VPN Failover script

[Olivier L]

Hello I am trying to get it work in multiconfig mode.
Running manually is ok but it fails when it comes to having it started automatically upon vpn up.

I have created a vpnclient1-up file with
---
#!/bin/sh
VPN_ID=${dev:4:1}
logger -st "($(basename $0))" $$ "Requesting VPN Failover monitor with 2 min delay....."
sh /jffs/scripts/VPN_Failover.sh "$VPN_ID" "multiconfig" "interval=60" "delay=120" "force" "curlrate=2M" &
---
But no monitoring starts when I restart VPN client 1

What am I wrong ?

Thanks

 

[Martineau]

"This script feature [multiconfig] is now available in the OpenVPN GUI configuration".

I cant see where in the GUI we can specify various servers IP?

Use the '--remote' directive(s) (see OpenVPN manual) in the Custom Configuration GUI

 

[Martineau]

Hello I am trying to get it work in multiconfig mode.
Running manually is ok but it fails when it comes to having it started automatically upon vpn up.

I have created a vpnclient1-up file with
---
#!/bin/sh
VPN_ID=${dev:4:1}
logger -st "($(basename $0))" $$ "Requesting VPN Failover monitor with 2 min delay....."
sh /jffs/scripts/VPN_Failover.sh "$VPN_ID" "multiconfig" "interval=60" "delay=120" "force" "curlrate=2M" &
---
But no monitoring starts when I restart VPN client 1

What am I wrong ?

Do you have the '/jffs/scripts/openvpn-event' script? - it is this script that calls the 'vpnclient1-up' script. see here but you need to change

PROJECT_REPO="/jffs/scripts/x3mRouting"

to (like Xentrk should have done)

[ -d "/jffs/scripts/x3mRouting" ] && PROJECT_REPO="/jffs/scripts/x3mRouting" || PROJECT_REPO="/jffs/scripts"

to use the default script directory

Do you have the message "Requesting VPN Failover monitor with 2 min delay....." in Syslog?

grep -E "vpnclient|VPN_Failover" /tmp/syslog.log

​

 

[Olivier L]

Hello
I have a /jffs/scripts/openvpn-event but only to send an email when vpn is up or down.
I am using x3mRouting as well (to bypass Netflix) but without using the openvpn-event you have mentioned. Am I wrong ?
May I risk any side effect appending your openvpn-event file (I will mod the PROJECT_REPO) to mine ?
I do not really understand what your openvpn-event is for ?

Thnks for your help

 

[Martineau]

I am using x3mRouting as well (to bypass Netflix) but without using the openvpn-event you have mentioned. Am I wrong ?
May I risk any side effect appending your openvpn-event file (I will mod the PROJECT_REPO) to mine ?

No idea, I don't need to use x3mRouting.

I do not really understand what your openvpn-event is for ?

@john9527 recognised that in most cases users have no idea what code to place in the 'openvpn-event' script, resulting in a script that can be difficult to manage, and easily broken by incorrect logic.

So the idea is that his template separates the OpenVPN event action logic into discrete scripts that are easier to understand (functionally the script name gives it away) but more importantly, the action only applies to a specific VPN Client instance or Server.
NOTE: It also prevents an event rule from unexpectedly executing the same script multiple times consecutively - due to an unexpected loop etc.

I have a /jffs/scripts/openvpn-event but only to send an email when vpn is up or down.

As you are seemingly comfortable using your existing custom single 'openvpn-event' script then simply include

VPN_ID=${dev:4:1}

logger -st "($(basename $0))" $$ "Requesting VPN Failover monitor with 2 min delay....."
sh /jffs/scripts/VPN_Failover.sh "$VPN_ID" "multiconfig" "interval=60" "delay=120" "force" "curlrate=2M" &

inline to the appropriate VPN Client UP section.

P.S. You can now safely delete 'vpnclient1-up' unless you prefer to call it from 'openvpn-event'.

 

[Olivier L]

perfect, now it works. thanks for your time.

