a openvpn-event?

#!/bin/bash
# This code goes in the WAN UP section.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
 iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.224 -j MARK --set-mark 0
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.4 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0

#new
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 2
#iptables -t mangle -A OUTPUT -p udp -m multiport --dport 17827,32400,32443,32410,32412,32413,32414,32469 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -d plex.tv -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p udp -m multiport --sport 1194 -j MARK --set-mark 1




#old
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1


# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
#iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1

#new
#iptables -t mangle -A PREROUTING -i br0 -s 54.176.0.0/16 -j MARK --set-mark 1




# TO/DESTINATION
#iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1

#new
#iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 1




#Bypass IPChicken
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1

Use @john9527's openvpn-event script template and you can choose which openvpn-event custom script is used by the individual VPN Server/Client.

NOTE: I have stated many times that custom scripts based on this are inherently flawed for many technical reasons but will definitely fail especially in configurations where multiple concurrent VPN connections are required.

For simple source IP/destination IP Selective routing then this is easily configured via the GUI, but for your Selective Port routing requirements, I suggest you Use fwmark 0x7000 for WAN Selective Port routing to have your custom script only issue the appropriate iptables fwmark tagging rather than physically cloning route tables and using reserved fwmarks etc.

 

[soniccool]

Got it! Awesome, I took a look. Here is what i found.

#!/bin/sh

scr_name="$(basename $0)[$$]"

case "$1" in
    "tun11")
        vpn_name="client1"
        ;;
    "tun12")
        vpn_name="client2"
        ;;
    "tun13")
        vpn_name="client3"
        ;;
    "tun14")
        vpn_name="client4"
        ;;
    "tun15")
        vpn_name="client5"
        ;;
    "tun21")
        vpn_name="server1"
        ;;
    "tun22")
        vpn_name="server2"
        ;;
    *)
        vpn_name=""
        ;;
esac

# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"

# Check script state/use nvram to save last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
    echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
    exit 0
fi

if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
    sh /jffs/scripts/$vpn_script_name $*
else
    echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
    exit 0
fi

exit 0

But im not sure what to name the filenames? Basically i just want tun11 to run this script in my first post, and server doesnt need to run anything.

What do i name the filenames in conjunction with this openvpn-event file?

 

[soniccool]

Also im gonna try out your fwmark suggestion as mentioned later today.

 

[Martineau]

Got it! Awesome, I took a look. Here is what i found.
But im not sure what to name the filenames? Basically i just want tun11 to run this script in my first post, and server doesnt need to run anything.

What do i name the filenames in conjunction with this openvpn-event file?

For VPN Clients, the openvpn-event script will execute scripts in the form

vpnclientX-zzzzz where X is the VPN Client instance, and zzzzz is the trigger event.

As per the OpenVPN man page, there are several trigger points e.g. UP, DOWN etc. so using the openvpn-event script makes it easier to manage the custom scripts for each 'tun1x/tun2x' device.

e.g. for VPN Client 1 (tun11)

vpnclient1-up
vpnclient1-route-up
vpnclient1-down

so if script openvpn-event finds an appropriate file it will execute it.

As you're adding tun11 VPN routing rules, I would create/use the vpnclient1-route-up script

 

[soniccool]

So i went ahead and did as so, and it works for my client1. But i cant start vpnserver. Its just stuck on loading

"Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection. "

Am i supposed to have any files for vpnserver? Or can i leave that blank?

 

[Martineau]

So i went ahead and did as so, and it works for my client1. But i cant start vpnserver. Its just stuck on loading

"Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection. "

If you temporarily rename openvpn-event, does the VPN Server still fail? - if so then you will need to provide the portion of Syslog containing the openvpn server messages when the VPN Server startup fails.

Am i supposed to have any files for vpnserver?

Unless you need to customise either of the VPN Servers then no.

 

[soniccool]

Yes if i rename it, it does not fail.

Here is the syslog with the openvpn-event you suggested and my script up above as client1 route up. This issue has been plaguing me for a year lol.

First i start the client1 Vpn then i start the VpnServer1.\

Client1 works, but vpnserver1 fails.

It wont let me post the syslog here, so here is a pastebin of the syslog.

https://pastebin.com/RUxSvKZG

 

[Martineau]

Yes if i rename it, it does not fail.

