built in vpn watch dog? possible script, if not.

weech

hi,
i will be getting an rt-ax88u, in the next day or so. currently, i have a linksys 3200acm with dd-wrt.
on the dd-wrt forums, i got some great help and was provided a script to run at startup that runs a vpn watch dog. if the ping through the vpn tunnel fails, it restarts the openvpn client without rebooting the router.

not having the asus router, yet, and doing a fair amount of searching, i can't determine if the merlin firmware has a built in checkbox for a vpn watch dog. is there one?

if not, will the vpn watchdog script that i have in dd-wrt, work in merlin? one of the dd-wrt gurus there, egc, wrote it and it works great. i can post it (it's not long), if requested.
just from looking at some sample scripts for merlin, the syntax looks quite similar.

thoughts will be appreciated. thanks!
 
OpenVPN clients shouldn't need a watchdog, they already send a ping every "x" seconds, and restart if there is no reply.
 
I agree the OpenVPN client shouldn't need a watchdog (i.e., need to ping across the tunnel). OpenVPN already provides its own internal "ping", provided either the server or client use the keepalive directive (one or the other usually does).

However, imo a watchdog is still warranted because some OpenVPN providers will use a forced AUTH FAILED condition to either prevent access to a server, or throw connected clients off existing connections. Since it's considered a FATAL error, it kills the OpenVPN process! And the router is none the wiser for it. You tend to see this w/ the lower tier providers like KeepSolid, FastestVPN, etc. Not so much the more reputable ones (ExpressVPN, PIA, etc.). But even then, it's NOT unheard of.

That's why I've written and use a watchdog for all my OpenVPN clients, whether I'm running Merlin, DD-WRT, or FreshTomato. In each case, I provide an option to ping across the tunnel, although personally I've never found it necessary. The keepalive seems to do the job. More importantly, it monitors the process table, looking for any indication the OpenVPN client has stopped running, and if so, restarts it.


BTW, ironically the OpenVPN *server* includes a watchdog that monitors the process table (it runs every two minutes), which in my experience isn't necessary. But it does no harm to have it regardless.

Code:
admin@lab-merlin1:/tmp/etc# cat /tmp/etc/openvpn/server1/vpn-watchdog1.sh
#!/bin/sh
if [ -z $(pidof vpnserver1) ]
then
   service restart_vpnserver1
fi
admin@lab-merlin1:/tmp/etc# cru l
*/2 * * * * /etc/openvpn/server1/vpn-watchdog1.sh #CheckVPNServer1#
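
A sketch of the client-side watchdog described in the post above, as an added example that is not eibgrad's script or part of the original thread: it checks the process table and, only when a target is given, pings across the tunnel. The names `vpnclientN`, `tun1N` and `service restart_vpnclientN` are assumptions modelled on the `vpnserver1` script shown above.

```shell
#!/bin/sh
# Added example: OpenVPN client watchdog sketch (not the script from the thread).
# Assumptions: client N runs as process "vpnclientN", uses interface "tun1N",
# and is restarted with "service restart_vpnclientN".

# Print why a restart is needed; print nothing when the client looks healthy.
vpn_client_fault() {
    unit=$1
    target=${2:-}
    # Process check: a FATAL exit (such as AUTH FAILED) leaves no process behind.
    if [ -z "$(pidof "vpnclient$unit")" ]; then
        echo "process-missing"
        return 0
    fi
    # Optional tunnel check, used only when a ping target was supplied.
    if [ -n "$target" ] && ! ping -c 3 -W 5 -I "tun1$unit" "$target" >/dev/null 2>&1; then
        echo "ping-failed"
    fi
}

# Check one client and restart it on a fault.
# Returns 0 when healthy, 1 when a restart was issued.
vpn_client_watchdog() {
    unit=$1
    fault=$(vpn_client_fault "$@")
    [ -z "$fault" ] && return 0
    # Same destination as the thread's logger pipeline: the router syslog.
    logger -t "vpn-watchdog[$$]" "client $unit: $fault, restarting"
    service "restart_vpnclient$unit"
    return 1
}

# Entry point: sh vpn-client-watchdog.sh --run <client number> [ping target]
if [ "${1:-}" = "--run" ]; then
    vpn_client_watchdog "${2:-1}" "${3:-}"
fi
```

Scheduled from cron the way the server watchdog above is, it would run as `sh vpn-client-watchdog.sh --run 1`; the file name is hypothetical.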
 
> However, imo a watchdog is still warranted because some OpenVPN providers will use a forced AUTH FAILED condition to either prevent access to a server, or throw connected clients off existing connections.

Then those providers need to be called out for having a broken implementation, rather than people figuring out ways to work around it.

> BTW, ironically the OpenVPN *server* includes a watchdog that monitors the process table (it runs every two minutes), which in my experience isn't necessary. But it does no harm to have it regardless.

That's because it's far more critical than a client. A remote OpenVPN server that crashes can mean losing access to a remote site with no way of recovery unless someone can physically go on site to fix it.
 
thanks for the script, eibgrad!

rmerlin, thanks for the information on how it should work. i wasn't aware of the inner workings of openvpn and the periodic ping. i have protonvpn, and no idea whether theirs works properly, or not. do either of you know if there is a way to tell?
 
> thanks for the script, eibgrad!
>
> rmerlin, thanks for the information on how it should work. i wasn't aware of the inner workings of openvpn and the periodic ping. i have protonvpn, and no idea whether theirs works properly, or not. do either of you know if there is a way to tell?

Check the config, there's typically a ping and/or ping-restart parameter.
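
One way to do the config check suggested in the reply above, as an added example that is not part of the original thread: it summarises the `ping`, `ping-restart`, `ping-exit` and `keepalive` directives in a client config file. The function name and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the liveness directives in an
# OpenVPN client config. "keepalive N M" is shorthand for ping N + ping-restart M.
ovpn_liveness() {
    awk '
        { sub(/\r$/, "") }                      # provider files often use CRLF
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        $1 == "keepalive"    { ping = $2; restart = $3 }
        $1 == "ping"         { ping = $2 }
        $1 == "ping-restart" { restart = $2 }
        $1 == "ping-exit"    { quit = $2 }
        END {
            # ping-restart makes the client restart itself after a timeout;
            # ping-exit makes the process exit, which only a watchdog recovers.
            if (restart + 0 > 0)   verdict = "restarts-itself"
            else if (quit + 0 > 0) verdict = "exits-on-timeout"
            else                   verdict = "not-set-locally"
            printf "%s ping=%s ping-restart=%s ping-exit=%s\n", verdict,
                (ping == "" ? "-" : ping), (restart == "" ? "-" : restart),
                (quit == "" ? "-" : quit)
        }' "$1"
}

# Entry point: sh ovpn-liveness.sh /path/to/client.ovpn
if [ -n "${1:-}" ]; then
    ovpn_liveness "$1"
fi
```

A `not-set-locally` result does not mean the tunnel has no keepalive: the server can push `ping` and `ping-restart`, in which case they appear in the client log's PUSH_REPLY line rather than in the file.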
 
Thanks a lot for this great script. Exactly what I was looking for. I still need to figure out how to add this script to the start up routine.
In the script there is the line 2>&1 | logger -t $(basename $0)[$$] & -> this seems to be for writing a log, right?
For some reason I cannot find the log. Would you know where it is saved?
Thanks a lot.
 
> Thanks a lot for this great script. Exactly what I was looking for. I still need to figure out how to add this script to the start up routine.
>
> In the script there is the line 2>&1 | logger -t $(basename $0)[$$] & -> this seems to be for writing a log, right?
> For some reason I cannot find the log. Would you know where it is saved?

The output is written to the syslog, which you can dump and filter w/ the following command.

Code:
grep services-start /tmp/syslog.log
 