 

[mister]

Hi @Martineau,
I updated to the newest version (because I had problems with the newest x3mrouting script) but if I want to check the status I got the following output:

***ERROR Orphaned PID file '/tmp/vpnclient1-VPNFailover'

What could I do and how to solve the error ?

EDIT : V1.23


Thanks a lot
Hugo

 

[Viktor Jaep]

Hi @Martineau !

I continue to have occasional issues with the VPN_Failover script, but it seems these issues only happen when things get unstable... ie, my internet connection drops for a minute and reconnects to the internet provider... The script will notice that the line is down, and move to the next VPN profile, until the internet comes back up and the VPN reconnects. But during this process, I get some weird results (at times):

1. Sometimes, the script may not have successfully shut down another VPN profile, and I will end up having 2 VPN connections going at the same time... it rarely happens, but it does... and thankfully the internet typically still works when this happens.
2. The bigger issue is that sometimes when the VPN reconnects directly after an internet outage, the VPN will be up, but there seem to be some strange networking issues that prevents any VPN client from being able to get on the internet. The amount of traffic going over the tunnel is abnormally low, and what resolves this is to kill the VPN tunnel, and reinitialize it. Then things start working. Unfortunately, in this particular situation, the VPN_Failover script will act as if everything is fine with this VPN tunnel. I would think that if other clients cannot get on the internet, that the VPN_Failover script would be having issues too... but that is not the case.

My question to you is what other switches I could be utilizing to see if the VPN_Failover script can identify and recover from this situation #2? I am a little confused if the curlrate parameter would be able to help in this situation? Since I'm using 5 different VPN profiles, would this be the correct command to use?

VPN_Failover 1 force curlrate=1MB, minrates=?,1MB,1MB,1MB,1MB

Thank you!

 

[chinaa108]

Hi, I just tried to install this script by copy and pasting this

curl --retry 3.....etc

then I get this
**ERROR** VPN Client '' is INVALID (1-5 only)

I have one vpn connection, am I supposed to edit anything in the file? Im new to this, please help

 

[eibgrad]

A word to the wise.

I generally do NOT recommend external OpenVPN failover scripts. And this is NOT a criticism of anyone's efforts to do so, but just a realization that trying to detect and manage a failed VPN (however that is actually defined, which I'll get to in a moment) is a VERY difficult job. Even I would find it a challenge, and I've been working w/ OpenVPN and developing my own scripts for many, many years.

As anyone familiar w/ OpenVPN quickly realizes, it's not all that easy to detect a failure. It's not as if OpenVPN makes it obvious. It may attempt to retry the connection, sometimes indefinitely! The typical way YOU decide it's a failure in that case is if it takes too long to recover. And that's subjective.

I've found the best solution is to use a good, reliable VPN provider (and admittedly that's not always an easy task) and specify multiple remote directives (servers) in your config file. Here's an example of my own (w/ ExpressVPN, no secrets here).

server-poll-timeout 10
remote-random
remote us-new-york-2-ca-version-2.expressnetw.com 1195
remote usa-atlanta-ca-version-2.expressnetw.com 1195
remote usa-chicago-ca-version-2.expressnetw.com 1195
remote usa-dallas-2-ca-version-2.expressnetw.com 1195
remote usa-dallas-ca-version-2.expressnetw.com 1195
remote usa-denver-ca-version-2.expressnetw.com 1195
remote usa-losangeles-1-ca-version-2.expressnetw.com 1195
remote usa-losangeles-3-ca-version-2.expressnetw.com 1195
#remote usa-losangeles-ca-version-2.expressnetw.com 1195
remote usa-losangeles5-ca-version-2.expressnetw.com 1195
remote usa-miami-2-ca-version-2.expressnetw.com 1195
remote usa-miami-ca-version-2.expressnetw.com 1195
remote usa-newjersey-1-ca-version-2.expressnetw.com 1195
remote usa-newjersey-3-ca-version-2.expressnetw.com 1195
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote usa-saltlakecity-ca-version-2.expressnetw.com 1195
remote usa-sanfrancisco-ca-version-2.expressnetw.com 1195
remote usa-seattle-ca-version-2.expressnetw.com 1195
remote usa-tampa-1-ca-version-2.expressnetw.com 1195
remote usa-washingtondc-ca-version-2.expressnetw.com 1195

The server-poll-timeout directive tells OpenVPN to only wait 10 seconds for a connection attempt before moving on to the next server. And in my case, I've decided to randomize that selection w/ the remote-random directive (the default is sequential).