Here is the syslog with the openvpn-event you suggested and my script up above as client1 route up. This issue has been plaguing me for a year lol.

First i start the client1 Vpn then i start the VpnServer1.\

Client1 works, but vpnserver1 fails.

It wont let me post the syslog here, so here is a pastebin of the syslog.

https://pastebin.com/RUxSvKZG

Presumably you have a cron job to ensure VPN Client 1 is always running?

Apr 18 17:57:00 crond[791]: USER admin pid 7127 cmd service start_vpnclient1
Apr 18 17:57:00 init: VPN_LOG_NOTE: 90: VPN Client 1 already running...

Anyway the openvpn-event script appears to be executed correctly as expected for tun11

Apr 18 17:57:01 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1587 10.7.7.166 255.255.255.0 init)
Apr 18 17:57:01 openvpn-event[7189]: Script not defined for event: vpnclient1-up

yet strangely for tun21 ....

Apr 18 17:57:17 kernel: device tun21 entered promiscuous mode
Apr 18 17:57:17 ovpn-server1[7449]: Options error: --up script fails with 'updown.sh': Permission denied (errno=13)
Apr 18 17:57:17 ovpn-server1[7449]: Options error: Please correct this error.
Apr 18 17:57:17 ovpn-server1[7449]: Use --help for more information.
Apr 18 17:57:17 init: VPN_LOG_ERROR: 1387: Starting VPN instance failed...

Can you post the output

   ls    -lah    /etc/openvpn/server1

   cd   /jffs/scripts
   ./openvpn-event   tun21

 

[soniccool]

Yes i will setup the following cronjob once its all good.

As for your question here is the output:

admin@RT-AC86U-8230unknown)# ls -lah /etc/openvpn/server1
ls: /etc/openvpn/server1: No such file or directory


admin@RT-AC86U-8230:/jffs/scripts# ./openvpn-event tun21
-sh: ./openvpn-event: Permission denied

Doesnt seem like anything is being generated, and also gives me permission denied when checking tun21

 

[Martineau]

As for your question here is the output:
admin@RT-AC86U-8230unknown)# ls -lah /etc/openvpn/server1
ls: /etc/openvpn/server1: No such file or directory

admin@RT-AC86U-8230:/jffs/scripts# ./openvpn-event tun21
-sh: ./openvpn-event: Permission denied

OK on mine

          ls    -lah    /etc/openvpn/server1

drwx------    2 admin    root         220 Apr 19 18:52 .
drwx------    8 admin    root         240 Apr 19 18:53 ..
-rw-------    1 admin    root        1.2K Apr 19 18:52 ca.crt
-rw-------    1 admin    root         916 Apr 19 18:52 ca.key
-rw-rw-rw-    1 admin    root        6.0K Apr 19 18:52 client.ovpn
-rw-------    1 admin    root         983 Apr 19 18:52 config.ovpn
-rw-------    1 admin    root         432 Apr 19 18:52 dh.pem
-rw-------    1 admin    root        1.3K Apr 19 18:52 server.crt
-rw-------    1 admin    root         932 Apr 19 18:52 server.key
-rw-------    1 admin    root         472 Apr 20 07:44 status
lrwxrwxrwx    1 admin    root          27 Apr 19 18:52 updown.sh -> /jffs/scripts/openvpn-event

admin@RT-AC68U:/jffs/scripts# ./openvpn-event tun21
admin@RT-AC68U:/jffs/scripts#

but in Syslog

RT-AC68U user.warn openvpn-event[5767]: User openvpn-event running
RT-AC68U user.warn openvpn-event[5767]:      Script not defined for event: vpnserver1-

Hmm, I thought this little bug had been squashed

So, as per the RMerlin wiki User Scripts guide, at the bottom of the page it tells you that you must make ALL custom scripts executable.
i.e. issue the following to fix it:

chmod a+rx /jffs/scripts/openvpn-event

or follow the wiki instructions to make ALL files in /jffs/scripts executable (not always appropriate in my environment)

NOTE: Confusingly, for VPN Clients, the firmware explicitly forces the 'text file' openvpn-event to always execute as a valid script (see '/usr/sbin/vpnrouting.sh'), but for the VPN Servers it doesn't, causing you frustration for the past year!