[Solved] Dual Wan with 1 OpenVpn Client and ability to choose from which wan to go out.

bluechris

Occasional Visitor
Hi guys

I set up my router with Dual Wan in load balance and I have one openvpn client.
All is working fine with one problem only (if you can say that), and this is that I cannot control somehow from which wan the openvpn will connect and I need the openvpn to be connected with wan1.

I need some help here because i cannot find a way to do this.

thx in advance
chris

EDIT:
1st solution, if you know the wan ip that you want your VPN to go out from.

Create a file in /jffs/scripts with the name openvpnclient1.postconf

Put this inside the file:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "nobind" "local xxx.xxx.xxx.xxx" $CONFIG

where xxx.xxx.xxx.xxx is your wan ip.

Reboot the router and your openvpn client1 connects from the specific wan, and you can see that in syslog.

2nd solution, to get the wan ip dynamically, from @Martineau
Create the same file as in the 1st solution but put this inside:
Code:
#!/bin/sh
#
# Version 1.01
#
# This script allows you to specify which WAN interface is to be used for this VPN Client connection...
#
#  e.g. WAN0 may be a Slow/Expensive/Data-capped 3/4G link but WAN1 may be a fast VDSL/Fibre link
#
#        So in the VPN Client Custom Configuration dialog box enter
#
#              local wan1
#              or if you *REALLY* want to force the VPN tunnel via the EXPENSIVE 3/4G WAN...
#              local wan0
#
#  and the current ACTIVE BIND I/P address for the requested virtual WAN interface will be extracted from the DUAL-WAN tables
#
#
# NOTE: If DUAL-WAN is not configured, then if alias 'br0:VPN' exists:
#
#   i.e. 'ifconfig br0:VPN xxx.xxx.xxx.xxx up' was created in '/jffs/scripts/init-start'
#
#               then xxx.xxx.xxx.xxx will be EXPLICITLY used - just to prove this script works!! ;-)
#               i.e. it will ignore the actual WANx directive specified
#
#               'local wan1' -> 'local br0:VPN'

CONFIG=$1

source /usr/sbin/helper.sh

logger -st "($(basename $0))" $$ "Started....." [$@]

# Check if DUAL-WAN interfaces exist
if [ "$(nvram get wans_dualwan)" == "wan none" ];then
   VPN_IF="br0:VPN"                   # For SINGLE-WAN default 'WAN0', use the alias 'br0:VPN' if it exists
   BIND_IP=$(ifconfig $VPN_IF | grep 'inet addr'|cut -d':' -f2 | awk '{print $1}') # For testing! ;-)
else                                   # DUAL-WAN assumed
   VPN_IF=$(grep -iE "^local" $CONFIG | cut -d" " -f2)         # Get virtual 'WAN0/1' from custom config GUI
   VLAN_ID=$(ip route show table $VPN_IF | grep "default" | awk '{print $5}')   # Extract the real 'vlanX' interface name referenced by WAN0/1
   BIND_IP=$(ifconfig $VLAN_ID | grep 'inet addr'|cut -d':' -f2 | awk '{print $1}') # Get the I/P assigned to the 'vlanX' interface
fi

# Do we have a valid BIND address?
if [ -z "$BIND_IP" ] && [ "${VPN_IF:0:3}" == "wan" ];then
   logger -st "($(basename $0))" $$ "***ERROR** VPN Client WAN BIND I/P address not found for virtual interface '"$VPN_IF"'"
   echo -e "\a"
   exit 99
fi

# Use the valid BIND address if we have one! -> 'local xxx.xxx.xxx.xxx'
if [ ! -z "$BIND_IP" ];then                  # If 'local' specified then update it
   if [ "${VPN_IF:0:3}" == "wan" ];then     # Still using the virtual interface names?
       VPN_IF=$(ip route show table $VPN_IF | grep "default" | awk '{print $5}')  # Cosmetic..replace virtual 'wan0/1' with say 'vlan2/3'
   fi
   logger -st "($(basename $0))" $$ "VPN Client will BIND to" $BIND_IP "via interface '"$VPN_IF"'"
   #pc_delete "nobind" $CONFIG                  # Delete the conflicting 'nobind' option using the new 'helper' function to see if it works!
   sed -i "s/^nobind.*$//" $CONFIG              # Only Firmware >380.63+ includes 'pc_delete' :-(
   sed -i "s/^local.*$/local $BIND_IP/" $CONFIG # Replace the virtual 'local wanX' to force the VPN Client to BIND to the desired WAN interface
                                                # It would be nice if we could put a comment in the GUI? - Version 2 perhaps! ;-)
                                                #  e.g. nvram set vpn_client1_custom="<existing># Using BIND $BIND_IP via $VPN_IF"
else
   logger -st "($(basename $0))" $$ "VPN Client allowed to BIND to any WAN interface ('"$VPN_IF"' not found!)"
   sed -i "s/^local.*$//" $CONFIG               # Just in case?????!!!!! ;-)
fi

logger -st "($(basename $0))" $$ "Complete."

exit 0

This script is supposed to dynamically get the wan ip address and alter the openvpn config, and with that you choose from which wan you want your openvpn client to go out. See the script and you will understand what it does. Unfortunately in my case it gives back not the wan ip but the Gateway ip and needs some fixing, but you can try it for sure.
If anyone gets a positive response from the script and it is working for him, I will take out the 1st solution.

thx everyone for the help and especially @Martineau for his time and effort.
 
Last edited:
...I cannot control somehow from which wan the openvpn will connect and I need the openvpn to be connected with wan1.

EDIT: Specify the following VPN Client Custom Configuration directive:

--local host
Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
 
Last edited:
If I recall correctly, Dual-WAN creates routing tables '100' and '200'?, if this is still the case, then you simply need to ensure that the RPDB rule for your VPN traffic uses table '200' (WAN1?).
Code:
ip route show table 100
ip route show table 200
ip rule

Atm I'm connected to the vpn and it is working, but I don't see it anywhere with these commands you told me, in the 100 or 200 tables.

Is there any other command to find from which wan the vpn is connected? Also sorry, I made a mistake, I need wan0 for vpn, but this is minor; if I find the way I will alter the script you told me.

Code:
admin@NETGEAR-7936:/tmp/home/root# ip route show table 100
192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.4.1 dev vlan2
admin@NETGEAR-7936:/tmp/home/root# ip route show table 200
192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.21 dev vlan3  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.6.21 dev vlan3
admin@NETGEAR-7936:/tmp/home/root# ip rule
0:      from all lookup local
200:    from 192.168.4.22 lookup wan0
200:    from 192.168.6.22 lookup wan1
200:    from 8.8.8.8 lookup wan0
200:    from 8.8.4.4 lookup wan0
200:    from 8.8.8.8 lookup wan1
200:    from 8.8.4.4 lookup wan1
400:    from all to 192.168.4.1 lookup wan0
400:    from all to 192.168.6.21 lookup wan1
400:    from all to 8.8.8.8 lookup wan0
400:    from all to 8.8.4.4 lookup wan0
400:    from all to 8.8.8.8 lookup wan1
400:    from all to 8.8.4.4 lookup wan1
32766:  from all lookup main
32767:  from all lookup default
admin@NETGEAR-7936:/tmp/home/root#
 
.. Also sorry, I made a mistake, I need wan0 for vpn

Code:
admin@NETGEAR-7936:/tmp/home/root# ip route show table wan0
<snip>
default via 192.168.4.1 dev vlan2

admin@NETGEAR-7936:/tmp/home/root# ip route show table wan1
<snip>
default via 192.168.6.21 dev vlan3

Updated my original post. Having RTFM'd the OpenVPN 2.4 manual, it states you can specify the I/P address to bind to - simply specify either the WAN0 or WAN1 I/P address assigned to the appropriate VLAN.
 
Updated my original post. Having RTFM'd the OpenVPN 2.4 manual, it states you can specify the I/P address to bind to - simply specify either the WAN0 or WAN1 I/P address assigned to the appropriate VLAN.

Thx for the suggestion.. I read all the options in openvpn and the --local directive was supposed to do the trick, but there is a problem now and the openvpn client doesn't start.

I had set this directive in the 1st openvpn client

local 192.168.4.22 #wan0 ip address

But i get this error in log
Code:
Mar 21 10:44:37 openvpn[2975]: Options error: --local and --nobind don't make sense when used together
Mar 21 10:44:37 openvpn[2975]: Use --help for more information.
Mar 21 10:44:37 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed...
M

It appears that there exists a nobind directive that cannot be used together with --local, but I don't see it anywhere in my config to take it out.
 
local 192.168.4.22 #wan0 ip address

But i get this error in log
Code:
Mar 21 10:44:37 openvpn[2975]: Options error: --local and --nobind don't make sense when used together
Mar 21 10:44:37 openvpn[2975]: Use --help for more information.
Mar 21 10:44:37 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed...
M

It appears that there exists a nobind directive that cannot be used together with --local, but I don't see it anywhere in my config to take it out.

RTFM! :p

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

Hint: You will need to create the script /jffs/scripts/openvpnclient1.postconf.
 
Ohh when you said RTFM i thought the generic openvpn manual .. now i got you thx.

I tried what you said so i created the file /jffs/scripts/openvpnclient1.postconf with this inside

Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "nobind" "local 192.168.4.22" $CONFIG

and it appears that the router at home connected correctly to my work (untangle appliance) with the wan0 ip address, but the setting I changed doesn't appear anywhere in the web page of openvpn client1 or in the log...
Is there anywhere that I can get the full current running config? I searched, and in /etc/openvpn/client1/config.ovpn there are the original settings from before the altering.

thx for your help m8

RTFM! :p

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

Hint: You will need to create the script /jffs/scripts/openvpnclient1.postconf.
 
Ohh when you said RTFM i thought the generic openvpn manual .. now i got you thx.

Sadly in life there are many manuals although sometimes RTFM still doesn't work! :p

Is there anywhere that I can get the full current running config? I searched, and in /etc/openvpn/client1/config.ovpn there are the original settings from before the altering.

In Syslog there should be a line confirming the BIND address for the desired WAN interface:
Code:
RT-AC68U daemon.notice openvpn[11431]: TCP_CLIENT link local (bound): [AF_INET]xxx.xxx.xxx.xxx:1194

..but I'm 1000% sure /etc/openvpn/client1/config.ovpn should correctly reflect the VPN config used by the active VPN Client 1 connection etc.

P.S. Isn't it a bit silly/terribly inconvenient to hard-code the I/P address?
Code:
pc_replace "nobind" "local 192.168.4.22" $CONFIG

Why not allow say the 'invalid' placeholder directive:
Code:
local wan0
to be permanently specified in the VPN Client Custom GUI?, then write the code to see which interface is to be used, then extract the current I/P from the appropriate route table i.e. 100 (WAN0) or 200 (WAN1) ;)
 
Last edited:
Sadly in life there are many manuals although sometimes RTFM still doesn't work! :p

In Syslog there should be a line confirming the BIND address for the desired WAN interface:
Code:
RT-AC68U daemon.notice openvpn[11431]: TCP_CLIENT link local (bound): [AF_INET]xxx.xxx.xxx.xxx:1194

..but I'm 1000% sure /etc/openvpn/client1/config.ovpn should correctly reflect the VPN config used by the active VPN Client connection.

P.S. Isn't it a bit silly/terribly inconvenient to hard-code the I/P address?
Code:
pc_replace "nobind" "local 192.168.4.22" $CONFIG

Why not allow say the 'invalid' placeholder directive:
Code:
local wan0
to be permanently specified in the VPN Client Custom GUI?, then write the code to see which interface is to be used, then extract the current I/P from the appropriate table i.e. 100 (WAN0) or 200 (WAN1) ;)

My 2 wans are both 2 other routers that do NAT, so the ip is static from them and it will never change. (both wan interfaces are coming from 2 Ubiquiti AC19 APs)

In syslog I don't find any bound line at all really (I see the general log in the web interface)
I found this info
Code:
Mar 21 17:29:44 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 21 17:29:44 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 17:29:44 openvpn[691]: OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct  1 2016
Mar 21 17:29:44 openvpn[691]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Mar 21 17:29:44 openvpn[692]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 21 17:29:44 openvpn[692]: UDPv4 link local: [undef]
I suppose this means it's trying to take the script.

As for /etc/openvpn/client1/config.ovpn, it's showing the web page config for certain (with putty).

I must have something wrong somewhere else for sure.
 
My 2 wans are both 2 other routers that do NAT, so the ip is static from them and it will never change. (both wan interfaces are coming from 2 Ubiquiti AC19 APs)

In syslog I don't find any bound line at all really (I see the general log in the web interface)

As for /etc/openvpn/client1/config.ovpn, it's showing the web page config for certain (with putty).

I must have something wrong somewhere else for sure.

Ahh OK, but I have just written the flexible script as it was an interesting issue that clearly others (without static WAN VLAN addresses) i.e. with say an expensive 3/4G DUAL-WAN interface that shouldn't be used might find interesting.

Hmm strange you can't confirm the BIND address etc.

NOTE: In my recent 'isolate IoT device' endeavours, I decided to buy a 'cheap' (Generation 1) UniFi UAC AP AC-Lite, and the difference between an 'Enterprise' class AP vs. a 'SOHO' class router running as an AP is clearly evident.
On the UniFi - "Do you want VLAN tagged SSIDs?" - no problem... "How about a 'Captive Portal'?" OK - "Will that be voucher based or Facebook/Paypal?" etc!!! - brilliant.
P.S. Only downside is that multiple SSID/Guest/VLANs defined on the UniFi AP take a performance hit :-(
Looks like I will be investing in the newly announced UniFi 'Generation 2' kit!
 
M8 I found why the script wasn't working... the script needed to be readable, either way I made it 777 and now it runs successfully and I got bound in syslog

Code:
Mar 21 18:20:05 openvpn[713]: UDPv4 link local (bound): [AF_INET]192.168.4.22:1194

When I tried with wan0 I got an error, so the wan0 or wan1 doesn't work there.. it needs something else for dynamic assignment.. maybe it needs a vlan3, as I see vlans in the log

Code:
Mar 21 18:12:06 openvpn[703]: RESOLVE: Cannot resolve host address: wan0: Name or service not known]

Thx for your help really... i now started to dig in this firmware and seems pretty great.

NOTE: In my recent 'isolate IoT device' endeavours, I decided to buy a 'cheap' (Generation 1) UniFi UAC AP AC-Lite, and the difference between an 'Enterprise' class AP vs. a 'SOHO' class router running as an AP is clearly evident.
On the UniFi - "Do you want VLAN tagged SSIDs?" - no problem... "How about a 'Captive Portal'?" OK - "Will that be voucher based or Facebook/Paypal?" etc!!! - brilliant.
P.S. Only downside is that multiple SSID/Guest/VLANs defined on the UniFi AP take a performance hit :-(
Looks like I will be investing in the newly announced UniFi 'Generation 2' kit!

UBNT devices are great really... at work I have 3 UniFi AC Lite and 1 Pro and they have been up with no problem for 120 days now.
I use vouchers for the employees for 1 year access with bandwidth limitations of course, and I even printed 1 day access vouchers for visitors, and the reception gives them to whichever client needs internet.
If you do a big installation I also recommend a UniFi gateway that is doing DPI etc.
Great times with these devices, believe me.
 
Last edited:
When I tried with wan0 I got an error, so the wan0 or wan1 doesn't work there.. it needs something else for dynamic assignment..
Code:
Mar 21 18:12:06 openvpn[703]: RESOLVE: Cannot resolve host address: wan0: Name or service not known

This is what I came up with..my version - hopefully you can see what I meant by using the virtual 'wan0/1' interface names that most people would logically feel more comfortable with, but they could be anything really, e.g. 'FastWANLink' etc. in the GUI (providing the script is able to identify which of the DUAL-WAN route tables is associated with the custom name!) :D
Code:
#!/bin/sh
#
# Version 1.01
#
# This script allows you to specify which WAN interface is to be used for this VPN Client connection...
#
#  e.g. WAN0 may be a Slow/Expensive/Data-capped 3/4G link but WAN1 may be a fast VDSL/Fibre link
#
#        So in the VPN Client Custom Configuration dialog box enter
#
#              local wan1
#              or if you *REALLY* want to force the VPN tunnel via the EXPENSIVE 3/4G WAN...
#              local wan0
#
#  and the current ACTIVE BIND I/P address for the requested virtual WAN interface will be extracted from the DUAL-WAN tables
#
#
# NOTE: If DUAL-WAN is not configured, then if alias 'br0:VPN' exists:
#
#   i.e. 'ifconfig br0:VPN xxx.xxx.xxx.xxx up' was created in '/jffs/scripts/init-start'
#
#               then xxx.xxx.xxx.xxx will be EXPLICITLY used - just to prove this script works!! ;-)
#               i.e. it will ignore the actual WANx directive specified
#
#               'local wan1' -> 'local br0:VPN'

CONFIG=$1

source /usr/sbin/helper.sh

logger -st "($(basename $0))" $$ "Started....." [$@]

# Check if DUAL-WAN interfaces exist
if [ "$(nvram get wans_dualwan)" == "wan none" ];then
    VPN_IF="br0:VPN"                   # For SINGLE-WAN default 'WAN0', use the alias 'br0:VPN' if it exists
    BIND_IP=$(ifconfig $VPN_IF | grep 'inet addr'|cut -d':' -f2 | awk '{print $1}') # For testing! ;-)
else                                   # DUAL-WAN assumed
    VPN_IF=$(grep -iE "^local" $CONFIG | cut -d" " -f2)         # Get virtual 'WAN0/1' from custom config GUI
    VLAN_ID=$(ip route show table $VPN_IF | grep "default" | awk '{print $5}')   # Extract the real 'vlanX' interface name referenced by WAN0/1
    BIND_IP=$(ifconfig $VLAN_ID | grep 'inet addr'|cut -d':' -f2 | awk '{print $1}') # Get the I/P assigned to the 'vlanX' interface
fi

# Do we have a valid BIND address?
if [ -z "$BIND_IP" ] && [ "${VPN_IF:0:3}" == "wan" ];then
    logger -st "($(basename $0))" $$ "***ERROR** VPN Client WAN BIND I/P address not found for virtual interface '"$VPN_IF"'"
    echo -e "\a"
    exit 99
fi

# Use the valid BIND address if we have one! -> 'local xxx.xxx.xxx.xxx'
if [ ! -z "$BIND_IP" ];then                  # If 'local' specified then update it
    if [ "${VPN_IF:0:3}" == "wan" ];then     # Still using the virtual interface names?
        VPN_IF=$(ip route show table $VPN_IF | grep "default" | awk '{print $5}')  # Cosmetic..replace virtual 'wan0/1' with say 'vlan2/3'
    fi
    logger -st "($(basename $0))" $$ "VPN Client will BIND to" $BIND_IP "via interface '"$VPN_IF"'"
    #pc_delete "nobind" $CONFIG                  # Delete the conflicting 'nobind' option using the new 'helper' function to see if it works!
    sed -i "s/^nobind.*$//" $CONFIG              # Only Firmware >380.63+ includes 'pc_delete' :-(
    sed -i "s/^local.*$/local $BIND_IP/" $CONFIG # Replace the virtual 'local wanX' to force the VPN Client to BIND to the desired WAN interface
                                                 # It would be nice if we could put a comment in the GUI? - Version 2 perhaps! ;-)
                                                 #  e.g. nvram set vpn_client1_custom="<existing># Using BIND $BIND_IP via $VPN_IF"
else
    logger -st "($(basename $0))" $$ "VPN Client allowed to BIND to any WAN interface ('"$VPN_IF"' not found!)"
    sed -i "s/^local.*$//" $CONFIG               # Just in case?????!!!!! ;-)
fi

logger -st "($(basename $0))" $$ "Complete."

exit 0

If you did find time to test it, that would be much appreciated ;) as I currently don't have a DUAL-WAN environment to test with! :( - but I can wait until someone else stumbles across my shoddy script to tell me where it fails! :eek:

So in the VPN Client GUI, simply include
Code:
local wan0

and see if the script correctly identifies (and reports in Syslog) which BIND address it detects and uses.
 
Last edited:
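An added example (not Martineau's script and not firmware code) of the lookup the thread converges on: take the device of the default route in the wanX table, use that device's `src` address rather than the gateway after `via`, then drop `nobind` and write `local <ip>`. The route tables are the ones quoted earlier in the thread; the config lines and all function names are constructed for illustration. Binding to that address selects the WAN because of the `from 192.168.4.22 lookup wan0` rule shown in the `ip rule` output.

```shell
#!/bin/sh
# Added example. Route tables are copied from the thread's
# `ip route show table 100/200` output; SAMPLE_CONFIG is constructed.

WAN0_TABLE='192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.4.1 dev vlan2'

WAN1_TABLE='192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.21 dev vlan3  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.6.21 dev vlan3'

SAMPLE_CONFIG='client
dev tun11
proto udp
remote vpn.example.net 1194
nobind
local wan0'

# Print the device named on the default route (route table text on stdin).
default_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the "src" address of the connected route on device $1 (table on stdin).
# This is the router's own address on that WAN, not the gateway after "via".
src_for_dev() {
    awk -v dev="$1" '
        $1 != "default" {
            d = ""; s = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "src") s = $(i + 1)
            }
            if (d == dev && s != "") { print s; exit }
        }'
}

# Succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# $1 = output of `ip route show table wanX`; prints the address to bind to.
# Fails (non-zero) rather than printing anything that is not an IPv4 address.
resolve_bind_ip() {
    dev=$(printf '%s\n' "$1" | default_dev)
    [ -n "$dev" ] || return 1
    ip=$(printf '%s\n' "$1" | src_for_dev "$dev")
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# $1 = bind address; config on stdin, rewritten config on stdout.
# "nobind" is removed because OpenVPN rejects it together with "local".
rewrite_config() {
    awk -v ip="$1" '
        $1 == "nobind" { next }
        $1 == "local"  { print "local " ip; next }
        { print }'
}

# Demo: resolve WAN0 and show the config OpenVPN would be started with.
if bind_ip=$(resolve_bind_ip "$WAN0_TABLE"); then
    printf '%s\n' "$SAMPLE_CONFIG" | rewrite_config "$bind_ip"
else
    echo "no bind address found; config left untouched" >&2
fi
```

On the router the table text would come from `ip route show table wan0` instead of the embedded sample.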
This is what I came up with..my version - hopefully you can see what I meant by using the virtual 'wan0/1' interface names! so they could be anything really 'FastWANLink' etc. :D
Code:
#!/bin/sh

# This script allows you to specify which WAN interface is to be used for this VPN Client connection...
#
#        e.g. WAN0 may be a Slow/Expensive/Data-capped 3/4G link but WAN1 may be a fast VDSL/Fibre link
#
#              So in the VPN Client Custom Configuration dialog box enter
#
#                local wan1
#                or if you REALLY want to use the Slow/Expensive/Data-capped WAN!!
#                local wan0
#
#        and the current ACTIVE BIND I/P address for the requested virtual WAN interface will be extracted from the DUAL-WAN tables
#
#            e.g.    ip route show table wan0
#                    or
#                    ip route show table wan1
#
# NOTE: If DUAL-WAN is not configured, then if alias 'br0:VPN' exists:
#
#        i.e.    'ifconfig br0:VPN xxx.xxx.xxx.xxx up' was created in '/jffs/scripts/init-start'
#
#                then xxx.xxx.xxx.xxx will be EXPLICITLY used - just to prove this script works!! ;-)
#                i.e. it will ignore the actual WANx directive specified
#
#                'local wan1' -> 'local br0:VPN'


CONFIG=$1

source /usr/sbin/helper.sh

logger -st "($(basename $0))" $$ "Started....." [$@]


# Check if DUAL-WAN interfaces exist
if [ "$(nvram get wans_dualwan)" == "wan none" ];then
    # If you only have the standard WAN0, use the alias 'br0:VPN' if it exists
    VPN_IF="br0:VPN"
    BIND_IP=$(ifconfig $VPN_IF | grep 'inet addr'|cut -d':' -f2 | awk '{print $1}')    # For testing! ;-)
else
    VPN_IF=$(grep -iE "^local" $CONFIG | cut -d" " -f2)                                   # Get specified virtual 'WAN0/1' from custom config
    BIND_IP=$(ip route show table $VPN_IF | grep "default" | awk '{print $3}')            # Identify the current virtual 'WAN0/WAN1' interface
fi

# Do we have a valid BIND address?
if [ -z "$BIND_IP" ] && [ "${VPN_IF:0:3}" == "wan" ];then
    logger -st "($(basename $0))" $$ "***ERROR** VPN Client WAN BIND I/P address not found for virtual interface '"$VPN_IF"'"
    echo -e "\a"
    exit 99
fi

# Use the valid BIND address if we have one! -> 'local xxx.xxx.xxx.xxx'
if [ ! -z "$BIND_IP" ];then                                # If 'local' specified then update it
    if [ "${VPN_IF:0:3}" == "wan" ];then                   # Still using the virtual interface names?
        VPN_IF=$(ip route show table $VPN_IF | grep "default" | awk '{print $5}')        # Cosmetic..replace virtual 'wan0/1' with say 'vlan2/3'
    fi
    logger -st "($(basename $0))" $$ "VPN Client will BIND to" $BIND_IP "via interface '"$VPN_IF"'"
    pc_delete "nobind"                   $CONFIG            # Delete the conflicting 'nobind' option using the new 'helper' function to see if it works!
    sed -i "s/^local.*$/local $BIND_IP/" $CONFIG            # Replace the virtual 'local wanX' to force the VPN Client to BIND to the desired WAN interface
                                                            # It would be nice if we could put a comment in the GUI? - Version 2 perhaps! ;-)
                                                            #     e.g. nvram set vpn_client1_custom="<existing># Using BIND $BIND_IP via $VPN_IF"
else
    logger -st "($(basename $0))" $$ "VPN allowed to BIND to any WAN interface ('"$VPN_IF"' not found!)"
    sed -i "s/^local.*$//" $CONFIG                          # Just in case?????!!!!! ;-)
fi


logger -st "($(basename $0))" $$ "Complete."

exit 0

If you did find time to test it, that would be much appreciated ;) as I currently don't have a DUAL-WAN environment to test with! :( - but I can wait until someone else stumbles across my shoddy script to tell me where it fails! :eek:

So in the VPN Client GUI, simply include
Code:
local wan0

and see if the script correctly identifies (and reports in Syslog) which BIND address it detects and uses.
Wow great work m8.
I'm at home now and I don't dare to touch the internet or the wife will kill me, plus my 4 year old son jumps on me lol, but later on I will for sure.
Thx for your great work.
Btw is the correct chmod for a script 644 or 755 to be able to run fine?

Sent using tapatalk
 
Rightly or wrongly I personally use 755

Wife and kid left so I went for it.
I put in the custom configuration
Code:
local wan0

I get this.. I suppose it doesn't delete the nobind correctly

Code:
Mar 21 20:49:09 kernel: tun: Universal TUN/TAP device driver, 1.6
Mar 21 20:49:09 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 21 20:49:09 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 20:49:09 openvpn[706]: Options error: --local and --nobind don't make sense when used together
Mar 21 20:49:09 openvpn[706]: Use --help for more information.
Mar 21 20:49:09 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed...
 
None of his logger statements are showing in the syslog.....make sure that the script is in unix format by running
dos2unix /jffs/scripts/openvpnclient1.postconf
 
I put in the custom configuration
Code:
local wan0

I get this.. I suppose it doesn't delete the nobind correctly

Code:
Mar 21 20:49:09 kernel: tun: Universal TUN/TAP device driver, 1.6
Mar 21 20:49:09 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 21 20:49:09 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 20:49:09 openvpn[706]: Options error: --local and --nobind don't make sense when used together
Mar 21 20:49:09 openvpn[706]: Use --help for more information.
Mar 21 20:49:09 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed...

Err...the code should write messages to Syslog showing that it has started....

Code:
Mar 21 16:06:19 RT-AC68U kern.notice custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 16:06:20 RT-AC68U user.warn (openvpnclient1.postconf): 30430 Started..... [/etc/openvpn/client1/config.ovpn]
Mar 21 16:06:20 RT-AC68U user.warn (openvpnclient1.postconf): 30430 VPN Client will BIND to 10.88.8.4 via interface 'br0:VPN'
Mar 21 16:06:20 RT-AC68U user.warn (openvpnclient1.postconf): 30430 Complete.
Mar 21 16:06:20 RT-AC68U daemon.notice openvpn[30459]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar

what happens if you run the script direct on the terminal via SSH/Telnet?
Code:
cd /jffs/scripts
./openvpnclient1.postconf

is 755 set?, is the file in Unix format...
Code:
dos2unix ./openvpnclient1.postconf

Is it encoded correctly ? Here's someone identifying why a script of mine didn't run :eek:

https://www.snbforums.com/threads/o...e-to-site-connection.24268/page-5#post-313573

Which editor was used to cut'n'paste nano/vi/WinSCP/notepad++ ?
 
Last edited:
Oh well... I copied it from the spoiler .. I'm using chrome and I paste it in putty after I create the file with nano.. I always do that but the lines are breaking now .. let me fix it

I pasted it also in notepad++ and the lines are fine... when I copy from chrome or notepad++ and paste in putty I get the line breaks...
 
It doesn't work from putty either, and the file is correct..
I don't get the problem really... I get this when I run it
./openvpnclient1.postconf: line 1: ο»Ώ#!/bin/sh: not found
 
It doesn't work from putty either, and the file is correct..
I don't get the problem really... I get this when I run it
./openvpnclient1.postconf: line 1: ο»Ώ#!/bin/sh: not found

So clearly the file's corrupt. :(

Have you manually deleted the first line, saved the file, then manually re-edited it, retyped '#!/bin/sh' as the first line, then saved the file and retried running it manually from the terminal?

If cut'n'paste is beyond you then I'd give up Ha ha! :p

Anyway thanks for trying, enjoy the evening.
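An added example (not part of any post above) that checks a script for the three problems this thread ran into: a UTF-8 byte-order mark in front of `#!/bin/sh`, DOS line endings, and a missing execute bit. With a BOM the kernel does not see `#!` as the first two bytes, the shell falls back to reading the file itself, and line 1 is then treated as a command name, which gives the "not found" error quoted above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose and repair a pasted user script.

# True if the file starts with the UTF-8 BOM bytes EF BB BF.
has_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# True if any line ends in a carriage return (DOS/Windows line endings).
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# Print a space-separated list of problems; prints nothing when the file is clean.
script_problems() {
    p=""
    has_bom "$1" && p="$p bom"
    has_crlf "$1" && p="$p crlf"
    # The first two bytes must be "#!" for the kernel to honour the interpreter line.
    [ "$(head -c 2 "$1")" = "#!" ] || p="$p shebang"
    # Owner execute bit, read from the mode string so mount options do not matter.
    case "$(ls -ld "$1")" in
        -??x*) ;;
        *) p="$p noexec" ;;
    esac
    echo $p
}

# Strip the BOM and trailing carriage returns, then set mode 755.
fix_script() {
    cr=$(printf '\r')
    tmp="$1.tmp.$$"
    if has_bom "$1"; then tail -c +4 "$1"; else cat "$1"; fi |
        sed "s/${cr}\$//" > "$tmp" &&
        mv "$tmp" "$1" &&
        chmod 755 "$1"
}

# Constructed sample: BOM + CRLF line endings, created without the execute bit.
make_broken_sample() {
    printf '\357\273\277#!/bin/sh\r\necho ok\r\n' > "$1"
}

# Demo on a throwaway copy.
demo_dir=$(mktemp -d)
make_broken_sample "$demo_dir/openvpnclient1.postconf"
echo "before: $(script_problems "$demo_dir/openvpnclient1.postconf")"
fix_script "$demo_dir/openvpnclient1.postconf"
echo "after:  $(script_problems "$demo_dir/openvpnclient1.postconf")"
rm -rf "$demo_dir"
```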
 
