Question on where to put VPN routing rules


stoli412

Occasional Visitor
I have the OpenVPN client running with policy rules set to direct all traffic via the VPN for one of the computers on my network and to block all traffic if the tunnel goes down. I also have some port forwards set up with my VPN provider so this computer is still reachable from the internet. My forwarding rules are currently in the openvpn-event script, example below:

Code:
iptables -I FORWARD -i tun13 -p tcp -d 192.168.1.73 --dport 8081 -j ACCEPT
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 8081 -j DNAT --to-destination 192.168.1.73

However, if the VPN loses connection and auto-restarts, the rules get re-added, causing lots of duplicates. It doesn't appear to cause any issues, but it looks messy (and it just bothers me, haha).

I'm wondering if I should move the rules to the nat-start script instead. That way they get added just once when the router starts and remain regardless of whether the VPN tunnel goes down and restarts. Would it complain if the tun interface doesn't exist yet (assuming nat-start runs before the VPN tunnel is up)? I thought I'd ask on here first before I tried it.

Does anyone see any other issues with this setup? Or any suggestions for other/better ways to do this?
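One way to avoid the duplicate rules described in the post above, as an added example that is not code from the thread: make the "up" handler idempotent by testing with `iptables -C` before inserting, and make the "down" handler delete until no copy of the rule remains, so it also clears duplicates left behind by earlier restarts. It assumes the rules posted above (tun13, 192.168.1.73, TCP 8081) and that the router's iptables supports the `-C` (check) option; the `IPT` variable exists only so the logic can be exercised against a stand-in instead of a live firewall.

```sh
#!/bin/sh
# Added example (not from the thread): idempotent port-forward handling for an
# Asuswrt-Merlin OpenVPN client. Re-running the "up" handler after a tunnel restart
# never stacks duplicate rules, and the "down" handler removes every copy.
# Assumptions: interface, LAN host and port follow the rules posted above; the
# router's iptables supports -C; IPT may be overridden to test without root.

IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun13}"
LAN_HOST="${LAN_HOST:-192.168.1.73}"
PORTS="${PORTS:-8081}"          # space-separated list of TCP ports to forward

# add_rule TABLE CHAIN RULE...: insert the rule only if an identical one is absent
add_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                # already present: nothing to do
    fi
    "$IPT" -t "$table" -I "$chain" "$@"
}

# del_rule TABLE CHAIN RULE...: delete until no copy remains (clears old duplicates)
del_rule() {
    table="$1"; chain="$2"; shift 2
    while "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; do
        "$IPT" -t "$table" -D "$chain" "$@" || return 1   # bail out rather than loop forever
    done
}

forward_up() {
    for port in $PORTS; do      # unquoted on purpose: split the list on spaces
        add_rule filter FORWARD -i "$VPN_IF" -p tcp -d "$LAN_HOST" --dport "$port" -j ACCEPT
        add_rule nat PREROUTING -i "$VPN_IF" -p tcp --dport "$port" -j DNAT --to-destination "$LAN_HOST"
    done
}

forward_down() {
    for port in $PORTS; do
        del_rule filter FORWARD -i "$VPN_IF" -p tcp -d "$LAN_HOST" --dport "$port" -j ACCEPT
        del_rule nat PREROUTING -i "$VPN_IF" -p tcp --dport "$port" -j DNAT --to-destination "$LAN_HOST"
    done
}

# OpenVPN exports script_type to its hook scripts (up, route-up, down, route-pre-down, ...),
# so one file can serve both directions; nothing runs when invoked outside OpenVPN.
case "${script_type:-}" in
    up|route-up)         forward_up ;;
    down|route-pre-down) forward_down ;;
esac
```

The same two functions can be split across the separate vpnclient3-route-up and vpnclient3-down scripts discussed later in the thread. iptables accepts an `-i tun13` match whether or not the interface exists yet, so loading the rules once from nat-start would not fail either; they would simply sit in the tables while the tunnel is down, which is harmless (nothing arrives on tun13 then) but not what the original post is after.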
 
Thanks for the pointer to your script! So if I'm understanding correctly, what I would do is replace my openvpn-event script with your template as-is. Then I would create 2 new scripts to be called, based on the VPN state:

vpnclient3-route-up to add my forwarding rules:
Code:
iptables -I FORWARD -i tun13 -p tcp -d 192.168.1.73 --dport 8081 -j ACCEPT
iptables -t nat -I PREROUTING -i tun13 -p tcp --dport 8081 -j DNAT --to-destination 192.168.1.73

And vpnclient3-route-down to remove my forwarding rules:
Code:
iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.73 --dport 8081 -j ACCEPT
iptables -t nat -D PREROUTING -i tun13 -p tcp --dport 8081 -j DNAT --to-destination 192.168.1.73

And doing it this way will clear the forwarding rules if the VPN tunnel disconnects, then re-add them when it auto-reconnects?
 
You got the idea perfectly. The only change is that there is not a route-down call....it's just down. So name the second script vpnclient3-down

Also, just as a reminder....don't forget to include the shebang in each of the scripts and to set them both to be executable.
 
I gave it a try, but it doesn't seem to be working. I'm wondering if the openvpn-event script isn't picking up vpnclient3 specifically, because in the log I'm seeing:

openvpn-event[1787]: Script not defined for event: vpn-route-up

Just so you know, I have VPN server 1 configured, and VPN client 3 is configured to start with WAN.

Here's what I've done.

In /jffs/scripts/, I created:
openvpn-event (kept exactly as in your template)
vpnclient3-route-up (added port forward rules from my original openvpn-event script)
vpnclient3-down (commands to remove port forward rules)

Ran chmod a+rx /jffs/scripts/*

Then rebooted the router. In the System Log / Port Forwards tab, my forwarded ports do not appear, and the computer is not accessible from outside my network.

The log is attached. Any thoughts on why it's not working as expected?
 

Attachments

  • syslog.txt (423.8 KB)
Do you have a shebang on top of your script?
Code:
#!/bin/sh
 

Use of openvpn-event on later firmware releases is temperamental to say the least i.e. buggy

@john9527's openvpn-event script will expect the first arg passed to it to be of the form 'tun1x' and as can be seen from the log in some cases it isn't 5 characters long!
Code:
Jan 18 22:22:07 custom script: Running /jffs/scripts/openvpn-event (args: tun131500155810.4.23.158255.255.0.0init)
Jan 18 22:22:08 openvpn-event[1612]: Script not defined for event: vpn-up

yet strangely further down in the syslog the first arg appears to be in the correct format i.e. a 5 char string but again the 'case' statement in the openvpn-event code never matches?? :confused:
Code:
Jan 18 22:22:14 custom script: Running /jffs/scripts/openvpn-event (args: tun13 1500 1558 10.4.23.158 )
Jan 18 22:22:14 openvpn-event[1787]: Script not defined for event: vpn-route-up
 
When you copied in openvpn-event, are you sure it got copied with linux line endings, and not DOS/WIN?
 
I saw that as well.....never saw that before (the args compressed without spaces).

I can't figure out why some people have problems.....that is the exact openvpn-event script I use and it works without a problem. :confused:
 
I think I found the problem when running Merlin (vs my fork). I'll send him a note.

EDIT: In the meantime, using $dev instead of $1 in the case statement should be a good workaround.
 
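The workaround above (key the case statement on $dev rather than $1) as a minimal dispatcher, added here as an example and not the openvpn-event template the thread refers to: OpenVPN exports `dev` and `script_type` to every hook script, and the syslog excerpts above show the positional arguments arriving run together, so the environment is the more reliable thing to dispatch on. It assumes per-instance scripts in /jffs/scripts named vpnclientN-<event> and vpnserverN-<event>, and the interface naming seen in this thread (tun11..tun15 for clients, tun21/tun22 for servers); `SCRIPT_DIR` is only overridable so the dispatch can be exercised outside the router.

```sh
#!/bin/sh
# Added example (not the thread's openvpn-event template): dispatch OpenVPN hook
# events to per-instance scripts using $dev and $script_type, with $1 only as a
# fallback. Assumptions: scripts live in /jffs/scripts; clients are tun11..tun15,
# servers tun21/tun22.

SCRIPT_DIR="${SCRIPT_DIR:-/jffs/scripts}"

# Log to syslog when logger is available, otherwise to stderr
log() { logger -t openvpn-event "$*" 2>/dev/null || echo "openvpn-event: $*" >&2; }

# instance_prefix IFACE: tun13 -> vpnclient3, tun21 -> vpnserver1; fails on anything else
instance_prefix() {
    case "$1" in
        tun1[1-5]) printf 'vpnclient%s' "${1#tun1}" ;;
        tun2[12])  printf 'vpnserver%s' "${1#tun2}" ;;
        *)         return 1 ;;
    esac
}

# event_script IFACE EVENT: full path of the script for this instance and event,
# e.g. /jffs/scripts/vpnclient3-route-up
event_script() {
    prefix=$(instance_prefix "$1") || return 1
    printf '%s/%s-%s' "$SCRIPT_DIR" "$prefix" "$2"
}

# run_event IFACE EVENT: run the matching script if it exists and is executable.
# The OpenVPN environment ($dev, $script_type, $ifconfig_local, ...) is inherited
# by the child script, so it needs no positional arguments.
run_event() {
    target=$(event_script "$1" "$2") || { log "Unrecognised interface: $1"; return 1; }
    if [ -x "$target" ]; then
        log "Running $target"
        "$target"
    else
        log "Script not defined for event: $(basename "$target")"
    fi
}

# Dispatch only when invoked by OpenVPN (dev set) or with an interface argument
if [ -n "${dev:-}" ] || [ -n "${1:-}" ]; then
    run_event "${dev:-$1}" "${script_type:-}"
fi
```

OpenVPN's hook names are up, route-up, route-pre-down and down; there is no route-down, as noted earlier in the thread, so the per-instance scripts end up as vpnclient3-route-up, vpnclient3-down and so on. Each of them still needs the `#!/bin/sh` line and the executable bit.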
I changed $1 to $dev, and that seemed to do the trick: vpnclient3-route-up runs and correctly adds the port forwards. However, I'm not sure if vpnclient3-down is being run. If I manually stop the VPN client, should that script run? When I stop it, my port forwards still remain and all I see in the log is:

Code:
Jan 19 09:10:03 rc_service: httpd 463:notify_rc stop_vpnclient3
Jan 19 09:10:04 openvpn[1178]: event_wait : Interrupted system call (code=4)
Jan 19 09:10:04 openvpn[1178]: SIGTERM received, sending exit notification to peer
Jan 19 09:10:06 kernel: Interface tap13 doesn't exist
Jan 19 09:10:06 kernel: Interface tun13 doesn't exist

Just so I can track if the scripts are being run or not, I added a logger line with "vpnclient3-xxxx has completed" to both scripts. It shows up in the log for vpnclient3-route-up, but not for vpnclient3-down.
 
Try to use "route-pre-down" instead: vpnclient3-route-pre-down
Are you using client 3?
 
However, I'm not sure if vpnclient3-down is being run. If I manually stop the VPN client, should that script run?

Yes....well for my VPN Client 1

Code:
Jan 19 11:07:19 RT-AC68U kern.notice rc_service: httpd 4686:notify_rc stop_vpnclient1
Jan 19 11:07:20 RT-AC68U daemon.err openvpn[4834]: event_wait : Interrupted system call (code=4)
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: vpnrouting.sh tun11 1500 1559 10.200.194.3 255.255.255.0 init
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Configuring policy rules for client 1
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Removing rule 10001 from routing policy
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Removing rule 10002 from routing policy
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Tunnel down - VPN client access blocked
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Adding route for 10.88.8.90 to 0.0.0.0 through VPN client 1
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Adding route for 172.16.1.1 to 0.0.0.0 through VPN client 1
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Adding route for 0.0.0.0 to 52.31.49.122/32 through WAN
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Adding route for 0.0.0.0 to 52.210.48.64/32 through WAN
Jan 19 11:07:20 RT-AC68U user.warn openvpn-routing: Completed routing policy configuration for client 1
Jan 19 11:07:20 RT-AC68U user.warn custom script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1559 10.200.194.3 255.255.255.0 init)
Jan 19 11:07:20 RT-AC68U user.warn openvpn-event[5485]: User openvpn-event running
Jan 19 11:07:20 RT-AC68U user.warn openvpn-event[5485]: Script not defined for event: vpnclient1-route-pre-down
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: /usr/sbin/ip route del 208.167.255.131/32
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: /usr/sbin/ip route del 0.0.0.0/1
Jan 19 11:07:20 RT-AC68U daemon.warn openvpn[4834]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: /usr/sbin/ip route del 128.0.0.0/1
Jan 19 11:07:20 RT-AC68U daemon.warn openvpn[4834]: ERROR: Linux route delete command failed: external program exited with error status: 2
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: Closing TUN/TAP interface
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: /usr/sbin/ip addr del dev tun11 10.200.194.3/24
Jan 19 11:07:20 RT-AC68U daemon.notice openvpn[4834]: updown.sh tun11 1500 1559 10.200.194.3 255.255.255.0 init
Jan 19 11:07:21 RT-AC68U kern.notice rc_service: service 5524:notify_rc updateresolv
Jan 19 11:07:21 RT-AC68U kern.notice rc_service: waitting "stop_vpnclient1" via httpd ...
Jan 19 11:07:33 RT-AC68U user.warn custom script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1559 10.200.194.3 255.255.255.0 init)
Jan 19 11:07:33 RT-AC68U user.warn openvpn-event[5555]: User openvpn-event running
Jan 19 11:07:33 RT-AC68U user.warn (vpnclient1-down): 5563 User Processing 'down' (tun11) via 10.200.194.3 args = [tun11 1500 1559 10.200.194.3 255.255.255.0 init]
Jan 19 11:07:33 RT-AC68U user.warn (vpnclient1-down): 5563 Deleted cru GetWANIP_VPN1
Jan 19 11:07:33 RT-AC68U user.warn (vpnclient1-down): 5563 User Processing Complete.

vpnclient1-down

Code:
#!/bin/sh

logger -st "($(basename $0))" $$ "User Processing '"$script_type"' ("$dev") via" $ifconfig_local "args = ["$@"]"

#VPN_ID=${dev:4:1}
VPN_ID=1

cru d "GetWANIP_VPN"$VPN_ID
logger -st "($(basename $0))" $$ "Deleted cru GetWANIP_VPN"$VPN_ID


logger -st "($(basename $0))" $$ "User Processing Complete."

exit 0
 
Is it the same if you use Service State ON/OFF (the on/off client slider)?
 
Definitely using VPN client 3. I renamed the script to vpnclient3-route-pre-down but it had no effect...the ports still stay in the forwarding table when switching off the VPN client side (the on/off toggle on the OpenVPN Clients tab) and I don't see it in the syslog.

Ideally, I'd like a script that removes the forwarded ports if I switch off the VPN using the on/off, or if it disconnects on its own for whatever reason (lost connection, etc).

This is my entire script for vpnclient3-down / vpnclient3-route-pre-down. It works fine if I run it manually, so I assume the script itself isn't named properly and isn't being run when the VPN shuts down?
Code:
#!/bin/sh

iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.73 --dport 8085 -j ACCEPT
iptables -t nat -D PREROUTING -i tun13 -p tcp --dport 8085 -j DNAT --to-destination 192.168.1.73

iptables -D FORWARD -i tun13 -p tcp -d 192.168.1.73 --dport 9091 -j ACCEPT
iptables -t nat -D PREROUTING -i tun13 -p tcp --dport 9091 -j DNAT --to-destination 192.168.1.73

# Logger test
logger "vpnclient3-route-pre-down has completed"
 
Make sure your script is executable: chmod a+rx /jffs/scripts/*
Make your script in e.g. Notepad++ and convert to Unix format (remove the CR at the end of each row).
Or use: "dos2unix /jffs/scripts/vpnclient3-route-pre-down", and the same for all other scripts.
 
Definitely making sure scripts are executable. They're being created in Xcode, so there shouldn't be any issues with carriage returns at row ends, but I ran dos2unix just in case. No change...script doesn't run when VPN is switched off. All I see in syslog is what I posted before:

Code:
Jan 19 09:10:03 rc_service: httpd 463:notify_rc stop_vpnclient3
Jan 19 09:10:04 openvpn[1178]: event_wait : Interrupted system call (code=4)
Jan 19 09:10:04 openvpn[1178]: SIGTERM received, sending exit notification to peer
Jan 19 09:10:06 kernel: Interface tap13 doesn't exist
Jan 19 09:10:06 kernel: Interface tun13 doesn't exist
 
What does this give out? nvram get vpn_script_state
That is what gets called from the openvpn-event script.
 