Solved: Protocol based VPN ( Port 5060 Blocked )

[Martineau]

Alright so what I did now is I create a "VPNPortRouting.sh" file in /jffs/scripts/ and I am calling it from "nat-start"

And then in "openvpn-event" file I add this code ( found it from this forum )

This way I'm calling the required "vpnclient1-route-up" so I want to know is this still the preferred method to call this file?

The openvpn-event template was posted by @john9527, so whilst not being a formal standard (it should be added to the firmware!) it eliminates the maintenance of a potentially humungous script that is easy to break i.e creating individual files for each VPN Client/Server instance reduces the chances of breaking 'everything'.

Obviously if you only have a need for 'vpnclient1-route-up' then you could simply use script openvpn-event, but should you wish to create a script for the event VPN Client 'DOWN' then it is safer to work on a separate script file 'vpnclient1-down' knowing you won't break the existing VPN Client 'ROUTE UP' code.

 

[Asad Ali]

What I am doing is since I dont need VPN client "DOWN" event to do anything to the routing tables etc, Im just using it to send me a email each time it runs so that I know my VPN is down

 

[Asad Ali]

Just one more question, is there any command I can run to check if my applied port bypass rule is still active or not?

 

[Martineau]

Just one more question, is there any command I can run to check if my applied port bypass rule is still active or not?

You can always check the help for the 'ip' and 'iptables' command usage, but these two commands will list the rules:

ip rule
iptables -t mangle -nvL PREROUTING --line

You could simply continue to use the 'nat-start' code I posted (renamed as 'VPNPortRouting.sh') i.e. always recreate the two fwmark tagging rules regardless, but you could tweak the code:

VPN_ID=1       # VPN Client #; Change to the appropriate VPN Client to be used (1-5, if available)
DPORT=5060     # Port number (or CSV list of ports) to be routed via VPN Client #

TAG_MARK=0x${VPN_ID}000
PRIO=999${VPN_ID}

RPDB_FWMARK="from all fwmark $TAG_MARK/$TAG_MARK table 11$VPN_ID prio $PRIO"
IPT_FWMARK="-i br0 -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK"


# Check if required RPDB fwmark routing rule exists; if not then insert it
if [ -z "$(ip rule 2> /dev/null | grep -oF "$RPDB_FWMARK")" ];then
   ip rule add $RPDB_FWMARK
   ip route flush cache
fi

# Check if required fwmark tagging rule exists; if not then append it to the chain
iptables -t mangle -C PREROUTING $IPT_FWMARK 2> /dev/null
if [ $? -eq 1 ];then
   iptables -t mangle -A PREROUTING $IPT_FWMARK
fi

 

[Asad Ali]

The openvpn-event template was posted by @john9527, so whilst not being a formal standard (it should be added to the firmware!) it eliminates the maintenance of a potentially humungous script that is easy to break i.e creating individual files for each VPN Client/Server instance reduces the chances of breaking 'everything'.

Thanks a lot for helping me so much, I'm learning a lot from you, Okay so I have a question regarding @john9527 "openvpn-event" script, it seems like its not running on a Hard Reboot ( Power button toggle ) and I get this message in the log:

Spoiler: Web Log

Oct 17 02:01:10 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1553 10.9.152.140 )
Oct 17 02:01:11 openvpn-event[1373]: VPN script vpnclient1-route-up already run

I did some testing of my own with the limited knowledge I have on these things and according to my understanding this variable "nvram get vpn_script_state" is not being reset properly on Hard Reboot but it's working perfectly on Soft Reboot ( By Web GUI ) OR if I toggle the VPN connection manually ( after hard reboot completes ) which will write the correct state to the "nvram get vpn_script_state" and it runs properly.

 

[john9527]

Okay so I have a question regarding @john9527 "openvpn-event" script, it seems like its not running on a Hard Reboot ( Power button toggle ) and I get this message in the log:

That's a protection for having an 'up' script without a corresponding 'down'.....but I should move that to a temp file rather than nvram and fix it to handle multiple vpn instances.

in the mean time, make a /jffs/scripts/init-start
with

#!/bin/sh
nvram set vpn_script_state="boot"

(or add the nvram set to an existing init-start"

 

[Asad Ali]

That's a protection for having an 'up' script without a corresponding 'down'.....but I should move that to a temp file rather than nvram and fix it to handle multiple vpn instances.

I do have a down script too but I name it as "vpnclient1-route-pre-down" so should it be "vpnclient1-route-down" ?

 

[john9527]

I do have a down script too but I name it as "vpnclient1-route-pre-down" so should it be "vpnclient1-route-down" ?

Any change in script name is fine......it's just when you power cycle you don't execute the 'down' side ....a gui reboot does.
I have the init-start nvram set in my own init-start script.

 

[Asad Ali]

Perfect, I understand it now thanks and setting the init-start nvram set fixes the issue.

 

[john9527]

Perfect, I understand it now thanks and setting the init-start nvram set fixes the issue.

Here's an update to the openvpn-event script with some fixes/updates

• Keeps the script state in memory vs nvram (fixes power cycle without an init-start script)
• Keeps separate states for each server and client instance
• Only tracks states which actually have a script

#!/bin/sh

scr_name="$(basename $0)[$$]"
wan_gw=$(nvram get wan0_gateway)
wan_ip=$(nvram get wan0_ipaddr)
wan_if=$(nvram get wan0_ifname)

# Determine caller
case "$1" in
    "tun11")
        vpn_name="client1"
        ;;
    "tun12")
        vpn_name="client2"
        ;;
    "tun13")
        vpn_name="client3"
        ;;
    "tun14")
        vpn_name="client4"
        ;;
    "tun15")
        vpn_name="client5"
        ;;
    "tun21")
        vpn_name="server1"
        ;;
    "tun22")
        vpn_name="server2"
        ;;
    *)
        vpn_name=""
        ;;
esac

# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"
vpn_script_log="/tmp/vpn${vpn_name}_state"

# Check script state
vpn_script_state=$(cat $vpn_script_log)
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
    echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
    exit 0
fi

# Execute and log script state
if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
    echo "$vpn_script_name" > $vpn_script_log
    sh /jffs/scripts/$vpn_script_name $*
else
    echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
    exit 0
fi

exit 0

 

[Asad Ali]

Awesome!! Now it runs perfectly after a Power Toggle too and without any use of init-start script

Thanks!

 

[Martineau]

Here's an update to the openvpn-event script with some fixes/updates

• Keeps the script state in memory vs nvram (fixes power cycle without an init-start script)
• Keeps separate states for each server and client instance
• Only tracks states which actually have a script

Perhaps change

vpn_script_state=$(cat $vpn_script_log)

to

vpn_script_state=$(cat $vpn_script_log 2>/dev/null)

to keep things tidy (just in case)!!!

./VPN_Client_Switch.sh stopall

(VPN_Client_Switch.sh): 1758 Request..... [stopall]
(VPN_Client_Switch.sh): 1758 Stopping VPN Client 1
(VPN_Client_Switch.sh): 1758 Blocking WAN for VPN Client 1 to ny.us.hma.rocks
(vpnrouting.sh): 1814 v380.68 Patched by Martineau [wan_block tun11]
cat: can't open '/tmp/vpn_state': No such file or directory
  Waiting for VPN Client 1 (HMA New York) to disconnect.....
  VPN Client 1 (HMA New York) disconnect'd in 11 secs
(VPN_Client_Switch.sh): 1758 VPN Syslog Event Monitor terminated.