The benefit here is that we let ***OpenVPN*** decide when and where to reestablish the connection, rather than try to manage it externally, via our own scripts. Nobody knows more about the state of affairs and how to proceed correctly than OpenVPN itself. I don't care how good any given external management script may be, it will never be able to handle all situations, or all situations as cleanly and effortlessly as you may be expecting. Not when it comes to that beast called OpenVPN.

In all my years of dealing w/ OpenVPN, I can't think of a single case where there was a need to failover to a *different* VPN provider, *provided* I was using a good, reliable VPN provider. But if you cheap out and expect some fly-by-night VPN provider who offered you a lifetime subscription for $10 to be that provider and work w/ these external management scripts, you're kidding yourself. Dollars to donuts that's likely the underlying cause of your problems. In short, no one should need failover scripts. OpenVPN is *designed* to handle failover itself, internally.

To make matters worse, using multiple VPN providers, you now have to duplicate all your PBR (policy based routing) (should you choose to go down that path) across the VPNs. Ugg.

The only circumstances I can imagine where you would actually need external failover protection is a) if the VPN provider was stupid enough to require completely different configurations (certs, keys, etc.) for different servers (ala, NordVPN years ago, and if that's the case, find a better provider), b) you insist on one very specific server location, and your VPN provider only offers one selection, so you employ several different providers (again, find a *single* better provider), or c) you fail to pay your bill, so your provider shuts you down, across the board (all servers).

OpenVPN isn't like your ISP, where you have the one and only option of a single connection, and if it fails, you're dead in the water without an external failover solution (e.g., dual WAN).

FWIW, my ExpressVPN setup as described above runs 24/7/365, flawlessly. On the rare occasion a connection drops/fails, it just moves on to the next server, transparently. Only way I know it even happened is if I happen to see it in the logs.

In short, at least for some of you guys, you're creating the very problem you're attempting to solve. The point of failure is NOT OpenVPN, it's YOU!

JMTC

 

[Viktor Jaep]

A word to the wise.

...

FWIW, my ExpressVPN setup as described above runs 24/7/365, flawlessly. On the rare occasion a connection drops/fails, it just moves on to the next server, transparently. Only way I know it even happened is if I happen to see it in the logs.

In short, at least for some of you guys, you're creating the very problem you're attempting to solve. The point of failure is NOT OpenVPN, it's YOU!

This is HUGELY beneficial! Thank you so much for sharing. I've turned off my VPN failover script in favor of trying your method. I'm excited to see how it's going to recover when my ISP connection drops on occasion.

 

[RMerlin]

OpenVPN does has its own monitoring functionality, as it will regularly try to ping the remote end. Leveraging that instead of reinventing the wheel is probably more robust (as long OpenVPN's implementation isn't broken - I never looked at it personally).

 

[eibgrad]

This is HUGELY beneficial! Thank you so much for sharing. I've turned off my VPN failover script in favor of trying your method. I'm excited to see how it's going to recover when my ISP connection drops on occasion.

You could always simulate the failure of the WAN/ISP by releasing the DHCP lease for a few minutes. Let various processes that depend on having an internet connection suffer the loss for a while and see what happens when you renew it. Should anything fail to recover (could be more than just OpenVPN), it's not a bad idea to create a "keepalive" script for those processes which restarts them, or in the worst case, reboots the router.

In my case, given your scenario, my OpenVPN client (which actually runs on a separate machine) tries to recover, ad infinitum. But as a precaution (since I have customers w/ whom I can't take the risk and assume that will always be the case), I maintain a script which makes sure the OpenVPN process hasn't decided to exit. If my script sees that happen, it restarts it.

(
while :; do
    if [ "$(nvram get openvpncl_enable)" != "0" ]; then
        ps | grep -q [o]penvpncl || openvpn --config /tmp/openvpncl/openvpn.conf --daemon
    fi
    sleep 20
done
) &

Note, my OpenVPN client is running on dd-wrt x86 (and is initiated in the dd-wrt startup script), so some of the references are dd-wrt specific. But it's easily adaptable to any router which supports scripting. It just keeps checking the process table to make sure the OpenVPN client is always there (presumably trying to reconnect). Very simple protection.

Again, I can't recall having OpenVPN actually exit just because it couldn't connect *unless* perhaps there was only a single remote. Perhaps it *might* exit in that case believing the situation futile. But again, I don't recall this actually happening.

Regardless, if it happens, it's not really a OpenVPN failover situation, but just a case of having to deal w/ some of the vagaries of these routers when the WAN/ISP fails.

 

[AlexHK]

I have tried the script and noticed that while ie. 3, 4 and 5 are disabled, it still sends an email that it is going to switch to it (while the script correctly outputs that the corresponding client is ignored). It also shows something that looks like a verbose curl output while (I assume) it is sending the emails (I am using pingonly, so that's why I assume it's related to the emails being sent).

example:

/jffs/scripts/VPN_Failover.sh 1 once pingonly=192.168.0.1 verbose ignore=3,4,5 sendmail emailcfg=/jffs/scripts/email.conf

 

[mister]

Dear all,
could anybody tell me the command for killing one instance of the script (not all).
e. g. what command should I use if I want to kill the vpnfailover script for ovpnc1?

From. my point of view I see an advantage of the script if you only have one name server to login. my vpn provider chooses to which server of the region (I decided) I will connect. I have no influence (of course I could collect the ipadresses and use them as radom servers, but the ip adresses changes over time).

It sometimes occurs, that the speed of the choosen serves goes down over time. I don't know, if my vpn provider then moves me to another server automatically, I think not. In that case the Failover script seems to me very usefull.

 

[eibgrad]

could anybody tell me the command for killing one instance of the script (not all).
e. g. what command should I use if I want to kill the vpnfailover script for ovpnc1?

You have to identify its process ID from the process table (ps command), then kill that process ID.

kill <process-id>

 

[mister]

thanks a lot.
Is the process ID after reboot the same or does it change after reboot?

 

[eibgrad]

thanks a lot.
Is the process ID after reboot the same or does it change after reboot?

Process IDs are assigned sequentially, and at the time the program/script is started, so they change w/ each invocation.

For programming purposes, you can try using the following:

killall <program-or-script-name>

Doesn't always work though. It searches the process list for the name and kills those processes. But it doesn't always find the name, and it's indiscriminate. IOW, if more than one process has the same name, it kills *all* of them.

 

[Martineau]

Dear all,
could anybody tell me the command for killing one instance of the script (not all).
e. g. what command should I use if I want to kill the vpnfailover script for ovpnc1?

From. my point of view I see an advantage of the script if you only have one name server to login. my vpn provider chooses to which server of the region (I decided) I will connect. I have no influence (of course I could collect the ipadresses and use them as radom servers, but the ip adresses changes over time).

It sometimes occurs, that the speed of the choosen serves goes down over time. I don't know, if my vpn provider then moves me to another server automatically, I think not. In that case the Failover script seems to me very usefull.

Does this answer your query?

 

[mister]

Does this answer your query?

Yes and No ,
the answer is clear but it doesn´t solve my problem, because every instance of the VPNFailoverscript would be killed by the command.
I was hoping, it would be possible to have a specific command for each instance of the vpnfailoverscript, which can be used in a openvpnX-down event.

e.g. I use the VPNfailoverscript e.g. for VPN1 to force to reconnect if the speed drops down - works. But what happens if I decide to manually turn off the vpn1 connection? In that case the vpnfailoverscript would reestablish the connection wouldn´t it ? So a manual turn off is not possible - right??

By the way : Did you find an explanation or a solution for the error I described earlier (#67) ?

Thanks a lot to all of you for your support.